Meltdown and Spectre Exploitation Reporting

TLP AMBER ANNOUNCEMENT:

On 2 January 2018, the British newspaper The Register published an article describing a design flaw present in all of Intel’s modern processors. The bug is a possible vulnerability in the kernel page table isolation feature. The issue concerns how the microarchitecture performs speculative memory references and how an attacker may exploit them to defeat kernel address space layout randomization. This report provides situational awareness for our members. Watch for updates as major technology companies such as Apple, Amazon, Google, Microsoft, and VMware respond. Intel has already responded, stating that the allegations about these exploits are false and that any exploit is not unique to its chip design.

Wapack Labs has cataloged and reported on vulnerability exploitation in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

The Iranian Cyber Evolution: RATs, Backdoors, and Droppers

Wapack Labs has been monitoring Iranian cyber activity for several years, specifically the evolving OilRig and Greenbug campaigns. Their adoption of an operational paradigm that combines cyber hacktivism and cyber espionage tactics resembles the activity patterns of Chinese APT groups, in which different groups run different campaigns and multiple teams conduct separate phases of a single campaign. With President Trump’s refusal to re-certify Iran’s compliance with the 2015 Iran nuclear agreement, Wapack analysts are researching the continued efforts of Iranian-backed cyber threats in order to detect and defend against their next moves.

One common attribute is that they all engage in prolonged reconnaissance campaigns against their targets, at times lasting over a year. Greenbug, a cyber-espionage group with suspected Iranian ties, has been steadily advancing such campaigns. In August 2017, a Greenbug tool dubbed ISMAgent (an ISMDoor variant) resurfaced in the wild to harvest account credentials. Wapack Labs discovered evidence of ISMDoor variants relying on VB:Trojan.Valyria (possibly Clayside) for delivery, linking Greenbug to another group of Iranian actors known as OilRig. Wapack Labs assesses with moderate confidence that recent activity involving ISMDoor is an indicator that another cyber campaign cycle is ramping up.

Wapack Labs has cataloged and reported on Iranian cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


2018 Cyber Security Threat and Vulnerability Predictions

This report encapsulates our predictions regarding the most significant cyber threats and vulnerabilities for 2018.

  • Phishing: Will likely become more popular among novice and criminal hackers.
  • Account Targeting: Account credentials are increasingly available.
  • Democratization of Cyber Weapons: 2017 saw the most high-profile ransomware attack to date with the WannaCry worm.
  • Tor Network: 2018 is the year of fighting and winning against the abuse of the Tor network.
  • Macro Malware: The popularity of malicious macros for malware delivery remained strong in 2017.
  • Geopolitical Tensions: Tensions with Iran and North Korea continue.
  • Blockchain-related Cybercrime: With the establishment of Bitcoin futures and general interest in blockchain technologies, exploitation in this field is growing too.

Wapack Labs has cataloged and reported on cyber threats and vulnerabilities in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Implications of the EU General Data Protection Regulation

The European Union (EU) General Data Protection Regulation (GDPR) will go into force in May 2018. This is a comprehensive change to data protection regulation in the EU, but it will also require foreign companies that collect data on EU citizens to comply with its provisions. The GDPR establishes requirements in many areas that go beyond existing regulations or the security practices of U.S. companies. The greatest potential impact on U.S. companies and cybersecurity personnel is the schedule of penalties that can be imposed for data breaches or other failures to comply with the GDPR. Fines of up to $24 million or 4% of worldwide annual turnover for the year of the infraction can be levied against a company. This creates a possible opportunity for hackers who breach the data holdings of a major corporation: they can threaten to expose the breach, which would trigger huge fines, unless they are paid a substantial ransom to keep quiet.

Wapack Labs has cataloged and reported on data protection regulations in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Fraudulent Banking Website Part of Larger BEC Infrastructure

TLP AMBER ANNOUNCEMENT:

Business Email Compromise scams (BEC or BES) are a lucrative way for cybercriminals to gain high-value credentials and commit fraud. Losses resulting from BEC scams surpassed 5 billion dollars this year and are still rising. BEC scams target groups and individuals by masquerading as legitimate services and organizations. Recent activity in Iceland involves a fake website with ties to a larger infrastructure of domains designed for use in BEC scams. In this incident, over 100 people were victimized through the fake website, which tricked them into giving up financial credentials. These scams are difficult to defend against because they rely on social engineering and deceit rather than malware that early warning software can detect. The best defense against BEC scams is information sharing and networking.

Wapack Labs has cataloged and reported on Business Email Compromise scams in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

Gibon Ransomware Analysis

TLP AMBER ANNOUNCEMENT:

Wapack Labs analysts recently observed a handful of Gibon malware samples in the wild and are providing this report in the event the malware becomes more widespread. Gibon is a new ransomware family, named for the User-Agent and the name found in the specimen’s ASCII strings. The malware was originally marketed on May 11 and 12 on several hacker forums for $500. Advertised functionality includes recursive encryption of all files on the computer, a README.txt file with instructions to the victim, and encryption/decryption keys that are sent to the admin panel and used for decryption. It is delivered via spam emails containing a link to download a Microsoft Word document.

