Tuesday, August 23, 2016

APT Sinkhole Connection Notification

Wapack Labs released a report today that identified 17 connections to Advanced Persistent Threat (APT) sinkholes by six corporate networks.  While not a perfect indicator, connections to these sinkholes are indicative of potential compromise by an APT actor.  Wapack Labs recommends that each of the 17 machines be examined by security personnel.

What’s a sinkhole? When a computer is compromised by malware, it often connects to a computer outside of the victim network for instructions.  Wapack Labs purchased these command and control (C2) nodes specifically to identify computers reaching out of their native environment.  As a result, any computer connecting to the Wapack Labs sinkhole should be considered likely compromised, and examined immediately for compromise, data loss, exfiltration or theft.

APT sinkholes indicate potential State Sponsored Espionage attacks against them.

Companies in the following industries are mentioned in this report:
  • Fortune 100 Chemical
  • Internet Service Provider
  • SMB Virtual Server Hosting 
  • SMB Onsite managed IT
  • Medium sized Defense Industrial Base company
  • SMB IT Consulting
Publication Date: 22 August 2016

Handling requirements: Traffic light protocol (TLP) RED - Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting or conversation in which it is originally disclosed.

Attribution/Threat Actors: Various/Multiple

Actor type:  Adversary capabilities have been assessed as Tier IV and Tier V (Criminal, State Sponsored, Advanced Persistent Threat)

Previous reporting: Multiple

Targeted industries:  Chemical, Defense/Industrial Controls, Internet/Hosting

Victim information will be provided separately to Wapack Labs security partners.

The full attribution report has been published in its entirety in the Red Sky Alliance portal.  For more information please contact the lab directly at 844-4-WAPACK, 603-606-1246, or feedback@wapacklabs.com.

About Wapack Labs

Wapack Labs, located in New Boston, NH is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC and individual organizations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber.  Wapack Labs’ engineers, researchers and analysts use deep analysis techniques and visualization to design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information.  The intelligence derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.