Discover and read the best of Twitter Threads about #apt

Most recent (23)

Thread on #APT grps, #hacktivists, #Ransomware gangs with their ‘likely’ associations (as per TTPs and reports) that are playing a significant role in impending #Ukraine #Russian conflict. Correct me if I am wrong or missing any one. 1/
Firstly on Russian 🇷🇺side there are #GhostWriter (#Belarus Govt Backed) #CozyBear (Russian Foreign Intel aka #SVR) #UNC1151 (Minsk based) #FancyBears & #SandWorm (Russian Military Intel aka #GRU) #Turla and #Gamaredon (Russian Internal Intel #FSB Former KGB) 2/
Read 7 tweets
This is really interesting!
Maybe it is an #APT attack targeting #Ukraine:

Zip -> dovidka.chm -> WScript.exe ignit.vbs -> wscript.exe desktop.ini -> regasm.exe core.dll

Also it drops "Windows Prefetch.lNk" in Start-Up directory to make "desktop.ini" persistence.
(1/3)
The dropped payload is a small .Net payload that is obfuscated using ConfuserEx. It has been compiled on Jan 31 2022.

IOCs:
dovidka.chm (According to VT it is exploiting CVE-2019-0541)

(2/3)
(3/3)
Read 3 tweets
It's been one of the more eventful weeks in cybersecurity history. In my little corner of the world, it went a little something like this... 1/n
The first #log4j / #log4shell blog from #SURGe @splunk splunk.com/en_us/blog/sec… was published a week ago with @meansec leading from the front and jump-started by @DrShannon2000 and @jsy9981 2/n
Meanwhile, hundreds of Splunkers worked through last weekend to publish our official advisory. If you take one thing from this thread, it should be this! It's updated frequently and includes details about CVE-2021-45046 and more. splunk.com/en_us/blog/bul… 3/n
Read 28 tweets
Some updates on this suspected #Lazarus #APT: (thread, 1/4)
1) The remote template is VBA stomped or at least it was able to hide itself from olevba and oledump
2) The remote template drops an obfuscated vbs file and registers it as a scheduled service
3) All the strings in "OneDriveUpdateNew.vbs" are obfuscated and are decoded using "string_decoder" function with a hardcoded key table.

You can see the decoder and list of the decoded strings used by this vbs file here:
github.com/HHJazi/APT
2/4
4) The vbs file collects the victim info and builds an HTTP request:
"Username-ComputerName_UUID;OSName"
5) Then it encodes the request using a hard-coded key and sends the generated request to C2
6) Receives a payload from the C2 and writes it into "%APPDATA%/OD_update.exe"
3/4
Read 4 tweets
‘Tricks With a Notorious Russian Spy Group’

‘Security researchers have found links between the attackers and #Turla, a sophisticated team suspected of operating out of Moscow’s #FSB intelligence agency.’

#VenomousBear
#Snake
#malware
#UNC2452
#DarkHalo
wired.com/story/solarwin…
“…believe the SolarWinds #hackers and #Turla aren't one and the same. But … one #hacker group at the very least ‘inspired’ the other, and they may have common members between them or a shared #software developer building their #malware.”

wired.com/story/solarwin…
“… That actually makes the connection more significant … ‘It’s more like handwriting. That handwriting or style propagates to different projects written by the same person.’”

#Turla
wired.com/story/solarwin…
Read 16 tweets
📢 On air! 📢
Tony Hedoux talks about
#ebiosRM and #riskmanagement

Join us on YouTube:
Join us on LinkedIn: linkedin.com/video/live/urn…
@TonyHedoux graduated from ISTIC in Rennes, and already had an interest in software engineering. He is now Product Owner Cyber at @all4tec_fr and Secretary General of the @club_ebios.
@TonyHedoux @all4tec_fr @club_ebios As always, interact with us on Slido: sli.do/cyberCNI-4
Read 27 tweets
ICYMI, @PwC_UK’s 2020 #threatintel Year in Retrospect report is out now! All the team contributed but h/t to @KystleM_Reid! 🔥 You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
Read 19 tweets
#Sidewinder #APT

