Discover and read the best of Twitter Threads about #APT41

Most recents (7)

This morning, NBC released a scorching article on #APT41’s campaign to steal Covid relief funds from U.S. State Governments, based on a @SecretService investigation. 🧵
nbcnews.com/tech/security/…
.@rufusmbrown and I spoke on this very topic @labscon_io (video coming we’re told), as a continuation of research we published in March of 2022 on a persistent #APT41 campaign to gain access into U.S. State Government networks.
mandiant.com/resources/blog…
Our initial research uncovered new 0-days, malware variants, updates to their tried-and-true toolset, and more, all to gain access to state government networks. So much net new, but one question we persistently (heh) lost sleep over was WHY? What were they after?
Read 16 tweets
[1/n] Today I'm sharing the details of a research done by @vaber_b, @legezo, Ilya Borisov and myself on a UEFI firmware implant found in the wild, dubbed #MoonBounce. We assess that this formerly unknown threat is the work of the infamous #APT41. A 🧵
securelist.com/moonbounce-the…
[2/n] During investigation of anomalous UEFI level behaviour in our telemetry, we found a tampered CORE_DXE module, originally used, among other tasks, to bootstrap system startup through initialization of externally callable routines (Boot Services, Runtime Services etc.)
[3/n] The attackers appended malicious pieces of shellcode and a kernel-mode driver into a newly created section within the CORE_DXE image and caused the invokation of the former through inline hooks set in several Boot Services routines.
Read 10 tweets
#ESETresearch has recently discovered a new undocumented modular backdoor, SideWalk, that was used by an APT group we named SparklingGoblin during one of its recent campaigns targeting a US-based computer retail company 🇺🇸. welivesecurity.com/2021/08/24/sid… @passil_t @mathieutartare 1/6
SideWalk is a modular backdoor that can dynamically load additional modules sent from the C&C server, makes use of Google Docs as a dead drop resolver, and @Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy. 2/6
This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK, which FireEye was first to attribute to #APT41. This backdoor is referenced as ScrambleCross by Trend Micro 3/6
Read 6 tweets
A quick thread on observer bias…
In 2011, I was fortunate to be a part of @Mandiant, when the threat intelligence team was just beginning to coalesce. Back then, threat activity came in 3 flavors: APT, FIN, and everything else, and it was a problem...
I created the UNC concept specifically to thwart a form of Observer Bias I had witnessed both inside and outside the IC. If newly observed activity wasn’t quickly attributed to a known threat group it wasn’t deemed important
This, in turn, caused analysts to “try” to fit observed activity into existing groups or have their (often painstaking) reporting lost in the noise, or worse, have their budgets trimmed. This bias caused several attribution cross-pollinations that took years to untangle
Read 7 tweets
Hey #ATTACKcon here's a recap of
#GuardrailsOfTheGalaxy: The Prologue
including the *first* three awards – #Guardies 🏆
+ the slides
I'm your thread host, @ItsReallyNick from the #AdvancedPractices 🦅 Adversary Methods team where we "reverse engineer" attacker techniques... ImageImage
Why a lightning talk on Execution Guardrails (#T1480)?
• We worked with @stromcoffee & @MITREattack team who added the new technique in April 2019:
• Smart people suggest that guardrails are correlated with adversary sophistication
• 💂🛤️ are fun! ... ImageImageImage
Guardrail Definition & Detection Concepts
$coverage = /de(fini|tec)tion/

The unique combination of behaviors that define guardrailing – and their order – can be used to detect it.

Pitfalls: stage 1 recon, confusing with broader AV/tech evasions, and "legitimate" guardrailing... ImageImageImage
Read 7 tweets
I’m going to be live tweeting the #FireEyeSummit technical track chaired by @stvemillertime
First up is @HoldSecurity discussing how to harvest information from botnets

#FireEyeSummit
@HoldSecurity Harvests information periodically from various botnet information panels (that give them view into the size and systems in the botnet).

Fun fact - Gozi botnet has so many systems connected all queries on the information panel time out

#FireEyeSummit
Read 91 tweets
We're doing a special #StateOfTheHack episode this week with two of the technical experts who worked for months to graduate the activity clusters into #APT41. I'm sure @cglyer will pepper in #DFIR war stories.

If you've read the report (below),
what QUESTIONS do you still have?
I plan to go deeper on #APT41's:
1️⃣ Supply chain compromises (and nuanced attrib)
2️⃣ Linux & Windows MBR bootkits and how they were found 😉
3️⃣ Third party access 🌶️
4️⃣ Legitimate web services use (and their obsession with Steam)
+concurrent ops, overlaps!
content.fireeye.com/apt-41/rpt-apt…
@FireEye 📺 #StateOfTheHack Stream
"Double Dragon: The Spy Who Fragged Me" 🎮
#APT41 with Jackie, Ray, and @cglyer
pscp.tv/FireEye/1vAGRW…
Read 9 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!