Tuesday, January 31, 2017

Florida Cargo and Cuba



The first maritime shipment from Cuba arrived in Ft. Lauderdale, FL (Port Everglades) this past week. Officials from Port Everglades and the Port of Palm Beach met with Cuban representatives, showing positive signs of trade cooperation, but failed to negotiate an agreement. This diplomatic collapse came one day after Gov. Scott threatened to cut off state port funding if the ports signed a pact with Cuba. In December 2014, the City of Ft. Lauderdale suffered a DDoS attack from a politically focused hacking group. A Florida embargo of Cuban goods could precipitate similar cyber actions.

Wapack Labs has reported extensively on maritime sector issues in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (N/A)
SERIAL: TR-020-2017
COUNTRIES: US (FL) & CU
REPORT DATE: 20170127

Early Warning of a Russian Keylogger Campaign


On 24 January 2017, Wapack Labs began collecting keylogger data associated with a threat actor's email address. All of the collected data associated with the threat actor indicated that the keylogging campaign has not yet become operational. Metadata contained within the keylogger output indicated the threat actor is located in Western Russia. A screenshot of the threat actor installing a cracked copy of a popular keylogger program indicates it was obtained from a Russian underground forum. The actor makes white-supremacist references, but it is unknown whether the references are indicative of the threat actor's motivations or are intended to mislead or insult malware researchers.

Wapack Labs has reported extensively on Russian threat actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (II)
SERIAL: TR-021-2017
COUNTRIES: XZ
REPORT DATE: 20170127

Thursday, January 26, 2017

Shamoon and Essex Shipping


On 17 January 2017, Abdulrahman al-Friah of the Saudi Arabia Computer Emergency Response Team (CERT) confirmed that close to 22 businesses in Saudi Arabia were affected by the Shamoon malware. Shamoon is alleged to have been created in Iran, and is the same wiper malware that hit Saudi Aramco in 2012. Some are identifying the malware as Shamoon 2. Among the companies affected was Essex Shipping.

Wapack Labs has reported on cyber threats to the maritime sector in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: GREEN
ACTOR TYPE: (V)
SERIAL: TR-018-2017
COUNTRIES: SA, GB
REPORT DATE: 20170125

Insider Trading in the Underground

Wapack Labs research has uncovered an underground forum of experienced grey and black hat hackers and coders that hosts an "Insider Trading" sub-forum. A variety of hackers and coders make their skills available in the various rooms. The forum claims to have a robust vetting process in place to exclude script kiddies, law enforcement, journalists, IT researchers, and "lurkers." The Insider Trading sub-forum claims to draw on talented users with expertise in advanced math, economics, quantum theory, and business entrepreneurship to facilitate insider trading.

TLP: GREEN
ACTOR TYPE: (V)
SERIAL: TR-017-2017
COUNTRIES: ANY
REPORT DATE: 20170125

Wednesday, January 25, 2017

WhatsApp - What’s up?

It has been demonstrated that a deliberate design decision in the WhatsApp messaging application created a vulnerable condition that could allow entire conversations or calls to be intercepted. Exploiting this condition would require a very highly skilled threat actor with access to WhatsApp servers in order to execute a man-in-the-middle attack.

Wapack Labs has reported on WhatsApp privacy in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 


TLP: GREEN
ACTOR TYPE: (V)
SERIAL: TIR-016-2017
COUNTRIES: All
REPORT DATE: 20170125

The Gambia Internet Embargo


On 30 November 2016, ahead of presidential elections the following day, The Gambian government blocked all Internet services as well as incoming and outgoing international phone calls. On 2 December 2016 President Yahya Jammeh reversed his decision to accept the election results that made Adama Barrow President, and declared that new elections would be held due to "serious and unacceptable abnormalities." A highly credible Wapack Labs source stated that urging from foreign leaders prompted the swearing in of Barrow at The Gambian Embassy in neighboring Senegal. On 21 January 2017 Jammeh agreed to step down and leave the country; social media users reported that messaging apps on at least one of the top 3 service providers in the country were unblocked.

Wapack Labs has reported on The Gambia in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: GREEN
ACTOR TYPE: (N/A) 
SERIAL: TR-015-2017 
COUNTRIES: GM 
REPORT DATE: 20170125

Tuesday, January 24, 2017

Ivory Coast's Main Port Closed


On 18 January 2017, the Ivory Coast Gendarmes, a police force under the authority of the defense ministry, took control of and closed the port in Abidjan. Ivory Coast is the world's leading producer of cocoa, and Abidjan is one of the two main cocoa export points. The cocoa factory and warehouses were also closed. The closure immediately affected London cocoa futures. This police action is a response to the disparity between Ivory Coast's economic growth and government wages.

