Wapack Labs is researching a cybercriminal group who is targeting online gamers and the video gaming industry. The group commonly uses digital certificates, stolen from online game developers, to sign their malware, thereby decreasing the risk of Anti-Virus (AV) detection. Americans alone spend an estimated $25 billion dollars a year on online video games. Many online games are MMORPGs (Massive Multiplayer Online Role-Playing Games), which run on virtual currency that is bought and sold with real money. Additionally, the group aims to steal source code from games under development in order to aid in virtual currency mining. We assess with high confidence that the cybercriminal group will continue to evolve and take advantage of the increasing online gaming industry...READ MORE
Wapack Labs has cataloged and reported extensively ontargeting the gaming industry in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
Wapack Labs Analysts assess with high confidence a growing cyber espionage campaign, with a Chinese nexus, that has been targeting Managed Service Providers (MSPs) in order to compromise multiple organizations. This campaign is responsible for intrusions in the United States, Europe, and Japan. Typical targets include construction, engineering, aerospace, telecom, and government institutions. The actors involved leverage a wide variety of tools and custom malware, allowing flexibility when it comes to the methods used for intrusion...READ MORE
Wapack Labs has cataloged and reported extensively on espionage campaigns in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
Yevgeniy Nikulin is a potent Russian hacker responsible for major breaches including Linkedin, Dropbox and Formspring, as well as less known funds theft from a Bitcoin hedge fund and from individuals. After his arrest in Prague, Russia filed its own extradition request to fight the one from the US. There are unconfirmed allegations that Nikulin may have some insights on the 2016 Presidential Elections related hacking. Nikulin is a high-skilled dangerous hacker. While the true nature of his connections to the Russian government is unproven, it is possible that it prompted the legal help that he is getting...READ MORE
Wapack Labs has cataloged and reported extensively on hackers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
Wapack Labs discovered a Tor-based website conducting illegal financial sector activities; ranging from carding and counterfeit money to electronics and narcotics. The site, which requires no registration, claims that the forum is totally anonymous and highly secure; largely in part to encrypting all data with AES 256-bit encryption. The site provides a multi-signature escrow for all transactions; allowing safe Bitcoin (BTC) transactions between both parties...READ MORE
Wapack Labs has cataloged and reported extensively on Tor-based and carding activities in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
Wapack Labs analysts exposed a threat to the financial sector, one who is actively posting in several clear web and underground forums. Within these forums, the actor creates threads of free, downloadable log-in credentials, for an online payment system. Analysts assess that it is likely that the actor is brute-forcing the accounts to obtain the passwords. A brute force attack is a trial and error method used by application programs to decode encrypted data such as passwords - highly effective if the account uses simple passwords. The language, emails, and passwords indicate that the actor is a Spanish or Portuguese speaker, likely operating in South America...READ MORE Wapack Labs has cataloged and reported extensively on Spanish speaking, threat actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
A new variant of Wannacry appears to be making a bad situation worse. Wapack Labs has recently identified a new malware specimen that is 75% similar to Wannacry. Instead of leveraging a “kill-switch” domain, the program uses a combination of several static domains as well as a domain generation algorithm (DGA) so as to bypass network based mitigations. Furthermore, the domains appear to be related to Virut (medium confidence), a cybercrime botnet in operation since 2006. A more detailed analysis on this development is pending.
Wapack Labs has cataloged and reported on Wannacry ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
…For Red Sky Alliance members: A new #WannaCry report, including malware analysis and discussions of the backdoor are now available for members in the Red Sky Alliance portal. As well, a demonstration of one of the backdoor techniques used yesterday and today are discussed in an April 22nd Red Sky Alliance post by Wapack's JB, entitled "ShadowBrokers EQGRP's FuzzBunch Windows 0day framework - Install, Use, Mitigations." It's a good read.
