Monday, April 30, 2018

NIST 800-171 Self Assessment

Did you know that last week, Lockheed Martin won a $1 billion contract to build hypersonic aircraft and technologies? 

Did you also know that NIST 800-171 compliance is going to be required to participate on the contract?

I thought I might take an opportunity to present an 'easy button'. We took the NIST Assessment document and turned it into a no cost, no obligation, online Self Assessment.  Fill in the correct contact information (as opposed to fake contact information) and at the end, we'll send you your individual responses.

The self assessment is located here: https://www.surveymonkey.com/r/BKTXJ89

If you're a small business (<500 employees) and need help, you can ask questions in the 'Compliance Corner' in the Red Sky Small Business Alliance, also provided at no charge for small businesses: https://redsky-sba.ning.com/compliance-corner.

Good luck.
Jeff

Tuesday, April 24, 2018

Implication of Russian Sanctions


Summary

During March-April 2018, dozens of Russian diplomats were expelled; hundreds of Russian Troll Factory-related accounts were banned; new travel and economic sanctions were levied, and more are expected. While Russia did expel diplomats symmetrically, it is exploring options for an asymmetric response ranging from intellectual property violations to cyberattacks.

Details

Blows Targeting Russia

In March 2018, 25 countries and NATO expelled dozens of Russian diplomats (intelligence officers) over the poisoning of an ex-spy in the UK (Figure 1).*1 The US closed Russia's Seattle Consulate; in response, Russia expelled the same number of diplomats and is closing the US Consulate in St. Petersburg.

On 15 March 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) put five Russian entities and 19 individuals under sanctions for significant malicious cyber-enabled activities. This was prompted in part by the NotPetya attack and other cyber events. But the main focus was on the Internet Research Agency (IRA, also known as “Russian Troll Factory”) actors.

On 3 April 2018, Facebook and Instagram banned over 200 accounts which were connected to IRA. Most of the ban affected Russian-speaking accounts. Many were media-related and one was a Moscow local government account. According to Facebook, they “removed this latest set of Pages and accounts solely because they were controlled by the IRA, but not based on the content.”*2 Later in April, Reddit will join Twitter and Facebook in identifying and freezing IRA-related accounts.*3

On 6 April 2018, the Trump administration unleashed a new round of Ukraine-related US sanctions on Russia. This action resulted in Russian oligarchs losing close to $12 billion in capitalization, and the Russian ruble also lost part of its value.*4

Currently, new sanctions are being discussed, and it is probable that the next round will relate to Russia's collaboration in Syria's use of chemical weapons against its opposition. Radical measures under discussion include placing Russia on the designated Foreign Terrorist Organizations (FTOs) list.

There are no signs of Russia stepping back. Publicly, Trump is sending signals that he desires a good relationship with Russia, and both countries are using de-escalation mechanisms to avoid direct military conflict in Syria and elsewhere in the world.

Russia is, and has been, on a long-term trajectory to expand its influence. This strategy involves military actions and cyber operations that encompass supporting the rogue regimes of North Korea, Iran, Syria, and Venezuela; not abandoning its foothold in Crimea; and opposing the dethroning of Assad in Syria. As long as these Russian diplomatic philosophies remain intact, relationships with the West will continue to deteriorate.

Russian Possible Response and Cyber

Russian actions and possible counter-actions are divided into five (5) important categories (diplomatic, kinetic, economic, information, and cyber):

1) Diplomatic actions included the symmetric expulsion of Western diplomats. Russia is not cooperating in the investigations of chemical weapon use in Douma, Syria, or of the ex-spy poisoning in the UK. Russia is trying to win new friends in Turkey and Austria.

2) Kinetic actions include continuation of low-scale military conflict in the Ukraine, successful expansion of Assad-controlled territories in Syria, and possible military bases in Sudan and other African countries.

3) Economic actions include expanding existing Russian programs of supporting entities under sanctions. Russia has a prepared bill to potentially target reciprocally Western corporations, and even to abolish Western patents and trademarks in Russia.*5 So far Russia is cautious with these measures as they are likely to backfire, but some steps in this direction are being initiated.

4) Information war includes continuation of the active information campaign against the West. Dana White, the chief Pentagon spokesperson, noted a 2,000 percent increase in Russian troll activity following the Syrian airstrikes.*6 At the same time, Russia has tightened control over its Internet. On 16 April 2018, the Russian censorship agency banned the Telegram messenger, which had refused to provide encryption keys. By 17 April 2018, the number of banned IPs had grown to 16 million as Telegram started using Amazon and Google cloud services.*7 The Russian censorship agency is currently threatening to audit and potentially ban Facebook unless Facebook moves Russian users' data to Russia and deletes unwanted information.*8

5) A cyber response from Russia is also likely as part of an asymmetric information war. Wapack Labs does not currently have much direct visibility into Russian APT moves, but we observe some inclinations among Russian hackers and we have learned much from the Russian APT activity uncovered during the last 2-3 years.

Russia remains a safe haven for financially motivated hackers who target other countries.

Both Russian APT groups and criminal hackers are using phishing and social engineering methods. For example, in April 2018, Wapack Labs reported how Russian spammers found a way to abuse the legitimate Email Report form for Google Analytics.*9

As Russia begins to censor the Telegram messenger, several high-profile Russian officials are publicly switching to ICQ. ICQ is still popular among hackers in many countries and is controlled by Russia, which gives Russia valuable visibility into the cyber underground.

Russia is blamed for escalating cyber attacks as it became clear that Russia had gained a concerning foothold in the energy sector and in networking equipment. The US reported that since at least March 2016, Russian government cyber actors have targeted government entities and multiple US critical infrastructure sectors, including the energy and nuclear sectors, among others.*10

A joint alert issued on 16 April 2018 by the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom's National Cyber Security Centre (NCSC) warns that Russian state-sponsored cyber actors are actively targeting home and enterprise routers. The alert provides an overview of Russian APT activity beginning in 2015 and continuing through 2016 and 2017. Hacked devices ranged from small home routers to ISP-grade routers and firewalls, with the attackers trying to hoard as many systems as possible. Attack vectors include Telnet, TFTP, SNMP, and SMI, protocols often exposed on routers that are known to include vulnerabilities and easily misconfigured options (see the Indicators table for the recorded IP indicators).*11

Conclusion

Relationships between Russia and the US continue to deteriorate, and de-escalation mechanisms have been only partially successful. In 2018, Russian information campaigns (Russian trolls) are a concern; Russian state-sponsored hackers continue to be active; and new methods of spoofing and social engineering are being developed. Russian campaigns were discovered to have compromised the US energy sector and networking infrastructure (routers). This prompted the US government to share information and urge a wide range of industries to pay more attention. Wapack Labs will continue to monitor new Russian TTPs.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com

*1 aa.com.tr/en/info/infographic/9483
*2 newsroom.fb.com/news/2018/04/authenticity-matters/ “Authenticity Matters: The IRA Has No Place on Facebook”
*3 www.reddit.com/wiki/suspiciousaccounts and www.reddit.com/r/announcements/comments/8bb85p/reddits_2017_transparency_report_and_suspect/
*4 bloomberg.com/news/articles/2018-04-09/russia-s-richest-lose-16-billion-in-selloff-over-u-s-sanctions
*5 sozd.parliament.gov.ru/bill/441399-7 [in Russian]
*6 www.dailymail.co.uk/news/article-5615877/Russian-troll-activity-increases-2-000-Syrian-airstrikes.html
*7 www.bleepingcomputer.com/news/government/russia-bans-18-million-amazon-and-google-ips-in-attempt-to-block-telegram/
*8 iz.ru/733380/siuzanna-farizova/so-svobodoi-vse-khorosho-s-otvetstvennostiu-plokho [in Russian]
*9 ctac-01.tac.wapacklabs.com/f5-w-68747470733a2f2f31302e302e312e3532$$/IR-18-095-001_Russian_Spam_from_Google_Analytics
*10 www.us-cert.gov/ncas/alerts/TA18-074A Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. March 15, 2018
*11 www.us-cert.gov/ncas/alerts/TA18-106A

Monday, April 23, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: April 23, 2018 

On 23 April 2018, Wapack Labs identified 1,037 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: April 23, 2018
 
Wapack Labs identified connections from 1,994 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM
 

This TLP AMBER report is available only to Red Sky Alliance members.

Tuesday, April 17, 2018

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: April 16, 2018
 
Wapack Labs identified connections from 706 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM
 
This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: April 16, 2018 

On 16 April 2018, Wapack Labs identified 53 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Monday, April 16, 2018

New Pony Loader Obfuscation Technique via Smoke Loader

Cyber actors are leveraging the infamous Smoke Loader downloader to deliver several malware families, including the Zeus, Neutrino and Chthonic banking trojans and crypto-mining software. The RIG exploit kit (EK) developers are currently using this downloader to deliver the Monero coin miner. Attackers are now delivering the Pony/Fareit malware wrapped by the PowerArchiver compressor (XXEncode 0.0), which significantly reduces the detection rate among anti-virus vendors (fewer than six detect it) because the encoded file is identified as a text file rather than an executable. Wapack Labs identified the secondary command and control (C2) infrastructure, which the operators continue to develop.
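As an added example (not code from Wapack Labs or the original post), a small Python content check for the XXEncode wrapping described above: it decodes an XXEncoded text blob and flags it when the decoded payload starts with the MZ magic of a Windows executable, so a "text file" that is really a wrapped binary does not pass unnoticed. The sample blob is constructed inline from a harmless fake PE stub, and the filename invoice.exe is a made-up placeholder.

```python
import re

# XXEncode alphabet: the index of a character is its 6-bit value.
XX_ALPHABET = "+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
XX_VALUE = {ch: i for i, ch in enumerate(XX_ALPHABET)}
BEGIN_RE = re.compile(r"^begin\s+[0-7]{3,4}\s+(.+?)\s*$")


def xxencode(data, name, mode="644"):
    """Encode bytes as XXEncode text, 45 input bytes per line (used to build the sample)."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):
        chunk = data[i:i + 45]
        padded = chunk + b"\0" * (-len(chunk) % 3)
        line = XX_ALPHABET[len(chunk)]  # leading symbol encodes the byte count of the line
        for j in range(0, len(padded), 3):
            v = (padded[j] << 16) | (padded[j + 1] << 8) | padded[j + 2]
            line += "".join(XX_ALPHABET[(v >> s) & 0x3F] for s in (18, 12, 6, 0))
        lines.append(line)
    return "\n".join(lines + ["+", "end"]) + "\n"  # zero-length line, then trailer


def xxdecode(text):
    """Decode an XXEncoded blob; returns (declared filename, payload bytes)."""
    lines = text.splitlines()
    start = next((i for i, ln in enumerate(lines) if BEGIN_RE.match(ln)), None)
    if start is None:
        raise ValueError("no XXEncode 'begin' header")
    name, out = BEGIN_RE.match(lines[start]).group(1), bytearray()
    for line in lines[start + 1:]:
        if line.strip() == "end":
            break
        if not line.strip():
            continue
        n = XX_VALUE.get(line[0])  # byte count; the lone "+" line decodes to zero bytes
        if n is None:
            raise ValueError("bad length symbol")
        chars = line[1:].rstrip()
        chars += "+" * (-len(chars) % 4)  # tolerate encoders that skip padding
        buf = bytearray()
        for j in range(0, len(chars), 4):
            vals = [XX_VALUE.get(ch) for ch in chars[j:j + 4]]
            if None in vals:
                raise ValueError("character outside XXEncode alphabet")
            v = (vals[0] << 18) | (vals[1] << 12) | (vals[2] << 6) | vals[3]
            buf += bytes([(v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF])
        out += buf[:n]  # drop padding bytes of the final group
    return name, bytes(out)


def hides_windows_executable(text):
    """True when the text XXEncodes a payload that starts with the MZ (DOS/PE) magic."""
    try:
        _, payload = xxdecode(text)
    except ValueError:
        return False
    return payload[:2] == b"MZ"


# Constructed sample: a harmless fake PE stub, not a real binary; the filename is a placeholder.
FAKE_PE = b"MZ" + b"\x90" * 58 + b"\x00" * 4 + b"This program cannot be run in DOS mode."
SAMPLE_BLOB = xxencode(FAKE_PE, "invoice.exe")
```

The same check can be run over any text attachment: a `begin`/`end` envelope whose decoded content carries an executable signature is worth quarantining regardless of what the file-type scanner labelled it.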

An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, April 13, 2018

China's Network Systems Department Update Summary

Continuing research on China's military cyber force, restructured at the start of 2016 and now called the Strategic Support Force Network Systems Department, indicates that operational security around this unit remains tight. Official references to this entity remain rare. Chinese citizens themselves are in the dark, often speculating online about what elements of the former PLA Third and Fourth Departments have been incorporated into the new structure.

The research did show that a new cover designator for the Network Systems Department is in use: PLA 32069 Unit.  This designator has shown up in several references, including procurement data tied to the address for the Network Systems Department compound in Beijing.

Many questions remain about whether this entity has a cyber attack mission in addition to a cyber collection mission. What relationship it has to known cyber actors in the PLA's Technical Reconnaissance Bureaus remains unclear.

Wapack Labs has cataloged and reported on numerous Chinese cyber threats in the past.  An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

Tuesday, April 10, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: April 9, 2018 

On 9 April 2018, Wapack Labs identified 62 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:
Reporting Period: April 9, 2018

Wapack Labs identified connections from 652 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Friday, April 6, 2018

Hacking Inside China

Western media frequently reports on Chinese cyber operations against other countries but rarely on hacking operations inside China itself. Chinese media does describe problems with cybercrime inside their own country and how these problems are being confronted by Chinese law enforcement. In general, Chinese official and other media describe internal cybercrime as operations by Chinese hackers against Chinese targets for financial gain. This is reported as a serious problem that is growing significantly year-on-year. Official reporting is incomplete and usually refers just to cases that have been uncovered and prosecuted. Some 2017 reporting discussed up to 4,000 arrests in a year and nearly US$500 million tied to criminal cases.

The internal cybercrime that received the most reporting included:
  • Theft of personal data for sale to others
  • Theft of cash by compromising financial applications
  • Writing malware for sales to others who use them for financial gain
  • Writing game cheats used for financial gain or better gameplay
Chinese government reporting on cybercrime, and on its efforts to quell it, could be interpreted as an indication that whatever intrusions are being conducted against targets in the United States are being accomplished by, or with the sanction of, the Chinese government.

Wapack Labs has cataloged and reported on numerous Chinese cyber threats in the past.  An archive of related reporting can be found in the Red Sky Alliance portal.


Tuesday, April 3, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: April 2, 2018 

On 2 April 2018, Wapack Labs identified 98 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:
Reporting Period: April 2, 2018

Wapack Labs identified connections from 656 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Mar 26, 2018 

On 26 March 2018, Wapack Labs identified 21 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Monday, April 2, 2018

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: March 26, 2018
 
Wapack Labs identified connections from 692 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM
 
This TLP AMBER report is available only to Red Sky Alliance members.