It was a great week for the good guys in the fight against cyber threats! On Monday, the Department of Justice announced the takedown of the Gameover Zeus botnet, the botnet used to distribute Cryptolocker, a particularly nasty ransomware that has bilked organizations and individuals out of millions of dollars. That said, like anything else in cyber, the wins are short-lived. Two days later, The Guardian reported a new strain of Android ransomware, "Simplocker", that could prove even more devastating than Cryptolocker. This ransomware has an interesting twist: so far it is confined to Ukraine, a region we are watching closely at Wapack Labs because it is heavily targeted by cyber hacktivists and criminals.
As of right now, it is unknown who is behind Simplocker, and I would hesitate to draw any conclusions. The implications Simplocker could have for Ukraine are hard to determine, but one can speculate. It wouldn't be a far leap for many to suggest that the Russian government may be behind Simplocker simply to inject itself into Ukraine's mobile phone network.
True, this would give Russia some control over social media outlets, but it is highly unlikely. Apple's iOS accounts for a significant share (55%) of Ukrainian mobile data traffic, as opposed to Android's 35%, so an Android-only tool reaches the smaller part of the population. It is unlikely Russia would risk the malware blowing back onto its own users and data services for such a small gain.
The answer to who is behind Simplocker may be found in the encryption it uses. Initial reports suggest the encryption Simplocker applies to victim data is much weaker than what Cryptolocker used. This may suggest the hacker(s) behind Simplocker are not as skilled as one would expect from nation-state-sponsored activity. However, as we've seen before, these first-generation offerings tend to be proofs of concept for better (or worse) things to come, and this activity is in line with the increase in ransomware targeting the Android platform over the past few months. Android attacks are not the only upward trend in cyber threat activity we're seeing in the lab.
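Whether a ransomware family is "weak" in the sense that matters to victims usually comes down to where the key lives, not which cipher is named. The post does not say what made Simplocker's scheme weaker, so the following is an added, constructed illustration of the general principle rather than an analysis of Simplocker or Cryptolocker: one design bakes a single key into every copy of the sample, the other generates a fresh key per victim and keeps the only copy on the attacker's server. A defender with one encrypted file of known type (here a JPEG header) can slide a window across the sample and test each candidate key against the known plaintext; the scan succeeds against the first design and finds nothing in the second. The SHA-256 keystream cipher, the fake "binary" blobs and the AttackerC2 class are all stand-ins invented for this example.

```python
"""Why 'where the key lives' decides whether ransomware is recoverable.

Constructed illustration, not code from Simplocker, Cryptolocker or Wapack Labs.
The cipher is a SHA-256 keystream standing in for AES-CTR; only key handling
differs between the two designs, which is the point being demonstrated.
"""
import hashlib
import os
from typing import Dict, Optional

KEY_LEN = 32
NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher stand-in: XOR data with SHA-256(key || nonce || counter) blocks.

    Not a production cipher; it only needs to be keyed and deterministic so the
    victim, the attacker and the key-recovery scan all behave as with AES-CTR.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)          # nonce is stored in the clear, as usual
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


# Constructed victim file with a well-known header: JPEGs start with FF D8 FF E0.
VICTIM_FILE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"constructed image bytes" * 4
JPEG_MAGIC = VICTIM_FILE[:4]

# ---- Design 1: one key, compiled into every copy of the sample -------------
EMBEDDED_KEY = hashlib.sha256(b"constructed hardcoded key").digest()


def weak_encrypt(plaintext: bytes) -> bytes:
    return encrypt(EMBEDDED_KEY, plaintext)


def sample_with_embedded_key() -> bytes:
    """Stand-in for the malware binary: junk code bytes with the key constant inside."""
    return b"\x7fELF" + os.urandom(96) + EMBEDDED_KEY + os.urandom(96)


# ---- Design 2: fresh key per victim, held only by the attacker's server ----
class AttackerC2:
    """Attacker-side store (constructed); the only copy of each victim key lives here."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}

    def register(self, victim_id: str, key: bytes) -> None:
        self.keys[victim_id] = key


def per_victim_encrypt(plaintext: bytes, victim_id: str, c2: AttackerC2) -> bytes:
    key = os.urandom(KEY_LEN)
    c2.register(victim_id, key)            # exfiltrate; the local copy is then dropped
    return encrypt(key, plaintext)


def sample_per_victim() -> bytes:
    """Same stand-in binary, but no key constant: keys only exist at runtime."""
    return b"\x7fELF" + os.urandom(224)


# ---- Defender: slide a KEY_LEN window over the sample, test each candidate ---
def scan_sample_for_key(sample: bytes, ciphertext: bytes, magic: bytes) -> Optional[bytes]:
    """Known-plaintext key recovery: a candidate is right if it decrypts the file
    header to the expected magic bytes. Only the first cipher block is computed."""
    nonce = ciphertext[:NONCE_LEN]
    head = ciphertext[NONCE_LEN:NONCE_LEN + len(magic)]
    for off in range(len(sample) - KEY_LEN + 1):
        candidate = sample[off:off + KEY_LEN]
        if keystream_xor(candidate, nonce, head) == magic:
            return candidate
    return None


def demo() -> Dict[str, bool]:
    results: Dict[str, bool] = {}
    ct1 = weak_encrypt(VICTIM_FILE)
    k1 = scan_sample_for_key(sample_with_embedded_key(), ct1, JPEG_MAGIC)
    results["embedded_key_recovered"] = k1 is not None and decrypt(k1, ct1) == VICTIM_FILE

    c2 = AttackerC2()
    ct2 = per_victim_encrypt(VICTIM_FILE, "victim-1", c2)
    results["per_victim_key_in_sample"] = (
        scan_sample_for_key(sample_per_victim(), ct2, JPEG_MAGIC) is not None
    )
    results["attacker_can_decrypt"] = decrypt(c2.keys["victim-1"], ct2) == VICTIM_FILE
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The scan is exactly what an analyst does by hand with a decompiler and one known file; in the second design there is nothing in the sample to find, and the only recovery paths are the attacker's server or a seizure like the one announced this week. A four-byte magic check against a few hundred candidates has a false-positive chance on the order of 2^-32 per candidate, so no second confirmation step is needed here.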
Last week, our lead analyst took a closer look at the recently reported Saffron Rose activity. Our examination proved fertile, and we were able to provide the Red Sky membership with additional details on attribution not cited in open-source reporting. This new context resulted in tailored signatures for the Stealer malware family and its protocols.
Saffron Rose is a group of hackers we follow closely at Wapack Labs. Normally involved in website defacements in support of anti-Israel and anti-American causes, Saffron Rose is thought to be behind recent watering-hole activity targeting the aerospace sector.
We know aerospace is a highly targeted sector right now, and why not? Advances in drone and stealth aircraft make for highly coveted, sought-after technologies for opportunistic and state-sponsored actors worldwide. Given the group's ties to the Middle East, any successful attack by Saffron Rose may have far-reaching consequences for the security of the region.
Watering-hole techniques of the kind used by groups such as Saffron Rose appear to be on the rise. Wapack Labs' analysts are seeing upswings in this activity by both Chinese and Russian threat actors. As one Wapack analyst said, "It would appear that summer hunting season is open early this year!" If he's correct, I predict a long summer for security teams. But turnabout is fair play, because we're hunting too!
Watering-hole activity isn't the only thing on the rise. Wapack continuously monitors several honeypots, and the evidence points to a much more active threat environment: targeted activity across the board appears to be increasing significantly.
As Jeff has mentioned in his previous blogs, we currently have several honeypot projects, the most unique of which lets us watch targeted activity as it develops. From the attack orders given to the hackers to the malware received by the victims themselves, this perspective allows Wapack Labs to see trends in targeted cyber threat activity that one doesn't normally see.
It's hard to say why targeted activity has increased of late. I did some research and really didn't find any correlation between summer and a peak in hacker activity, but the perception remains. Regardless, there have been a lot of theories over the years as to why this is a busy time for activity, from actors knowing data centers will be minimally staffed during the summer vacation season to university students on summer break with lots of time on their hands and little to do. Whatever the reason, it is clear that the targeted threat problem appears to be growing.
BT BT
As the Director of the lab, I get the opportunity to work with really talented people who look at cyber problems in a very different way. What makes us unique is our cultural, business, and technical diversity and how effectively we apply it to a problem. When asked, "What makes you different from other threat intelligence shops?" I confidently tell them that my phone is on my nightstand. When you call the number on my business card, you get me, not a help desk. We sell relationships, not just indicators and reports.
Wapack Labs is truly a custom threat intelligence team. We’ve worked on some of the hardest problems plaguing some of the largest organizations in the world and we’re proud of that fact. Everyone has problems in cyber and I want our team to have the opportunity to solve them for you. Even if you’re mildly curious, reach out to me personally and start the conversation: rgamache@wapacklabs.com
My sales deck is 4 slides and takes 15 minutes to present what we do every day: assisting organizations of all sizes in fighting cyber threats. Every conversation starts with a simple question, "How can Wapack Labs help you?" Even if you see no immediate need for our services, the takeaway for us is that hopefully we've made a positive impression and provided a little education as to what cyber threat intelligence is and isn't.
Have a great remainder of your weekend!
Rick