Wapack Labs has cataloged and reported on ransomware variants in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

Reaper IoT Botnet Exploits and Mitigations

TLP AMBER ANNOUNCEMENT:

Reaper is a recently discovered Internet of Things (IoT) botnet that is proving to be more sophisticated and aggressive than the infamous 2016 Mirai IoT botnet. Despite the large botnet size reported by Tenable, very few IoT Reaper specimens are available on VirusTotal and other malware sharing sites. This is important to note, as the number of specimens is often a reflection of the number of infections. For example, there are currently thousands of Mirai specimens as opposed to a few dozen IoT Reaper specimens. To date, no Distributed Denial of Service (DDoS) attacks have been observed from the IoT Reaper botnet. Wapack Labs analysts are providing this document as a summary of mitigations and indicators for Reaper malware and the exploits observed. Wapack Labs recommends testing all signatures before deployment.

Wapack Labs has cataloged and reported on IoT and botnets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Nov 7-12, 2017

Between Nov 7-12, 2017, Wapack Labs identified the following 366 unique email accounts as compromised by keyloggers and used to log into multiple types of organizations, including not only email services but also financial, social media, and other accounts. Passwords have been redacted to protect the users.

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: Nov 12, 2017

Wapack Labs identified connections from the following 256 unique IP addresses checking in with one of the many Wapack Labs sinkholes.

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.


This TLP AMBER report is available only to Red Sky Alliance members.

Possible Emerging Threat – Elastic Stack Targeting

On 5 November 2017, Wapack Labs identified potential targeting of the Elastic Stack (formerly known as ELK) for possible ransomware or extortion. While only two data points exist, this could suggest the beginning of a trend of attacks against Elastic instances. What is Elastic? The Elastic Stack, previously known as ELK, is an open source alternative to commercial aggregation and analysis tools like Splunk. With over 500,000 new downloads per month and 100M to date, Elastic is one of the largest distributions of analysis and visualization tools for high-end analytics. That makes Elastic a plentiful target.

Wapack Labs has cataloged and reported on potential targeting of analysis tools in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


New Emotet Tactics Employing Embedded URL Links

Emotet is a credential-stealing trojan with the ability to drop payloads and move laterally through networks. Emotet spreads by e-mail to addresses harvested from the address books of previous victims. In October 2017, Wapack Labs observed a new Emotet campaign targeting multiple industries. This recent campaign is characterized by changes in Tactics, Techniques, and Procedures (TTPs). These changes include the use of embedded URLs (or links) instead of attachments, and newly adopted obfuscation techniques. Emotet’s ability to spread to the contacts of compromised email accounts drives up the number of infections; e-mails propagated in this manner likely have a higher infection rate because they originate from a known contact. This report looks at the new TTPs observed, including changes in delivery, obfuscation, and the embedded Visual Basic macros.


VSAT and “x0rz”

In a recent cyber security report written by William Doyle and published in Maritime Reporter magazine, Doyle interviews an internet security researcher identified as “x0rz”. x0rz provides insight into how many shipboard VSAT systems can be reached through the public internet, with the resulting data being broadcast live in real time on Twitter. Thus, ships can be tracked and identified through services like Shodan. Shodan is a search engine that allows users to find electronic devices and computer systems connected to the internet, e.g., power plants, traffic signals, and even ships. x0rz discovered that some ships’ systems are not securely configured, which permits a remote attacker to gain access using default credentials.

x0rz describes in The Next Web News how he conducted research on a ship’s VSAT system. The system x0rz gained access to allowed a review of the call history from the ship’s VSAT phone. It also gave x0rz the ability to change system settings and even upload new firmware. x0rz logged in with the username “admin” and the password “1234”, thereby gaining access to the ship’s communication system. VSAT terminals are also popular aboard private jets and military aircraft.


Russia May Have Tried Maritime GPS Spoofing System

In a 22 June 2017 report, twenty (20) ships near the Russian Black Sea coast reported their GPS location as inland, at Gelendzhyk Airport. Similar GPS position malfunctions were noticed in automobiles driving near the Kremlin in Moscow, Russia. These GPS anomalies indicate that Russia is likely testing its GPS spoofing capability as a security measure for use in the event of a military conflict, both on land and at sea.

Iranian Cyber Campaign Evolutions – The Next Wave: Greenbug and Ismdoor

Greenbug is an Advanced Persistent Threat (APT) cyber-espionage group with suspected Iranian ties. In August 2017, a Greenbug tool dubbed Ismdoor resurfaced in the wild. The malware possesses many reconnaissance capabilities, and in August 2016 it was deployed to harvest account credentials prior to an attack against Saudi Arabian infrastructure. Wapack Labs assesses with moderate confidence that the presence of Ismdoor is an indicator that Greenbug may be performing reconnaissance for a future campaign.