Monday, October 16, 2017

Attacker TTP: Discord Chat Application

On 12 October 2017, Wapack Labs observed underground conversations regarding Discord, a new communication method that is gaining popularity among hackers. Discord is a chat and voice-over-IP (VoIP) application designed for gamers to use with teammates, and it rivals other providers in the gamer market, including TeamSpeak and Ventrilo. Discord provides its service for free, with plans to monetize additional content such as chat application skins, emoticons and stickers in the future. Discord's ease of use, along with the fact that it is free, has drawn attention from novice hackers. This new, complementary communication method does not appear to replace forums, IRC, Jabber, or other established platforms. Various underground forums and image boards have begun to set up Discord servers for member chat, in addition to the usual offerings of IRC, Tor, Jabber, and e-mail. Discord supports both voice and text chat. Discord is currently an affordable option for gamers, but with further sophistication it could develop into a viable communication channel for hackers...READ MORE

Wapack Labs has cataloged and reported dark web communication channels in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

UPDATE - Indian Physical Security Company Compromise

Oct 14, 2017

On July 15, 2017, Wapack Labs identified, with high confidence, multiple keylogged, compromised email accounts belonging to an Indian physical security company. These email accounts were used to collect information from multiple internal systems and several external ones.

UPDATE Oct 14, 2017 - Since that initial notification in July, Wapack Labs has collected over 1,500 new records in its Cyber Threat Analysis Center (CTAC) intelligence collections, showing keylogger activity not only collecting data from the company's email system but also accessing its Customer Relationship Management (CRM) system, allowing potential targeting of the company's customers, including the Indian Oil and Coal India e-tender sites, Nuclear Power Corporation of India and others.

The company was notified of the breach in July, and again in October, with no response.

Companies cited in this report include:
  • IndianOil Etenders - a contracting site for Indian Oil (https://iocletenders.gov.in/nicgep/app)
  • MSTC METAL - a virtual online marketplace for the purchase of steel and ferrous/non-ferrous finished and semi-finished products on a fixed-price basis
  • Coal India Etenders - the eProcurement system of Coal India Limited: https://coalindiatenders.nic.in/nicgep/app
  • Bharat Oman Refineries Limited (BORL) - procurement site: https://etender.borl.in/BORL
  • Larsen & Toubro - construction and engineering in the energy industry
  • Hindustan Unilever Ltd - the Indian arm of the multinational consumer goods company Unilever
  • Samsung C&T
  • Lupin Pharmaceuticals - Lupin Pharmaceuticals, Inc. is the U.S. wholly owned subsidiary of Lupin Limited, which is among the top five pharmaceutical companies in India, with sales and marketing headquarters in Baltimore, MD.[2]
  • NTPC - India's largest power utility[3]
  • Hindustan Petroleum
  • Blue Star - "India's leading air conditioning and commercial refrigeration" company[4]
  • Nuclear Power Corporation of India
  • Rashtriya Chemicals and Fertilizers
  • The Indian Navy
  • Asian Paints
  • Siddhi Vinayak Logistics
  • Royal Moving Transportation


[1] Wikipedia
[2] Wikipedia
[3] http://www.ntpc.co.in
[4] bluestarindia.com
____________________________________________________________________________
The full report may be purchased at:

Thursday, October 12, 2017

Carding Shop in Possession of Stolen Credit Cards

The administrator of a dark web carding shop may be in possession of stolen credit cards from the recent Sonic breach, and is advertising carding services on numerous carding forums. On 28 September 2017, the shop posted a dump of five million credit cards, mostly US. Analysts believe with moderate confidence that all the data in this dump may be from the recent Sonic breach, and with high confidence that two unknown buyers recently purchased some of these cards. Wapack Labs believes with moderate confidence that the administrator is not the perpetrator of the breach but rather the seller of the stolen information, because the shop has a feature that allows members to sell stolen cards to it. Wapack Labs will continue to monitor the forum and persona to identify the threat actor...READ MORE

Wapack Labs has cataloged and reported carding shops and stolen credit card dumps in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Tuesday, October 10, 2017

8chan Vs. Anonymous

On 4 October 2017, Wapack analysts observed a post on 8chan's image board linking to a raid against Anonymous on the "insurgency" board. Raids are commonly organized on image boards and consist of harassing an organization by exposing its members' personal information (doxing), swatting, hacking, spamming, prank phone calls, and other forms of remote harassment. The raid organizers claim that they are sick of the Anonymous movement and that hacktivists are a bunch of annoying Social Justice Warriors (SJWs). The term SJW is common derogatory slang among image board users, directed at individuals who fight strongly for a cause. Several doxes of Anonymous members have been posted but have yet to be verified. The raid started in June and is still active on 8chan's "insurgency" board, but the alternative communication channels for it, such as IRC and Discord, were once active and no longer are, suggesting the raid is losing popularity and will likely soon end. Wapack Labs analysts will continue to monitor 8chan's cyber operations against Anonymous for any potential implications for our subscribers...READ MORE

Wapack Labs has cataloged and reported image boards and activity involving Anonymous in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Auto-Update Malware Delivery TTP

TLP AMBER ANNOUNCEMENT: 

Malicious Microsoft Word documents are one of the most prevalent malware delivery mechanisms, and typically use embedded Visual Basic for Applications (VBA) macros to download and install malware on a victim's machine. In late August and September 2017, Wapack Labs observed an uptick in an alternative Word document-based delivery method being leveraged in malicious email campaigns. The tactic uses auto-updating links, instead of macros, to download additional malware payloads. Given the prevalence of Office-based malware delivery, this method will likely affect multiple industries, including Red Sky Alliance members. This report provides analysis of related specimens, including common artifacts and observed campaigns, as well as a generic mitigation that detects most variants...READ MORE
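The report's own mitigation is member-only and is not reproduced here. As an added example, not code from the original report or from Wapack Labs, the Python script below shows one generic check for the class of technique described. It assumes that "auto-updating links" means Word field codes such as INCLUDETEXT, INCLUDEPICTURE or DDEAUTO, which Word refreshes when the document's settings request field updates on open, and it inspects the OOXML package for those field instructions, the w:updateFields setting and relationship targets that point outside the file. The sample document is constructed in memory with an example.invalid URL; whether the campaigns in the report used these exact fields is not stated on this page.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}

# Field instructions that make Word fetch or launch something when the field refreshes.
# This indicator list is an assumption for the example, not the report's own rule set.
SUSPICIOUS_FIELD = re.compile(r"\b(DDEAUTO|DDE|INCLUDETEXT|INCLUDEPICTURE)\b", re.IGNORECASE)


def field_codes(document_xml: bytes) -> list:
    """Return every field instruction in word/document.xml.

    Simple fields carry the instruction in w:fldSimple/@w:instr; complex fields
    spread it over w:instrText runs between 'begin' and 'end' w:fldChar markers
    and may nest, so a stack of open fields is kept.
    """
    root = ET.fromstring(document_xml)
    codes = [el.get(f"{{{W_NS}}}instr", "") for el in root.iter(f"{{{W_NS}}}fldSimple")]
    stack = []
    for el in root.iter():  # document order
        if el.tag == f"{{{W_NS}}}fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                codes.append("".join(stack.pop()))
        elif el.tag == f"{{{W_NS}}}instrText" and stack:
            stack[-1].append(el.text or "")
    return [c.strip() for c in codes]


def scan_docx(data: bytes) -> dict:
    """Flag a .docx whose fields would refresh on open and reach outside the file."""
    findings = {"update_fields_on_open": False, "suspicious_fields": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "word/settings.xml" in names:
            uf = ET.fromstring(z.read("word/settings.xml")).find("w:updateFields", NS)
            # An absent w:val means true under the OOXML boolean convention.
            if uf is not None and uf.get(f"{{{W_NS}}}val", "true").lower() in ("true", "1", "on"):
                findings["update_fields_on_open"] = True
        if "word/document.xml" in names:
            findings["suspicious_fields"] = [
                c for c in field_codes(z.read("word/document.xml")) if SUSPICIOUS_FIELD.search(c)
            ]
        # Relationships with TargetMode="External" point outside the package. Ordinary
        # hyperlinks are external too, so only non-hyperlink relationship types are reported.
        for name in names:
            if name.startswith("word/") and name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)):
                    if rel.get("TargetMode") == "External" and not rel.get("Type", "").endswith("/hyperlink"):
                        findings["external_targets"].append(rel.get("Target"))
    findings["verdict"] = "suspicious" if (findings["suspicious_fields"] or findings["external_targets"]) else "clean"
    return findings


def build_sample_docx(field_instr: str, update_fields: bool) -> bytes:
    """Construct a minimal .docx in memory (constructed test input, not a captured specimen)."""
    document = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve"> {field_instr} </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>cached result</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    settings = (f'<w:settings xmlns:w="{W_NS}">'
                + ('<w:updateFields w:val="true"/>' if update_fields else '')
                + '</w:settings>')
    rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx('INCLUDETEXT "http://example.invalid/stage2.docx"', update_fields=True)
    benign = build_sample_docx("PAGE", update_fields=False)
    for label, doc in (("lure", lure), ("benign", benign)):
        print(label, scan_docx(doc))
```

The check deliberately stays at the package level: it needs no Word installation and runs on a mail gateway or sandbox intake. The update-on-open flag is reported separately rather than folded into the verdict, because many legitimate templates set it; the combination of that flag with an INCLUDE* or DDE field is what a triage analyst should treat as a priority.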

Wapack Labs has cataloged and reported malware delivery tactics in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

Tor Network Shrinking

On 5 October 2017, Wapack analysts observed several prominent Tor-based hacker forums go permanently offline at the same time. For one forum, the clearweb address was offline while its Tor onion site was still online, suggesting a potential infiltration of the server, as seen in past law enforcement activities. The forums went offline without any announcement or reason given for the disappearance. Several Reddit users have re-circulated the onion addresses and are now speculating about what happened. A recent Gizmodo blog post explains that the Tor network is statistically shrinking: using the OnionScan tool, Gizmodo scanned a list of over 30,000 onion domains and reported only 4,400 online. Wapack analysts have not observed any new Tor-based hacking forums for more than a week, suggesting a possible move away from Tor to different channels of communication...READ MORE

Wapack Labs has cataloged and reported Tor network activity and trends in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Monday, October 2, 2017

Browser-Side JavaScript Miners Affect Computer Performance

Browser-side mining of cryptocurrencies, which uses the visitor's CPU in parallel worker threads for the operator's profit, was developed in the 2011-2014 time-frame. In September 2017 it was identified as part of malicious campaigns. Some content providers are testing this technology as a way to monetize their traffic. The SafeBrowse Chrome extension was allegedly hacked to include mining functionality. These mining scripts pose a moderate cyber threat, as they significantly slow down the computer while the page is open in the browser. Detecting these malvertising campaigns and disabling mining scripts is advised...READ MORE
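As an added example, not code from the original post or from Wapack Labs, the Python script below shows what "detecting mining scripts" can look like at a proxy or crawler: it pulls every script element out of a page and scores each one against behavioural traits that browser miners share, namely spawning a worker per CPU core, loading WebAssembly, a throttle setting and pool/hashrate vocabulary. The indicator list, weights, threshold and sample page are assumptions for illustration, not signatures taken from the report.

```python
import re
from html.parser import HTMLParser

# Behavioural indicators typical of browser mining scripts, with weights.
# The list, weights and threshold are assumptions made for this example.
INDICATORS = {
    "spawns_workers": (re.compile(r"new\s+Worker\s*\("), 2),
    "uses_wasm": (re.compile(r"WebAssembly\.(instantiate|compile|Module)"), 2),
    "reads_core_count": (re.compile(r"navigator\.hardwareConcurrency"), 1),
    "mining_vocabulary": (re.compile(r"stratum|cryptonight|hashrate|hashesPerSecond", re.I), 3),
    "cpu_throttle": (re.compile(r"\bthrottle\b", re.I), 1),
}
THRESHOLD = 4  # a miner hits several indicators; any single one is common in benign code


class ScriptCollector(HTMLParser):
    """Collects (src, inline body) for every <script> element on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None  # non-None only while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._buf = None


def score_script(body):
    """Return (score, matched indicator names) for one script body."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(body)]
    return sum(INDICATORS[name][1] for name in hits), hits


def find_miners(html):
    """Return the scripts on a page whose indicator score reaches the threshold.

    Scripts loaded via src have an empty inline body here; a real deployment
    fetches them and passes the fetched text through score_script.
    """
    parser = ScriptCollector()
    parser.feed(html)
    flagged = []
    for src, body in parser.scripts:
        score, hits = score_script(body)
        if score >= THRESHOLD:
            flagged.append({"src": src, "score": score, "indicators": hits})
    return flagged


# Constructed sample page: an analytics snippet, an external script, and an inline miner-like loader.
SAMPLE_HTML = """<html><head>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}</script>
<script src="/static/app.js"></script>
</head><body>
<script>
var threads = navigator.hardwareConcurrency || 2;
var throttle = 0.3;
WebAssembly.instantiate(bytes).then(function (m) {
  for (var i = 0; i < threads; i++) new Worker('/w.js');
});
// stratum pool config and hashrate reporting would follow
</script>
</body></html>"""

if __name__ == "__main__":
    for hit in find_miners(SAMPLE_HTML):
        print(hit)
```

Scoring on behaviour rather than on a hostname blocklist is what keeps the check useful when a miner is served from a fresh domain; the trade-off is that legitimate compute-heavy pages (in-browser video encoders, for instance) can also spawn workers and load WebAssembly, which is why the weights put most of the score on mining-specific vocabulary and why a flagged script should be blocked at the proxy or extension rather than auto-reported as an incident.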

Wapack Labs has cataloged and reported extensively on mining cryptocurrencies in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Monday, September 25, 2017

Aeronautical Phishing Campaign Targets Transportation

TLP AMBER ANNOUNCEMENT:

Several email accounts were identified as targets of an apparently unsuccessful phishing attack on several transportation-related organizations. These addresses were targeted in a phishing campaign, but the intended victims did not receive the phishing message because of a rate limit on the attacker's email account. While the phishing message body was not observed, the subject line of the message was "Court Notice," indicating a legal-themed lure. The unsuccessful phishing attack took place on 15 January 2017. Monitoring of the keylogger data is ongoing; however, Wapack Labs has no further information at this time...READ MORE

Wapack Labs has cataloged and reported phishing attacks and credential theft in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

New Tor Forum Recruiting Members

On 21 September 2017, Wapack Labs observed a new Tor-based forum. The discovery was made while monitoring another space where members post and review dark web markets. The forum is new and has three main discussion sections: Drugs, Fraud, and General. With the forum having recently opened for registration, the number of members is likely to grow. If members from other forums migrate to the new forum, it has the potential to become a reliable replacement market on the dark web. Wapack Labs will monitor the new forum and report on any activities affecting Red Sky Alliance members...READ MORE

Wapack Labs has cataloged and reported extensively on Tor forums and markets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TOR "Skimmer Shop"


On 20 September 2017, Wapack Labs observed a Tor site selling a variety of credit card skimming devices. The owners of the Tor site claim to produce and modify all the products in their own workshops, which are purported to be located in the U.S. and Europe. The website states the business began in early 2015 and now consists of eleven (11) technically trained employees. The shop sells a variety of skimmers based on the shopper's interests, presented in sections: ATM, gas pump, GSM (Global System for Mobile communications) receivers, POS, RFID, readers, and other skimmer accessories. Prices range from $800.00 USD to $1,800.00 USD, depending on the skimmer wanted. Wapack Labs will continue to monitor this dark net skimmer shop in an attempt to identify and monitor the threat actors and their activities...READ MORE

Wapack Labs has cataloged and reported extensively on Tor network shops in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Rogue Money Shredders

On 15 September 2017, Wapack Labs observed a new Tor onion site involving rogue, foreign money shredders. They claim to be part of a large network of shredders who devalue Swiss franc currency by re-circulating, or converting, the francs into other currencies: U.S. dollars (USD), euros (EUR), and British pounds (GBP). The hard currency to be shredded must be deteriorated, have holes, or be beyond a specific date, and only small amounts are laundered at a time. In order to procure the cash, they claim to use anonymous bitcoin bribes and violent threats. They state that the currency used is legitimate and legal, warning that counterfeit currency is illegal. The legitimacy of their hard currency product(s) is unknown. Wapack Labs will continue to research the group's capabilities and attempt to identify the actors involved in this currency operation...READ MORE

Wapack Labs has cataloged and reported extensively on Tor forums and money laundering in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, September 18, 2017

Carding Forum Observation

On 15 September 2017, Wapack Labs observed a carding forum advertising its services on numerous other carding forums. In addition to selling stolen credit cards (CCs), the forum's database contains thousands of CCs from around the world. Metadata and screenshots from several online videos point to the threat actor being in Russia. Wapack Labs will continue to monitor the forum in order to identify the Tactics, Techniques, and Procedures (TTPs) and the persona operating the carding forum.

Wapack Labs has cataloged and reported extensively on Russia and carding forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Saturday, September 16, 2017

New from Wapack Labs! Ridiculously Simple… RiskWatch!

Ridiculously simple is going to be my mantra. Wapack Labs' RiskWatch makes monitoring threats Ridiculously Simple. Define Ridiculously Simple, you say?

We can do it for you, or you can do it yourself.

For the individual: Sign in, enter an email. That domain gets checked and monitored. When we see something, you get a report. Simple right?

RiskWatch tallies the number of times any of your domains or IPs are seen in our intelligence. If one is seen, a report is generated and you get an email.

When the recipient of one of our emails logs in (for free), they'll see a dashboard that will give them enough information to fix the problem. For a small fee (starting at $9 per month) the victim can sign up for a detailed look, including raw logs and a notification service.

Think credit monitoring, but we're watching for malicious activity targeting you.

For your company: Today, our analysts screen thousands of companies. When we find issues, we'll enter a point of contact and you'll get the report. Fix away. Interested in having one of these in your own company? Use it for reporting security concerns, risks, threats to your suppliers? Partners? Easy.  Interested? Drop us a note. We're working on that console as we speak.  We'll call you when we're ready.

I was told "think Equifax report".

As of this morning, we've sent out over 1300 suspicious activity reports to individual users in the last two days.  Received one? No sweat.  Sign in. We'll build your report on the fly.

Want to be proactive? Sign up on the site. If we see something, we'll tell you!

Simple right?

RiskWatch is Patent Pending.

Tuesday, September 12, 2017

Warhorse Botnet and Attack Framework

In August 2017, Wapack Labs uncovered a new botnet leveraging a recently released attack framework dubbed "Warhorse". The bots were observed delivering the GlobeImposter malware to numerous targets, including those in the government, military, telecommunications, and energy sectors. JavaScript downloaders such as Warhorse have become a popular delivery mechanism for multiple malware campaigns. The speed with which Warhorse was adopted by cyber criminals is notable, with the campaign described in this report taking place only a few days after the project appeared on GitHub. While Warhorse currently has an above-average detection ratio on VirusTotal, it is still undetected by several major anti-virus vendors. Furthermore, since the delivery infrastructure is likely part of a larger botnet, there is a high probability the bots are being leveraged in other attacks. This report provides an early warning on this new botnet and details on the Warhorse attack framework...READ MORE

Wapack Labs has cataloged and reported extensively on botnets and malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, September 11, 2017

Profile: Arrested Chinese Cyber Actor Yu Pingan

TLP AMBER ANNOUNCEMENT: 

On 22 August 2017, a Chinese national named Yu Pingan was arrested and charged with cyber intrusions into four U.S. corporations between 2011 and 2014 that included the use of Sakula malware, known for its use in the major breaches of Anthem patient records and the Office of Personnel Management (OPM). Yu Pingan operates under the principal persona "Goldsun." Analysts believe (high confidence) that he is in fact the Goldsun who was active on the Chinese hacker website Xfocus.net from 2004 to 2009. He is credited with, and likely authored, several pieces of malware that he posted during this period. His real identity remained unknown, but email addresses in some of his posts correspond to other accounts identified in the charges that led to his arrest. The charges against Yu Pingan do not identify any organization he was working for, nor any connection to the Chinese government. Wapack Labs believes with medium confidence that Yu is affiliated with the Chinese civilian hacker group Wekby. The Chinese government has not issued any statements, and there has been no coverage of his arrest in official media...READ MORE

Wapack Labs has cataloged and reported extensively on China, Wekby, APT, and cyber intrusions in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

This TLP AMBER report is available only to Red Sky Alliance members.