Tuesday, January 30, 2018

Recent Chinese Exfiltration Method Observed

Chinese nation state attackers (high confidence) recently used a Java web shell (Chropper.java) against a corporate network’s external web server to download an unidentified malware payload. The initial breach of the server occurred on 15 December 2017, likely leveraging a ColdFusion exploit. On 18 December 2017, the attackers deployed a modified version of the web shell. The web shell came from a large collection of popular Chinese web shells uploaded to GitHub by a user who follows well-known Chinese security researchers. The attack sequence took place between 19 and 21 December 2017 and was detected on the 21st. Once connected, the attackers ran a PowerShell script that executed a payload which was never written to disk. The payload established persistence, injected into legitimate Windows processes, and enumerated all drive letters from C to Z to identify the mapped drives on the server...READ MORE

Wapack Labs has cataloged and reported on data exfiltration methods in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, January 26, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Jan 22, 2018

On 22 January 2017, Wapack Labs identified 922 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT: 
 
Reporting Period: January 22, 2018
 
Wapack Labs identified connections from 834 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Wednesday, January 24, 2018

Iranian Protests: Propaganda War

Wapack Labs is monitoring the developments in the ongoing Iran protests. Wapack analysts continue to observe an increase in Internet restrictions and the disabling of communication applications: Facebook, Twitter, Telegram, Google, WhatsApp, and Signal. To date, ProtonMail’s free VPN service for Android phones and Psiphon, an app that circumvents network firewalls, are the only means of providing anonymity for Iranian citizens. As information censorship increases, so too does pro-regime propaganda. The current climate in Iran may give way to Iranian-backed threat actors targeting the anti-regime demonstrators. Wapack Labs assesses, with moderate confidence, that the cyber activity will remain confined to Iran, but continues to monitor the situation for movement affecting our customer base...READ MORE

Wapack Labs has cataloged and reported on protests and cyber activity in Iran in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, January 22, 2018

Asian Bitcoin Exchanges as Potential Hacker Targets

North Korea has been identified as conducting multiple thefts of Bitcoin cryptocurrency in 2017. These thefts have involved spearphishing attacks against at least two Bitcoin exchanges in South Korea that resulted in compromises of their systems and the loss of millions of dollars in Bitcoin. This appears to be part of a major North Korean campaign to acquire Bitcoin as a way to raise hard currency. The campaign was active through at least December 2017. Given the North Korean interest in Bitcoin and the success of their hacking efforts to date, other cryptocurrency exchanges in the region may also be at risk. As a guide to further monitoring of this situation, a listing of exchanges in South Korea and Japan was compiled. The Japanese list consists of those recently certified by the Japanese government and one that is still awaiting certification...READ MORE

Wapack Labs has cataloged and reported on cryptocurrency related targeting in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

North Korea’s Illegal Campaign to Acquire Bitcoin

North Korea has been identified as conducting multiple thefts of Bitcoin cryptocurrency in 2017. In conjunction with its identification as the actor behind the Wannacry ransomware, which was also an attempt to acquire Bitcoin, plus limited evidence of Bitcoin mining, these actions indicate that a major North Korean campaign is underway to acquire Bitcoin as a way to raise hard currency. North Korea was likely motivated to acquire Bitcoin by any means because of the currency’s rapidly increasing value in 2017, the possibility of hiding the thefts by converting Bitcoin into more obscure cryptocurrencies, and the convertibility of Bitcoin and these other cryptocurrencies to hard currency. While it is unusual for a nation-state to be involved in this type of theft, it is not much different from other North Korean criminal enterprises, which have included cyber bank robbery, illegal weapons sales, and counterfeiting U.S. currency...READ MORE

Wapack Labs has cataloged and reported on North Korean cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, January 19, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT: 
 
Compromised Email Accounts
Reporting Period: Jan 16, 2018

On 16 January 2017, Wapack Labs identified 1371 ‘new’ unique email accounts compromised with keyloggers and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT: 
 
