Red Sky analysts released Fusion Report 16 this week. FR12-016 detailed a newly observed web-based Remote Access Tool (RAT) which was used in the same campaign as Trojan.Eclipse (named Eclipse by Red Sky analysts) from FR12-015. FR12-016 offered a custom C2 decoding script, Snort signatures, and a number of new indicators that may be used to detect and proactively mitigate the intrusion attempt.
When preparing this week's blog entry, I miscounted, thinking this was six months in operation. In fact it's five, with our corporate one-year anniversary coming up at the end of August. Regardless, five or six, the numbers are still pretty exciting.
· Our Advisory Board is currently looking at one more company for membership. The company is one of the five largest law firms in the country, boasting 1750 attorneys and 27 global offices. We currently have four companies being vetted by our Advisory Board, and if all are offered membership, we'll have 16 top companies in nine of the US's critical infrastructures. Our ranks have grown 36.5% in the last two months!
· We're actively tracking at least eight groups. Two groups were well known in one sector, but not widely known in others. The cross-sector participation in Red Sky has produced (as I read it) two cases where a group moves from one industry sector to another.
· In five months we've profiled a bad ISP, analyzed two 0-days and at least three newly discovered pieces of code, named two new TTPs, and published over 2000 indicators in Kill Chain format. Over 500 threads are being tracked, with over 9000 comments and page views generated.
Five months in, results like this are the tip of the iceberg. The conversational format of the social environment can be rough getting used to, but the richness of the information is FAR better than the format we used in the report-driven portals I've participated in in the past. (Report-driven portals are easy to parse, but the data is generally light.) Cross-sector and international participation has been huge! The ability to contact members in Japan directly, or to analyze malware captured on members' global networks, is a luxury I've not been accustomed to. I like it.
Bottom line is this. I'm happy it's working. Not without growing pains, but nothing good ever comes without a few bumps and bruises. Five months. It's working.
See you at Black Hat!

Jeff