Tuesday, February 28, 2017

Keylogger Genealogy: The Grandson of Hawkeye

Gear Informer is the successor to the iSpy Keylogger, which was itself developed as a replacement for the Hawkeye keylogger. This family of keyloggers is one of the most prevalent in Wapack Labs collections. Daily Show threat actors were quick to adopt it for their maritime shipping campaigns and provided Wapack Labs with our first observed sample...READ MORE

Wapack Labs has extensively reported on keyloggers in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

TLP: AMBER
ACTOR: N/A
SERIAL: TIR-002-2017
COUNTRIES: All
INDUSTRIES: All
REPORT DATE: 20170228

For Sale: W-2s and the GozNym Botnet

On February 17, 2017 Wapack analysts observed a deep web market vendor advertising 2016 U.S. W-2s with dates of birth (DOB) and U.S./EU bank accounts for sale. The same vendor is also selling the GozNym botnet. The vendor maintains good feedback in deep web markets. GozNym, though an underground tool, received media attention in late September 2016 when Cisco's Talos team reverse engineered its Domain Generation Algorithm (DGA). This exposure may be the reason for the vendor's current public sale through dark web market escrow systems. Though the vendor advertises on these sites, business is conducted over Jabber or email using PGP encryption...READ MORE

Wapack Labs has extensively reported on botnets in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: IA-004-2017
COUNTRIES: US, EU
INDUSTRIES: Financial
REPORT DATE: 20170221

The Relative Importance of the SHA1 Hash Collision


A hash collision occurs when two different inputs to a hash function produce the same output. Because a hash function accepts inputs of arbitrary length but produces a fixed-length output, collisions must exist (the pigeonhole principle); the only question is how expensive they are to find. Researchers from Google and CWI Amsterdam (the "SHAttered" attack) have now produced such a collision for SHA-1: two PDF files with different content and the same SHA-1 digest. The attack required 9,223,372,036,854,775,808 (2^63) SHA-1 computations, roughly 6,500 years of single-CPU time or 110 years of single-GPU time, estimated at about $130,000 of cloud computing. That is far below the 2^80 a generic birthday attack would need, but still only within reach of a well-resourced adversary. Two caveats for the threat model: this is a collision attack, not a preimage attack, so the attacker must control both colliding inputs, and HMAC-SHA1 is not affected. Uses where an attacker can supply one of two documents that will later be trusted by hash alone, such as certificate signing, code signing and version-control integrity, are the ones at risk. If your threat model includes organizations that can spend $130,000 on cloud computing power, you should give serious consideration to moving from SHA-1 to SHA-256 in short order.
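To put the 2^63 figure in context, the following Python is an added illustration (not part of the Wapack Labs report). A generic birthday search finds a collision on any n-bit hash in about 2^(n/2) hash evaluations without exploiting any weakness; here it is run against SHA-1 truncated to 32 bits so it finishes in seconds, and work_factors() compares that generic bound for full 160-bit SHA-1 (2^80) with the 2^63 computations SHAttered reported. All function names, the message prefix and the truncation width are assumptions of this example; the messages are constructed.

```python
import hashlib
import math
from typing import Optional, Tuple


def full_digest(data: bytes, algo: str = "sha1") -> bytes:
    return hashlib.new(algo, data).digest()


def truncated_digest(data: bytes, bits: int, algo: str = "sha1") -> int:
    """Top `bits` bits of the digest as an integer: a deliberately short hash
    so that a generic collision search completes quickly."""
    digest = full_digest(data, algo)
    return int.from_bytes(digest, "big") >> (8 * len(digest) - bits)


def expected_birthday_tries(bits: int) -> float:
    """Mean number of hashes before the first collision on a `bits`-bit output."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def birthday_collision(bits: int, algo: str = "sha1",
                       prefix: bytes = b"doc-") -> Tuple[bytes, bytes, int]:
    """Generic birthday search; works against any hash, needs no weakness.

    Returns (m1, m2, tries) with m1 != m2 and equal `bits`-bit digests.
    Messages are prefix + 8-byte counter (constructed inputs, not real documents)."""
    seen = {}
    counter = 0
    while True:
        msg = prefix + counter.to_bytes(8, "big")
        d = truncated_digest(msg, bits, algo)
        if d in seen:
            return seen[d], msg, counter + 1
        seen[d] = msg
        counter += 1


def work_factors(bits: int, best_known_log2: Optional[int] = None) -> dict:
    """Generic attack costs for a `bits`-bit hash and, if given, how far a
    published collision attack undercuts the generic birthday bound."""
    out = {"generic_collision": 2 ** (bits // 2), "generic_preimage": 2 ** bits}
    if best_known_log2 is not None:
        out["best_known_collision"] = 2 ** best_known_log2
        out["speedup_over_generic"] = out["generic_collision"] // out["best_known_collision"]
    return out


if __name__ == "__main__":
    m1, m2, tries = birthday_collision(32)
    print(f"32-bit SHA-1 collision after {tries} hashes "
          f"(expected about {expected_birthday_tries(32):.0f}): {m1!r} vs {m2!r}")
    print("full 160-bit SHA-1 digests differ:", full_digest(m1) != full_digest(m2))
    # SHA-1 is 160 bits; SHAttered reported 2**63 SHA-1 computations
    print(work_factors(160, 63))
```

The truncated collision shows the generic cost curve: 32 bits fall in tens of thousands of hashes, 160 bits would take 2^80. SHAttered's 2^63 is 2^17 (about 131,000) times cheaper than that generic bound, which is what moved SHA-1 from "theoretically weak" to "broken in practice". Note that the full digests of the two truncated-colliding messages still differ; producing a full 160-bit collision is exactly what required the $130,000 of compute.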


TLP: GREEN
ACTOR TYPE: (IV-V)
SERIAL: TR-040-2017
COUNTRIES: Worldwide
INDUSTRIES: All
REPORT DATE: 20170224

Hacking Foursome Promotes DDoS-as-a-service

Wapack Labs is researching a group of hackers who sell their DDoS-as-a-service. The team promotes their service on Russian hacker forums, and their website explains they use all types of DDoS and fake googlebots. They demonstrate their capabilities, via video, by boasting about the impact of their attack against major web sites. They target both web sites and mobile devices. Ironically, they also offer DDoS protection. 

Wapack Labs has cataloged and extensively reported on DDoS attackers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: TR-039-2017
COUNTRIES: RU
INDUSTRIES: ALL
REPORT DATE: 20170224

Continued Updates: PLA Cyber Actor & Mission


A continued review of academic work by members of the PLA revealed certain units publishing an increasing amount of papers on cyber security. One of these units was examined in detail to identify its personnel, expertise, location, facilities, and leadership. The results of this examination showed:
  • The name and location of the unit was confirmed.
  • Personnel identified as authors of computer and network security articles.
  • Increased spending on unit facilities.
Wapack Labs has reported extensively on Chinese cyber actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: Tier IV
SERIAL: IA-005-2017
COUNTRIES: CN
INDUSTRIES: All
REPORT DATE: 20170217

Monday, February 27, 2017

A (Fruit) Fly on the Wall: Surveillance Malware


Fruit Fly is surveillance malware that captures webcam imagery and screen contents from infected hosts; both Windows and Mac versions exist. Attribution is currently unknown; however, Fruit Fly has been found installed in numerous university research centers, which have long been of particular interest to Chinese state actors seeking intellectual property to accelerate their own research and development efforts.

Wapack Labs has extensively reported on surveillance and malware in the past. An archive of related reporting can be found in the Red Sky Alliance Portal. 

TLP: AMBER
ACTOR TYPE: (IV)
SERIAL: FR17-001
COUNTRIES: All
INDUSTRIES: All, Academia
REPORT DATE: 20170221

The Economical RAT: Luminosity.Link


The Luminosity.Link Remote Administration Tool (RAT) has been observed by a number of companies over the past year being spread through phishing emails. It is sold openly online and contains numerous features that make it popular among cyber criminals. Luminosity.Link is written for the .NET framework and targets Windows operating systems.

The key findings of our analysis:
  • Recent samples leverage the AutoIt scripting tool
  • Luminosity.Link uses the SundownEK (Exploit Kit) for delivery
  • Luminosity.Link samples contain encrypted configurations
Luminosity.Link is an economical RAT for cyber criminals. Coupling it with exploit kits targeting Windows systems further increases infection success rates. We assess with high confidence that the development and use of the Luminosity.Link RAT will continue...READ MORE

Wapack Labs has extensively reported on Remote Access Tools (RAT) in the past. An archive of related reporting can be found in the Red Sky Alliance Portal. 

TLP: AMBER
ACTOR TYPE: (I&II)
SERIAL: FR17-002 
COUNTRIES: Worldwide 
INDUSTRIES: Any, DIB 
REPORT DATE: 20170221

Wednesday, February 22, 2017

From Russia With Malware: "Boris" and "Natasha"

Wapack Labs research has revealed an association between the author of the BlackEnergy malware and ZORSecurity: one of the Russian companies sanctioned by the U.S. government in retaliation for Russian interference in the U.S. Presidential election. ZORSecurity CEO Alisa Shevchenko denies any involvement with these attacks or connections to Russian intelligence services. Dmytry Oleksyuk has been an employee of ZORSecurity for several years, and has acknowledged his involvement in creating BlackEnergy 1.X, which was used to DDoS Georgia during the 2008 war with Russia.

A more detailed report on these links can be found in the Red Sky portal. If you would like us to continue to monitor this relationship, click this link and hit send and we’ll notify you of any significant developments.

TLP: AMBER
ACTOR TYPE: (IV)
SERIAL: TR-037-2017
COUNTRIES: RU, U.S.
INDUSTRIES: Political, Governmental
REPORT DATE: 20170217

Tuesday, February 21, 2017

New Carding Shop Owner

Wapack Labs reports that an underground forum member, who is a new carding shop owner/operator, has been selling debit and credit cards on hacker/carder forums - boasting a 90% validity rate. The actor created a thread for card dumps and has a large base of various credit cards for sale; some belonging to a Red Sky Alliance member. He is still actively posting credit card dumps and providing a link to a web shop where the cards can be purchased. Lately, he has been selling large amounts of cards from numerous banks in the United States...READ MORE

Wapack Labs has extensively reported on card dumping in the past. An archive of related reporting can be found in the Red Sky Alliance Portal. 

The following organizations were cited in this report: Red Sky Alliance member

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: IA-003-2017
COUNTRIES: RU
INDUSTRIES: Financial
REPORT DATE: 20170217

Wednesday, February 15, 2017

Fake News and Social Media


The liberation of publishing from traditional media outlets has allowed individuals to practice news reporting, with mixed results. For every legitimate attempt to disseminate factual information, faux reporters traffic in "fake news" to increase their popularity rather than their accuracy. Apple CEO Tim Cook recently called for a "massive campaign" to raise awareness of the problem, as fake news has influenced or is influencing elections in the U.S., Russia, Ukraine, France and other countries. Combating fake news will require not only the active participation of media outlets but also an emphasis on critical thinking skills in national education systems.

Wapack Labs has reported on fake news in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The following organizations were cited in this report: Apple

TLP: AMBER
ACTOR TYPE: (IV)
SERIAL: TR-036-2017
COUNTRIES: US, RU, UA, FR
INDUSTRIES: ALL
REPORT DATE: 20170214

TLS 1.3 Adoption


OpenSSL 1.1.1, the release that implements TLS (Transport Layer Security) 1.3, is scheduled for 5 April 2017 and is planned to remain compatible with version 1.1.0. TLS 1.3 contains important changes, including 0-RTT (zero round-trip time) session resumption and the removal of numerous legacy cipher suites and features vulnerable to cryptographic attacks: static RSA and DH key exchange, RC4, 3DES, CBC-mode ciphers (only AEAD suites remain) and compression. One caveat for adopters: 0-RTT data can be replayed by design, so servers should accept it only for idempotent requests. Current and planned adoption of TLS 1.3 on commonly used platforms: Cloudflare on 20 September 2016; Chrome version 56+ on 25 January 2017; Opera version 43+ on 7 February 2017; Firefox version 52+ on 7 March 2017; OpenSSL 1.1.1+ on 5 April 2017; Akamai TBD after the OpenSSL release. Browser support at this stage is for the draft specification and only negotiates with servers that speak the same draft. Wireshark, the most prevalent network protocol analyzer, does not yet decode TLS 1.3 as of version 2.2.4; development is in progress and the status can be followed on the Wireshark Bugzilla.
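One reason existing analyzers misreport TLS 1.3 is that the ClientHello keeps legacy_version = 0x0303 (TLS 1.2) and signals 1.3 only through the supported_versions extension (type 43); a tool that reads only the record or legacy_version field sees "TLS 1.2". The Python below is an added example, not code from the report or from Wireshark: it builds a minimal ClientHello from constructed values, parses it the way a version/cipher audit would, and reports whether the client offers TLS 1.3 and whether it still offers legacy suites that TLS 1.3 drops. The suite tables are a small assumed subset, the ClientHello omits extensions a real browser sends (SNI, key_share, signature_algorithms), and the function names are this example's own.

```python
import struct
from typing import Dict, List

TLS12, TLS13 = 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43  # extension type used by TLS 1.3 to advertise versions

# Assumed sample tables, not exhaustive.
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
LEGACY_SUITES = {  # static RSA key exchange, RC4, 3DES, CBC: all gone in TLS 1.3
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def build_client_hello(suites: List[int], versions: List[int]) -> bytes:
    """Build a minimal ClientHello record. Constructed test input, not a capture.
    An empty `versions` list models a TLS 1.2-only client, which omits supported_versions."""
    body = struct.pack("!H", TLS12) + bytes(32)  # legacy_version is 0x0303 even for TLS 1.3
    body += b"\x00"  # empty legacy_session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # compression_methods: null only
    ext = b""
    if versions:
        sv = struct.pack("!B", 2 * len(versions)) + b"".join(struct.pack("!H", v) for v in versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # record layer


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Extract legacy_version, cipher suites and supported_versions from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 0
    legacy_version = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    off += 32  # random
    off += 1 + body[off]  # legacy_session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]  # compression_methods
    versions: List[int] = []
    if off < len(body):  # extensions block present
        ext_total = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_total
        while off < end:
            ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
            off += 4
            data = body[off:off + ext_len]
            off += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                n = data[0]  # length in bytes of the version list
                versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"legacy_version": legacy_version, "cipher_suites": suites, "supported_versions": versions}


def assess(info: Dict[str, object]) -> Dict[str, object]:
    """Audit verdict: does the client offer TLS 1.3, and which legacy suites does it still carry?"""
    suites = info["cipher_suites"]
    return {
        "offers_tls13": TLS13 in info["supported_versions"],
        "tls13_suites": [TLS13_SUITES[s] for s in suites if s in TLS13_SUITES],
        "legacy_suites": [LEGACY_SUITES[s] for s in suites if s in LEGACY_SUITES],
    }


if __name__ == "__main__":
    modern = build_client_hello([0x1301, 0xC02F, 0x0005], [TLS13, TLS12])
    info = parse_client_hello(modern)
    print(hex(info["legacy_version"]), [hex(v) for v in info["supported_versions"]])
    print(assess(info))
```

The legacy_version in the first printed line is 0x0303 even though the client offers 0x0304, which is exactly why version detection must read supported_versions. The same parser, pointed at captured ClientHellos from your own clients, tells you which of them will benefit from TLS 1.3 once your servers support it and which still advertise suites you should be removing regardless of the TLS version negotiated.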

Wapack Labs has reported on encryption protocols in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: GREEN
ACTOR TYPE: (N/A)
SERIAL: TR-035-2017
COUNTRIES: ALL
INDUSTRIES: ALL
REPORT DATE: 20170214

Google Blocks .js Files


Google has long blocked Gmail attachments with extensions such as .exe, .msc and .bat for security reasons. On Monday, 13 February 2017, it added .js to the blocked list. A .js file normally holds JavaScript meant to run client side, inside a web page; the danger as an attachment is that on Windows a double-clicked .js file is executed by the Windows Script Host (wscript.exe) with the user's privileges, outside any browser sandbox. Criminals use such JavaScript downloaders to fetch and execute second-stage payloads such as the Citadel banking trojan and TeslaCrypt ransomware. The same reasoning applies to other script types Windows runs directly (.jse, .vbs, .wsf, .hta), so a filtering policy on your own mail gateway should not stop at .js.
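Organizations that do not use Gmail can apply the same control at their own gateway. The Python below is an added example (not the report's code and not Google's implementation) that parses a constructed MIME message, flags attachments whose final extension is on a block list, and also looks inside zip archives, since a .js inside docs.zip runs just as well once extracted. The block list is an assumed subset of the extensions the page names plus .js; the message, filenames and payloads are constructed; function names are this example's own.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Assumed subset for illustration; extend with .jse, .vbs, .wsf, .hta and others your policy covers.
BLOCKED_EXTENSIONS = {".exe", ".msc", ".bat", ".js"}
ARCHIVE_EXTENSIONS = {".zip"}


def blocked_extension(filename: str) -> bool:
    """True if the *final* extension is on the block list.

    Windows ignores trailing dots and spaces in a file name and hides the last
    extension by default, so 'Invoice.pdf.js ' opens as a script, not a PDF."""
    ext = os.path.splitext(filename.lower().rstrip(". "))[1]
    return ext in BLOCKED_EXTENSIONS


def scan_attachments(raw: bytes) -> List[str]:
    """Return the attachment names (and archive members) that the policy would block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if blocked_extension(name):
            hits.append(name)
        # Check by extension and by magic bytes; renaming a zip does not change its contents.
        if os.path.splitext(name.lower())[1] in ARCHIVE_EXTENSIONS or data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits.extend(f"{name}:{member}" for member in zf.namelist()
                                if blocked_extension(member))
            except zipfile.BadZipFile:
                hits.append(f"{name}:unreadable archive")  # cannot inspect, so do not pass it
    return hits


def build_sample_message() -> bytes:
    """Constructed sample message, not a real phishing email."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    # Double extension: the user sees 'Invoice_2017.pdf' if extensions are hidden.
    msg.add_attachment(b"// placeholder script body\n", maintype="application",
                       subtype="javascript", filename="Invoice_2017.pdf.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_0217.js", "// placeholder script body\n")
        zf.writestr("readme.txt", "nothing to see\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="report.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for hit in scan_attachments(build_sample_message()):
        print("blocked:", hit)
```

Two details matter in practice. The check is on the last extension after stripping trailing dots and spaces, because that is what Windows acts on, so "notes.js.txt" is allowed and "run.bat. " is not. And an archive that cannot be opened is reported rather than silently passed, since a password-protected or corrupted zip is a common way to move a script past a filter that only inspects what it can read.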

Wapack Labs has reported on JavaScript Downloaders in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The following organizations were cited in this report: Google

TLP: AMBER
ACTOR TYPE: (I&II)
SERIAL: TR-034-2017
COUNTRIES: XZ
INDUSTRIES: ALL
REPORT DATE: 20170214

Monday, February 13, 2017

Threats Associated with an Air Traffic Overhaul

Many aviation experts in the U.S. are urging the current administration to draft a plan to privatize the air traffic control system. It is hoped that privatization would lead to modernization, which would almost certainly include greater use of information technology. We recently reported on airline "computer glitches" at carriers such as Delta, Southwest, United and Air France that were in fact hacking incidents. Hackers have broken into FAA air traffic control mission-support systems in the past. The FAA has improved its cybersecurity posture, but a major modernization effort would enlarge the attack surface and introduce numerous new vulnerabilities.

Wapack Labs has reported on airline cyber hacking in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The following organizations were cited in this report: United, Delta, SWA, & Air France

TLP: AMBER
ACTOR TYPE: (V)
SERIAL: TR-033-2017
COUNTRIES: US, FR, CN, XZ
INDUSTRIES: Transportation, Financial
REPORT DATE: 20170210

Rebranding iSpy Keylogger: Gear Informer

On 21 December 2016 the developer of iSpy Keylogger, the successor to Hawkeye Keylogger, rebranded the malware as Gear Informer. At the same time, the developer changed his persona. Current users of iSpy Keylogger were given until 31 January 2017 to update their clients before it was shut down.

Wapack Labs has reported on iSpy Keylogger in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: GREEN
ACTOR TYPE: (N/A)
SERIAL: TR-0XX-2017
COUNTRIES: ALL
INDUSTRIES: Financial
REPORT DATE: 20170210

Russian Keylogger Perseveres: Intelligence Assessment

On 24 January 2017, Wapack Labs began collecting keylogger data associated with a threat actor's email address. All of the collected data that was associated with the threat actor indicated that the keylogging campaign has not yet become operational. Metadata contained within the keylogger output indicated the threat actor is located in Western Russia. A screenshot of the threat actor, installing a cracked copy of a popular keylogger program, indicates it was obtained from a Russian underground forum. The actor makes white-supremacist references, but it is unknown if the references are indicative of the threat actor’s motivations or intended to mislead/insult malware researchers...READ MORE

Wapack Labs has reported extensively on Russian threat actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (II)
SERIAL: IA-002-2017
COUNTRIES: XZ
INDUSTRIES: N/A
REPORT DATE: 20170210

Thursday, February 9, 2017

Maritime Shipping Concerns

Shipping companies investing in maritime port terminals may increase their exposure to cyber-attacks. Such investments reduce the cost of moving cargo, which can improve profitability. Two years of cheap credit and low fuel prices have propped up weaker carriers, lowered demand, and delayed the mergers and alliances needed to resolve these concerns. An example: Hyundai Merchant bought a 20% stake in Total Terminals International LLC (TTI), which operates a container terminal at the Port of Long Beach, from Mediterranean Shipping Co. In addition to the risks of integrating ship-to-shore network connections, adding another company (and its sub-contractors) to the corporate mix increases supply-chain risk.

Wapack Labs has reported on maritime shipping in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The following organizations were cited in this report: Hyundai Merchant, Port of Long Beach, Total Terminals International LLC

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: TR-031-2017
COUNTRIES: US, KR, ES
INDUSTRIES: Maritime
REPORT DATE: 20170208

Wednesday, February 8, 2017

Chinese Police Use of Commercial Mobile Apps

The use of common mobile apps by Chinese authorities is a double-edged sword, supporting public services as well as enhanced surveillance. As an example, Chinese authorities recovered over 660 missing children in 2016 using the "Tuan Yuan" ("reunion") app. App users near the location where a child is reported missing receive push notifications, including photos and descriptions of the lost child. Notifications are sent to app users farther and farther from the location of the disappearance if the child is not immediately found. Chinese police use of apps like Tuan Yuan, ride-sharing apps and even shopping apps significantly accelerates efforts to locate persons of interest; the same location and account data that finds a missing child finds anyone else the police are looking for.

TLP: AMBER
ACTOR TYPE: (N/A)
SERIAL: TR-028-2017
COUNTRIES: CN
INDUSTRIES: 
REPORT DATE: 20170206

The Taxman Cometh: Selling W-2 Forms in the Darkweb


Wapack Labs has identified an actor in the Tor-based markets whom we have labeled "Taxman". Taxman is selling U.S. W-2 forms from 2016 as well as taxpayer dates of birth. He also sells bank account information for at least one U.S. and one Australian bank, as well as credit reports. Taxman also sells botnets, along with installation and support for them. He is a verified vendor on several Tor .onion markets and deals exclusively in Bitcoin.

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: TR-030-2017
COUNTRIES: US, Australia
INDUSTRIES: Financial
REPORT DATE: 20170207

Tuesday, February 7, 2017

Roughnecks v. IoT/SCADA

The oil industry is the latest to recognize the benefits, and the risks, of the Internet of Things (IoT). Increased use of automation and robotics is causing many traditional "roughneck" jobs to be abolished. IoT-enabled supervisory control and data acquisition (SCADA) systems control automated drilling sites, which drives down both labor costs and human error but introduces new risks. Such systems, and the devices they are composed of, are built for functionality and reliability, not security. "Air gaps" and other protections help, but the same remote service and maintenance pathways that legitimate vendors use to meet service-level agreements are also avenues of attack for malicious actors, and an air gap bridged by a vendor VPN or a technician's laptop is no longer an air gap.

Wapack Labs has extensively reported on IoT in the past. An archive of related reporting can be found in the Red Sky Alliance Portal. 

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: TR-029-2017
COUNTRIES: US
INDUSTRIES: OIL
REPORT DATE: 20170207

Seafarer Personality Assessment PII Risk


Seafarer personality assessments can be valuable in preventing accidents at sea caused by human error. These assessments are often conducted by organizations outside the scope of the U.S. Health Insurance Portability and Accountability Act (HIPAA), so the results need not be stored or protected to HIPAA standards. Should a data breach occur, seafarers are not only at risk of fraud; insight into an individual's personality could be leveraged by criminals, competitors or hostile intelligence services for targeting and social engineering. The Office of Personnel Management (OPM) breach, in which background-investigation records were stolen (intrusions in 2014, disclosed in 2015), is the textbook example of this kind of exposure.

Wapack Labs has reported on data breach liabilities in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 

TLP: GREEN
ACTOR TYPE: (N/A)
SERIAL: TR-026-2017
COUNTRIES: ALL
INDUSTRIES: Maritime
REPORT DATE: 20170207

Vast Quantities of Credit Cards Being Sold in the Underground

Wapack Labs has monitored an underground forum member, who provides a web page link, where he sells debit and credit cards. The actor created a thread for card dumps and has a large base of various credit cards for sale; some belonging to a Red Sky Alliance member. He is still actively posting credit card dumps and providing a link to a web shop where the cards can be purchased. Lately, he has been selling large amounts of cards from numerous banks in the United States.

Wapack Labs has extensively reported on card dumping in the past. An archive of related reporting can be found in the Red Sky Alliance Portal. 

The following organizations were cited in this report: Red Sky Alliance member

TLP: AMBER
ACTOR TYPE: (II)
SERIAL: TR-027-2017
COUNTRIES: US
INDUSTRIES: Financial
REPORT DATE: 20170203

Monday, February 6, 2017

The Power of Social Media: #DeleteUber


Uber did not honor a New York City taxi strike at JFK Airport this past weekend, which was called in response to the Trump Administration's executive order on immigration targeting several majority-Muslim countries. Social media activists staged an online boycott of Uber under the hashtag #DeleteUber. The hashtag #UberRideswithHate was also used in conjunction with planned protests in Oakland, New Orleans, Los Angeles, Seattle, Hoboken and other cities. The online protest led Lyft, Uber's rival, to gain customers even though Uber cut its basic-service (uberX) fares in New York City by 15%; the fare cut in turn led to an Uber driver strike. Negative coverage of these events and public sentiment among Uber employees led CEO Travis Kalanick to resign from President Trump's business advisory council.

Wapack Labs extensively reported on social media protests in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

The following organizations were cited in this report: Uber, Lyft

TLP: AMBER
ACTOR TYPE: (II)
SERIAL: TR-025-2017
COUNTRIES: US
INDUSTRIES: Transportation, Financial
REPORT DATE: 20170203

Friday, February 3, 2017

Selling PayPal Accounts: Spanish Language Facebook Group

On 31 January 2017, Wapack Labs discovered a private Spanish-language group on Facebook. The group sells compromised Mexican and German PayPal accounts for between 500 and 1,000 Mexican pesos (MXN). Wapack Labs believes, with medium to high confidence, that the administrators of the group are in Mexico, as they transact in Mexican pesos. It is unclear at this time how they gain control of the accounts they sell. Once a buyer pays for an account, the group provides expanded details on it.

Wapack Labs extensively reported on PayPal fraud schemes in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

The following organizations were cited in this report: PayPal, Facebook

TLP: AMBER
ACTOR TYPE: (N/A)
SERIAL: TR-024-2017
COUNTRIES: US (FL) & MX, DE
INDUSTRIES: Financial
REPORT DATE: 20170202

Wednesday, February 1, 2017

Update: PLA Cyber Actor & Mission

A review of academic work by members of the PLA revealed certain units publishing an increasing amount of papers on cyber security. One of these units was examined in detail to identify its personnel, expertise, location, and leadership. The results of this examination showed:
  • Personnel identified as authors of computer and network security articles.
  • Unit locations.
  • Increased spending on unit facilities.
Wapack Labs has reported extensively on Chinese cyber actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
Actor Type: Tier IV
Serial: IA-001-2017
Country: CN
Report Date: 20170131