Reporting Period: January 16, 2018
 
Wapack Labs identified connections from 788 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Thursday, January 18, 2018

Vietnamese APT Actors Involved in Watering-Hole Attacks

Beginning in February 2017, a group of Vietnamese APT actors carried out a large campaign of watering-hole attacks. The campaign is intended to conduct surveillance on entities within Southeast Asia and China. As part of the watering-hole attacks, the group used a JavaScript reconnaissance framework to collect information on their targets. This report examines the malicious JavaScript framework used by the attackers, provides information on attribution, and looks at the infrastructure behind the campaign...READ MORE

Wapack Labs has cataloged and reported on APT activity and watering-hole attacks in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 

Wednesday, January 17, 2018

Iranian Protests: Communication Bans & Targeting of Protestors

Wapack Labs has been monitoring the developing Iran protests. By Day 9, Wapack analysts observed an uptick in Internet and communication restrictions, including social media platforms, phone applications, encrypted/secure messaging, Virtual Private Network (VPN) services, and other platforms. Formerly accepted by the Iranian government, the instant messaging service ‘Telegram’, which saw tremendous activity on Day 2 of the protests, is now disabled. At the moment, Google is preventing Iranians from using the Google Search Engine and from using ‘Signal’, an end-to-end encrypted messenger that circumvents government filtering. To date, ProtonMail’s free VPN service for Android phones is the only means of providing anonymity for Iranian citizens. As the Iranian government continues to disrupt communications, it is implementing scare tactics to persuade protestors to stop the movement. Irancell, a mobile network service provider, is tracking down its users who have posted videos and pictures online and sending them text notifications warning them that they have been participating in illegal protests. Additionally, the Twitter account of the Tasnim News Agency (@Tasnimnews_Fa) is posting pictures of protestors, asking followers to identify them and report them to Iranian security forces. The current climate in Iran may give way to another wave of Iranian cyber hacktivists targeting the anti-regime demonstrators...READ MORE

Wapack Labs has cataloged and reported on Iranian protests and communications in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, January 16, 2018

Bypassing Antivirus using Amber (Reflective PE Packer)

Amber is a proof-of-concept tool for bypassing antivirus software. Amber converts Portable Executables (PEs) so that they can be reflectively loaded, which allows them to be used as a multi-stage payload for infecting a target system. Amber takes advantage of in-memory execution methods. In-memory fileless execution can be defined as executing a compiled PE entirely in memory, without writing data to storage. This leaves a smaller footprint, as the malware does not leave a file on the hard drive, and it also makes detection harder for antivirus and anti-malware solutions that rely on scanning files on disk...READ MORE

Wapack Labs has cataloged and reported on anti-detection tools in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, January 12, 2018

Nigerian Hacker Leveraging Predator Pain Keylogger

TLP AMBER ANNOUNCEMENT: 

Wapack Labs identified a Nigerian hacker who was responsible for a large 2017 Predator Pain keylogger collection. This actor is actively targeting company sales departments in the Asia-Pacific region with malicious spam emails. Once he has established persistence on a target, he monitors internal network activity, records email correspondence, and impersonates company personnel by sending contractors fake invoices...READ MORE

Wapack Labs has cataloged and reported on Nigerian threat actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal.    
 
This TLP AMBER report is available only to Red Sky Alliance members.

