Friday, August 18, 2017

Russia May Have Tried Maritime GPS Spoofing

A 22 June 2017 report described twenty (20) ships near the Russian Black Sea coast whose GPS receivers placed them inland, at Gelendzhyk Airport. Similar GPS position errors have been observed in automobiles driving near the Kremlin in Moscow, Russia. These anomalies suggest that Russia is testing a GPS spoofing capability, on land and at sea, for use in the event of a military conflict...READ MORE

Wapack Labs has cataloged and reported extensively on Russia and GPS spoofing in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
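The two anomalies in the teaser (one hull jumping from open water to an inland airport, and twenty hulls reporting the same spot) are exactly the patterns a receiver-side plausibility check can catch. The block below is an added example written for this page; it is not Wapack Labs code and not taken from the report. The vessel names, coordinates, timestamps and the 30-knot / 0.5 km thresholds are constructed, and the inland point is a stand-in for "an airport", not the airport's real position.

```python
"""Plausibility checks for reported GPS positions (added example, not from the report)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
KM_PER_NAUTICAL_MILE = 1.852


@dataclass(frozen=True)
class Fix:
    t: float    # seconds since an arbitrary epoch
    lat: float  # decimal degrees, north positive
    lon: float  # decimal degrees, east positive


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_knots(a: Fix, b: Fix) -> float:
    """Speed the receiver would have needed to travel from fix a to fix b."""
    hours = (b.t - a.t) / 3600.0
    if hours <= 0:
        raise ValueError("fixes must be strictly increasing in time")
    return haversine_km(a.lat, a.lon, b.lat, b.lon) / hours / KM_PER_NAUTICAL_MILE


def flag_impossible_jumps(track: List[Fix], max_knots: float = 30.0) -> List[Tuple[int, float]]:
    """Check 1: (index, implied knots) for each fix the hull could not physically have reached
    from the previous one. A jump from sea to an inland airport fails this by a wide margin."""
    flagged = []
    for i in range(1, len(track)):
        knots = implied_speed_knots(track[i - 1], track[i])
        if knots > max_knots:
            flagged.append((i, knots))
    return flagged


def shared_position_clusters(latest: Dict[str, Fix], radius_km: float = 0.5,
                             min_vessels: int = 3) -> List[List[str]]:
    """Check 2: groups of at least min_vessels whose latest fixes lie within radius_km of each
    other. Many hulls collapsing onto one point is the signature of a spoofed signal; ordinary
    receiver error scatters rather than converges."""
    names = sorted(latest)
    groups, assigned = [], set()
    for n in names:
        if n in assigned:
            continue
        here = latest[n]
        group = [m for m in names if m not in assigned
                 and haversine_km(here.lat, here.lon, latest[m].lat, latest[m].lon) <= radius_km]
        if len(group) >= min_vessels:
            groups.append(group)
            assigned.update(group)
    return groups


# Constructed sample track: a vessel creeping east at one-minute intervals, then "teleporting"
# to a constructed inland coordinate and sitting there (all values invented for the example).
INLAND = (44.480, 37.990)
TRACK = [
    Fix(0, 44.400, 37.800),
    Fix(60, 44.400, 37.805),
    Fix(120, 44.400, 37.810),
    Fix(180, *INLAND),
    Fix(240, *INLAND),
]

# Constructed latest fixes from four vessels: three report the same inland point, one is elsewhere.
LATEST_REPORTS = {
    "VESSEL_A": Fix(180, *INLAND),
    "VESSEL_B": Fix(181, 44.4801, 37.9902),
    "VESSEL_C": Fix(182, 44.4799, 37.9899),
    "VESSEL_D": Fix(183, 44.300, 37.600),
}

if __name__ == "__main__":
    for idx, knots in flag_impossible_jumps(TRACK):
        print(f"fix {idx}: implied {knots:.0f} kn, impossible for a ship")
    for group in shared_position_clusters(LATEST_REPORTS):
        print("vessels reporting one position:", ", ".join(group))
```

The speed check alone misses the last fix, where the spoofed receiver simply stays put at the false position; the cross-vessel check catches that case, which is why the two are used together.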

Thursday, August 17, 2017

Compromised Brazilian Government Account Advertising Hacker Shops

Wapack Labs' “Operation 8-ball” identified a hacker forum being advertised through a compromised government email account in Para, Brazil. One of the advertised hacker shop domains was also tweeted by a novice Canadian carder. The originating IPs were located in Kosovo, and Kosovo also appears in the hacker forum's WHOIS data. Exact attribution for the Brazilian government compromise is still absent...READ MORE

Wapack Labs has cataloged and reported extensively on compromised accounts and hacker forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Wednesday, August 16, 2017

Indian Physical Security Company Compromise

TLP AMBER ANNOUNCEMENT: 

On 15 July 2017, Wapack Labs identified, with high confidence, four keylogged email accounts, including usernames and passwords, belonging to an Indian physical security company. These accounts were used to harvest information from multiple internal systems and external portals; both the sales and customer relationship management systems may have been compromised. Because many of these keylogger infections spread through automation, there is a potential for compromise within customer, partner, and supply chain relationships...READ MORE

Wapack Labs has cataloged and reported extensively on keyloggers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
This TLP AMBER report is available only to Red Sky Alliance members.

Monday, August 14, 2017

DiamondFox in the Wild

TLP AMBER ANNOUNCEMENT: 

DiamondFox is a credential-stealing, multi-purpose botnet sold on the black market as Malware as a Service (MaaS). Also known as Gorynych, DiamondFox is still actively used in the wild, with its recent version, Crystal, available in online marketplaces. The malware can steal information from Point of Sale (PoS) systems, with campaigns targeting multi-state healthcare providers, dental clinics, manufacturers, and technology companies. To get a picture of the current state of DiamondFox botnets, Wapack Labs collected recent samples and extracted the command and control (C2) information from their configuration files. This report provides technical details on DiamondFox, the Russian botnet infrastructure, and the domains involved...READ MORE

Wapack Labs has cataloged and reported extensively on malware and botnets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Life After AlphaBay: TradeRoute

TLP AMBER ANNOUNCEMENT: 

On 04 August 2017, Wapack Labs discovered TradeRoute, a Russian- and English-language Tor-based marketplace and forum on the dark net that focuses on the sale of illegal drugs. Vendors also sell electronics, digital goods, forgeries, hacking services, lab equipment for narcotics, counterfeit fashion goods, and fraud services. With the recent law enforcement takedowns of Hansa Market and AlphaBay (see past Wapack Labs reporting), actors are migrating to TradeRoute quickly, making it a leading dark net marketplace...READ MORE

Wapack Labs has cataloged and reported extensively on Tor marketplaces and forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

This TLP AMBER report is available only to Red Sky Alliance members.

Friday, August 11, 2017

Microsoft Office Hoax Phishing Site

On 27 July 2017, Wapack Labs, using our Cyber Threat Analysis Center (CTAC), discovered a phishing site disguised as a Microsoft Office sign-in page. The site is designed to trick users into entering their Microsoft-related email addresses and passwords. When a user enters credentials into the malicious site, they are redirected to the real Microsoft sign-in page, so the theft is not obvious to the victim. The differences between the two pages can be seen in...READ MORE

Wapack Labs has cataloged and reported extensively on phishing in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
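The look-alike page described above has to send the typed password somewhere the attacker controls before bouncing the victim to the genuine sign-in page, and that destination is what a triage script can check. The following is an added example for this page, not Wapack Labs code and not the phishing kit's code: the HTML, URLs and hostnames are constructed (the `.example` domain is a placeholder), and the set of trusted sign-in hosts is an assumption that a tenant using federated SSO would need to extend.

```python
"""Checks for a credential-harvesting sign-in page (added example, not from the report)."""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlsplit

# Assumption: hosts that legitimately receive Microsoft account credentials. Extend for your
# own federation/SSO endpoints; anything else receiving a password field is suspect.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


class _FormCollector(HTMLParser):
    """Record every <form> and whether it contains a password input."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[dict] = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_form_hosts(html: str, page_url: str) -> List[str]:
    """Hostnames that will receive the POSTed password (relative actions resolve to the page host)."""
    parser = _FormCollector()
    parser.feed(html)
    return [urlsplit(urljoin(page_url, f["action"])).hostname or ""
            for f in parser.forms if f["has_password"]]


def assess_login_page(html: str, page_url: str, trusted=TRUSTED_LOGIN_HOSTS) -> List[str]:
    """Findings for a captured sign-in page; empty list means page and form both stay on trusted hosts."""
    findings = []
    page_host = (urlsplit(page_url).hostname or "").lower()
    if page_host not in trusted:
        findings.append(f"sign-in page served from untrusted host {page_host!r}")
    for host in credential_form_hosts(html, page_url):
        if host.lower() not in trusted:
            findings.append(f"password form posts to untrusted host {host!r}")
    return findings


# Constructed look-alike page: branded like the Office sign-in page, but the form posts the
# password to the attacker's own script, which then forwards the victim to the real page.
PHISH_URL = "http://office-signin-verify.example/index.html"
PHISH_HTML = """
<html><head><title>Sign in to your account</title></head><body>
<form method="post" action="post.php">
  <input type="email" name="loginfmt">
  <input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed stand-in for the genuine page: the relative action resolves to the trusted host.
LEGIT_URL = "https://login.microsoftonline.com/common/oauth2/authorize"
LEGIT_HTML = """
<html><body>
<form method="post" action="/common/login">
  <input type="email" name="loginfmt"><input type="password" name="passwd">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(url, "->", assess_login_page(html, url) or ["no findings"])
```

Resolving the form action against the page URL matters: a relative `action` on a look-alike host is just as bad as an absolute one, and a kit that submits via JavaScript rather than a form action will pass this static check, so it is a first filter rather than a verdict.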

Shadowbrokers and the Scylla Hacking Store

The ShadowBrokers (SB) have recently started a new Tor-based market called the Scylla Hacking Store. SB is selling several stolen APT exploits (US, Russian, and Chinese), crimeware exploit kits, and other crimeware hacking tools: bots, hash cracking, and Microsoft Office exploits. Analysts believe, with medium confidence, that the recent Petya activity may be related to SB's sale of all the payload source code for the FuzzBunch framework, which included EternalBlue...READ MORE

Wapack Labs has cataloged and reported extensively on the ShadowBrokers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Thursday, July 20, 2017

Financially Motivated APT-style Actors Target Retail & Hospitality

A financially motivated, APT-style group of cyber threat actors is targeting large restaurant chains with phishing emails containing malicious attachments. Since as early as April 2017, a new wave of the group's activity has targeted the retail and hospitality sectors. The group has been active since 2015 and is known for its use of the Carbanak malware. The most recent campaigns leverage two new RTF droppers to deliver a variant of a known backdoor. Early campaigns targeted financial institutions and banks; in 2015, the group targeted European banks through a banking application called the Internet Front End Banking System (iFOBS). This report describes the TTPs leveraged in the recent campaigns...READ MORE

Wapack Labs has cataloged and reported extensively on APTs, cyber threat actors, phishing, malware, financial institutions, and Carbanak in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, July 18, 2017

NotPetya: Ransomware Or Russian Wiper?

The creators of NotPetya (also known as Petya, PetrWrap, Petya.A, Win32/Diskcoder.Petya.C, EternalPetya, Nyetya, and exPetr) continue to present NotPetya as “simple ransomware.” The developers have moved received bitcoins, sent payments to Pastebin- and DeepPaste-associated wallets, contacted the public, and apparently were able to decrypt one short NotPetya-encrypted file. At the same time, the NotPetya creators did not use the original Petya ransomware source code, and likely left no remedy for most users to recover their encrypted data, despite showing them a ransom note. These observations, together with targeting and comparative TTP data for XData and BlackEnergy3 Killdisk, lead Wapack analysts to attribute NotPetya, as likely, to a Russian APT. The Petya/NotPetya operation is likely another Russian APT disruption of Ukrainian IT infrastructure, and possibly an intelligence operation, masked as a ransomware case. At the same time, it is probable that the Petya/NotPetya actors hold a master key capable of decrypting user files in cases where the targeted disk was not destroyed and the system information is available...READ MORE

Wapack Labs has cataloged and reported extensively on Petya/NotPetya, ransomware, BlackEnergy, Russian APT, wiper malware, and Ukrainian attacks in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, July 17, 2017

Below the noise of Petya - Loki Bot Credential Stealing Malware

In late June 2017, Wapack Labs identified a malicious email targeting a Ukrainian Financial Institution (FI) to deliver credential-stealing malware called Loki Bot. This incident happened at the same time as the Petya/NotPetya ransomware outbreak.

Loki Bot samples and C2s were reported as being Petya/NotPetya ransomware. Further confusion resulted when AV detections began identifying Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, FTP/SSH applications, email accounts, and crypto-coin wallets. Wapack Labs was able to sinkhole malicious Loki Bot C2 domains for further analysis.

This report discusses the misattribution of Loki Bot, along with technical details of the analyzed Loki Bot samples, including analysis of the sinkholed domains and indicators of compromise.

We normally don't publish analysis in its entirety. My team has requested that we post this analysis on the blog for broader situational awareness. 

Enjoy.

Friday, July 14, 2017

Petya/NotPetya and Really Not Petya - Loki Bot Credential Stealing Malware

In late June 2017, Wapack Labs identified a malicious email targeting Ukrainian Financial Institutions (FIs) to deliver credential-stealing malware called Loki Bot. This incident happened at the same time as the Petya/NotPetya ransomware outbreak, which also targeted Ukrainian banking infrastructure. Possibly due to the confusion generated during the initial Petya/NotPetya outbreak, Loki Bot samples and C2s were reported as being Petya/NotPetya ransomware. Further confusion resulted when anti-virus (AV) detections began identifying Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, File Transfer Protocol (FTP) applications, email accounts, and crypto-coin wallets. This report discusses the misattribution of Loki Bot, along with technical details of the analyzed Loki Bot samples.

Get the full report here. 
Wapack Labs has cataloged and reported extensively on Loki Bot, and Loki RAT, in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, July 4, 2017

Happy Fourth of July!

I was traveling Saturday, so I didn't get to post...

Today when we're all enjoying hot dogs and hamburgers and corn on the cob and all things American, which is exactly what we should be doing, remember, we're the...

Land of the free BECAUSE of the brave.

…and tomorrow? Back to protecting cyber in the free world…

Have a great Fourth of July!
Jeff

Wednesday, June 28, 2017

Lurking Offshore: The Business Case Study for Working Together

Last week, the MPS-ISAO held a cybersecurity intelligence themed webinar, “Lurking Offshore: Active Cyber Threats Targeting Ports & Maritime”, with our partner, Wapack Labs. It’s a fascinating story about a financially motivated adversary using spear-phishing to target Ports.

I’m sure you are thinking, “Another scary cyber story… Why should I care?”

By studying the data associated with this actor (how, when, why, and who), the case for Maritime and Port organizations working together to protect themselves from cyber adversaries is made. Cybersecurity silos need to be shattered, now.

Understanding the adversary.
Because Wapack has been tracking this adversary for some time, we have learned a lot by studying the intel.
First, this adversary is successful.  Our intel team sees an almost 100% success rate with a low detection rate (< 5%) by traditional security technology and vendor-sourced data.  During the first six months of 2017, over 1,000 U.S. and European victims were observed.
It’s a cost-effective, organized business operation. The malware being used costs only about $30 per month, and the adversary has developed a business model with specialized skills.  There is also high reuse between victims: if one Port is compromised, there is a good possibility that other Ports will be targeted using the same spear-phish email.
And this adversary is persistent.  They improve their odds of success by including supply chain partners in the scope of an attack.  In one instance where a Port was the intended victim, ten suppliers to that Port were targeted at the same time, with the same spear-phish email used across all organizations.  The targeted suppliers were diverse, too.  They included:
  • Construction Consortium
  • Logistics Services
  • Oil & Gas Services
  • Consulting Services
  • Marine Transport
  • IT Services Provider
  • Multi-Modal Transport
  • Oil & Gas Engineering Services

Turning the tide.  
In 2015, the Obama administration issued two important cybersecurity measures.  A Presidential Executive Order (EO) issued in February 2015 promotes private sector cybersecurity information sharing; Section 2 of this EO directs DHS to “strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs).”  A few months later, the Cybersecurity Information Sharing Act of 2015 (CISA) was signed into law to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats.” CISA provides legal protections for organizations that share cybersecurity threat information, including through an ISAO.

These two measures led to the formation of the Maritime and Port Security ISAO (MPS-ISAO) and its parent organization, the International Association of Certified ISAOs (IACI), to promote cyber resilience.
If someone could tell you where the sharks were, wouldn’t you want to know?
The MPS-ISAO, headquartered at the Global Situational Awareness Center (GSAC) at NASA/Kennedy Space Center, is a non-profit, private sector-led organization working in collaboration with government to advance Port and Maritime cyber resilience.  Its core mission is to enable and sustain safe, secure, and resilient Maritime and Port critical infrastructure through security situational intelligence, bi-directional information sharing, coordinated response, and best practice adoption supported by role-based education.
Port and Maritime organizations that subscribe to the MPS-ISAO’s cyber intelligence service gain early threat awareness through industry-specific, cross-sector, and global cyber intelligence, along with countermeasure solutions.  They participate in a Maritime and Port community of stakeholders from across the sector who are interested in working together to achieve cyber resilience.
Going back to the Lurking Offshore case study, we know that this adversary targets multiple victims within a Port’s supply chain using the same malicious email, and then reuses that email across another 8-10 Port victims.  When the email is shared into the MPS-ISAO community, early threat awareness enables member organizations to put protective measures in place before the reused email reaches them.
So, a single share can protect many.
And, the business case for working together was never stronger.
Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.

Ransomware Affecting APM Terminals

On 27 June 2017, according to open source reporting, numerous high-profile organizations released statements that they had been affected by ransomware spreading via an SMB exploit. Merck & Co, Rosneft, Boryspil International Airport, Antonov State Company, Ukrenergo, and WPP are among the victim companies. The Maersk Group, on behalf of its subsidiary APM Terminals, confirmed infections in APM facilities. At the time of this report, the bitcoin (BTC) wallet associated with the ransomware had received thirty-one (31) payments totaling 3.27744736 BTC ($7,908.12 USD). Maersk issued the following statement: “We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation.” Open source reporting confirmed that ports in Rotterdam, NL and Mobile, Alabama, US were affected and closed until network systems are restored. It is probable that all ports with APM facilities are affected, given the malware’s multiple lateral movement capabilities. The PetrWrap ransomware (the same family later tracked as NotPetya) is being spread using the EternalBlue SMB exploit. The malware also leverages Windows Management Instrumentation Command-line (WMIC) and PsExec to spread internally across a network; because those two paths run with legitimate administrative credentials rather than an exploit, hosts patched against EternalBlue remain exposed once a neighbor on the same network is compromised.

Wapack Labs has cataloged and reported extensively on maritime vulnerabilities and ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
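The three spreading paths named above (an SMB exploit sweep, WMIC remote process creation, and PsExec) each leave telemetry that a detection rule can match. The block below is an added example for this page, not Wapack Labs detection content: the process-creation events, hostnames, IP ranges, payload paths and thresholds are constructed, and the rules are written against Sysmon event 1 / Security 4688-style fields and plain connection tuples rather than any particular SIEM schema.

```python
"""Detection logic for the spreading techniques named above (added example, not Wapack Labs code)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process-creation events (Sysmon event 1 / Security 4688 fields); hosts, users,
# addresses and payload paths are invented for the example.
PROCESS_EVENTS = [
    {"host": "WS01", "user": r"CORP\alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "WS01", "user": r"CORP\alice", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.0.0.12" /user:"CORP\svc_admin" process call create '
                r'"C:\Windows\System32\rundll32.exe C:\Windows\Temp\payload.dll,#1"'},
    {"host": "WS01", "user": r"CORP\alice", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\10.0.0.13 -accepteula -s -d C:\Windows\Temp\payload.exe"},
    {"host": "WS13", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\Temp\payload.exe", "cmdline": "payload.exe"},
    {"host": "WS02", "user": r"CORP\bob", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic os get caption"},
]

WMIC_REMOTE_NODE = re.compile(r"/node:", re.IGNORECASE)
WMIC_PROCESS_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)
PSEXEC_IMAGE = re.compile(r"(^|\\)(psexec(64)?|psexesvc)\.exe$", re.IGNORECASE)


def classify_process_event(ev: Dict[str, str]) -> List[str]:
    """Tag one event with the lateral-movement behaviours it shows (empty list = nothing matched)."""
    tags = []
    image, cmd = ev["image"].lower(), ev.get("cmdline", "")
    # WMIC aimed at a remote node and spawning a process: a credential-based hop, no exploit needed.
    if image.endswith("wmic.exe") and WMIC_REMOTE_NODE.search(cmd) and WMIC_PROCESS_CREATE.search(cmd):
        tags.append("wmic_remote_process_create")
    # The PsExec client, or its PSEXESVC service binary, running on either end of the hop.
    if PSEXEC_IMAGE.search(ev["image"]):
        tags.append("psexec_execution")
    # Anything the PSEXESVC service spawns on the target was started remotely by definition.
    if ev.get("parent", "").lower().endswith("psexesvc.exe"):
        tags.append("child_of_psexec_service")
    return tags


def scan_process_events(events) -> List[Tuple[str, str, List[str]]]:
    """(host, image, tags) for every event that tripped at least one rule."""
    hits = []
    for ev in events:
        tags = classify_process_event(ev)
        if tags:
            hits.append((ev["host"], ev["image"], tags))
    return hits


# Constructed connection records (src, dst, dst_port) from one short window. An EternalBlue
# sweep hits TCP/445 across a subnet, so one source talking SMB to many distinct peers stands out.
CONNECTIONS = [("10.0.0.5", f"10.0.0.{i}", 445) for i in range(10, 40)] + [
    ("10.0.0.7", "10.0.0.2", 445),
    ("10.0.0.7", "10.0.0.3", 139),
]


def smb_fanout(conns, min_peers: int = 20) -> Dict[str, int]:
    """Sources that opened TCP/445 to at least min_peers distinct hosts, with their peer count."""
    peers = defaultdict(set)
    for src, dst, port in conns:
        if port == 445:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= min_peers}


if __name__ == "__main__":
    for host, image, tags in scan_process_events(PROCESS_EVENTS):
        print(f"{host}: {image} -> {', '.join(tags)}")
    for src, count in smb_fanout(CONNECTIONS).items():
        print(f"{src}: SMB to {count} distinct peers (possible EternalBlue sweep)")
```

The local `wmic os get caption` query is deliberately left unflagged: WMIC itself is common in administration, and the signal is the combination of `/node:` with `process call create`. Tune `min_peers` to the normal SMB fan-out of file servers and scanners in your own environment, or exempt those sources, before alerting on it.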

Friday, June 23, 2017

The Darknet's Brickr Ransomware

Wapack Labs analysts observed an actor on the darknet advertising Brickr v1 ransomware. Brickr v1’s stated purpose is “to be affordable, cheap and reliable product.” Buyers must contact the actor through Jabber or through the darknet forum's private messenger. If executed, Brickr v1 encrypts a user's personal files; to receive the decryption key, a ransom must be paid. As of 28 May 2017, Brickr v1 was for sale for $80.00, payable in Bitcoin (BTC). After an article was published on how to remove Brickr ransomware using Task Manager, the actor added a feature that temporarily disables Task Manager when the malware runs. The actor revealed that Brickr v2 is under development and will include upgraded features. Wapack Labs will continue to monitor the forum, track all versions of this malware, and attempt to identify the actor.

Wapack Labs has cataloged and reported extensively on ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.