Friday, March 31, 2017

APT's Code Used Against Global Government Financial Websites

The code, tactics, techniques, and procedures (TTPs) used against government financial regulatory websites in Poland, Mexico, and Uruguay are too similar to be coincidental. These attacks are almost certainly being carried out by a known APT group. Security researchers in Poland are uncovering artifacts from a recent breach in which attackers used that country’s financial regulatory organization’s website to spread malware. Indicators of Compromise (IOCs) that led to the discovery included abnormal network traffic and unknown encrypted executables resident on victim machines. This APT group has targeted Asian-based financial institutions and manufacturing companies since at least 2009, in addition to stealing $81M from global financial institutions. They have also been attributed with cyber espionage campaigns. Technical details of the attack in Poland, and mitigations, are provided herein.

Wapack Labs has cataloged and reported extensively on APT malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


WWW.WAPACKLABS.COM

Thursday, March 30, 2017

“Hacking” – lead411.com Anyone?

During recent analysis, Wapack analysts discovered a sales lead email from app.lead411.com. Lead411 is a sales lead generation tool that mines open sources for opportunities. Hackers have been known to apply such tools to a lesser-known use case: pre-attack reconnaissance. In this case, a bad actor signed up for a lead411 account and is using it to identify potential victims for future targeting, as well as topics or issues that can be used to lend legitimacy to a phishing email or possible CEO fraud.

Wapack Labs has cataloged and reported extensively on reconnaissance in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, March 28, 2017

Russian Troll Factory Open for Business

Russian media source RBC is claiming that the English-speaking pro-Trump groups Secured Borders (Facebook) and Tea Party News (Twitter) are operated by a Russian “troll factory.” Russian businessman Yevgeniy Prigozhin is known for financing a Russian troll factory that employs Internet “trolls” who post and comment for the purpose of swaying public opinion both domestically and internationally. Prigozhin has been implicated in many other public and questionable business ventures. Currently, positive confirmation of Russian ownership of these pro-Trump troll operations remains uncertain.

Wapack Labs has reported extensively on public sentiment in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

Monday, March 27, 2017

Transfer Money Anonymously with Russian Cryptocheck

Cryptocheck (Cc) is a dubious Russian-based payment system discovered in recent collections. Cc heralds a safe and anonymous way to transfer money online. Cc combines electronic vouchers, traditional payment systems, and cryptocurrency. This payment service is used in many Russian-speaking forums; however, Cc has also been found in a number of English-speaking forums. Cc promotes its service as a combination of the best cyber payment systems that exist, using cryptocurrency. Personal user data is not requested or used by Cc. Cc provides payments with unique check and code numbers. The check number can have 58^6 combinations and the code number consists of 58^9 possible combinations, offering anonymity.

Wapack Labs has cataloged and reported extensively on payment services in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Major Underground Carder Utilizes Point of Sale (PoS) Malware

Wapack Labs is researching a major underground carder who solicits on various carding/hacking forums. This actor advertises thousands of stolen credit cards from countless international banks. The actor's activity can be seen on several online shops, as well as many other connection points. The actor is also carding numerous retail stores in international venues with Point of Sale (PoS) malware, or skimmers. Wapack Labs is researching the actor's Tactics, Techniques, and Procedures (TTPs).

Wapack Labs has cataloged and reported extensively on carding forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Morse Code - Old is New Again

Wapack Labs assesses, with high confidence, that Morse code was used to encode the planning of the recent attack in London, U.K. Researchers uncovered that bad actors involved in the planning of the Westminster attack used Morse code within an imageboard to communicate and plan details sent to Khalid Masood’s WhatsApp account three minutes before the attack. A 2014 imageboard exposes a Morse code tutorial, indicating that Morse code use is more prevalent than realized. Morse code is now being used because of how difficult it can be to parse by automated means: by changing the characters used while still following Morse code conventions, a message will not be picked up by a conventional Morse code parser. This makes Morse code ideal for hiding information in plain sight, without being caught by an automated script scanning for nefarious activity.
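As an added example (not from the original report), the following detector addresses the evasion described above from the defender's side: it infers which two characters stand in for dot and dash, tries both assignments, and flags text that decodes to mostly valid Morse letters. The letter/word spacing convention and the sample message are assumptions.

```python
import re
from collections import Counter

# International Morse table (letters and digits only).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

def candidate_symbols(text):
    """The two most frequent non-space characters are the likely dot/dash stand-ins."""
    counts = Counter(c for c in text if not c.isspace())
    return [c for c, _ in counts.most_common(2)]

def decode_with_mapping(text, dot, dash):
    """Map the stand-in symbols to '.'/'-' and decode. Assumed convention: one
    space separates letters, two or more spaces (or '/') separate words.
    Returns (decoded_text, fraction_of_symbols_that_are_valid_letters)."""
    canon = text.translate(str.maketrans({dot: ".", dash: "-"}))
    decoded_words, total, valid = [], 0, 0
    for word in re.split(r"\s{2,}|/", canon.strip()):
        letters = []
        for sym in word.split():
            ch = MORSE.get(sym)
            total += 1
            valid += ch is not None
            letters.append(ch or "?")
        decoded_words.append("".join(letters))
    return " ".join(decoded_words), (valid / total if total else 0.0)

def detect_disguised_morse(text, threshold=0.9):
    """Return every (decoded, ratio, dot, dash) whose decode is at least
    `threshold` valid Morse letters, best first. Both assignments are tried
    because swapping dot and dash often still yields valid letters ('MEET'
    inverts to 'ITTE'), so an analyst reviews the candidates, not one answer."""
    syms = candidate_symbols(text)
    if len(syms) < 2:
        return []
    hits = []
    for dot, dash in ((syms[0], syms[1]), (syms[1], syms[0])):
        decoded, ratio = decode_with_mapping(text, dot, dash)
        if ratio >= threshold:
            hits.append((decoded, ratio, dot, dash))
    return sorted(hits, key=lambda h: h[1], reverse=True)

# Constructed sample: "MEET AT NOON" with '.' -> 'x' and '-' -> 'o'; a parser
# expecting literal dots and dashes sees nothing here.
DISGUISED = "oo x x o  xo o  ox ooo ooo ox"
PLAIN = "the quick brown fox"  # control text, should produce no candidate
```

Running `detect_disguised_morse(DISGUISED)` yields two candidates (one of them MEET AT NOON), while the control text yields none; the threshold is a tuning knob, since short messages with a third symbol type will lower the valid-letter ratio.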

Wapack Labs has reported on encoding in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

Wednesday, March 22, 2017

Stolen Credit Cards for Sale Via CryptoCheck Payments

A member of a clear web hacker forum is hosting an active website advertising services. The website provides links to stolen credit/debit card databases from banks around the world. This individual is linked to an infamous Ukrainian hacker (indicating the actor's popularity) who has long specialized in the sale of stolen credit card information. Services within this website can be purchased via Bitcoin (BTC), Western Union, MoneyGram, and a service called CryptoCheck. CryptoCheck is a Russian payment service, which is being researched further.

Wapack Labs has cataloged and reported extensively on carding forums in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

Monday, March 20, 2017

Circling the Wagons Against Apache Struts2 0-Day

Apache Struts is an open source framework for creating Java applications. A new Apache Struts 0-day is currently being exploited in the wild. Multiple variants of attack code, as well as pastes of Proof of Concept (PoC) code, have already been discovered in open sources. The Apache Struts2 vulnerability affects numerous industries and potentially worldwide critical infrastructure. We assess with high confidence that the Apache Struts2 vulnerability will continue to be heavily exploited until network systems are patched. Members are highly encouraged to implement countermeasures and install patches as soon as possible.

Wapack Labs has cataloged and reported extensively on Apache Struts in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

Friday, March 17, 2017

ATM Access For Sale in Spanish Underground

An underground seller is marketing ATM maintenance manuals, access keys/codes, and private software for a major ATM manufacturer on an underground Spanish-language forum. The seller claims to be an ATM mechanic working in Mexico. This ATM information could compromise several major Mexican banks. The ATM manufacturer has a presence in over 130 countries and provides hardware/software for banking and retail systems.

Wapack Labs has cataloged and reported on ATM hacking in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

Tuesday, March 14, 2017

AlphaBay: Avenue on the “new” Silk Road?

Carding forum AlphaBay’s (AB) rules, posted on Twitter, have sparked debate in the underground over whether the forum is controlled by malicious actors in Russia. Rumors of AB being linked to Russian organized crime are not new, but rules prohibiting malware that targets Russian citizens or the sale of financial information on Russian citizens lend credence to such claims. Russian carding forums routinely include rules of this type to avoid drawing the attention of Russian authorities. AB’s adoption of such rules can only help its efforts to become the dominant underground marketplace for illicit goods and activities online.

Wapack Labs has cataloged and extensively reported on Russian cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

Friday, March 10, 2017

Nigerian Passport Fraud

A known Nigerian keylogger and threat actor was observed on 27 February 2017 sending a phishing email with a United States Citizenship and Immigration Services (USCIS) and U.S. Embassy lure. The phishing email referenced recent immigration executive orders by President Trump. The email attempted to lure the target into sending the threat actor a copy of his passport, presumably to be used as part of the threat actor’s fraudulent activities. Fraudulent use of any legitimate passport can result in financial fraud, terrorist activity, and a whole host of other illegal activities.

Wapack Labs has cataloged and extensively reported on keylogger operations in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The Long Game: PLA Cyber Actor & Mission

A continued review of academic work by members of the PLA revealed certain units publishing an increasing number of papers on cyber security. One of these units was examined in detail to identify its personnel, expertise, location, facilities, and leadership. The results of this examination showed:
  • The name and location of the unit was confirmed.
  • Personnel were identified as authors of computer and network security articles.
  • Spending on unit facilities has increased.

Wapack Labs has reported extensively on Chinese cyber actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Thursday, March 9, 2017

UK Based Carder Boasts Decades of Experience

A Wapack Labs analyst is following an established carder who lives in the northwest region of England. He actively posts on various hacker/carder forums offering card information for values up to £5000. His confederate, who works in an unknown bank in Great Britain, assists him with money transfers. This carder offers an instant cash out and will split the profits 50/50. He has been active on carder forums since 2015, while boasting 20+ years of carding experience.

Wapack Labs has cataloged and extensively reported on carders in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.


TLP: AMBER
ACTOR TYPE: (II)
SERIAL: TR-044-2017
COUNTRIES: US, GB
INDUSTRIES: Financial
REPORT DATE: 20170307

Satan RaaS Becomes an Attractive Plan-B

Satan Ransomware-as-a-Service (RaaS) is similar to previous RaaS platforms but employs far superior default obfuscation and evasion techniques. Most RaaS payloads are highly detectable and require the use of a “crypter,” while Satan provides XOR functions for encoding, and other means of delivering/proxying, fully undetectable (FUD) payloads.

With the Petya, Mischa, and Shark RaaS platforms no longer in underground operation, Satan is the most popular free RaaS platform, making it very attractive to black hat hackers. Several members are utilizing Satan RaaS and reporting pending victim payments.

Wapack Labs has extensively reported on ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: IA-009-2017
COUNTRIES: All
INDUSTRIES: All 
REPORT DATE: 20170307

Wednesday, March 8, 2017

Threat Day Q-1 - Threat Intelligence University (TIU)

We decided to try something NEW for 2017 and use some of our Threat Days for learning!

So next Tuesday, March 14, we will have our first Threat Intelligence University (TIU) Threat Day. Chris Hall and Patrick Maroney, Wapack Labs Principal Engineers, have put together an agenda that includes the first three modules of our Threat Intelligence University courses and an introduction to our NEW Cyber Threat Analysis Center (CTAC). Take a look at our agenda.

For more information, call us at 1-844-4-WAPACK (1-844-492-7225).

Tuesday, March 7, 2017

Sanctioned ANO PO KSI: Surveillance and Ballot Reading

The Autonomous Noncommercial Organization Professional Association of Designers of Data Processing Systems (ANO PO KSI) was sanctioned by the U.S. in response to Russian interference in the 2016 U.S. Presidential election. The company works with the Russian Defense Ministry, FSB, and other government organizations. They produce election ballot and census form scanners, and aero-surveillance cameras.

Wapack Labs has extensively reported on election interference in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: GREEN
ACTOR TYPE: (V)
SERIAL: TAR-17
COUNTRIES: RU, U.S.
INDUSTRIES: Military, Political
REPORT DATE: 20170306

Russian Cyber-Influence in the 2017 European Elections

Wapack Labs assesses with high confidence that Russia is behind influence campaigns to support right-wing nationalist candidates in the Dutch, French, and German national elections who are campaigning on anti-immigration platforms and on reducing participation in the European Union (EU) and NATO. The nationalist parties likely have little chance of winning a majority (medium confidence) in parliamentary elections or the second round of the French presidency; however, gaining seats provides them the opportunity to influence policy in a coalition government.

We assess, with medium confidence, that Russian cyber actors will conduct espionage and media manipulation operations to influence the outcome of each country’s election, but will modify the Tactics, Techniques, and Procedures (TTPs) previously used against the U.S. in 2016. Russian threat actors will dedicate additional resources to improving operational security to avoid discovery or blowback, and will avoid mimicking the tactics used in Ukraine and Montenegro.

Wapack Labs has extensively reported on election interference in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (VI)
SERIAL: PIR-00x-2017
COUNTRIES: Europe, NL, FR, DE, RU
INDUSTRIES: Gov, Political
REPORT DATE: 20170303

Monday, March 6, 2017

Hacking Community Re-directs Novice Forums

Wapack Labs analysts are providing an update regarding an underground carding, malware, and skimming community run by hackers. One of the members is known for his involvement in Point of Sale (PoS) breaches of several retail chains. Our analysts recently observed this community advertising in novice carder forums, which they had not done before. Their websites all redirect buyers to a different carding shop, on sites that are copies of their domains. Some individuals in the underground carding community consider these sites to be compromised by law enforcement. Pushing their capabilities to a wider, even if less experienced, audience may trigger a rise in PoS attacks.

Wapack Labs has cataloged and extensively reported on underground communities in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: TR-043-2017
COUNTRIES: UA, RU
INDUSTRIES: All
REPORT DATE: 20170302

Friday, March 3, 2017

The Amateur from Algeria

On March 1, 2017, a Wapack Labs researcher observed a hacker providing malicious tools on various Arabic, Russian, and English hack forums. He was observed selling gift cards for Bitcoin (BTC), promoting phishing scams, and posting website defacements. The hacker has the necessary skills to create basic exploits. The fact that his malicious software is free may speak to its quality, or to people’s trust in a novice.

Wapack Labs has extensively reported on carders in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

TLP: AMBER
ACTOR TYPE: (II)
SERIAL: TR-042-2017
COUNTRIES: DZ
INDUSTRIES: Financial
REPORT DATE: 20170301

Wednesday, March 1, 2017

The Reemergence of a Threat Actor: Six More Weeks of DDoS

Wapack Labs research is observing the reemergence of a known threat actor. After a year-long hiatus, he is displaying habitual activity online. The threat actor is one of the leaders of an established Russian-based hacking group that sells DDoS-as-a-service. In the past, he advertised DDoS services in a number of English, Spanish, and Russian forums. Increased DDoS activity from this group is likely in the near future.

When dealing with high-end threat actors, it is usually safe to take them at their word. This allows us to assess, with medium to high confidence, that this group will resume offering DDoS services, and that this activity will likely result in an increase in DDoS attacks against a wide range of organizations worldwide. We have seen no indications that any Red Sky Alliance members are being targeted at this time, but any organization that has not already done so should verify its ability to mitigate the effects of a DDoS attack, either with its own capabilities or those of a third party.

Wapack Labs has cataloged and extensively reported on DDoS attackers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: IA-006-2017
COUNTRIES: RU
INDUSTRIES: All
REPORT DATE: 20170301