Implication of Russian Sanctions

During March and April 2018, dozens of Russian diplomats were expelled, hundreds of accounts linked to the Russian Troll Factory were banned, and new travel and economic sanctions were levied.

New sanctions are currently being discussed, and it is probable that the next round will relate to Russian collaboration in Syria's use of chemical weapons against its opposition. Radical measures under discussion include placing Russia on the list of designated Foreign Terrorist Organizations (FTOs).

There are no signs of Russia stepping back. Publicly, Trump is sending signals that he desires a good relationship with Russia, yet both countries are using de-escalation mechanisms to avoid direct military conflict in Syria and other areas of the world...

Wapack Labs has cataloged and reported on Russian cyber threats and geopolitical events in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

Pamela Bierau
Intel will not fix all Processor Models affected by Spectre v2

The Intel Corporation has publicly admitted that it will not fix all of the processor models affected by the Spectre variant 2 (V2) side-channel attack.

In a recent Microcode Revision Guidance update published by Intel, various CPU models are listed as not receiving fixes. Intel stated that it would not be possible to address the Spectre design flaw in its older CPUs, because fully mitigating the issue requires changes to the processor architecture.

Full Report Link

Wapack Labs has cataloged and reported on AZORult malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

AZORult Stealer

AZORult is a publicly available information-stealing malware that is popular among hackers. AZORult is delivered via phishing e-mails and through Exploit Kits (EKs), most notably the Rig EK. It collects information from victims by targeting a variety of applications for credential harvesting. In January 2018, Wapack Labs began analyzing AZORult nodes in an effort to identify stolen data. As part of this research, Wapack Labs gained insight into AZORult command-and-control (C2) infrastructure. This report includes details on the AZORult malware and provides trending on the identified infrastructure. Wapack Labs analysts were able to recover over a million AZORult logs, which include data on victim IPs, e-mails, credentials, and attack server data. This information is listed in the Wapack Labs Blacklist Slack channel and is searchable via our CTAC tool to provide situational awareness.

Full Report Link

Wapack Labs has cataloged and reported on AZORult malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Recent Chinese Exfiltration Method Observed

Chinese nation-state attackers (high confidence) recently used a Java web shell (Chropper.java) against a corporate network's external web server to download an unidentified malware payload. The initial breach of the server occurred on 15 December 2017, likely leveraging a ColdFusion exploit. On 18 December 2017, the attackers deployed a modified version of the web shell. The web shell came from a large collection of popular Chinese web shells uploaded to GitHub by a user who follows well-known Chinese security researchers. The attack sequence took place from 19 to 21 December 2017 and was detected on the 21st. Once connected, the attackers ran a PowerShell script that executed a payload in memory; the payload was never written to disk. It established persistence and injected into legitimate Windows processes to enumerate all drive letters from C to Z, identifying every mapped drive on the server.

Full Report Link

Wapack Labs has cataloged and reported on data exfiltration methods in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

North Korea’s Illegal Campaign to Acquire Bitcoin

North Korea has been identified as conducting multiple thefts of Bitcoin cryptocurrency in 2017. Taken together with its identification as the actor behind the WannaCry ransomware, which was also an attempt to acquire Bitcoin, plus limited evidence of Bitcoin mining, these actions indicate that a major North Korean campaign is underway to acquire Bitcoin as a way to raise hard currency. North Korea was likely motivated to acquire Bitcoin by any means because of the currency's rapidly increasing value in 2017, the possibility of hiding the thefts by converting Bitcoin into more obscure cryptocurrencies, and the convertibility of Bitcoin and those other cryptocurrencies into hard currency. While it is unusual for a nation-state to be involved in this type of theft, it is not much different from other North Korean criminal enterprises, which have included cyber bank robbery, illegal weapons sales, and counterfeiting of U.S. currency.

Full Report Link

Wapack Labs has cataloged and reported on North Korean cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Vietnamese APT Actors Involved in Watering-Hole Attacks

Beginning in February 2017, a group of Vietnamese APT actors carried out a large campaign leveraging watering-hole attacks. The campaign is intended to conduct surveillance on entities within Southeast Asia and China. As part of the watering-hole attacks, the group leveraged a JavaScript reconnaissance framework to collect information on their targets. This report examines the malicious JavaScript framework used by the attackers, provides information on attribution, and looks at the infrastructure behind the campaign.

Full Report Link

Wapack Labs has cataloged and reported on APT activity and watering-hole attacks in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

2018 Cyber Security Threat and Vulnerability Predictions

This report encapsulates our predictions regarding the most significant cyber threats and vulnerabilities for 2018.

  • Phishing: Will likely become more popular among novice and criminal hackers.
  • Account Targeting: Account credentials are increasingly available.
  • Democratization of Cyber Weapons: 2017 saw the most high-profile ransomware attack to date with the WannaCry worm.
  • Tor Network: 2018 is the year of fighting and winning against the abuse of the Tor network.
  • Macro Malware: The popularity of malicious macros for malware delivery remained strong in 2017.
  • Geopolitical Tensions: Tensions with Iran and North Korea continue.
  • Blockchain-related Cybercrime: With the establishment of Bitcoin futures and general interest in blockchain technologies, exploitation in this field is growing too...

Full Report Link

Wapack Labs has cataloged and reported on cyber threats and vulnerabilities in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
