China Bank Regulation and Foreign Bank Access

During 2017, Chinese banking regulatory agencies have issued a series of new banking restrictions with serious impact on Chinese banking practices and potential impact on foreign financial institutions as well. They have been forcing compliance with the new regulations with USD $400 million in fines on banking institutions in 2017 alone. The key measures introduced include:

• Stamping out cryptocurrencies - The government has ordered all bitcoin/cryptocurrency exchanges in China to cease operations, and it was using electrical power control to close bitcoin mining operations.
• Suppression of underground banks - To prevent foreign exchange transactions by unauthorized entities abroad, the government blacklisted 40 entities and apparently blocked access to their websites from inside China.
• Slowing capital outflow - The government targeted capital outflows by cracking down on underground money transfers and restricting large overseas mergers and acquisitions.
• Foreign bank access - However, one component of this effort involved a relaxation of regulations rather than a tightening up. In November 2017 China announced that it would soon allow foreign companies to own Chinese banks and investment firms. The cap on foreign investment in Chinese banks will be removed and foreign investors will be allowed to own 51% in financial institutions. Now, foreign banks which set up branches in China will be allowed to conduct business directly with Chinese in Chinese yuan...READ MORE

Wapack Labs has cataloged and reported on Chinese banking regulations in the past. An archive of related reporting can be found in the Red Sky Alliance portal.  

WWW.WAPACKLABS.COM

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts

Reporting Period: Feb 20, 2018

On 20 February 2018, Wapack Labs identified 9 unique email accounts compromised with keyloggers, and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: February 20, 2018

Wapack Labs identified connections from 898 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

 

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

 

This TLP AMBER report is available only to Red Sky Alliance members.

Huawei and ZTE Phones and Other Devices – Security Up for Sale

TLP AMBER ANNOUNCEMENT: 

Huawei, a long time Chinese telecommunications equipment competitor to the U.S. Cisco Systems, has earned a reputation for selling equipment that contains various cybersecurity, intellectual property, and quality control issues. Wapack Labs concurs with U.S. government agencies that Huawei and ZTE equipment are a cause for concern when considering supply chain equipment. Huawei and ZTE have higher than normal rates of cybersecurity issues due to a range of root causes. The United States, United Kingdom, Canada, Australia and South Korea began instituting measures to limit Huawei, and ZTE equipment from being used relative to government and military related communications as far back as 2003. The warnings were issued via reports to the U.S. Congress from the Intelligence Community, with ZTE officially banned for use by U.S. government agencies in 2013. They further started instituting that government contractors and vendors also comply with contracting restrictions against vendor and contractor utilization of Huawei and ZTE equipment for security reasons even before the national security issues were made openly public in 2011...READ MORE

Wapack Labs has cataloged and reported on Huawei and telecommunications in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts

Reporting Period: Feb 12, 2018

On 12 February 2018, Wapack Labs identified 88 unique email accounts compromised with keyloggers, and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: February 12, 2018

Wapack Labs identified connections from 80 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

 

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

 

This TLP AMBER report is available only to Red Sky Alliance members.

AZORult Stealer

AZORult is a publicly available information-stealing malware that is popular among hackers. AZORult is delivered via phishing e-mails and with the use of Exploit Kits (EK), most notably the Rig EK. It collects information from victims by targeting a variety of applications for credential harvesting. In January 2018, Wapack Labs started analysis of AZORult nodes in an effort to identify stolen data. As part of this research, Wapack Labs gained insight into AZORult Command and Controls (C2). This report includes details on the AZORult malware and provides trending on the identified infrastructure. Wapack Labs analysts were able to recover over a million AZORult logs, which include data on victim IPs, e-mails, credentials, and attack server data. This information is listed in the Wapack Labs Blacklist Slack channel and searchable via our CTAC tool to provide situational awareness...READ MORE

Wapack Labs has cataloged and reported on AZORult malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Feb 06, 2018

On 06 February 2018, Wapack Labs identified 36 unique email accounts compromised with keyloggers, and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: February 06, 2018

 

Wapack Labs identified connections from 1511 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

 

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

 

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Jan 29, 2018

On 29 January 2018, Wapack Labs identified 647 unique email accounts compromised with keyloggers, and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT: 

 

Reporting Period: January 29, 2018
 

Wapack Labs identified connections from 713 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

 

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

 

This TLP AMBER report is available only to Red Sky Alliance members.

Hacker Shop Selling Exfiltrated Data

TLP AMBER ANNOUNCEMENT:

Wapack labs identified a hacker shop that sells batches of files exfiltrated from computers that belong to companies and corporations from various industries, such as a local law enforcement agency, financial institutions, mining companies, and logistic organizations. The shop's victims are located in several countries, though most are in the United States (US). It sells financial data sources, to include full credit card payment authorization forms. The shop has also exposed online banking check operations without obfuscation...READ MORE

Wapack Labs has cataloged and reported on hacker shops in the past. An archive of related reporting can be found in the Red Sky Alliance portal.  

 WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.