Wapack Labs has reported on threats to the maritime and port industries in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: GREEN
ACTOR TYPE: (II) 
SERIAL: TR-013-2017 
COUNTRIES: GB, CI 
REPORT DATE: 20170122


Friday, January 20, 2017

Algerian Phishing Attempt


A Red Sky Alliance member reported a suspected phishing email to Wapack Labs. Subsequent analysis reveals the campaign was initiated by an Algerian threat actor associated with a known hacking team. This Algerian threat actor compromised a French auto dealership on 19 July 2016 and sent phishing emails to a social group in New England, U.S.A., from a compromised domain belonging to a pizza shop in South Carolina. This information is offered as a caution and presented for your situational awareness.
  • Algerian threat actor associated with known hacking team.
  • Previously targeted French organizations for religious/national reasons. Target set and motivations, for the attacks, may have evolved.
  • The hacking team's Twitter account went dormant on 17 Sep 2015 with the message "#Team_Closed Goodbye and Expect Us in 2016". On 19 December 2016 the group created a new Facebook page and appears active again...READ MORE
Publication Date: 12 January 2017
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Laakel En Person/Moujahidin Team
Actor Type: Adversary capabilities have been assessed as Tier II
Potential Targets: Worldwide phishing
Past Reporting: N/A


The full report may be viewed in the Red Sky Alliance as DOC-4608. 
Contact Wapack Labs for more information.

Wednesday, January 18, 2017

Italian Hackers and Eye Pyramid Malware

Italian authorities have arrested a brother and sister hacking team in connection with the hacking of over 18,000 emails, including those of Italian politicians, Vatican officials, and the European Central Bank. Giulio Occhionero and his sister Francesca Maria are alleged to have committed cyber-crimes beginning in 2012. G. Occhionero developed a proprietary keylogger malware named Eye Pyramid. This information is being supplied for your situational awareness.
  • The Eye Pyramid malware operation was begun in 2012 by the Occhioneros.
  • Eye Pyramid is keylogger malware which captured over 1,700 passwords.
  • This very basic malware demonstrates the ease of use, with high consequences...READ MORE
Publication Date: 11 January 2017
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Eye Pyramid/Giulio Occhionero, Francesca Maria Occhionero
Actor Type: Adversary capabilities have been assessed as Tier III
Potential Targets: Italian politicians, Vatican officials and European Central Bank
Past Reporting: Red Sky Alliance: DOC-2971, 3331, 3254

The full report may be viewed in the Red Sky Alliance as DOC-4612. 
Contact Wapack Labs for more information.

Tuesday, January 17, 2017

Japan Spear Phished by Trojan: BKDR_ChChes

In November 2016, a string of spear phishing attacks targeted Japanese governmental agencies. The Trojan in this attack was dubbed BKDR_ChChes by the anti-virus vendor Trend Micro. Tactics, Techniques, and Procedures (TTPs) show this was a targeted campaign using custom malware attributed to a known hacking group. Whether the Trojan was developed from the hacking group's 2015 source code leak, or was designed by the hacking group on behalf of the attackers, is an intelligence gap.


Publication Date: January 10, 2016
Handling Requirements: Traffic light protocol (TLP) AMBER
Attribution/Threat Actors: known hacking group, unknown Chinese threat actors
Actor Type: Adversary capabilities have been assessed as TIER III
Potential Targets: Japanese Government, Worldwide Governments / Worldwide Businesses
Previous Reporting: Red Sky Alliance: DOC-2343

The full report may be viewed in the Red Sky Alliance as DOC-4606. 
Contact Wapack Labs for more information.

IP Range Blocked in Guyana

A Guyanese telecommunications company, GTT, has been implicated in a large-scale spamming campaign and various cyber security related incidents. This prompted several U.S. financial institutions and payment services to block GTT's IP ranges. This may cause financial challenges to citizens and businesses in Guyana, but once the cyber security matters are rectified the IP range could be released. This information is being supplied for your situational awareness.
  • Guyana is an English-speaking South American/Caribbean country located to the east of Venezuela.
  • Guyana Telephone and Telegraph, rebranded as GTT+ in late 2015, is controlled by Atlantic Tele-Network (ATN). GTT+’s mobile unit Cellink competes with Digicel Guyana for market share and both operate the GSM/GPRS networks.
  • Digicel openly criticized GTT in 2016 for operating a government monopoly and hinted at corruption...READ MORE
Publication Date: 10 January 2017
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Caribbean black hat actors/UKN
Actor Type: Adversary capabilities have been assessed as Tier II
Potential Targets: PayPal; Bank of America and Google Pay
Past Reporting: Red Sky Alliance: DOC-3314

The full report may be viewed in the Red Sky Alliance as DOC-4598. 
Contact Wapack Labs for more information.

Friday, January 13, 2017

Publications Help Identify PLA Units with Cyber Missions

Military reform efforts in China have led to Signals Intelligence (SIGINT) units being assigned cyber missions. Order of battle analysis indicates there are three Chinese military units involved in cyber operations against foreign networks. All three are subordinate to the People's Liberation Army (PLA) General Staff Third Department. Research into publications by officers in these units helps confirm earlier assessments as to which units have cyber missions...READ MORE


Publication Date: 3 January 2016
Handling Requirements: Traffic light protocol (TLP) AMBER
Attribution/Threat Actors: Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits. 
Actor Type: Adversary capabilities have been assessed as Tier IV
Industries Targeted: U.S. Government, Department of Defense, U.S. defense contractor, and other U.S. corporate networks.
Past Reporting: Red Sky Alliance: DOC-4556

The full report may be viewed in the Red Sky Alliance as DOC-4592. 
Contact Wapack Labs for more information.


