Saturday, June 07, 2014

Red Sky Weekly: Cryptolocker down! Simplocker up! - Early open to summer hunting season.

It was a great week for the good guys in the fight against cyber threats!  On Monday, the Department of Justice announced the takedown of the Gameover Zeus Botnet, the sole distributor of Cryptolocker, a particularly nasty ransomware that has bilked organizations and individuals of millions of dollars.  That said, like anything else in cyber, the wins are short lived.  Two days later, The Guardian reported a new strain of ransomware targeting Android phones named “Simplocker” that could prove even more devastating than Cryptolocker, but this ransomware has an interesting twist – it’s confined to the Ukraine, a region we are closely watching at Wapack Labs as being heavily targeted by cyber hacktivists and criminals.

As of right now, it is unknown who is behind Simplocker and I would hesitate to draw any conclusions.  The implications of what Simplocker could mean to the Ukraine are hard to determine but one can speculate.  It wouldn't be a far leap for many to suggest that the Russian government may be behind Simplocker simply to inject itself into Ukraine’s mobile phone network.  True, this would give Russia some control over social media outlets, but this is highly unlikely.  Apple’s iOS represents a significant share (55%) of the Ukrainian data traffic as opposed to Android’s 35%.  It is unlikely Russia would risk infecting its own data services in a reverse attack for such a small gain.

The answer of who is behind Simplocker may be found in the encryption algorithm it uses. Initial reports suggest Simplocker’s encryption used to encode victim data is much weaker than what is (was) leveraged by Cryptolocker.  This may suggest the hacker(s) behind Simplocker are not as skilled as one would expect from nation state sponsored activity; however, like we’ve seen before, these first generation offerings by hackers tend to be proof-of-concepts of better (or worse) things to come and this activity is on par with an increase of ransomware targeting the Android platform over the past few months.  Android attacks are not the only upward trend in cyber threat activity we’re seeing in the lab.

Last week, our lead analyst took a closer look at the recently reported Saffron Rose activity.  Our examination proved fertile and we were able to provide the Red Sky membership additional details on attribution not cited in open source reporting.  This new context resulted in tailored signatures for the Stealer malware family and protocols.

Saffron Rose is a group of hackers we follow closely at Wapack labs.  Normally involved in website defacements in support of anti-Israel and anti-American causes, Saffron Rose is thought to be behind recent watering hole activities targeting the Aerospace sector.  We know Aerospace is a highly targeted sector right now, and why not?  Advancements in drone and stealth aircraft make for highly coveted and sought after technologies by opportunistic and state sponsored actors worldwide.  With ties to the Middle East, any successful attack by Saffron Rose may have far-reaching consequences to the security of the region.

Watering hole techniques used by groups such as Saffron Rose appear to be on the rise.  Wapack Labs’ analysts are seeing upswings in this activity by both Chinese and Russian threat actors.  As one Wapack analyst said, “It would appear that summer hunting season is open early this year!”  If he’s correct, I predict a long summer for security teams. But turnabout is fair play, because we're hunting too!

Watering hole activity isn’t the only thing on the rise.  Wapack has several honeypots that we are continuously monitoring and evidence is pointing to a much more active threat environment and targeted activity across the board appears to be increasing significantly.   As Jeff has mentioned in his previous blogs, we currently have several honeypot projects, the most unique of which is a project that allows us to look at targeted activity as it develops.  From attack orders to the hackers, to the malware received by the victims themselves, this unique perspective allows Wapack Labs to see trends in targeted cyber threat activity one doesn’t normally see.  

It’s hard to say why targeted activity is on the increase as of late. I did some research and really didn’t find any correlation to summer as being an uptime for hacker activity but the perception remains.  Regardless, there have been a lot of theories over the years why this is a busy time for activity. From actors knowing datacenters will be minimally manned during the summer vacation season to students at Universities on summer break with lots of time on their hands and little to do. Despite my research, and whatever the reason, it is clear that the targeted threat problem appears to be growing.

BT BT

As the Director of the lab, I get the opportunity to work with really talented people who look at the cyber problems in a very different way.  What make us unique is our cultural, business, and technical diversity and how we effectively apply that to a problem.   When asked, “What makes you different from other threat intelligence shops?” I confidently tell them that my phone is on my nightstand.  When you call the number on my business card, you get me, not a help desk.  We sell relationships, not just indicators and reports.

Wapack Labs is truly a custom threat intelligence team.  We’ve worked on some of the hardest problems plaguing some of the largest organizations in the world and we’re proud of that fact.   Everyone has problems in cyber and I want our team to have the opportunity to solve them for you.   Even if you’re mildly curious, reach out to me personally and start the conversation: rgamache@wapacklabs.com

My sales deck is 4 slides and takes 15 minutes to present what we do everyday, assisting organizations of all sizes fighting cyber threats.  Every conversation starts with a simple question, "How can Wapack Labs help you?"  Even if you see no immediate need for our services, the take away for us is hopefully we've made an positive impression and provided a little education as to what cyber threat intelligence is and isn't.

Have a great remainder to your weekend!


Rick