Saturday, May 12, 2012

Red Sky Weekly Update - 5/12/12

Morning all,

It's been another great week.
  • On Monday we released our eighth Red Sky Fusion Report detailing a long known attacker group using of a new process! 17 pages of analytics and three pages of snort signatures and kill chain formatted indicators.
  • We identified (on a hunch) a new ISP that after further analysis in the group, turns out to be a bad -really bad ISP. After posting requests for information to the portal, we had members submit several HUNDRED pages of data supporting our initial hunch.
  • We were interviewed by Gartner this week after showing up in CSOOnline last week. I've known Anton through the Honeynet Project for years (and even before that!), so it was a really good talk. 
As of this week, we've closed Founding Memberships in the financial sector. Founding Memberships are still available outside of the Banking/Finance industry, but they're closing fast too. Want one of those framed Plankowner Certificates? Membership rate guarantee? Advisory Board member? Unfiltered access to the portal? Founding members receive all of this with a half price membership for a two year commitment.

It's a warm sunny morning in New Hampshire. Time to fire up the diesel Kubota and spend the morning mowing the lawn and cleaning up the orchard. So, until next time.

Have a great weekend!
Jeff

Monday, May 07, 2012

Published: FR12-008 – “Team Taidoor” with updated TTP


FR12-008 details targeted spear-phishing aimed at a Red Sky member. Red Sky is tracking this group of attackers under the name Team Taidoor.  Interestingly enough, Taidoor has been reported in open source for at least a year. FR12-008 includes a compiled list of more than 150 “Team Taidoor” indicators, with referencing in Kill Chain format, and details of what is believed to be a new downloader and possible updated team TTP. Red Sky analysts also crafted SNORT signatures to detect on the new downloader as well as the Taidoor variant.

Another interesting characteristic of Team Taidoor is their continued and persistent targeting of specific individuals. If at first you don’t succeed, try, try, again! Symantec reported the targeting of one individual, referred to as “Mr. X” who received over 20 emails originating from Taidoor actors during 2011. Another source reports a Taidoor target as being the recipient of over 175 malicious emails over the course of 2010 and 2011.