Huawei and ZTE Phones and Other Devices – Security Up for Sale

TLP AMBER ANNOUNCEMENT:

Huawei, a long-time Chinese telecommunications equipment competitor to the U.S. Cisco Systems, has earned a reputation for selling equipment that contains various cybersecurity, intellectual property, and quality control issues. Wapack Labs concurs with U.S. government agencies that Huawei and ZTE equipment are a cause for concern when considering supply chain equipment. Huawei and ZTE have higher than normal rates of cybersecurity issues due to a range of root causes. The United States, United Kingdom, Canada, Australia and South Korea began instituting measures to limit the use of Huawei and ZTE equipment in government and military-related communications as far back as 2003. The warnings were issued via reports to the U.S. Congress from the Intelligence Community, with ZTE officially banned for use by U.S. government agencies in 2013. These governments further began requiring that their contractors and vendors comply with contracting restrictions against the use of Huawei and ZTE equipment, for security reasons, even before the national security issues were made openly public in 2011.

Wapack Labs has cataloged and reported on Huawei and telecommunications in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Feb 12, 2018

On 12 February 2018, Wapack Labs identified 88 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:  

Reporting Period: February 12, 2018

Wapack Labs identified connections from 80 new unique IP addresses that are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

AZORult Stealer

AZORult is a publicly available information-stealing malware that is popular among hackers. AZORult is delivered via phishing e-mails and through Exploit Kits (EK), most notably the Rig EK. It collects information from victims by targeting a variety of applications for credential harvesting. In January 2018, Wapack Labs started analysis of AZORult nodes in an effort to identify stolen data. As part of this research, Wapack Labs gained insight into AZORult command-and-control (C2) servers. This report includes details on the AZORult malware and provides trending on the identified infrastructure. Wapack Labs analysts were able to recover over a million AZORult logs, which include data on victim IPs, e-mails, credentials, and attack server data. This information is listed in the Wapack Labs Blacklist Slack channel and is searchable via our CTAC tool to provide situational awareness.

Wapack Labs has cataloged and reported on AZORult malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Feb 06, 2018 

On 06 February 2018, Wapack Labs identified 36 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:  

Reporting Period: February 06, 2018

Wapack Labs identified connections from 1511 new unique IP addresses that are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Jan 29, 2018

On 29 January 2018, Wapack Labs identified 647 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: January 29, 2018

Wapack Labs identified connections from 713 new unique IP addresses that are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

Hacker Shop Selling Exfiltrated Data

TLP AMBER ANNOUNCEMENT:

Wapack Labs identified a hacker shop that sells batches of files exfiltrated from computers belonging to companies and corporations across various industries, including a local law enforcement agency, financial institutions, mining companies, and logistics organizations. The shop's victims are located in several countries, though most are in the United States (US). It sells financial data sources, including full credit card payment authorization forms. The shop has also exposed online banking check operations without obfuscation.

Wapack Labs has cataloged and reported on hacker shops in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 

Recent Chinese Exfiltration Method Observed

Chinese nation-state attackers (high confidence) recently used a Java web shell (Chropper.java) against a corporate network’s external web server to download an unidentified malware payload. The initial breach of the server occurred on 15 December 2017, likely leveraging a Cold Fusion exploit. On 18 December 2017, the attackers deployed a modified version of the web shell. The web shell came from a large collection of popular Chinese web shells uploaded to GitHub by a user who follows well-known Chinese security researchers. The attack sequence took place from 19 to 21 December 2017 and was detected on the 21st. Once connected, the attackers ran a PowerShell script that launched a payload which was never written to disk. The payload established persistence and injected into legitimate Windows processes to enumerate all drive letters from C to Z and identify the mapped drives on the server.

Wapack Labs has cataloged and reported on data exfiltration methods in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Jan 22, 2018

On 22 January 2017, Wapack Labs identified 922 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: January 22, 2018

Wapack Labs identified connections from 834 new unique IP addresses that are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

Iranian Protests: Propaganda War

Wapack Labs is monitoring the developments in the ongoing Iran protests. Wapack analysts continue to observe an increase in Internet restrictions and the disabling of communication applications: Facebook, Twitter, Telegram, Google, WhatsApp, and Signal. To date, ProtonMail’s free VPN service for Android phones and Psiphon, an app that circumvents network firewalls, are the only means of providing anonymity for Iranian citizens. As information censorship increases, so too does pro-regime propaganda. The current climate in Iran may give way to Iranian-backed threat actors targeting the anti-regime demonstrators. Wapack Labs assesses, with moderate confidence, that the cyber activity will remain confined to Iran, but continues to monitor the situation for movement affecting our customer base.