Thursday, January 12, 2017

Threat Actor with Diverse Malware Toolset

Analysis of Wapack Labs CyberWatch® data has led to the identification of a sophisticated threat actor with a diverse malware toolset. This report is being provided for your situational awareness.
  • Leverages a wide variety of malware
  • Targeting remains unknown at this time
  • Collected data indicates the threat actor is capable of reverse engineering malicious tools...READ MORE


Publication Date: 30 December 2016
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Oldstealer
Actor Type: Adversary capabilities have been assessed as Tier III
Potential Targets: Numerous sectors
Past Reporting: N/A


The full report may be viewed in the Red Sky Alliance as DOC-4574. 
Contact Wapack Labs for more information.

Wednesday, January 11, 2017

Foreign Influence of the 2016 Presidential Election


The 2016 U.S. Presidential Election was unprecedented on a number of levels. One’s personal politics aside, it is clear that there was a concerted foreign effort undertaken to influence the decision-making calculus of the American electorate. Was the perpetrator of that effort Russia, as conventional wisdom holds?

The analysts, linguists, and cultural experts at Wapack Labs looked at what data has been made publicly available from the government and other sources, as well as our own private data sources. We undertook this project to demonstrate that a serious analytic effort to attribute malicious activity is more than just connecting the dots: it is holistic, relying on diverse data sets, and subject to formal analytic methodologies.

Democracy Compromised is available to all Red Sky Alliance members in the portal.

We hope this work will both elevate the discussion around these issues, and enable decision-makers in the public and private sector who are concerned about these issues to focus their limited time on actual intelligence, rather than fear, hyperbole, and circular reporting.

Wapack Labs is a cyber threat analysis and intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and other organizations with targeted intelligence analysis that helps reduce risk and counter cybersecurity threats. Security teams, C-suites, and board rooms of public and private organizations around the world rely on our assessments and reports to keep them informed of threats to their enterprise. To learn more about us and the value of belonging to the Red Sky Alliance, contact sales@wapacklabs.com or call (603) 661-0366.

Tuesday, January 10, 2017

Spanish Underground Promotion: Malware Cloaking Tool


Wapack Labs has identified a malware concealing tool that is being promoted by a persona on the Spanish forum Indetectables.net. This report is being provided for your situational awareness.
  • Indetectables.net is a very active underground Spanish forum
  • The malware cloaking tool is for Windows 7-10
  • Undetected malware can have serious ramifications for network stability...READ MORE


Publication Date: 30 December 2016
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Spanish underground forum persona
Actor Type: Adversary capabilities have been assessed as Tier II
Potential Targets: Numerous sectors
Past Reporting: Red Sky Alliance: DOC-4323, 4420, 4469

The full report may be viewed in the Red Sky Alliance as DOC-4573. 
Contact Wapack Labs for more information.

Tuesday, January 3, 2017

Olympic Vision aka Codelux

Wapack Labs assesses, with moderate confidence, that Olympic Vision products will continue to be sought after as a one-stop shop for cyber criminals. The remote access keylogger known as Olympic Vision (formerly Codelux) is an attractive option for budget-minded hackers. Olympic Vision has a weakness in its internal licensing: the hacker must keep paying the keylogger's subscription license. Malware authors often use custom crypters like Olympic Crypter to prevent detection by anti-virus solutions. Olympic Vision's keyloggers and crypters are available at low rates in one place...READ MORE

Publication Date: 30 December 2016
Handling Requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Codelux software company 
Actor Type: Adversary capabilities have been assessed as TIER III.
Industries Targeted: Gaming Industry, Financial Sector
Past Reporting: N/A


The full report may be viewed in the Red Sky Alliance as DOC-4572.  
Contact Wapack Labs for more information.

Australian Malware Authors Release New Trojan


Wapack Labs assesses, with medium confidence, that Australian malware authors have released a new banking Trojan. This Trojan performs real-time web injections and redirection attacks on its victims. It currently receives only low and generic detection by intrusion prevention systems. Analysts at IBM report having followed the Trojan during its testing cycles. It has now moved out of the testing phase and is actively defrauding banks and consumers. If it becomes as virulent as its predecessors did, it will likely spread to the US by the second quarter of 2017...READ MORE

Publication Date: 23 December 2016
Handling Requirements: Traffic light protocol (TLP) AMBER.
Attribution/Threat Actors: Australian Malware Authors
Actor Type: Adversary capabilities have been assessed as TIER III.
Industries Targeted: Financial
Past Reporting: Red Sky Alliance: DOC-2301, DOC-2522, DOC-3456, Message #7963

The full report may be viewed in the Red Sky Alliance as DOC-4566.  
Contact Wapack Labs for more information.