Are you ready to pivot?!
Come to Malaga on May 8-10, 2024!
#PIVOTcon24 is crafted to bring together professionals from diverse backgrounds: private sector, government, law enforcement, military, academics, and investigative journalists.
#ThreatIntel #CTI
14.12.2023 14:10
Sneak preview of my #cyberwarcon slides
03.11.2023 00:10
"You compile me. You had me at RomCom" - When cybercrime met espionage
Get ready for a #CYBERWARCON talk full of romantic comedy memes!
www.cyberwarcon.com/you-compile-...
06.10.2023 17:33
That's the only one I've seen so far
06.07.2023 21:41
Notable Storm-0875 tradecraft (cont'd)
4. Multiple methods of persistence (RMM deployment, remote access internet facing RDP, identity provider federation, golden saml, VMs spun up in victim cloud infrastructure)
5. Generally shy away from deployment of backdoors
6. Social engineering
06.07.2023 12:58
Notable Storm-0875 tradecraft
1. Initial Access: SMS phishing + AiTM or purchase infostealer logs (bypasses most defenses)
2. Privilege escalation via SIM swapping or call number forwarding of global admin's personal phone
3. Time from initial access to global admin often occurs within hours
06.07.2023 12:56
IMO: Storm-0875 (overlaps UNC3944/Scattered Spider) is the most dangerous financial threat actor right now
Some recent developments:
1. Now deploying ransomware (had been extorting orgs before)
2. In last few months targeting large/well known enterprises (not just telcos/help desk/crypto orgs)
06.07.2023 12:45
Wouldn't a middle ground be to require orgs to notify authorities if they pay an extortion and report the crypto wallet/address and any other pertinent identifiers (copy of ransom note, email addresses used, etc.)?
17.06.2023 21:16
"Ransom deployment of a cl0p payload"
Thanks autocorrect
17.06.2023 21:14
Clop/Lace Tempest operates in two modes
1) traditional enterprise compromise/priv esc (using backdoors like TrueBot), data exfil, and ransom deployment of a cl0p payload
2) broad exploitation of file transfer software that leads to data extortion only
They stop doing #1 when focused on #2
17.06.2023 21:14
If I was a FVEY CI officer, my first thought on a RU-based company publishing on FSB ops wouldn't be "look at the analytic freedom!"; it would be "why is the FSB comfortable with the world knowing about this now? Did they figure out we were onto it in some way?"
16.06.2023 21:22
I've been in touch w/ different victims of MOVEit exploitation by Lace Tempest. One thing orgs should be prepared for is an initial $ demand that is (in some cases) an order of magnitude or more than a typical org would pay (relative to size of payment in other ransom/extortion cases)
15.06.2023 01:14
Attribution update from MSTIC on MOVEit Transfer 0-day exploitation by Lace Tempest. Victims w/ data theft are likely to be extorted via the cl0p leak site in coming weeks
We've shared intel on dozens of exfil IP addresses used in attacks w/ customers & industry partners
15.06.2023 01:13
Distinguished Threat Researcher, Research Lead @SentinelOne.
Advisor with @ValidinLLC.
https://tomhegel.com/blog.html
Author of No Shortcuts & Ransom War
Co-director Virtual Routes (https://virtual-routes.org/), previously ECCRI
Managing Editor Binding Hook (https://bindinghook.com)
Senior Researcher, ETH Zurich
I cover digital threats for NBC News. Tip me! @kevincollier.01 on signal, kevin.collier@nbcuni.com. NYC, from West Virginia.
Bellingcat is an independent investigative collective of researchers, investigators and citizen journalists brought together by a passion for open source research.
Want to support our charity? bellingcat.com/donate
Security Geek. We build Thinkst Canary - https://canary.tools
VP Security at Google. Co-Chair Cybersafety Review Board, Co-Author Building Secure and Reliable Systems. r00t. Medieval historian.
Just someone that dabbles in threat research, malware analysis, RE, incident response, CTFs, and old school forensics.
Apologetic ginger.
Distinguished Strategist @Splunk. Leader of #SURGe. Enjoys clicking too fast, long walks in the woods, & advocating. Hates printers. Co-Creator of the BOTS CTF
Reveals APTs with one easy application! | Artificial amateurs, aren't at all amazing // Analytically, I assault, animate things
Writer. Contact me here: https://raphae.li
Romanian antihacker from another planet. #threatintel #yara #chess #taekwondo black belt
Motto: "One reboot a day keeps the implant away"
Senior Manager, Amazon/AWS Threat Intelligence. @CitizenLab.ca Research Fellow. Former federal agent. Fan of space, books, technology, and Mother Nature. Personal account. #ThreatIntel
Storm chasing: https://bsky.app/profile/wxdox.com
Technologist, entrepreneur, and hacker | CEO @ OODA | Founder @DevSec | Past Founder of FusionX & Terrorism Research Center. Black Hat board member.
Born to Lose. Live to Win.
CTI @wizsecurity.bsky.social
Previously NSC44, Mandiant, Google
Go Mammoths
Espionage Intelligence Alchemist. Threat Intel, teller of truths, annoyer of the feeble minded, known to ramble. CyberDad
#LABScon / #PIVOTcon
Tech Lead, Elastic Security
Director Operations, NCSC, GCHQ. 30+ years in Government Cyber Operations. Views entirely my own and do not necessarily reflect those of my organisation.
@propublica.org reporter: hacking, intelligence and foreign affairs. @johnshopkinssais.bsky.social grad. Email: christopher.bing@propublica.org / Signal: 771-217-8550. More contact info: http://bit.ly/2wagIS7