Wednesday, January 10, 2018

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT: 
 
Reporting Period: January 08, 2018
 
Wapack Labs identified connections from 1004 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT: 
 
Compromised Email Accounts
Reporting Period: Jan 08, 2018

On 08 January 2017, Wapack Labs identified 357 ‘new’ unique email accounts compromised with keyloggers and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Tuesday, January 9, 2018

Meltdown and Spectre Exploitation Reporting

TLP AMBER ANNOUNCEMENT: 

On 2 January 2018, British newspaper The Register published an article describing a design flaw present in all of Intel’s modern processors. The bug is a possible vulnerability in the kernel page table isolation feature. The issue concerns how the microarchitectural design makes speculative memory references and how an attacker may exploit them to defeat kernel address space layout randomization. This report provides situational awareness for our members. Stay alert for updates as major technology companies such as Apple, Amazon, Google, Microsoft, and VMware respond. Intel has already responded, stating that the allegations of these exploits are false and that any exploit is not unique to its chip design...READ MORE

Wapack Labs has cataloged and reported on vulnerability exploitation in the past. An archive of related reporting can be found in the Red Sky Alliance portal.   

This TLP AMBER report is available only to Red Sky Alliance members.

Friday, January 5, 2018

Iranian Protests and Cyber Hacktivism

Wapack Labs analysts have been monitoring the recent demonstrations in Iran involving discontent toward the Islamic Republic established in the aftermath of the 1979 Revolution. Iranian dissidents and activists took to the streets by the thousands, chanting slogans like “We don’t want an Islamic Republic” and “Death to the dictator”, as they tore down pictures of Supreme Leader Khamenei and set fire to the Governor’s office. Protests began in Mashhad, the second most populous city in Iran, which is built around the Holy Shrine of Imam Reza and remains a place of religious pilgrimage. By day two, the protests, with the help of the instant messaging service ‘Telegram’, had gained momentum and reached the far western city of Kermanshah. As the Iranian government took steps to block media platforms like Instagram, Twitter, and Telegram, the third day of protests had already spread from the northern city of Tabriz to the southern port city of Bandar Abbas...READ MORE
 
Wapack Labs has cataloged and reported on cyber hacktivism in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Thursday, January 4, 2018

The Iranian Cyber Evolution: RATs, Backdoors, and Droppers

Wapack Labs has been monitoring Iranian cyber activity for several years, specifically the evolving OilRig and Greenbug campaigns. Their adoption of a cyber operational paradigm involving both cyber hacktivism and cyber espionage tactics resembles cyber activity patterns employed by Chinese APT groups, whereby different groups perform different campaigns, with multiple teams conducting separate phases of a cyber campaign. With President Trump’s refusal to re-certify Iran’s compliance with the 2015 Iran nuclear agreement, Wapack analysts are researching the continued efforts of Iranian-backed cyber threats in order to detect and defend against next moves. 

One common attribute is that they all engage in prolonged reconnaissance campaigns against their targets, at times lasting over a year. Greenbug, a cyber-espionage group with suspected Iranian ties, has been steadily advancing such campaigns. In August 2017, a Greenbug tool dubbed ISMAgent (an ISMDoor variant) resurfaced in the wild to harvest account credentials. Wapack Labs discovered evidence of ISMDoor variants relying on VB:Trojan.Valyria (possibly Clayside) for delivery, linking Greenbug to another group of Iranian actors known as OilRig. Wapack Labs assesses with moderate confidence that recent activity involving ISMDoor is an indicator of the ramping up of another cyber campaign cycle...READ MORE

Wapack Labs has cataloged and reported on Iranian cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

2018 Cyber Security Threat and Vulnerability Predictions

This report encapsulates our predictions regarding the most significant cyber threats and vulnerabilities for 2018.
  • Phishing: Will likely become more popular among novice and criminal hackers.
  • Account Targeting: Account credentials are increasingly available.
  • Democratization of Cyber Weapons: 2017 saw the most high-profile ransomware attack to date with the Wannacry worm.
  • Tor Network: 2018 is the year of fighting and winning against the abuse of the Tor network.
  • Macro Malware: The popularity of malicious macros for malware delivery continued strong in 2017.
  • Geopolitical Tensions: Iran and North Korea tensions continue.
  • Blockchain-related Cybercrime: With the establishment of Bitcoin futures and general interest in blockchain technologies, exploitation in this field grows too...READ MORE

Wapack Labs has cataloged and reported on cyber threats and vulnerabilities in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
