Sunday, July 21, 2019

REDXRAY Threat Report - National Defense Transportation

National Defense Transportation

REDXRAY Threat Report

This RedXRay report shows intelligence identified in the last 24 hours. For each organization show, Wapack Labs counts the number of times the organization was identified in each of the eight databases we maintain. Paid subscribers receive full access to logs and alerts associated with each of these summary report. For more information, please visit https://www.wapacklabs.com/redxray.

All hits in this notification should be investigated by an analyst before being actioned or blocked. For more information, please contact Wapack Labs at 888-733-9729.

Radiant Global Logistics

Botnet Tracker - 0 Breach Data - 0 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 225 Sinkhole Traffic - 0 ThreatRecon Records - 0

UPS

Botnet Tracker - 0 Breach Data - 0 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 1 Sinkhole Traffic - 0 ThreatRecon Records - 0

USAF AMC/A9

Botnet Tracker - 0 Breach Data - 0 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 816 Sinkhole Traffic - 0 ThreatRecon Records - 0

USTRANSCOM

Botnet Tracker - 0 Breach Data - 0 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 14 Sinkhole Traffic - 0 ThreatRecon Records - 0

Verizon.net

Botnet Tracker - 0 Breach Data - 0 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 8 Sinkhole Traffic - 0 ThreatRecon Records - 0

Wounded Warrior Project

Botnet Tracker - 0 Breach Data - 0 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 455 Sinkhole Traffic - 0 ThreatRecon Records - 0

XPO Logistics

Botnet Tracker - 0 Breach Data - 0 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 1

What does this mean?

Botnet_tracker

If your IP address is found in botnet tracker, it means that it was seen in communication with a malicious endpoint. This does not automatically indicate a malware infection as there are a number of reasons why two IP addresses might communicate. The traffic should first be inspected before escalating to incident responders.

Keylogger

A keylogger hit means your domain or IP address appeared in a keylogger output file. This would mean one of the following things: 1) A keylogger malware is running on your network. 2) A username and password belonging to an employee was captured by a keylogger. 3) An email address was observed in clipboard data on an infected computer. For example, somebody cut and paste an email address belonging to your organization. The raw source data must first be investigated to determine the course of action. 

Malicious Emails

If your domain or IP address shows up in this collection, it means it was observed in the header of an email that has been identified as malicious (1 or more AV detection). The raw email should be inspected to see whether it was sent to or from your organization, or if it was spoofed using your organization's data. It should be noted that some AV vendors classify emails as malicious when they are actually benign. All malicious emails hits only indicate targeting, not malware infections.

Pastebin

A pastebin hit simply means your information was observed in a paste on pastebin.com. There are numerous reasons information would be contained in a paste – some malicious and some benign. Each pastebin hit must be individually analyzed to determine context.

Sinkhole data

A sinkhole hit means your IP was observed in weblogs from our sinkhole server. Similar to the botnet_tracker hits, it only means that communication was observed. The nature of that communication needs to be determined from the raw sinkhole record. If the sinkhole hit is a result of a malware infection, then the information should be referred to incident responders. 

Breach Data

Breach data hits are from public database leaks. Depending on the nature of the leaked database, exposed information may vary from just email addresses, to username and password combinations and other personally identifiable information. RedXray contains the raw breach data so you can easily see what type of data has been exposed. If the breach data contains passwords then Wapack Labs recommends enforcing a password reset and investigating whether there has been unauthorized access of the account.

Threat Recon

Threat recon consists of both primary sourced indicators and open sourced indicators from dozens of sources. Each hit from this collection should be individually analyzed as each source has different context. Threat recon records contain references to the original source.