Wapack Labs is tracking a reported ransomware attack on various countries affecting operations in the health and financial sectors. The malware has been titled: WCry, WannaCry or WanaCrypt0r ransomware. Open source reporting indicates that Russia, Ukraine, Taiwan, Spain, and the United Kingdom are being targeted. CCN-CERT (SP) has confirmed the malware propagates through the leaked Equation Group ETERNALBLUE SMB exploit. Microsoft Security Bulletin MS17-010 details mitigations for this exploit.
Wapack Labs has cataloged and reported extensively on ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
Wapack Labs is researching key components of the Dark Cloud network - including all associated malware to date. “Dark Cloud” is an infrastructure that encompasses thousands of fast-flux proxy botnets in a ‘bullet proof’ hosting environment, renting thousands of botnets for use in criminal activity to underground users. Roughly 20% of the observed bots were actively leveraged by Dark Cloud. Sality file infector malware was by far the most commonly observed activity and represents a likely propagation mechanism for the botnet...READ MORE
Wapack Labs has cataloged and reported extensively on malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal. WWW.WAPACKLABS.COM
About two years ago we realized the need to centralize and monitor our logs. With every speaking engagement with small companies, someone —usually more than one someone, will ask "How do you guys do _________?" Well, this week we went live with CTAC. This is how we monitor our logs, and as of today, you can too.
We built CTAC to allow us to monitor our own logs, compare it to our own intelligence collections, and to be able to twist and turn data to our hearts content.
As well, most companies that we talk to are 'all set' with intelligence, but that assumes a few things.. first, it's true that many do have intelligence but it's also true that many companies today, while they do have intelligence, are overwhelmed with it and have no idea what to do with it. Add in vendor noise, a lack of qualified analytic labor, enormous amounts of data, and daily phone calls from folks trying to sell them more. The process can be overwelming!
Our answer? We want to teach you to fish, not just fish for you.
CTAC is a place where you can mine our raw intelligence collections. We like to think of it as the Bloomberg Terminal for our space —except we can also injest and interact with your data. Wait, what? Interact with your data? Yes! Push your log data into CTAC and monitor it there.
There's no need to buy log aggregation! It's included in your subscription!
Intelligence? It's in there!
Need support? Hit up my guys through the Red Sky portal or IM! Need more? Buy a few hours!
A natural extension of our Red Sky Alliance information sharing environment, CTAC offers tools, training, help when needed, and it scales as big as you need.
Having 800-171 issues? Monitor the cyber threat intelligence for your suppliers, partners, and third parties. We'll help you set up the dashboard! It's easy!
Need Log Monitoring? Push your data securely to our Elastic stack in CTAC. We're happy to help. We'll monitor it (for a fee of course!), you can monitor it, or we can both monitor it!
Need more information? You should schedule a demo! Drop me a note —jeff.stutzman@wapacklabs.com.
This makes me really happy. We wrapped up our last class of interns this week. One vet, one non-vet from Southern NH University where they get three credits for every term spent with us.
What makes me happy? This is our third set of SNHU interns. We've trained several vets —both from SNHU and the Manchester VA Hospital and this week, when I arrived back in the office on Thursday after having been gone for a couple of weeks, found these outside my office —"What I learned" notes left on the writey boards.
Do you think they teach Google dorking at SNHU? Any college? Keyloggers? Analyzed intelligence derived from a pile of data?
This group has completed their internship. We've got a couple more working with us through the summer and we'll see a class begin again in September. As well, we're looking for a vet system administrator from the VA, and have already put out the request to the Occupational Transition office.
Beyond that? We continue to talk with new folks about joining Red Sky… two new companies are going through the process this week!
Wapack Labs, Team Jaeger (TJ) analysts identified four Japanese law firms that were victimized by keylogging malware during research using the Cyber Threat Analysis Center (CTAC). All of the affected firms specialize in patent law. While the malware utilized by the threat actor is unsophisticated, their fraudulent activity is persistent, effective, and has the potential to negatively impact clients of the affected organizations...READ MORE
Wapack Labs has cataloged and reported extensively on keylogging malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.