Possible Emerging Threat – Elastic Stack Targeting

On 5 November 2017, Wapack Labs identified potential targeting of the Elastic Stack (formerly known as ELK), possibly for ransomware or extortion. Only two data points exist so far, but they could mark the beginning of a trend of attacks against Elastic instances. What is Elastic? The Elastic Stack, previously known as ELK, is an open-source alternative to commercial log aggregation and analysis tools such as Splunk. With over 500,000 new downloads per month and 100 million to date, Elastic is one of the most widely deployed analysis and visualization platforms for high-end analytics, which makes for a plentiful target population.

Wapack Labs has cataloged and reported on potential targeting of analysis tools in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


New Emotet Tactics Employing Embedded URL Links

Emotet is a credential-stealing trojan with the ability to drop additional payloads and move laterally through networks. Emotet spreads by e-mail to addresses harvested from the address books of previous victims. In October 2017, Wapack Labs observed a new Emotet campaign targeting multiple industries. This campaign is characterized by changes in Tactics, Techniques, and Procedures (TTPs): the use of embedded URLs (links) in place of attachments, and newly adopted obfuscation techniques. Emotet's ability to mail itself to the contacts of compromised victims increases the number of infections, because e-mails that arrive from a known contact are likely to have a higher infection rate. This report looks at the new TTPs observed, including the changes in delivery, obfuscation, and the embedded Visual Basic macros.
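The following triage helper is an added example, not code from Wapack Labs or from the report summarized above. It shows how a mail gateway or analyst script can flag the delivery change described here: a message whose lure arrives as a link with nothing attached. The two sample messages are constructed for illustration, and the list of document extensions that earn a second look is an assumption based on the macro-bearing lures mentioned in the summary.

```python
"""Flag the link-instead-of-attachment delivery pattern in raw e-mail.

Added example, not Wapack Labs' code. The sample messages are constructed.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Matches http(s) URLs both in plain text and inside href="..." attributes.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Assumption: lures fetched by link are macro-bearing Office documents or
# archives, so links whose path ends in one of these extensions are flagged.
DOC_EXTENSIONS = {"doc", "docm", "docx", "xls", "xlsm", "xlsx", "rtf", "zip"}

# Constructed sample: lure delivered as a link, no attachment.
LINK_SAMPLE = """\
From: Known Contact <contact@example.net>
To: victim@example.com
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the document:</p>
<a href="http://example.invalid/docs/Invoice_4471.doc">View invoice</a>
</body></html>
"""

# Constructed sample: the older pattern, lure delivered as an attachment.
ATTACH_SAMPLE = """\
From: Known Contact <contact@example.net>
To: victim@example.com
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--b1
Content-Type: application/msword; name="Invoice_4471.doc"
Content-Disposition: attachment; filename="Invoice_4471.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""


def extract_urls(msg: EmailMessage) -> list[str]:
    """Return distinct http(s) URLs found in every non-attachment text part."""
    found: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        for url in URL_RE.findall(part.get_content()):
            if url not in found:
                found.append(url)
    return found


def has_attachment(msg: EmailMessage) -> bool:
    """True if any MIME part is carried as an attachment."""
    return any(True for _ in msg.iter_attachments())


def document_links(urls: list[str]) -> list[str]:
    """Subset of URLs whose path ends in a document or archive extension."""
    hits = []
    for url in urls:
        path = urlsplit(url).path
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in DOC_EXTENSIONS:
            hits.append(url)
    return hits


def triage(raw: str) -> dict:
    """Parse one raw RFC 5322 message and score it against the observed TTP."""
    msg = message_from_string(raw, policy=policy.default)
    urls = extract_urls(msg)
    attached = has_attachment(msg)
    return {
        "from": str(msg["From"]),
        "urls": urls,
        "has_attachment": attached,
        # The TTP change: the lure arrives as a link, nothing is attached.
        "link_only_delivery": bool(urls) and not attached,
        "document_links": document_links(urls),
    }


if __name__ == "__main__":
    for name, sample in (("link", LINK_SAMPLE), ("attachment", ATTACH_SAMPLE)):
        print(name, triage(sample))
```

The `link_only_delivery` flag alone is noisy, since plenty of legitimate mail carries links and no attachment; in practice it is combined with the sender-reputation and URL-reputation signals a gateway already has, and the `document_links` subset is the part worth sandboxing first.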


VSAT and “x0rz”

In a recent cyber security report written by William Doyle and published in Maritime Reporter magazine, Doyle interviews an internet security researcher identified as "x0rz". x0rz explains how many shipboard VSAT systems can be reached and penetrated through the public internet, and has posted findings live on Twitter as the research progressed. Ships can thus be tracked and identified through services like Shodan, a search engine that lets users find devices and computer systems connected to the internet, e.g., power plants, traffic signals and even ships. x0rz found that some ships' systems are not securely configured, which permits a remote attacker to gain access using default credentials.

In an interview with The Next Web, x0rz describes researching one ship's VSAT system. Logging in with the username "admin" and the password "1234" gave access to the ship's communication system; from there x0rz could review the call history of the VSAT phone, change the system settings, and even upload new firmware. VSAT terminals are also common aboard private jets and military aircraft.


Russia May Have Tried Maritime GPS Spoofing System

A 22 June 2017 report described twenty ships near the Russian Black Sea coast whose GPS receivers placed them inland, at Gelendzhyk Airport. Similar GPS position errors have been noticed in automobiles driving near the Kremlin in Moscow, Russia. These anomalies suggest that Russia is likely using GPS spoofing as a security measure and testing the capability for use in a military conflict, both on land and at sea.

Iranian Cyber Campaign Evolutions – The Next Wave: Greenbug and Ismdoor

Greenbug is an Advanced Persistent Threat (APT) cyber-espionage group with suspected Iranian ties. In August 2017, a Greenbug tool dubbed Ismdoor resurfaced in the wild. The malware has extensive reconnaissance capabilities, and in August 2016 it was deployed to harvest account credentials prior to an attack against Saudi Arabian infrastructure. Wapack Labs assesses with moderate confidence that the reappearance of Ismdoor indicates Greenbug may be performing reconnaissance for a future campaign.