Wednesday, November 29, 2017

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts 
Reporting Period: Nov 20-27, 2017

Between Nov 20-27, 2017 Wapack Labs identified the following 313 unique email accounts to be compromised with keyloggers, and used to log into multiple types of organizations, including not only email access, but also financial, social media and others. Passwords have been redacted to protect the users.

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members. 

Monday, November 27, 2017

Google Images Technical Support Scams

In two separate instances, Wapack Labs has reported technical support scams. Upon examining these scams, Wapack Labs observed other products being targeted by scammers. Performing a Google Image search for “<technology product> technical support” yields images with phone numbers for technical support. Basic OSINT collection against these phone numbers makes it apparent that they are involved in scams. Scammers routinely offer remote desktop support to troubleshoot the devices. Some of these scams charge monthly fees for remote support services but do not actually fix technical problems; others exist solely to drop malware during the remote desktop session. The malware dropped during these sessions will often include free or cracked versions of keyloggers and other novice data/credential exfiltration tools...READ MORE

Wapack Labs has cataloged and reported on technical support scams in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

New Threat Group Targeting School Districts

In September and October 2017, a threat actor group began targeting US-based K-12 school districts. The threat group thought to be responsible for the attacks has historically targeted healthcare, defense contractors, and the entertainment industry. However, Wapack Labs believes these are not the same groups, based on past targeting and Tactics, Techniques, and Procedures (TTPs). School districts in Wisconsin and Iowa had students' personal information breached and were threatened with a leak of the student information if a ransom was not paid. The actors also sent direct text messages to students, threatening them with physical harm. The actors Tweeted, “With the student directory from (local school district) we released, any child predator can now easily acquire new targets and even plan based on grade level.” The Twitter feed threatens victims who do not cooperate. A recent Tweet stated, “To the particular (university): we’re a bit disgruntled. You know who you are. It’s best not to ignore us.” The group responsible for these attacks and threats is a new group with a wide variety of attacks that appears to focus only on the US-based education sector...READ MORE

Wapack Labs has cataloged and reported on threat actor groups in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Saturday, November 25, 2017

Grand Challenge - Victim Notification at Scale?

I've been thinking about this for several years. There are several people out there using the term "Grand Challenge" — Bill Joy, Bill and Melinda Gates, and others. I think it applies here. 

I have a friend who is a police officer in the mid-west. His wife owns a one-person candy store that takes orders for her handmade candy over the internet. She has an online order form, will take orders via a non-toll-free telephone number, and she lists a gmail account for her company. My friend's wife could just as easily be a three-person credit union, a mom and pop logistics shop, or a hair dresser making appointments on his/her iCloud calendar.

In 2010 there were 27.9 million small businesses, and 18,500 firms with 500 employees or more. Over three-quarters of small businesses were nonemployers: a single sole proprietor.

Why do we care? 

According to the Independent, Google says that phishing attacks pose the “greatest threat” to users of its services. The company has studied the ways in which hackers steal people’s passwords and break into their accounts. In the space of 12 months, it found 788,000 login credentials stolen via keyloggers (tools that secretly record every key you press), 12 million stolen via phishing (a method of tricking you into giving up your personal information), and 3.3 billion exposed by third-party data breaches.

Last week we blogged about the problems that we identified when attempting to notify individual and small-company victims of breach. These did not include the 3.3 billion exposed by third-party breach; rather, those who were infected by keylogger, phishing, drive-by, spam, or automation. What is the process for notifying not only the nearly 13 million Google users mentioned above, but also the 22 million showing up in our sinkholes, and the hundreds of millions showing up in others?

Who notifies my friend's wife when her computer gets breached and her customer accounts — payment information, shipping (presumably their home) address, and other privacy information — are stolen by unscrupulous cyber thieves?

As far as I can tell, nobody.

Nobody notifies them. The identity monitoring services would never see the kinds of activity that Google (or we, as intelligence providers) see. They can sign on to notification sites like Have I Been Pwned, but HIBP doesn't run sinkholes either, so they wouldn't know. Troy specializes in third party breach notification, not intelligence.

Let’s fix that.

Last year we sent almost 200,000 notifications to abuse email accounts listed in companies' domain registrations. This came with mixed feedback: some positive, mostly negative. This year we sent notifications to individuals. Out of all of the emails sent, we were marked as spam only once (thank you!), and earned a 97% reputation score with our transactional email provider. The email might have been worded better, but in talking with one of our Red Sky members, we were told that they too had received similar mixed feedback when attempting their own notification campaigns.

Today, from sinkhole collections alone, we have recorded over 22 million sinkhole connections reaching out to command and control (C2) nodes that we own. What does that mean? It means that there are a ton of people out there who have no idea that they've been infected, and nobody else who is going to tell them about it. Worse, my bet is, they have no idea where to get help.

One company? Ten? Fifty? That's easy… How do we handle 22 million? Should it be done by a government? The US? The national CERTs? Where is the clearing house? And with the numbers growing exponentially, it's only going to get worse.

I see this as a Grand Challenge opportunity — one that is never going to be fixed with current technology, rather requiring education.

Tuesday, November 21, 2017

Gibon Ransomware Analysis

TLP AMBER ANNOUNCEMENT:
 
Wapack Labs analysts recently observed a handful of Gibon malware samples in the wild and are providing this report in the event the malware becomes more widespread. Gibon is a new ransomware family, named for the User-Agent string and the name found in the specimen’s ASCII strings. The malware was originally marketed on May 11 and 12 to several hacker forums for $500. Advertised functionality includes recursive encryption of all files on the computer, a README.txt file with instructions to the victim, and encryption/decryption keys which are sent to the admin panel and used for decryption. It is delivered via spam emails with a link to download a Microsoft Word document...READ MORE

Wapack Labs has cataloged and reported on ransomware variants in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

This TLP AMBER report is available only to Red Sky Alliance members.

Reaper IoT Botnet Exploits and Mitigations

TLP AMBER ANNOUNCEMENT:

Reaper is a recently discovered Internet of Things (IoT) botnet that is proving to be more sophisticated and aggressive than the infamous 2016 Mirai IoT botnet. Despite the large botnet size reported by Tenable, there are very few IoT Reaper specimens available on VirusTotal and other malware sharing sites. This is important to note, as the number of specimens is often a reflection of the number of infections. For example, there are currently thousands of Mirai specimens, as opposed to a few dozen IoT Reaper specimens. To date, no Distributed Denial of Service (DDoS) attacks have been observed from the IoT Reaper botnet. Wapack Labs analysts are providing this document as a summary of mitigations and indicators for Reaper malware and observed exploits. Wapack Labs recommends testing all signatures before deployment...READ MORE

Wapack Labs has cataloged and reported on IoT and botnets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

This TLP AMBER report is available only to Red Sky Alliance members.

New Carding Shop with Extensive History

TLP AMBER ANNOUNCEMENT:     

Wapack Labs recently observed a new carding forum. The forum was registered by a Russian proxy registrant and is hosted on a Russian IP address. It was later transferred to several Russian hosts before ending on a Cloudflare IP. The forum began operation on 11 January 2017 and has since offered a high volume of credit cards for sale. It is likely that the current credit card inventory is a continuation and re-branding of other illegal forums, or that the operator possesses a large hacking team, as its sales history is longer than that of the website registration. The owner of the forum has been operating since 23 September 2016 on another forum. Wapack Labs believes this actor likely began this extensive illegal credit card sales history as a verified vendor on that other forum prior to the current forum...READ MORE

Wapack Labs has cataloged and reported on carding forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

This TLP AMBER report is available only to Red Sky Alliance members.

Saturday, November 18, 2017

(Responsible) victim notification?

For three years we've been briefing anyone who'd listen about a widespread campaign that we identified. The information isn't showing up in the haveibeenpwned site, or many of the other sources. We've talked to everyone from our customers to other information sharing groups, law enforcement, and national CERTs, briefing it at FIRST technical conferences on two occasions. We've passed on thousands of victim notifications to folks who we thought might help let people know they'd been compromised, but we continue to see victims exploited.

About a month ago we began testing a service called RiskWatch. The idea is, we monitor this campaign and other sources of victim information, and if we see a compromised email account, we send out a standardized notification. The notification was built to be polite and informative, yet readable. It starts out with who we are, and links to places where they can verify who we are. It has a 2 minute cartoon explainer video, a few things about what they can do, and if they choose, a link to RiskWatch. At no charge, the recipient can click through, register, and come into their own session where they see the email addresses, a timeline, and other information: enough information to be able to get help, or fix things themselves.

At the same time, if they want to come back and view the findings regularly, or receive weekly or monthly notifications, they can purchase a subscription starting at $9 per month. This is in no way required, but it's available.

Why?

Early last year, in an attempt to notify, we sent over 200,000 notifications to the abuse email addresses listed in domain registrations. We used a text-based format similar to that used by Carnegie Mellon/CERT-CC back in the early days of victim notification. We received mixed feedback. Some were appreciative of the notification, others, well, not so much. Today however, many use registration privacy proxies. So… we sent what we thought was a polite email, with that explainer video, short instructions, and a link. We tried this for about a month, retiring the email as part of A/B testing with a new format currently in the works.

We struggled with the idea of email. As security folks, we teach people not to click. We've tried direct personalized notifications, we've talked with scores of folks that we thought might be of assistance in getting the word out; yet, the problem grows exponentially.

We've seen a few clean-ups as a result of the notifications — even without having them come to our site, but the others? They continue to be exploited.

So here's the question: if we know about all of these victims, many with exposed passwords, others hitting sinkholes, most having no idea what to do about it, why not let them know? If their social security numbers are lost, and their privacy information is on the web, are they notified? Yes.

Is email the best way? No. We knew that going in. This is a hard question. We're not sure what the right answer is. We're not a big company. We share information and we try our best to always do the right thing, but in this case, there are SO many victims.

We're open to suggestions. How do we get the word out without looking like spammers? If there are others with thoughts on how this might be accomplished, we'd love to hear it.

For those of you who've received the notifications and thought it was spam: we apologize. That, however, does not make the notification any less real. We might have done it better (and we will in the future), but we would urge you to take it seriously.

Friday, November 17, 2017

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT: 

Compromised Email Accounts 
Reporting Period: Nov 7-12, 2017

Between Nov 7-12, 2017 Wapack Labs identified the following 366 unique email accounts to be compromised with keyloggers, and used to log into multiple types of organizations, including not only email access, but also financial, social media and others. Passwords have been redacted to protect the users.

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members. 

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:
 
Reporting Period: Nov 12, 2017

Wapack Labs identified connections from the following 256 unique IP addresses checking in with one of the many Wapack Labs sinkholes.

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members.

New Underground Market

Wapack Labs recently observed a new underground market that trades a variety of illegal goods including credit cards, fullz, exploits, botnet builders/installs, and other cyber crime related goods. The forum’s structure and listings resemble another well-known market and may be owned by the same individuals. One seller in the market is selling GozNym 2.0 botnet installs. This seller is selling this botnet on other Tor-based black markets and is operating under the same alias. The fraud sections of the market are extremely active. Although the market is heavily dominated by drugs and other illegal non-cyber sales, its cyber fraud sellers appear highly rated. Wapack Labs has discovered that most high-rated sellers primarily deal in stolen discount gift cards obtained through carding, or in stolen electronic goods, such as like-new Apple and Samsung products. Additionally, fraud sellers at this level are often observed making bulk sales of bank accounts and credit cards...READ MORE

Wapack Labs has cataloged and reported on underground Tor markets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Wednesday, November 15, 2017

Malicious URLs Used in Phishing Attempt

On 07 November 2017, Wapack Labs observed, using the Cyber Threat Analysis Center (CTAC), various email addresses embedded in the URLs of two phishing domains. The two phishing domains had different URLs but used the same web page interface. One domain is a compromised domain with an anti-virus detection ratio of 10/64 that has been leveraged since 12 June 2017. It is not flagged as suspicious by the Google Chrome browser. The second domain has an anti-virus detection ratio of 11/65 and has been leveraged since 02 October 2017. This domain was flagged as suspicious by the Google Chrome browser. Both domains are still active. The phishing attempt appears to be a simple credential stealing scheme. The phishing page is disguised as Microsoft OneDrive, attempting to get users to enter their passwords. Wapack Labs is providing this warning report as situational awareness...READ MORE

Wapack Labs has cataloged and reported on malicious URLs and phishing attempts in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, November 13, 2017

B.I.T.S Loader Attracting Cybercriminals

TLP AMBER ANNOUNCEMENT:

The Background Intelligent Transfer Service (BITS) is a legitimate Microsoft program used for creating and monitoring transfer jobs over the network. Since it is a Windows legacy program, it isn’t widely detected by AV solutions, making it attractive to cybercriminals for malware delivery and persistence. Recent emails targeting the financial sector use BITS functionality by embedding it in heavily obfuscated Word documents and through the use of LNK files. Monitoring BITS jobs in work environments is important in order to identify unwanted or unauthorized downloads and uploads. In the past, BITS was used to deliver banking trojans like DarkComet and the GlobeImposter ransomware, and it is assessed with high confidence that it will continue to be used for both malware delivery and persistence, particularly against Windows-based systems that would otherwise be considered highly locked down or security hardened. This report focuses on these two recent implementations of BITS, and looks at other ways BITS is leveraged in the wild...READ MORE
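The paragraph above recommends monitoring BITS jobs for unwanted downloads and uploads. The PowerShell below is an added defender's example, not code from the Wapack Labs report, showing one way to do that on a single host: it enumerates every user's BITS jobs with the built-in `Get-BitsTransfer` cmdlet, flags any job whose remote URL is outside an allow-list of expected hosts, and then pulls recent entries from the BITS client operational event log so that jobs which already completed are still visible. The `$AllowedHosts` list is a placeholder you would replace with the update and software-distribution hosts your environment actually uses, and the event IDs are those the BITS-Client log uses on current Windows builds; verify them against your own log before relying on them.

```powershell
# Added example (not from the original report). Run from an elevated PowerShell
# session: Get-BitsTransfer -AllUsers requires administrator rights.

# Placeholder allow-list: hosts from which BITS transfers are expected.
# Replace with your own update/distribution servers.
$AllowedHosts = @('windowsupdate.com', 'microsoft.com', 'updates.example.internal')

function Test-AllowedHost {
    param([string]$Url)
    # Parse the URL; anything that is not a well-formed URL is treated as not allowed.
    try { $hostName = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($allowed in $AllowedHosts) {
        if ($hostName -eq $allowed -or $hostName.EndsWith(".$allowed")) { return $true }
    }
    return $false
}

# 1. Live jobs. Each BitsJob exposes its owner, direction (Download/Upload),
#    state and a FileList with the remote URL and local path of every file.
#    An Upload job to an unknown host is the exfiltration case; a Download job
#    from an unknown host is the delivery/persistence case described above.
$suspicious = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        if (-not (Test-AllowedHost $file.RemoteName)) {
            [pscustomobject]@{
                JobId        = $job.JobId
                DisplayName  = $job.DisplayName
                Owner        = $job.OwnerAccount
                TransferType = $job.TransferType
                State        = $job.JobState
                RemoteName   = $file.RemoteName
                LocalName    = $file.LocalName
            }
        }
    }
}

if ($suspicious) {
    Write-Output "BITS jobs referencing hosts outside the allow-list:"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output "No live BITS jobs outside the allow-list."
}

# 2. Historical jobs. Jobs that finished before this scan no longer appear in
#    Get-BitsTransfer, but the BITS client operational log keeps a record:
#    ID 3 = job created, ID 59 = transfer started (message carries the URL),
#    ID 4 = job completed. Review the URLs and owners in these messages.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Bits-Client/Operational'
    Id      = 3, 4, 59
} -MaxEvents 200 -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -Wrap
```

The live-job check is cheap enough to run on a schedule from an endpoint management tool; the event-log query is what you want when investigating after the fact, since a malicious job created by a macro or LNK file may have completed and been deleted long before anyone looks.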

Wapack Labs has cataloged and reported on malware targeting the financial sector in the past. An archive of related reporting can be found in the Red Sky Alliance portal.  
This TLP AMBER report is available only to Red Sky Alliance members.

Tuesday, November 7, 2017

Possible Emerging Threat – Elastic Stack Targeting

On 5 November 2017, Wapack Labs identified potential targeting of the Elastic Stack (formerly known as ELK) for possible ransomware or extortion. While only two data points exist, this could suggest the beginning of a trend of attacks against Elastic instances. What is Elastic? The Elastic Stack, previously known as ELK, is an open source alternative to commercial aggregation and analysis tools like Splunk. With over 500,000 new downloads per month and 100 million to date, Elastic is one of the largest distributions of analysis and visualization tools for high end analytics. Elastic is a plentiful target...READ MORE

Wapack Labs has cataloged and reported on potential targeting of analysis tools in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, November 3, 2017

New Carding Shop

Wapack Labs observed a threat actor advertising a new carding shop on a hacking/carding forum. This threat actor first advertised the carding services on 21 July 2017 and has been an active member on the forum, frequently advertising updates to their carding website. Currently the shop has over 500,000 stolen credit cards for sale from over 100 banks. The shop updates its database with fresh cards on a bi-weekly basis. To access the shop, users must create a free account and enter a username, password, Jabber, and ICQ number (users can enter fake credentials). Once the account is created, users can freely browse the website. Web sections include news, cards, rules, orders, billing, checker, and support. The cards section lists the stolen credit cards. Credit cards are sorted by database, bank name, type, card issuer, country, state, city, or BIN. Full card information is provided before purchasing a card. Prices of the cards ranged from $1 to $40 USD. The checker section allows users to enter credit card information to see if the card is still valid. The shop charges 30 cents per check and has a refund policy of 5 minutes after purchase if the card is invalid...READ MORE

Wapack Labs has cataloged and reported on carding shops and fraud in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
Russian ISP Doing Business with North Korea

On 01 Oct 2017, TransTeleCom, a Russian-owned telecommunications company, began routing North Korean Internet traffic. TransTeleCom owns one of the largest fiber optic cable based networks in the world. It is a fully owned subsidiary of Russian Railways, a joint-stock company held 100 percent under the Russian Ministry of Transport. North Korea’s external Internet connections were historically serviced by China Unicom, but will now be provided by both China Unicom and Russia’s TransTeleCom. IPv4 traffic route allocation is 60 percent through TransTeleCom and 40 percent through China Unicom. Unicom will continue providing 100 percent of IPv6 routing for North Korea. The contract between TransTeleCom and North Korea was originally signed in 2009. The recent Russian telecommunications escalation seems to be in support of North Korea after U.S. Cyber Command Distributed-Denial-of-Service (DDoS) attacks. Having routes in both China and Russia limits North Korea’s dependence on any one country as it faces intense geopolitical pressure. North Korea’s shift from being predominantly Chinese hosted to Russian support is primarily due to U.S. political pressure on China to sever ties with North Korea over the recent nuclear missile tests, and to China’s failure to protect North Korea from the recent U.S. DDoS attacks. TransTeleCom operates similarly to China Unicom, the current North Korean Internet Service Provider (ISP), which has fiber optics laid along China’s Sino-Korean Friendship Bridge. However, TransTeleCom is believed to be delivering North Korea’s Internet over the Korea-Russia Friendship Bridge, the only crossable border between North Korea and Russia. Wapack Labs will continue to monitor malicious cyber activities out of North Korean netblocks...READ MORE

Wapack Labs has cataloged and reported on North Korean cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.