Tuesday, December 27, 2016

Google AdWords Phishing Campaign

Wapack Labs has discovered a new phishing campaign. While generally simplistic, it contains some elements of high sophistication. It is also fairly expensive to operate, which suggests it is a precursor to a more sophisticated and potentially harmful campaign. Wapack Labs conducted a brief tactical analysis and is providing this report for your situational awareness.
  • A Google search for “Facebook” in Chrome returned an advertised link leading to fake anti-virus malware. 
  • Facebook was notified of this activity.
  • A much more serious malware campaign targeting major social, retail, and online companies may be in the works.
Publication Date: 19 December 2016
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Google AD campaign phishing/unknown author
Actor Type: Adversary capabilities have been assessed as Tier II
Industries Targeted: Financial, business and retail sectors
Past Reporting: Red Sky Alliance: DOC-2901
Companies Cited In This Report: Facebook, eBay, and Home Depot

The full report may be viewed in the Red Sky Alliance as DOC-4557.  
Contact Wapack Labs for more information.

Reorganization of China’s Military Cyber Forces

A significant reform of China’s People’s Liberation Army (PLA), instituted by President Xi Jinping on 31 December 2015, has resulted in a sweeping restructuring of PLA command elements and combat forces. This restructuring has affected China’s military cyber forces, including previously identified cyber actors. The PLA General Staff Third Department, under which these military cyber actors were subordinated, was apparently disestablished. This report analyzes how China’s military cyber forces are currently structured, and where they sit in China’s military hierarchy.

Information available from Chinese open sources, while still fragmentary, suggests that the following changes have taken place in Chinese cyber forces:
  • The former Third Department is now subordinated under an entirely new branch of service: the PLA Strategic Support Force (SSF).
  • The Third Department is now known as the SSF Network Systems Department. This was indicated by references to former Third Department elements that are now under this new entity.
  • The Third Department Eighth Bureau was one element identified as under the Network Systems Department. This suggests that cyber actors are also under the Network Systems Department.
  • The Third Department’s technical reconnaissance bureaus are probably also under the Network Systems Department.
Publication Date: 20 December 2016
Handling Requirements: Traffic light protocol (TLP) GREEN.
Attribution/Threat Actors: State actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
Actor Type: Adversary capabilities have been assessed as Tier IV.
Industries Targeted: US government, Department of Defense, defense contractors, and other US corporations.
Previous Reporting: N/A

The full report may be viewed in the Red Sky Alliance as DOC-4556.  
Contact Wapack Labs for more information.

Tuesday, December 20, 2016

27 Chinese Hackers Profiled

Hackers rely on information sharing and collaboration, and a large community of Chinese coders is doing just that: exchanging ideas and tools and sharing software development. This week, Wapack Labs published a study of 27 of the most active Chinese coders, revealing some common characteristics of this community:
  • These coders are not lone hackers. They are mostly employed by major corporations or network security firms, including Alibaba, Tencent, and Huawei, and the security firms KnownSec, Keen Team, and Evil Octal.
  • They are not anonymous. Real names were found for 18 of the 27 coders studied.
  • Many are well known in China and abroad. Several of those studied had more than 400 followers, and one had about 1,800.
  • Many contribute regularly; several updated ideas and code more than 200 times over a one-year period.
In addition, the white-hat posture taken by these coders appears to have been accepted so far by the Chinese government. This community does not appear to fear government suppression of the kind seen in the shutdown of the Wooyun vulnerability-reporting website earlier this year.

Publication Date: 8 December 2016
Handling Requirements: Traffic light protocol (TLP) AMBER
Attribution/Threat Actors: Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
Actor Type: Adversary capabilities have been assessed as Tier IV
Industries Targeted: Multi-industry targets/International
Past Reporting: The full reports may be viewed in Red Sky Alliance as DOC-2098, DOC-4350, and comment-7187.  Contact Wapack Labs for more information.  

PayPal Balance Reseller en Espanol

A member of a Spanish-speaking underground forum is promoting a PayPal balance transfer/payback scheme to clients. This type of financial transaction is illegal and is commonly funded with illicit proceeds. The forum member operates in Latin America, yet promotes the business in Spanish-language forums worldwide. This report is being provided for your situational awareness.
  • The Spanish-language forum supports malicious cyber tools and activity.
  • The forum member operates in Mexico and Central and South America.
  • The forum member accepts payments via Bitcoin, Western Union, and OXXO. 
The forum member prefers to communicate via Facebook and accepts payments via Bitcoin, Western Union, and OXXO (a Mexican convenience-store chain with more than 14,000 stores across Latin America that also offers money wire services such as Western Union). We assess with high confidence that this forum member lives in Latin America, most likely Mexico.

Publication Date: 16 December 2016
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: PayPal balance transfer scheme
Actor Type: Adversary capabilities have been assessed as Tier II
Potential Targets: Financial and PayPal
Past Reporting: The full reports may be viewed in Red Sky Alliance as DOC-3969.  Contact Wapack Labs for more information.  

Saturday, December 17, 2016

Cybersecurity Christmas Wish List

This blog entry saw a ton of views, so I thought it worth updating and republishing. We called this our Christmas Wish List, but it falls much more in line with our wish list for 2017. We hope you enjoy the read.

*********************************************************

It’s that time of year again, when we place our faith and trust in imaginary entities who always deliver exactly what is needed, under impossible circumstances, just in the nick of time. Why should wishes and dreams be limited to children’s toys? Don’t cyber security nerds and digital janitors deserve a little holiday magic too? As I close my eyes and think about what could be, I wish…

for more emphasis on blocking and tackling. Patch your systems in a timely manner. When reminded to upgrade a system, or update a software application, do it as soon as possible. Close unused ports. There are dozens of very unglamorous things you are not doing that would make getting pwned so much more difficult. I know people use the term “rock star” a lot in this field, but we’re all a lot more Howard than Mick.

for greater accountability at all levels. Bosses: walk the walk. Don’t say computer security is important and then force IT to make special exceptions for you. Your people do what you do more than they do what you say. Employees: Just because it’s a “cyber” policy doesn’t mean it should not be taken seriously. “Cyber” doesn’t mean “not real.” If anything it means the repercussions for not complying are likely to be disproportionate to whatever the meat-space analog would be.

for more sharing and collaboration. Join your industry ISAC. Join a private industry sharing initiative like Red Sky Alliance. Go to pertinent Meet-ups and connect (I didn’t say “network”) with people who can help you and who you can help. I don’t care how good you think you are, you’re not going to make it on your own.

practitioners would remember that they work for businesses, not security businesses. Anything you propose that precludes people getting things done or impedes their ability to make money is a non-starter. Learn the business, then apply security principles to it. Cyber security is not the issue we think it is, and no amount of wishful thinking is going to change that.

more people would do threat modeling. Don’t buy the hot thing because you saw it on an airport billboard. Don’t follow a given practice because you heard it stops the APTs. You and your business are a target, but for whom? What are their motivations? What are they capable of? You don’t bring a knife to a gun fight; you’re equally foolish if you buy a tank to fight a roach infestation.

more people would understand what real intelligence is and use it. Intelligence is not a feed. It is not an aggregation of feeds. Intelligence is a product of human minds applying various methodologies to data in order to provide context and meaning in order to help you make sound decisions. You can’t understand the threat, what risks you face, or what technologies or strategies will help you if you’re not consuming intelligence.

organizations would inject more realism and rigor in their security testing regimens. Once you know who or what you’re up against, test yourself against that same caliber of threat. Serious bad actors don’t look or sound anything like a pen test. If your adversaries are high-end, understand that they do their homework, they put in the time, and they understand ROI. If you’re not training to fight peer or superior adversaries, you’re setting yourself up for failure.

organizations would implement more effective security training. You can’t hold people accountable for security violations if they don’t know what a violation is. What’s good security practice and what’s negligence or malfeasance? Good training in cyber security doesn’t have to be expensive or time-consuming or onerous. You wouldn’t take someone off the street, throw them into a machine shop, and expect them to have all their fingers at the end of the week, but you pay lip service to security training and wonder why people are constantly falling for phishing schemes and plugging in those USB sticks they find in the parking lot.

for more open-mindedness in our field. If you listen to most people in cyber security it’s obvious what the solution to problem X is: just do what they say. That would be great if the world revolved around one person and there weren’t a million different factors that impact the ability to implement said solution in a non-catastrophic way. We spend way too much time fighting each other, blowing things out of proportion, and making up controversies than we do addressing actual problems. There is plenty of blame to go around, but if you’re not giving an inch or walking a mile in someone else’s proverbial shoes, you’re probably not really doing everything you can to advance the cause.

Now if you’ll excuse me, I’ve got to go prepare for the shenanigans of Stekkjarstaur, Giljagaur and Bjugnakraekir.

Attacker TTP: AntiFooling

On 10 December 2016, a Wapack Labs analyst reported on a tool, AntiFooling V1.0.0, shared on a Spanish-language hacker forum. To evade analysis, some advanced malware checks whether it is running in a virtual machine (the usual analysis sandbox) rather than on a real computer, and changes its behavior accordingly. AntiFooling turns that check against the malware: it simulates the processes and other artifacts normally seen in a virtual machine on a real computer, so that malware installed there believes it is being analyzed. The tool’s circulation is a concern for cyber research efforts. On 12 December 2016 a Wapack Labs analyst discovered a script, Anti-AntiFooling, being passed around on the same forum. Anti-AntiFooling v0.1 detects the use of AntiFooling by comparing MD5 hash values against known ones.

This report provides technical analysis, details on an additional tool, and attribution. Our PIR is being provided for your situational awareness and as an update to previous reporting.
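As an added example (not Wapack Labs’ code and not the AntiFooling or Anti-AntiFooling tools themselves, whose internals the report does not disclose), the Python below models the three behaviors described above: the virtual-machine artifact check that VM-aware malware performs, the planting of fake artifacts that an AntiFooling-style tool does, and the hash-comparison detection that Anti-AntiFooling uses. The process names, MAC prefixes and registry keys are well-known VMware/VirtualBox artifacts chosen for illustration; the hosts, file bytes and hashes are constructed sample data.

```python
"""Model of VM-artifact checks, artifact spoofing, and hash-based tool detection.

Added example; it is not the AntiFooling or Anti-AntiFooling code. The VM
indicator lists are common VMware/VirtualBox artifacts picked for illustration
(assumption: these are the kind of artifacts the real tools deal with).
"""
import hashlib
import uuid
from dataclasses import dataclass, field

# Artifacts VM-aware malware commonly looks for: hypervisor helper processes,
# vendor MAC (OUI) prefixes, and guest-additions registry keys.
VM_PROCESSES = {"vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe", "vboxtray.exe"}
VM_MAC_PREFIXES = {"00:05:69", "00:0c:29", "00:50:56", "08:00:27"}  # VMware, VirtualBox
VM_REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
}


@dataclass
class HostSnapshot:
    """What a probe of the host would observe (constructed data in this example)."""
    processes: set = field(default_factory=set)
    mac_addresses: set = field(default_factory=set)
    registry_keys: set = field(default_factory=set)


def vm_indicators(host: HostSnapshot) -> list:
    """The malware side: return every VM artifact present; empty means 'looks physical'."""
    found = []
    found += sorted(p for p in host.processes if p.lower() in VM_PROCESSES)
    found += sorted(m for m in host.mac_addresses if m.lower()[:8] in VM_MAC_PREFIXES)
    found += sorted(k for k in host.registry_keys if k in VM_REGISTRY_KEYS)
    return found


def malware_would_run(host: HostSnapshot) -> bool:
    """VM-aware malware detonates only when no sandbox artifacts are seen."""
    return not vm_indicators(host)


def fake_vm_artifacts(host: HostSnapshot) -> HostSnapshot:
    """An AntiFooling-style tool: plant VM artifacts on a physical host so the
    malware's check in vm_indicators() fires and the payload stays dormant."""
    return HostSnapshot(
        processes=host.processes | {"vmtoolsd.exe"},
        mac_addresses=host.mac_addresses,
        registry_keys=host.registry_keys | {r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    )


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 is used here only as an identifier, as the report describes)."""
    return hashlib.md5(data).hexdigest()


def detect_by_hash(files: dict, known_hashes: set) -> list:
    """The Anti-AntiFooling side: flag files whose MD5 matches a known tool hash.
    `files` maps a file name to its bytes; returns the matching names, sorted."""
    return sorted(name for name, data in files.items() if md5_hex(data) in known_hashes)


def local_mac() -> str:
    """Primary MAC of the machine running this script, formatted like the lists above.
    uuid.getnode() falls back to a random 48-bit value when no hardware address is found."""
    node = uuid.getnode()
    return ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


if __name__ == "__main__":
    physical = HostSnapshot(processes={"explorer.exe"}, mac_addresses={"3c:22:fb:aa:bb:cc"})
    spoofed = fake_vm_artifacts(physical)
    print("physical host, malware runs:", malware_would_run(physical))
    print("spoofed host, indicators:", vm_indicators(spoofed))
    sample_tool = b"constructed bytes standing in for an AntiFooling binary"  # constructed
    known = {md5_hex(sample_tool)}
    print("hash match:", detect_by_hash({"antifooling.exe": sample_tool}, known))
    print("repacked copy:", detect_by_hash({"antifooling2.exe": sample_tool + b"\x00"}, known))
    print("this host's MAC prefix looks like a VM:", local_mac()[:8] in VM_MAC_PREFIXES)
```

Two practitioner caveats follow from the model. Hash comparison only recognizes the exact bytes a defender has already seen: a renamed, repacked or recompiled copy of the tool changes the MD5 and passes `detect_by_hash` unnoticed, so it is a brittle indicator. Conversely, artifact spoofing only covers the checks the spoofer anticipated; malware that also measures timing, CPU count or disk size to fingerprint a sandbox is not fooled by a planted process name and registry key.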

Publication Date: 14 December 2016
Handling Requirements: Traffic light protocol (TLP) AMBER
Attribution/Threat Actors: Malware Tool Author
Actor Type: Adversary capabilities have been assessed as Tier II
Potential Targets: N/A
Past Reporting: DOC-4526

Huawei in Africa: Burkina Faso, Perceptions & Perspectives

Huawei continues to expand rapidly in Africa through fiber optic deployment and distribution of its networking and consumer products. Huawei’s products sold in Africa have a direct link back to mainland China, as does the WeChat mobile app used on its phones. Huawei’s marketing tactics toward governments have raised ethical questions and charges of undue influence.
  • Huawei has been operating in Africa for 17 years.
  • Huawei began by selling low-quality cell phones in Africa, but has since expanded and upgraded its product line, and its fiber optic network now underpins much of its near-monopoly on African connectivity.
  • Parliament officials in Burkina Faso have openly accepted free Huawei tablets, a clear conflict of interest.
Huawei will continue to grow in Africa so long as it delivers quality products and services at low costs to consumer and governmental markets. Its efforts may be undermined by practices such as the tablet incident in Burkina Faso, reinforcing the idea that it is using its economic strength to buy political power. African public opinion and trust, even among African consumers anxious to get their hands on the latest smartphone, are hard to rebuild once they have been compromised. This information is being supplied for your situational awareness.

Publication Date: 11 December 2016
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Huawei/Chinese government and military influence
Actor Type: Adversary capabilities have been assessed as Tier III
Potential Targets: African markets and government
Past Reporting: DOC-4455, DOC-2183, Msgs #9367 & #5060

Saturday, December 10, 2016

Black Hat Hackers: Counterfeit Coupons

Wapack Labs research into the hacker underground has uncovered a group of black hat hackers who claim to have taken over a coupon counterfeiting business. This black hat collective may be affiliated with another threat actor who operated in the dark web marketplace Silk Road and was sentenced to prison for selling counterfeit coupons. This information is being provided for your situational awareness. 
  • The collective is a self-described all-female black hat hacking group.
  • The collective appears to have taken over a coupon counterfeiting cyber business.
  • The collective offers a variety of counterfeit coupons for use at self-checkout lanes in retail stores.

Publication Date: 7 December 2016
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Black Hat Hacking Collective
Actor Type: Adversary capabilities have been assessed as Tier II
Potential Targets: Financial, business and retail sectors
Past Reporting: Msg/#8168 & 8722

Tuesday, December 6, 2016

Nigeria & Cyber Security: Two Steps Forward, One Step Back

Nigeria has long been a haven for highly talented and successful hackers, scammers, and their many spin-off groups. Having acquired this negative cyber reputation, Nigeria has in recent years enacted cyber laws to combat these groups and to protect its businesses and reputation. These laws were recently turned to political ends, yet they still mark a positive direction toward improved cyber security.
  • Nigeria has a historical negative reputation for cyber hackers and scammers.
  • New cyber security legislation has been enacted to curb cybercrime.
  • Nigeria has recently arrested a popular blogger under the cyber laws, which was viewed as a political more than law enforcement measure.

While our Wapack Labs African Desk sees Nigeria making real progress in cyber security, we still see a country facing an increasing domestic and international threat in all domains of cyber security. When considerations of terrorism and the ongoing Boko Haram activities are brought into the equation, the pursuit of bloggers seems quite petty at best, and at worst, negligently misguided. While Nigeria continues to make very real steps forward in cyber security, it also tends to take a few steps backwards along the way. This information is being supplied for your situational awareness.

Publication Date: 3 December 2016
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Hackers & Scammers
Actor Type: Adversary capabilities have been assessed as Tier III
Potential Targets: Worldwide targets using Nigerian networks; connections to terrorism
Past Reporting: DOC-4283, DOC-4002, DOC-4486

The full report is available on our Executive Readboard.

AlphaBay: DDoS-for-hire Service Author

AlphaBay Market is a well-known Tor-based underground website that advertises many malicious cyber tools and services for sale. A known DDoS-for-hire service author has been operating on AlphaBay. The author claims to have successfully targeted multiple corporations. This information is being provided for your situational awareness.
  • AlphaBay is hosted on the Tor (The Onion Router) network.
  • The AlphaBay Market is notorious for selling malicious cyber tools and services.
  • The DDoS-for-hire service author is a threat actor who provides DDoS attacks as a paid service.
Publication Date: 3 December 2016
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actor: DDoS-for-hire service author
Actor Type: Adversary capabilities have been assessed as Tier IV
Potential Targets: All; Distributed Denial of Service (DDoS) for hire provider
Past Reporting: DOC-4214

Saturday, December 3, 2016

Safe Haven: Perfect Money Iceland

On 29 November 2016 Wapack Labs identified several threat actors signing up for Perfect Money Iceland accounts. Perfect Money is an online payment service used to exchange many types of digital and conventional currency between accounts. Wapack Labs has previously assessed Iceland’s potential as a data safe haven. The adoption of the Icelandic version of Perfect Money confirms that actors are leveraging those privacy protections to launder the profits of their fraud. Wapack Labs is providing this attacker TTP analysis for your situational awareness.

Publication Date: 1 December 2016
Handling Requirements: Traffic light protocol (TLP) AMBER
Attribution/Threat Actors: Known Hacking Group
Actor Type: Adversary capabilities have been assessed as Tier III
Potential Targets: Worldwide (Financial Institutions)
Past Reporting: DOC-3116,4432

Friday, December 2, 2016

E-Cigarettes Are Spreading Malware

Suspect Chinese e-cigarette manufacturers are shipping USB charging units with malware embedded in them at the factory. If an infected e-cigarette charger is plugged into a computer, the malware can be delivered to that machine. This information is being supplied for your situational awareness.
  • E-cigarettes were invented in 1963, but further developed in 2003.
  • E-cigarettes are charged via USB chargers or by plugging them directly into computers.
  • USB devices continue to be shipped with malware implanted during the manufacturing process.
Using a USB device as a malware delivery system is not a new phenomenon, but it illustrates how easily companies can be breached in a very innocuous way. If you have ever questioned the legitimacy of a $5.00 made-in-China USB gadget on eBay, think twice before buying it and plugging it into your computer.

Publication Date: 28 November 2016
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Chinese e-cigarette manufacturer(s)
Actor Type: Adversary capabilities have been assessed as Tier II
Potential Targets: Financial, business and retail sectors
Past Reporting: DOC-4214

Tuesday, November 29, 2016

Huawei: Monopoly in Africa

Huawei Technologies Co. Ltd. has a very strong telecommunications foothold in Africa. Many security experts believe that Huawei has been and continues to be associated with the Chinese government’s information sharing program. Its strong presence across numerous areas of cyber technology is close to becoming a monopoly in Africa. This corner of the market sets the stage for an ambiguous domination of cyber technology within the African continent. This information is being supplied for your situational awareness.
  • Huawei began its African operations in 1999.
  • In 17 years, Huawei has expanded exponentially, with major footholds in Egypt, Kenya, South Africa, and across North and West Africa.
  • Huawei has long been suspected of collusion with the government of China and continues to raise cyber security suspicions. 

Huawei was suspected by South Sudan of surveillance and forgery in 2014, in an alleged effort to gain market intelligence and to delay the funding timeline of a rival telecom infrastructure project. There has been no current reporting on these accusations, yet the episode illustrates the savvy with which Huawei has built a near-monopoly in Africa on cyber systems, IT infrastructure, cyber products and associated training. Mr. Vincent (Bo) Pang, President of Huawei’s Western European Region, responding to the South Sudan claim, stated that Huawei is trusted across Africa because it is “in the region for the long haul.” Never was a truer statement made.

Wapack Labs, Africa Desk will continue to monitor Huawei and their African development.

Publication Date: 27 November 2016
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Chinese APT
Actor Type: Adversary capabilities have been assessed as Tier IV
Potential Targets: Vodafone, Thales (France), Orange, and numerous African telecoms
Past Reporting: DOC-4455/4249/2902, Msg-8558

Friday, November 25, 2016

Wanted: Wicked Smaat Cyber Security Operator/Analysts

Wapack Labs seeks two people for opportunities as Cyber Security Analysts with strong network security skills. 

What’s that mean? You should be able to break down TCP/IP, author Python scripts to manipulate network captured data, read PCAP, and correlate events.

  • Have you always wanted to be a cyber intelligence analyst?
  • When you see a ‘wet paint sign’ what do you do? 
  • Can you interface with non-technical type “A” personnel who rely on you to be their expert but may have egos like fighter pilots?
  • Can you break down network security indicators and use that data to compare to, and create intelligence?
  • Do you enjoy (we mean, take immense pleasure in) hunting and stopping bad guys on big networks?

If you’re this person, please continue reading.

Wapack Labs is looking for a Cyber Intelligence Operator and Analyst to work onsite at a VERY cool customer location in Concord, NH. 

The person selected for this position will be called upon for day-to-day operations of the in-place security solutions and for the identification, investigation and resolution of security breaches detected by those systems.

This may include involvement in the implementation of new security solutions, participation in the creation and or maintenance of policies, standards, baselines, guidelines and procedures as well as conducting vulnerability audits and assessments. The IT Security Analyst is expected to be fully aware of the enterprise’s security goals as established by its stated policies, procedures and guidelines and to actively work towards upholding those goals.

Position Responsibilities

  • You will be responsible for monitoring security in a large enterprise environment. You will be expected to have up-to-date knowledge of the IT security industry, including current attack TTPs and how they can be stopped.

  • You will interface with Wapack Labs intelligence operations and, with this knowledge, will be called on to recommend additional security solutions or enhancements to existing security solutions to improve overall enterprise security.

  • The Cyber Security Analyst may be called on to perform deployment, integration and configuration of new security solutions or enhancements to existing security.

  • More… as directed.

Knowledge & Experience

You must have a working technical knowledge of the following:

  • Security solutions including anti-virus, anti-malware, firewall, intrusion prevention, etc.

  • Computer hardware including desktops, laptops, smartphones (preferably iPhone), servers, storage, removable media, printers, faxes, and other storage or communication devices

  • Strong understanding of TCP/IP and other network protocols
  • Strong understanding of Microsoft and Linux Operating Systems

  • Strong network skills from a Security Operations perspective. What’s that mean? You should be able to break down TCP/IP, author Python scripts to manipulate network captured data, read PCAP, and correlate events.

  • Written, oral, and interpersonal communication skills; you will be required to write reports. Your ability to translate technical observations and analysis into actionable reports is critical. If you hate writing, stop here. This job is not for you. (This cannot be emphasized enough. All Wapack Labs positions include writing.)

Personal Attributes

  • No criminal record; a security clearance may be required
  • Proven analytical and problem-solving abilities
  • Ability to effectively prioritize and execute tasks in a high-pressure environment
  • Ability to conduct research into IT security issues and products as required
  • Ability to present ideas in business-friendly and user-friendly language
  • Highly self-motivated and directed
  • Team-oriented and skilled in working within a collaborative environment

Work Hours and Location

  • This is a full time onsite position. You will conform with the client’s normal business hours. 
  • Location: Concord, NH


Education and Certifications

Wapack Labs hires transitioning Veterans, Law Enforcement and First Responders first. Veterans, especially wounded warriors, service connected disabled, or those in an occupational transition program with IT or cyber skills are strongly encouraged to apply. 

BS/BA or equivalent work experience is required. Certifications will be accepted with 3+ years of demonstrated work experience on an operating IT or information security team. 

Interested? Shoot us a resume.