Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT: 

Compromised Email Accounts
Reporting Period: Nov 7-12, 2017

Between 7 and 12 November 2017, Wapack Labs identified the following 366 unique email accounts as compromised by keyloggers. The stolen credentials were used to log into services at multiple types of organizations, not only email but also financial, social media and other accounts. Passwords have been redacted to protect the users.

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members. 

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: Nov 12, 2017

Wapack Labs identified connections from the following 256 unique IP addresses checking in with one of the many Wapack Labs sinkholes. A check-in means a host behind that address is running malware whose command-and-control domain has been sinkholed; because an address may be shared (NAT, proxies, carrier-grade NAT), confirm which host is responsible before treating the whole address as hostile.

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.


New Underground Market

Wapack Labs recently observed a new underground market trading a variety of illegal goods, including credit cards, fullz, exploits, botnet builders and installs, and other cybercrime-related goods. The market's structure and listings resemble those of another well-known market, and it may be run by the same individuals. One seller is offering GozNym 2.0 botnet installs; the same seller offers the botnet on other Tor-based black markets under the same alias. The market's fraud sections are extremely active. Although listings are heavily dominated by drugs and other non-cyber contraband, the cyber-fraud sellers are highly rated. Wapack Labs found that most highly rated sellers deal primarily in discounted gift cards obtained through carding, or in stolen electronics such as like-new Apple and Samsung products. Sellers at this level are also frequently observed making bulk sales of bank accounts and credit cards.

Wapack Labs has cataloged and reported on underground Tor markets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Malicious URLs Used in Phishing Attempt

On 7 November 2017, Wapack Labs, using its Cyber Threat Analysis Center (CTAC), observed multiple emails directing recipients to two phishing domains. The two domains used different URLs but served the same web page. The first is a compromised domain with an anti-virus detection ratio of 10/64 that has been in use since 12 June 2017; it is not flagged as suspicious by the Google Chrome browser. The second has a detection ratio of 11/65 and has been in use since 2 October 2017; Chrome does flag it as suspicious. Both domains are still active. The attempt appears to be a simple credential-stealing scheme: the phishing page is disguised as a Microsoft OneDrive login and asks users to enter their passwords. Wapack Labs is providing this warning report for situational awareness.

Wapack Labs has cataloged and reported on malicious URLs and phishing attempts in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


B.I.T.S Loader Attracting Cybercriminals

TLP AMBER ANNOUNCEMENT:

The Background Intelligent Transfer Service (BITS) is a legitimate Windows component that creates and manages asynchronous file transfer jobs over the network; Windows Update and other Microsoft products rely on it. Because it is a trusted, built-in service, activity that goes through it is not widely detected by AV solutions, which makes it attractive to cybercriminals for both malware delivery and persistence. Recent emails targeting the financial sector invoke BITS from heavily obfuscated Word documents and from LNK files. Monitoring BITS jobs in work environments is important for identifying unwanted or unauthorized downloads and uploads: a job can fetch a payload to disk, and a job's notification command can launch it when the transfer completes. BITS has previously been used to deliver malware such as the DarkComet RAT and GlobeImposter ransomware, and Wapack Labs assesses with high confidence that it will continue to be used for both delivery and persistence, particularly against Windows systems that would otherwise be considered highly locked down or security hardened. This report focuses on the two recent implementations and looks at other ways BITS is leveraged in the wild.
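A way to act on the monitoring recommendation above, as an added example that is not Wapack Labs' code: the script below triages BITS jobs exported from PowerShell (`Get-BitsTransfer -AllUsers`) against the patterns that matter when BITS is abused, namely downloads from hosts outside an allowlist, executables dropped into user-writable paths, upload jobs, and a `NotifyCmdLine` (the command BITS runs when a job completes, the usual persistence hook). The allowlist, the path fragments and the sample job records are assumptions constructed for illustration; `collect_jobs_windows` pulls live jobs on a Windows host and is not exercised offline.

```python
"""Triage BITS jobs exported from PowerShell for the misuse patterns described above.

Added example, not Wapack Labs' code. Allowlist, paths and sample jobs are
constructed assumptions; tailor them to the estate being monitored.
"""
import json
import subprocess
from typing import Dict, List
from urllib.parse import urlparse

# Hosts a job may legitimately pull from (assumption: adjust for your environment).
ALLOWED_HOST_SUFFIXES = (".windowsupdate.com", ".microsoft.com", ".windows.com")
# Directory fragments any user can write to (lower-case, backslash-delimited).
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
EXEC_EXT = (".exe", ".dll", ".ps1", ".vbs", ".js", ".hta", ".scr", ".bat", ".cmd")

# Constructed sample export. 203.0.113.7 is a documentation address, not a real C2.
SAMPLE_JOBS: List[dict] = [
    {"DisplayName": "Windows Update", "OwnerAccount": "NT AUTHORITY\\SYSTEM",
     "TransferType": "Download", "JobState": "Transferred", "NotifyCmdLine": None,
     "FileList": [{"RemoteName": "https://download.windowsupdate.com/d/msdownload/update.cab",
                   "LocalName": "C:\\Windows\\SoftwareDistribution\\Download\\update.cab"}]},
    {"DisplayName": "Update Check", "OwnerAccount": "CORP\\alice",
     "TransferType": "Download", "JobState": "Transferred",
     "NotifyCmdLine": "C:\\Users\\Public\\update.exe",
     "FileList": [{"RemoteName": "http://203.0.113.7/update.exe",
                   "LocalName": "C:\\Users\\Public\\update.exe"}]},
    {"DisplayName": "Backup", "OwnerAccount": "CORP\\alice",
     "TransferType": "Upload", "JobState": "Transferring", "NotifyCmdLine": None,
     "FileList": [{"RemoteName": "http://203.0.113.7/upload/report.docx",
                   "LocalName": "C:\\Users\\alice\\Documents\\report.docx"}]},
]


def host_allowed(url: str) -> bool:
    """True when the URL's host matches an allowlisted suffix."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in ALLOWED_HOST_SUFFIXES)


def triage_job(job: dict) -> List[str]:
    """Return the reasons this job deserves analyst attention (empty if none)."""
    findings = []
    if job.get("NotifyCmdLine"):
        findings.append("NotifyCmdLine set (runs on completion): %s" % job["NotifyCmdLine"])
    if str(job.get("TransferType", "")).lower().startswith("upload"):
        findings.append("upload job: possible exfiltration")
    for f in job.get("FileList") or []:
        remote, local = f.get("RemoteName", ""), f.get("LocalName", "")
        if not host_allowed(remote):
            findings.append("remote host not allowlisted: %s" % remote)
        low = local.lower()
        if low.endswith(EXEC_EXT) and any(d in low for d in USER_WRITABLE):
            findings.append("executable written to user-writable path: %s" % local)
    return findings


def triage(jobs: List[dict]) -> Dict[str, List[str]]:
    """Map job name -> findings for every job that has at least one."""
    result = {}
    for job in jobs:
        findings = triage_job(job)
        if findings:
            result[job.get("DisplayName", "?")] = findings
    return result


def collect_jobs_windows() -> List[dict]:
    """Pull live jobs on a Windows host via PowerShell (not exercised offline).

    Enum properties are stringified inside Select-Object so the JSON carries
    names rather than numbers; ConvertTo-Json emits a bare object for one job.
    """
    ps = ("Get-BitsTransfer -AllUsers | Select-Object DisplayName,OwnerAccount,NotifyCmdLine,"
          "@{n='TransferType';e={$_.TransferType.ToString()}},"
          "@{n='JobState';e={$_.JobState.ToString()}},"
          "@{n='FileList';e={@($_.FileList | Select-Object RemoteName,LocalName)}} "
          "| ConvertTo-Json -Depth 4")
    out = subprocess.run(["powershell.exe", "-NoProfile", "-Command", ps],
                         capture_output=True, text=True, check=True).stdout
    data = json.loads(out) if out.strip() else []
    return data if isinstance(data, list) else [data]


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_JOBS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On the sample data the Windows Update job produces no findings, the "Update Check" job is flagged three times (unknown host, executable dropped under Users\Public, and a NotifyCmdLine pointing at that executable), and the upload job is flagged as possible exfiltration to a non-allowlisted host. The same rules can be run over the Microsoft-Windows-Bits-Client/Operational event log, which records job creation and transfer URLs, for hosts where the job has already completed and been removed.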

Wapack Labs has cataloged and reported on malware targeting the financial sector in the past. An archive of related reporting can be found in the Red Sky Alliance portal.  


Possible Emerging Threat – Elastic Stack Targeting

On 5 November 2017, Wapack Labs identified potential targeting of the Elastic Stack (formerly known as ELK) for ransomware or extortion. Only two data points exist, but they could mark the beginning of a trend of attacks against Elastic instances. What is Elastic? The Elastic Stack, previously known as ELK (Elasticsearch, Logstash, Kibana), is an open source alternative to commercial log aggregation and analysis tools such as Splunk. With over 500,000 new downloads per month and 100 million to date, Elastic is one of the most widely deployed analytics and visualization platforms, which makes it a plentiful target. The usual exposure is an Elasticsearch HTTP API (port 9200 by default) reachable from the Internet without authentication; organizations should check their instances for that before assuming they are out of reach.

Wapack Labs has cataloged and reported on potential targeting of analysis tools in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


New Carding Shop

Wapack Labs observed a threat actor advertising a new carding shop on a hacking/carding forum. The actor first advertised the carding service on 21 July 2017 and has been an active member of the forum, frequently posting updates to the carding website. The shop currently offers more than 500,000 stolen credit cards from more than 100 banks, and updates its database with fresh cards on a bi-weekly basis. To access the shop, users must create a free account with a username, password, Jabber ID and ICQ number (fake details are accepted). Once the account is created, users can browse the site freely. Sections include news, cards, rules, orders, billing, checker and support. The cards section lists the stolen cards, sortable by database, bank name, type, card issuer, country, state, city or BIN. Full card information is shown before purchase. Prices ranged from $1 to $40 USD per card. The checker section lets users submit card details to test whether a card is still valid; the shop charges 30 cents per check and refunds a purchase if the card is found invalid within 5 minutes of purchase.

Wapack Labs has cataloged and reported on carding shops and fraud in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Russian ISP Doing Business with North Korea

On 1 October 2017, TransTeleCom, a Russian-owned telecommunications company, began routing North Korean Internet traffic. TransTeleCom owns one of the largest fiber-optic networks in the world and is a fully owned subsidiary of Russian Railways, a joint-stock company wholly controlled under the Russian Ministry of Transport. North Korea's external Internet connections were historically serviced by China Unicom; they are now provided by both China Unicom and TransTeleCom. IPv4 route allocation is 60 percent through TransTeleCom and 40 percent through China Unicom, while Unicom continues to provide 100 percent of North Korea's IPv6 routing. The contract between TransTeleCom and North Korea was originally signed in 2009. The recent Russian escalation appears to be in support of North Korea following U.S. Cyber Command Distributed Denial-of-Service (DDoS) attacks. Having routes through both China and Russia limits North Korea's dependence on any one country while it faces intense geopolitical pressure. The shift from predominantly Chinese hosting toward Russian support is primarily due to U.S. political pressure on China to sever ties with North Korea over its recent nuclear and missile tests, and to China's failure to shield North Korea from the recent U.S. DDoS attacks. TransTeleCom operates similarly to China Unicom, the existing North Korean Internet Service Provider (ISP), whose fiber runs along the Sino-Korean Friendship Bridge. TransTeleCom is believed to be delivering North Korea's Internet over the Korea-Russia Friendship Bridge, the only crossing between North Korea and Russia. Wapack Labs will continue to monitor malicious cyber activity originating from North Korean netblocks.

Wapack Labs has cataloged and reported on North Korean cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Dark Web Site Selling ATM Malware

Wapack Labs observed ATM malware being sold on a dark web site. The malware targets all models of Wincor Nixdorf ATMs; the site claims the Wincor 200xe series is the easiest to exploit. The malware currently costs $1,500.00 in Bitcoin for the first month (beginning 15 October 2017), after which the 'registration' fee doubles. The $1,500.00 buys one credit, valid for a single use on one ATM. To execute the attack, the buyer logs in to their account on the website and receives a code (for one credit). The malware then shows the attacker the amount of cash in each cassette inside the ATM, bypasses the normal ATM processes, and makes the machine dispense all the bills in the chosen cassette. The Tor site also links to videos demonstrating the fraudulent withdrawal, and provides a free 10-page step-by-step Word document explaining how to use the malware. The guide details the tools required, software instructions and notes on different ATM types, including how the ATMs operate and where to find the interior USB ports.

Wapack Labs has cataloged and reported on ATM malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


In Search of Router Scanner Used in Cyber Campaign

TLP AMBER ANNOUNCEMENT:  

Wapack Labs has attempted to identify the router scanner used in a cyber campaign conducted by a threat actor group believed to be a Chinese hacker group targeting Taiwan and Japan. All reporting on this group on the Chinese Internet consists of translations of the June 2017 Trend Micro report that first identified it; no independent analysis was found, and no references to the group's name predate the Trend Micro reporting. Searches on the Chinese term for "router vulnerability scanner" all returned the same tool, RouterhunterBR, written by a Brazilian security researcher named Jhonathan Davi who lives in Brasilia. The identification of RouterhunterBR as the tool possibly used in this campaign is circumstantial; the connection could be confirmed by checking whether the targeted routers contained any of the vulnerabilities the tool's author states it searches for.

Wapack Labs has cataloged and reported on Chinese hacking groups in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


New Emotet Tactics Employing Embedded URL Links

Emotet is a credential-stealing trojan with the ability to drop payloads and move laterally through networks. It spreads by email to addresses harvested from the address books of previous victims. In October 2017, Wapack Labs observed a new Emotet campaign targeting multiple industries. The campaign is characterized by changes in Tactics, Techniques, and Procedures (TTPs), including the use of embedded URLs (links) instead of attachments and newly adopted obfuscation techniques. Emotet's ability to spread to the contacts of compromised mailboxes drives up infections: emails propagated this way likely have a higher infection rate because they arrive from a known contact. This report looks at the new TTPs observed, including changes in delivery, obfuscation and the embedded Visual Basic macros.

Wapack Labs has cataloged and reported on Emotet malware and campaigns in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 


RSA ROCA Attack CVE-2017-15361

Wapack Labs observed a new variant of Coppersmith's attack against RSA, which affects RSA key pairs generated by a widely used Infineon cryptographic library found in Google Chromebooks and in Windows devices from Fujitsu, HP, Lenovo and Microsoft, among others. The attack, called the Return of Coppersmith's Attack (ROCA, CVE-2017-15361), lets an attacker recover the private key of such a key pair from the public key alone, with far less computation than previously thought, and it applies to cryptographic smartcards, security tokens and other secure hardware such as the Trusted Platform Modules (TPMs) used by BitLocker and other Windows 10 platform security features. Device manufacturers are already posting updates. Wapack Labs recommends that users of Chromebooks and of Google, Fujitsu, HP, Lenovo and Microsoft devices apply the RSA library update (most likely delivered as firmware) as soon as it is issued. Note that the update only fixes key generation going forward: any RSA key already generated by the vulnerable library remains factorable and must be regenerated or replaced after the update.
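A practitioner's first question is whether a given key was produced by the affected library. The screen below is an added example, not Wapack Labs' code, written from the public description of the vulnerable key structure: moduli N produced by the affected library satisfy N mod p in the subgroup of (Z/pZ)* generated by 65537 for every small prime p, so a random modulus fails the test at some small prime almost immediately while an affected key passes all of them. The prime bound of 167 follows the public detector; the two sample moduli are constructed for illustration and are not real keys.

```python
"""Screen RSA public moduli for the ROCA (CVE-2017-15361) fingerprint.

Added example, not Wapack Labs' code. Implements the structural test from the
public description of the attack; sample values are constructed, not real keys.
"""
from typing import Dict, FrozenSet, List, Optional

GENERATOR = 65537  # the public exponent the affected library builds its moduli from


def _odd_primes_up_to(limit: int) -> List[int]:
    """Simple sieve; the detector only needs the odd primes (N mod 2 is always 1)."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [p for p in range(3, limit + 1) if sieve[p]]


PRIMES = _odd_primes_up_to(167)  # 3, 5, ..., 167 (38 primes), as in the public detector


def _subgroup(p: int) -> FrozenSet[int]:
    """Cyclic subgroup of (Z/pZ)* generated by 65537 mod p."""
    g = GENERATOR % p
    members, x = set(), 1
    while x not in members:
        members.add(x)
        x = (x * g) % p
    return frozenset(members)


SUBGROUPS: Dict[int, FrozenSet[int]] = {p: _subgroup(p) for p in PRIMES}


def first_failing_prime(n: int) -> Optional[int]:
    """Smallest prime at which n breaks the ROCA structure; None if it never does."""
    for p in PRIMES:
        if n % p not in SUBGROUPS[p]:
            return p
    return None


def has_roca_fingerprint(n: int) -> bool:
    """True when n matches the structure at every small prime: treat the key as affected."""
    return first_failing_prime(n) is None


def modulus_from_hex(hex_modulus: str) -> int:
    """Parse a modulus as printed by `openssl rsa -pubin -noout -modulus` (Modulus=...)."""
    return int(hex_modulus.replace("Modulus=", "").replace(":", "").strip(), 16)


# Constructed illustrations (not real keys): a power of 65537 trivially has the
# ROCA structure; 3233 = 53 * 61 breaks it at p = 17.
STRUCTURED_SAMPLE = GENERATOR ** 7
RANDOM_SAMPLE = 53 * 61

if __name__ == "__main__":
    for label, n in (("structured", STRUCTURED_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(label, "fingerprint:", has_roca_fingerprint(n), "first failing prime:", first_failing_prime(n))
```

Feed `modulus_from_hex` the output of `openssl x509 -noout -modulus -in cert.pem` or `openssl rsa -pubin -noout -modulus -in key.pub` to test real certificates and keys. A positive result means the key should be replaced, not merely that the device should be patched; a negative result at the first few primes is expected for any properly generated key.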

Wapack Labs has cataloged and reported on cryptographic attacks and vulnerabilities in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 


Anonymous Sub-Group

A small sub-group of the Anonymous collective has recently begun offering hackers-for-hire on the underground. The group is known for past website defacements and for participation in #OpISIS, #OpIceISIS, #OpKillingBay and #OpFunKill, all official Anonymous operations. It runs a Tor-based forum believed to be intended for clients to interact with the team, though no clients have posted yet. Wapack Labs believes the group's leader and founder has advanced hacking skills; his Instagram and Twitter accounts carry several videos showing DDoS attacks against websites. He has used numerous aliases, which are provided in the report, and was previously a member of several other groups, including Powerful Greek Army (P.G.A), Phantom Squad and Zero0d3. Wapack Labs will continue to monitor the group, its leader and its Tor-based hacker-for-hire service.

Wapack Labs has cataloged and reported on Tor based groups and threat actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 


Key Reinstallation Attacks (KRACK)

Wapack Labs has identified a new research paper describing Key Reinstallation Attacks (KRACK), a cryptographic attack against the WPA2 protocol that affects essentially all modern Wi-Fi implementations, clients most seriously. The most severe variant affects Linux and Android devices running wpa_supplicant 2.4 or later, and about 41% of Android devices are vulnerable to it. An attacker within range of the victim's Wi-Fi can use KRACK to eavesdrop on, inject and manipulate traffic. The attack targets the WPA2 4-way handshake: when a client joins a network it performs the handshake with the access point, derives a fresh session key and uses it to encrypt all subsequent traffic. By replaying handshake messages, a KRACK attacker tricks the client into re-installing an already-in-use key, which resets the packet nonce and replay counter and causes keystream to be reused; on the affected Linux and Android devices the client re-installs an all-zero key, which makes decryption trivial. Wapack Labs has observed Linux patches being released and expects major distributions to have updates within 24-48 hours. As yet there is no publicly available proof-of-concept (PoC) code or scanner for this vulnerability. Microsoft has issued a patch, but Apple has not yet publicly addressed the issue. Many router manufacturers have issued public statements, but no patch information has been provided. An additional concern is that the many operating system variants are maintained by countless distributors, which complicates the release of patch information.

Wapack Labs has cataloged and reported on cryptographic attacks in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 


Cyber Threats Affecting Mauritania, Senegal, and Algeria

Cyber-crime in Africa is most often associated with the well-known 419 email scams. Although these fraud-motivated phishing tactics, particularly from West African threat actors, remain a major contributor to cyber-crime in the region, emerging Internet markets in these countries have led to an increase in more sophisticated hacking operations. A recent INTERPOL survey found that West African cybercriminals make an average of $2.7 million from fraud-based cyber-attacks targeting businesses and corporations, and as much as $422,000 from individuals. As the Internet becomes more accessible, governments and businesses in the region that are growing their online presence will become prime targets for cybercrime because of the substantial payout and poor security measures. Wapack Labs recommends that clients be aware of cyber threats when conducting business in this region and continue to track and monitor campaigns and threat actors in these countries. This report details cyber threats affecting three North and West African countries, Mauritania, Senegal and Algeria, including Wapack Labs reporting on actors and campaigns involving these countries, data trends and implemented cyber legislation.

Wapack Labs has cataloged and reported on geopolitical factors and cybercrime trends in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 


Iranian Cyber Campaign Evolutions – The Next Wave: Greenbug and Ismdoor

Greenbug is an Advanced Persistent Threat (APT) cyber-espionage group with suspected Iranian ties. In August 2017, a Greenbug tool dubbed Ismdoor resurfaced in the wild. The malware has extensive reconnaissance capabilities, and in August 2016 it was deployed to harvest account credentials ahead of an attack on Saudi Arabian infrastructure. Wapack Labs assesses with moderate confidence that the presence of Ismdoor indicates Greenbug may be performing reconnaissance for a future campaign. While Greenbug is not directly targeting Red Sky Alliance members, its targeting of Middle Eastern gas and energy companies affects multiple supply chains, with repercussions for U.S. and allied interests in the region. Wapack Labs analysts have also detected an evolution in Iranian cyber campaigns indicating likely adoption of cyber-espionage and hacktivism models similar to those of the Chinese APT groups, in which different groups are used for different campaigns and multiple teams conduct separate phases of a single campaign. Like the Chinese APT model, Iranian-originated campaigns are also conducted in waves. The resurgence of Greenbug and Ismdoor indicates that another Iranian cyber campaign cycle is being initiated in the Middle East.

Wapack Labs has cataloged and reported on APT groups and campaigns in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 


CVE-2017-12615

Wapack Labs observed a recent Common Vulnerabilities and Exposures (CVE) entry, CVE-2017-12615, being discussed on a Romanian hacker forum. A moderator posted an explanation of the vulnerability, a link to the National Vulnerability Database entry, and a GitHub link documenting how to weaponize it in the Metasploit framework. CVE-2017-12615 carries a high severity rating (CVSS 8.1/10): it allows an unauthenticated attacker to write files to Apache Tomcat 7.0.0 through 7.0.79 on Windows when the DefaultServlet is configured with readonly set to false, i.e. with HTTP PUT enabled. HTTP PUT places a resource at exactly the request URI, replacing any resource already there or creating one if none exists (PUT is idempotent, though its responses are not cacheable). Tomcat's PUT handling is meant to refuse JSP files, but on Windows a trailing slash in the requested filename bypasses that check, so successful exploitation lets an attacker upload a JSP file, request it and have its contents executed, gaining remote access to the system. Wapack Labs is providing this report to Red Sky Alliance members for situational awareness; with the CVE and methods posted in the wild, attackers are more likely to attempt this. Wapack Labs recommends that all Red Sky members running Apache Tomcat apply the security update (7.0.81 or later on the 7.0.x branch), confirm that readonly is not set to false on the DefaultServlet, and ask their Red Team to test network assets to ensure the patch was applied correctly.
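Two checks a practitioner would want after reading the above, as an added example that is neither Wapack Labs' nor the Apache project's code: a parser that reports whether a Tomcat `conf/web.xml` enables writes on the DefaultServlet, with a constructed weak configuration beside the hardened one, and a harmless PUT probe for an authorised test against a host you own. The XML fragments and the probe path are assumptions; the probe only contacts a host when it is called.

```python
"""Check a Tomcat conf/web.xml for the setting behind CVE-2017-12615, and probe PUT.

Added example, not Wapack Labs' or Apache Tomcat's code. Tomcat only honours
PUT (and DELETE) when the DefaultServlet's `readonly` init-param is false; the
default, with the parameter absent, is true. The web.xml fragments below are
constructed samples.
"""
import http.client
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed: writes enabled, the configuration the CVE needs.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed: hardened. Leaving `readonly` out is Tomcat's default (read-only).
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the namespace so Tomcat 7 (java.sun.com) and 8+ (xmlns.jcp.org) both parse."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml: str) -> bool:
    """False when the DefaultServlet accepts writes.

    Tomcat parses the value with Boolean.parseBoolean, so only a
    case-insensitive "true" keeps the servlet read-only; any other value
    (false, no, 0, ...) enables PUT and DELETE.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET:
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            params = {_local(c.tag): (c.text or "").strip() for c in init_param}
            if params.get("param-name") == "readonly":
                return params.get("param-value", "true").lower() == "true"
    return True  # parameter absent: Tomcat's default is read-only


def put_probe(host: str, port: int = 8080, path: str = "/put-probe.txt",
              use_tls: bool = False, timeout: float = 5.0) -> int:
    """Send a harmless text PUT and return the HTTP status code.

    201 (created) or 204 (overwritten) means the server accepted the write,
    i.e. readonly=false; 403 means it refused. A .txt succeeding shows PUT is
    enabled on any version; whether a .jsp can be planted depends on the
    version and the Windows bypass in the advisory. Remove the probe file
    afterwards (HTTP DELETE works under the same setting). For use only
    against hosts you are authorised to test.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("PUT", path, body=b"put-probe\n", headers={"Content-Type": "text/plain"})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    print("weak web.xml read-only:", default_servlet_readonly(WEAK_WEB_XML))
    print("hardened web.xml read-only:", default_servlet_readonly(HARDENED_WEB_XML))
```

Run `default_servlet_readonly` over every `web.xml` under the Tomcat install (the global `conf/web.xml` and each application's `WEB-INF/web.xml`, since an application can override the global DefaultServlet settings). A PUT that returns 201 on a host that was supposedly patched is the configuration finding; the version upgrade closes the JSP bypass but does not, by itself, turn writes off.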

Wapack Labs has cataloged and reported CVEs in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Attacker TTP: Discord Chat Application

On 12 October 2017, Wapack Labs observed underground conversations regarding Discord, a communication method gaining popularity among hackers. Discord is a chat and voice-over-IP (VoIP) application designed for gamers to use with teammates; it competes with other providers in the gaming market such as TeamSpeak and Ventrilo. Discord is free, with plans to monetize additional content such as application skins, emoticons and stickers in the future. Its ease of use and zero cost have drawn the attention of novice hackers. This complementary channel does not appear to replace forums, IRC, Jabber or other existing platforms: various underground forums and image boards have set up Discord servers for member chat alongside their usual IRC, Tor, Jabber and email offerings. Discord supports both voice and text chat. It is currently a convenient and affordable option for gamers, but with further sophistication it could develop into a viable communication channel for hackers.

Wapack Labs has cataloged and reported dark web communication channels in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Carding Shop in Possession of Stolen Credit Cards

The administrator of a dark web carding shop may be in possession of stolen credit cards from the recent Sonic breach, and is advertising carding services on numerous carding forums. On 28 September 2017, the shop posted a dump of five million credit cards, mostly from the US. Analysts assess with moderate confidence that all the data in this dump may come from the Sonic breach, and with high confidence that two unknown buyers recently purchased some of these cards. Wapack Labs assesses with moderate confidence that the administrator is the seller of the stolen data rather than the perpetrator of the breach, because the shop has a feature that lets members sell stolen cards to it. Wapack Labs will continue to monitor the forum and the persona to identify the threat actor.

Wapack Labs has cataloged and reported carding shops and stolen credit card dumps in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


8chan Vs. Anonymous

On 4 October 2017, Wapack Labs analysts observed a post on 8chan's image board linking to a raid against Anonymous on the "insurgency" board. Raids are commonly organized on image boards and consist of harassing a target by exposing personal information (doxing), SWATing, hacking, spamming, prank phone calls and other forms of remote harassment. The raid organizers claim they are sick of the Anonymous movement and that hacktivists are a bunch of annoying Social Justice Warriors (SJWs), a common derogatory term among image board users for people who campaign strongly for a cause. Several doxes of Anonymous members have been posted but have not yet been verified. Alternative communication channels for the raid, such as IRC and Discord, were once active but are not now. The raid started in June and remains active on 8chan's "insurgency" board, but the inactive side channels suggest it is losing popularity and will likely end soon. Wapack Labs analysts will continue to monitor 8chan's operations against Anonymous for any potential implications for our subscribers.

Wapack Labs has cataloged and reported image boards and activity involving Anonymous in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
