Friday, March 23, 2018

China Government Hacker Resurgent

In 2015, China and the United States signed a bilateral cyber agreement pledging that neither would conduct cyber operations to steal intellectual property from the other. In 2016, a major drop in such intrusions was noted. By 2017, however, several new cases of cyber intrusion against defense contractors and other commercial entities were identified, which raises the question of whether the Chinese have in fact been constrained by the 2015 agreement. Wapack Labs reviewed the major cyber operations cases of 2017 that appeared to have Chinese origins, to assess the current trends in government-sponsored operations and answer two questions: is China currently abiding by this agreement, and has being a signatory to the agreement constrained Chinese government behavior in any meaningful way?...

Wapack Labs has cataloged and reported on Chinese state-sponsored cyber operations in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
  
WWW.WAPACKLABS.COM

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
 
Compromised Email Accounts
Reporting Period: Mar 19, 2018 
 
On 19 March 2018, Wapack Labs identified 60 unique email accounts compromised by keyloggers and used to log into mostly personal and organizational accounts. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: March 19, 2018
 
Wapack Labs identified connections from 782 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

 
This TLP AMBER report is available only to Red Sky Alliance members.

Wednesday, March 21, 2018

An Overview of Middle Eastern and North African Hacking Activity

Cybercriminals in the Middle East/North Africa (MENA) region are among the most cooperative and united groups of hackers in the world when their goal is to attack the West. Hacktivists collaborate for financial and political gain, as well as for religious righteousness. Cyber prevention is often difficult because many cyber security experts do not understand Arabic hacker websites, databases and infrastructure. Wapack Labs believes MENA actors will remain active and successful in various cyber campaigns against the West until the West attains a better understanding of the region’s language, culture, and religions...

Wapack Labs has cataloged and reported on cyber threats operating in the Middle East/North Africa in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Tuesday, March 20, 2018

Kuwait Energy Targeting

Wapack Labs has exposed a large number of cyber events affecting the oil-rich country of Kuwait and its oil and gas industry. Over 34,000 hits were observed in the Wapack Labs Cyber Threat Analysis Center (CTAC). These incidents represent ongoing penetration attempts with malicious emails, as well as systems already compromised by hackers. Among the targeted organizations are a shipping company that supplies the oil and gas, petrochemical, marine, and other industries, and a regional Kuwaiti construction company serving the oil, education and other sectors. More incidents were discovered via CTAC and are being further analyzed...
 
Wapack Labs has cataloged and reported on cyber threats targeting the oil and gas industry in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, March 16, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Mar 12, 2018 

On 12 March 2018, Wapack Labs identified 223 unique email accounts compromised by keyloggers and used to log into mostly personal and organizational accounts. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: March 12, 2018
 
Wapack Labs identified connections from 858 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

 
This TLP AMBER report is available only to Red Sky Alliance members.

Thursday, March 15, 2018

SWIFT: India City Union Bank Heist

TLP AMBER ANNOUNCEMENT:

On Saturday, 17 February 2018, India’s City Union Bank disclosed that its systems had been hacked. The bank discovered three fraudulent remittances, totaling nearly $2 million, sent to accounts in Dubai, Turkey, and China via the SWIFT financial platform. SWIFT, the Society for Worldwide Interbank Financial Telecommunication, is the world’s largest electronic payment messaging system, facilitating the exchange of more than $6 trillion a day. The majority of international interbank messages use the SWIFT network, which enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable format. SWIFT carries payment orders, which must be settled through correspondent accounts that the institutions maintain with each other. Past SWIFT bank heists have been attributed, with medium confidence, to North Korean actors...

Wapack Labs has cataloged and reported on cyber threats targeting SWIFT in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

Friday, March 9, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Mar 05, 2018

On 05 March 2018, Wapack Labs identified 211 unique email accounts compromised by keyloggers and used to log into mostly personal and organizational accounts. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: March 05, 2018
 
Wapack Labs identified connections from 104 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

 
This TLP AMBER report is available only to Red Sky Alliance members.

REMCOS Remote Administration Tool

REMCOS is a new, publicly available Remote Administration Tool (RAT) that has become popular with hackers. Since January 2018, over 1,400 samples have been submitted to VirusTotal, indicating the RAT is growing in popularity. Recent changes to its Tactics, Techniques, and Procedures (TTPs) include embedding payloads in MP3 and JPEG files, resulting in little to no Antivirus (AV) detection and significantly increasing the likelihood of infection. The malware in this report downloads payloads embedded in other files that currently have little or no detection, which may indicate the possibility of a high infection rate...

Wapack Labs has cataloged and reported on Remote Administration Tools in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, March 2, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Feb 26, 2018

On 26 February 2018, Wapack Labs identified 80 unique email accounts compromised by keyloggers and used to log into mostly personal and organizational accounts. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: February 26, 2018

Wapack Labs identified connections from 893 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

 
This TLP AMBER report is available only to Red Sky Alliance members.

Thursday, March 1, 2018

Bosnia and Herzegovina Cyber Profile

Bosnia and Herzegovina is a country in Southeastern Europe formerly part of the Republic of Yugoslavia. Since the dissolution of Yugoslavia, Bosnia and Herzegovina has experienced infighting among ethnically and religiously motivated hacktivist groups, as well as activity by commercially motivated hackers. Current cyber laws are not fully enacted, yet the country cooperates fully in fighting cybercrime. Bosnian hackers use Bosnian, Serbian, German, English, and other languages to communicate. Due to recent international arrests, many Bosnian groups have been driven underground. Based on our current data, the threat Bosnian hackers pose to the West is low...

Wapack Labs has cataloged and reported on international cyber profiles in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
