Are you ready to pivot?!
Come to Malaga on May 8-10, 2024!
#PIVOTcon24 is crafted to bring together professionals from diverse backgrounds: private sector, government, law enforcement, military, academics, and investigative journalists.
#ThreatIntel #CTI
14.12.2023 14:10
Sneak preview of my #cyberwarcon slides
03.11.2023 00:10
"You compile me. You had me at RomCom" - When cybercrime met espionage
Get ready for a #CYBERWARCON talk full of romantic comedy memes!
www.cyberwarcon.com/you-compile-...
06.10.2023 17:33
That's the only one I've seen so far
06.07.2023 21:41
Notable Storm-0875 tradecraft (cont'd)
4. Multiple methods of persistence (RMM deployment, remote access internet facing RDP, identity provider federation, golden SAML, VMs spun up in victim cloud infrastructure)
5. Generally shy away from deployment of backdoors
6. Social engineering
06.07.2023 12:58
Notable Storm-0875 tradecraft
1. Initial Access: SMS phishing + AiTM or purchase infostealer logs (bypasses most defenses)
2. Privilege escalation via SIM swapping or call number forwarding global admin's personal phone
3. Time from initial access to global admin often occurs within hours
06.07.2023 12:56
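The two Storm-0875 tradecraft posts above describe a sequence a defender can look for in identity audit logs: an MFA phone/method change on an account (the SIM-swap or call-forwarding step), the same account gaining Global Administrator within hours, and then persistence such as federation-trust changes (golden SAML) or new VMs in the victim's cloud. The script below is an added example, not code from the poster or from any vendor; the JSON-lines event schema, event names and sample records are constructed for illustration and do not correspond to a real product's audit format.

```python
"""Correlate constructed identity-audit events for the sequence described
in the posts: MFA method change -> fast privileged-role grant -> persistence
events (federation change, VM creation, RMM install).  Schema and sample
data are constructed for this example (not a real vendor log format)."""
import json
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form; timestamps are UTC.
SAMPLE_LOG = """
{"ts": "2023-07-06T08:05:00Z", "event": "signin", "target": "alice", "detail": "mfa=sms"}
{"ts": "2023-07-06T08:40:00Z", "event": "mfa_method_changed", "target": "alice", "detail": "phone replaced"}
{"ts": "2023-07-06T10:15:00Z", "event": "role_assigned", "target": "alice", "detail": "Global Administrator"}
{"ts": "2023-07-06T10:30:00Z", "event": "federation_changed", "target": "contoso.example", "detail": "signing certificate added"}
{"ts": "2023-07-06T11:00:00Z", "event": "vm_created", "target": "vm-xyz", "detail": "subscription prod"}
{"ts": "2023-07-05T09:00:00Z", "event": "mfa_method_changed", "target": "bob", "detail": "authenticator app added"}
{"ts": "2023-07-08T09:00:00Z", "event": "role_assigned", "target": "bob", "detail": "Global Administrator"}
"""

# Roles whose assignment is treated as privilege escalation (hypothetical list).
PRIVILEGED_ROLES = {"Global Administrator"}

# Event names (constructed) that map to the persistence methods in the post.
PERSISTENCE_EVENTS = {"federation_changed", "vm_created", "rmm_installed"}


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_fast_privesc(events, window_hours=6):
    """Return (account, hours) for each privileged-role grant that happened
    within window_hours after that same account's most recent MFA change.
    The window reflects the post's 'hours, not days' escalation timing."""
    hits = []
    last_mfa_change = {}  # account -> time of most recent MFA method change
    for e in events:
        if e["event"] == "mfa_method_changed":
            last_mfa_change[e["target"]] = e["ts"]
        elif e["event"] == "role_assigned" and e["detail"] in PRIVILEGED_ROLES:
            changed = last_mfa_change.get(e["target"])
            if changed is not None and e["ts"] - changed <= timedelta(hours=window_hours):
                hours = (e["ts"] - changed).total_seconds() / 3600
                hits.append((e["target"], round(hours, 2)))
    return hits


def find_persistence_events(events, after=None):
    """List persistence-style events as (event, target), optionally only
    those at or after a given datetime (e.g. the moment of escalation)."""
    return [
        (e["event"], e["target"])
        for e in events
        if e["event"] in PERSISTENCE_EVENTS and (after is None or e["ts"] >= after)
    ]


def triage(text, window_hours=6):
    """Run both checks over a raw log and return a summary dict."""
    events = parse_events(text)
    return {
        "fast_privesc": find_fast_privesc(events, window_hours),
        "persistence": find_persistence_events(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2, default=str))
```

Only alice's escalation is flagged with the default six-hour window (her role grant follows the MFA change by about 1.6 hours); bob's three-day gap is excluded unless the window is widened, which is the knob to tune against your own help-desk change patterns. In a real deployment the parser would be replaced by the identity provider's audit export, but the correlation logic stays the same.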
IMO: Storm-0875 (overlaps UNC3944/Scattered Spider) is the most dangerous financial threat actor right now
Some recent developments:
1. Now deploying ransomware (had been extorting orgs before)
2. In last few months targeting large/well known enterprises (not just telcos/help desk/crypto orgs)
06.07.2023 12:45
Wouldn't a middle ground be to require orgs to notify authorities if they pay an extortion and report the crypto wallet/address and any other pertinent identifiers (copy of ransom note, email addresses used, etc.)?
17.06.2023 21:16
"Ransom deployment of a cl0p payload"
Thanks autocorrect
17.06.2023 21:14
Clop/Lace Tempest operates in two modes
1) traditional enterprise compromise/priv esc (using backdoors like truebot), data exfil, and random deployment of a clip ransom payload
2) broad exploitation of file transfer software that leads to data extortion only
They stop doing #1 when focused on #2
17.06.2023 21:14
If I was a FVEY CI officer, my first thought on a RU-based company publishing on FSB ops wouldn't be "look at the analytic freedom!"; it would be "why is the FSB comfortable with the world knowing about this now? Did they figure out we were onto it in some way?"
16.06.2023 21:22
I've been in touch w/ different victims of MOVEit exploitation by Lace Tempest. One thing orgs should be prepared for is an initial $ demand that is (in some cases) an order of magnitude or more than a typical org would pay (relative to size of payment in other ransom/extortion cases)
15.06.2023 01:14
Attribution update from MSTIC on MOVEit Transfer 0-day exploitation by Lace Tempest. Victims w/ data theft are likely to be extorted via the cl0p leak site in coming weeks
We've shared intel on dozens of exfil IP addresses used in attacks w/ customers & industry partners
15.06.2023 01:13