Wapack Labs has cataloged and reported on protests and cyber activity in Iran in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Asian Bitcoin Exchanges as Potential Hacker Targets

North Korea has been identified as conducting multiple thefts of Bitcoin cryptocurrency in 2017. These thefts have involved spearphishing attacks against at least two Bitcoin exchanges in South Korea that resulted in compromises of their systems and the loss of millions of dollars in Bitcoin. This appears to be part of a major North Korean campaign to acquire Bitcoin as a way to raise hard currency. This campaign was active through at least December 2017. Given the North Korean interest in Bitcoin and the success of their hacking efforts to date, other cryptocurrency exchanges in the region may also be at risk. As a guide to further monitoring of this situation, a listing of exchanges in South Korea and Japan was compiled. The Japanese list consists of those recently certified by the Japanese government and one that is still awaiting certification.

Wapack Labs has cataloged and reported on cryptocurrency related targeting in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

North Korea’s Illegal Campaign to Acquire Bitcoin

North Korea has been identified as conducting multiple thefts of Bitcoin cryptocurrency in 2017. Together with its identification as the actor behind the WannaCry ransomware, which was also an attempt to acquire Bitcoin, plus limited evidence of Bitcoin mining, these actions indicate that a major North Korean campaign is underway to acquire Bitcoin as a way to raise hard currency. North Korea was likely motivated to acquire Bitcoin, by any means, because of the currency’s rapidly increasing value in 2017, the possibility of hiding the thefts by converting Bitcoin into more obscure forms of cryptocurrency, and the convertibility of Bitcoin and these other cryptocurrencies to hard currency. While it is unusual for a nation-state to be involved in this type of theft, it is not much different from other North Korean criminal enterprises, which have included cyber bank robbery, illegal weapons sales, and counterfeiting U.S. currency.

Wapack Labs has cataloged and reported on North Korean cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT: 

Compromised Email Accounts
Reporting Period: Jan 16, 2018

On 16 January 2017, Wapack Labs identified 1371 ‘new’ unique email accounts compromised with keyloggers and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: January 16, 2018

Wapack Labs identified connections from 788 new unique IP addresses that are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

Vietnamese APT Actors Involved in Watering-Hole Attacks

Beginning in February 2017, a group of Vietnamese APT actors carried out a large campaign leveraging watering-hole attacks. The campaign is intended to conduct surveillance on entities within Southeast Asia and China. As part of the watering-hole attacks, the group leveraged a JavaScript reconnaissance framework to collect information on their targets. This report examines the malicious JavaScript framework leveraged by the attackers, provides information on attribution, and looks at the infrastructure behind the campaign.

Wapack Labs has cataloged and reported on APT activity and watering-hole attacks in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Iranian Protests: Communication Bans & Targeting of Protestors

Wapack Labs has been monitoring the developing Iran protests. By Day 9, Wapack analysts observed an uptick in Internet and communication restrictions, including social media platforms, phone applications, encrypted/secure messaging, Virtual Private Network (VPN) services, and other platforms. Formerly accepted by the Iranian government, the instant messaging service ‘Telegram’, which had tremendous activity on Day 2 of the protests, is now disabled. At the moment, Google is preventing Iranians from using the Google Search Engine and from using ‘Signal’, an end-to-end encrypted messenger that circumvents government filtering. To date, ProtonMail’s free VPN service for Android phones is the only means of providing anonymity for Iranian citizens. As the Iranian government continues to disrupt communications, it is implementing scare tactics to persuade protestors to stop the movement. Irancell, a mobile network service provider, is tracking down its users who have posted videos and pictures online and sending them text notifications warning them that they have been participating in illegal protests. Additionally, the Twitter account of the Tasnim News Agency (@Tasnimnews_Fa) is posting pictures of protestors, asking followers to identify them and report them to Iranian security forces. The current climate in Iran may give way to another wave of Iranian cyber hacktivists targeting the anti-regime demonstrators.

Wapack Labs has cataloged and reported on Iranian protests and communications in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Bypassing Antivirus using Amber (Reflective PE Packer)

Amber is a proof-of-concept tool used for bypassing antivirus software. Amber converts Portable Executables (PEs) into a form that loads them reflectively, which can be used as a multi-stage payload for infection on a target system. Amber takes advantage of in-memory execution methods. In-memory fileless execution can be defined as executing a compiled PE entirely in memory, without writing data to storage. This leaves a smaller footprint, as the malware does not leave a file on the hard drive, and it also makes detection difficult for antivirus and anti-malware solutions that rely on scanning files on disk.

Wapack Labs has cataloged and reported on anti-detection tools in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