It seems that #Indian APTs have been waging war on #Pakistan with the same payloads over and over again. Meanwhile, the Pakistani #Government and #Military are either helpless or over-occupied. Following is another new sample that goes ages back.
A variant of this sample has been attributed to #Sidewinder #APT by the Govt. of Pak. The #malware is deployed using the shared image in a #phishing email using a similar methodology to that of
DOCX MD5: 2a6249bc69463921ada1e960e3eea589 Mech 8 ZIRC0N-TSIRK0N.doc
#Exploit: hashcheck[.]xyz/PY8997/yrql/plqs
RTF MD5: 7c11d5125c3fb167cca82ff8b539e3c7 plqs
#C2: sportfunk[.]xyz/topaz/foti
CVE-2017-11882
Read 12 tweets
1/ Solving the root cause of #GoldenSAML attacks, recently used in #Sunburst attacks.
Don't scale security "UP", burying #SAML's private key deeper in HSM,
scale it "OUT": distribute it w/ modern crypto (#TSS #MPC)+ service architecture, as we do for #cryptocurrency @ZenGo
2/ Advanced attackers (#APT) steal long term secrets ("the stamp") that allow them to issue access tokens and thus access all services in victims' environment, bypassing all security, including multi-factor auth (#MFA,#2FA)
3/ @CISAgov recommends protecting such secrets with hardware (HSM), but this solution is not always feasible, does not scale well and is susceptible to vulnerabilities especially when facing #APT attackers (hence: "aggressively updated")
media.defense.gov/2020/Dec/17/20…
Read 8 tweets
Looking for the ultimate list of #CyberSecurity books you should read in 2021?!

Hold on a second, cause here we go!
Please fav your top entries and comment your own picks below. And please please retweet to make this list a huge one. #InfoSec
Social Engineering: The Science of Human Hacking, 2nd Edition by the @humanhacker Christopher Hadnagy #socialengineering

amazon.com/-/dp/111943338…
Threat Modeling: Designing for Security (English) Paperback by
@adamshostack
#cybersecurity #threatmodelling #stride

amazon.com/-/dp/111880999…
Read 11 tweets
Analysis: #NYSE $APT

Case 423: #Alpha_Pro_Tech Ltd.

UPDATE from Jul 28:

DISCLAIMER: The analysis is strictly for educational purposes and should not be construed as an invitation to trade.

#APT 1/3
Chart 1
Price failed to close above 24.52 on a weekly basis and failed to close above the daily (Feb. 2020) #pivot at 25.25. In the meantime we've liquidated 50% of our entire position.

In this update we demonstrate how the technicals and model prediction are .....

APT 2/3
..... interestingly aligned. The rectangular blocks imply profit taking levels and buying interest. With closes below the base of the box targeting the next block. A close below 16.00 will slowly target 13.89-12.54, and a close below 12.54 quickly targets 10.17-8.58.

$APT 3/3
Read 3 tweets
[TLP:White] The #APT Mustang Panda group targets the Vatican state with lures. This uses the TTPs already used for pushing the payloads: a vulnerable Word version (Office 2007) side-loads a DLL to execute it.
This DLL performs a request to get the .dat file (configuration file) for the PlugX implant, then performs a side-loading technique on another vulnerable piece of software (Adobe AAM) to execute it.
By tracking the group that uses this vulnerable software and the TTPs, this gives the attribution to Mustang Panda. This is the second time that the group targets Catholic organizations, as it has targeted the Union of Catholic Asian News.
Read 6 tweets
#ESETresearch unearths modus operandi of the elusive #InvisiMole group, digging up their arsenal used to stay invisible. Our investigation also shows previously unknown ties between InvisiMole and #Gamaredon groups welivesecurity.com/2020/06/18/dig… @cherepanov74 @zuzana_hromcova 1/9
#InvisiMole #APT group resurfaced in targeted attacks against high-profile organizations in Eastern Europe, targeting military sector and diplomatic missions. We previously documented their two feature-rich backdoors RC2CL and RC2FM; now we reveal the rest of their TTPs. 2/9
We discovered that the most interesting targets of #Gamaredon are upgraded to far stealthier #InvisiMole spyware, with Gamaredon’s .NET downloader delivering InvisiMole’s TCP downloader. This cooperation allows InvisiMole to devise creative ways to operate under the radar. 3/9
Read 9 tweets
Analysis: #NYSE $APT

Case 259 #Alpha_Pro_Tech Ltd.

DISCLAIMER: The analysis is strictly for educational purposes and should not be construed as an invitation to trade.

#APT 1/4
Chart 1
Weekly Chart: Price exploded higher in Feb. 2020 in illiquid conditions and then retraced back quickly towards the #Fib. 0.786 at 9.25. It is important to hold above the long term #trendline resistance turned #support at 14.58 - this will usher a .....

APT 2/4
..... move towards short term #resistance 19.20-21.00. A close above the latter is required to target 29.17 and then 37.00 further out. Good support is seen from the main #SMA spacing and then the #pivot zone 8.55-6.00.

APT 3/4
Read 4 tweets
🆕 Job Update: I'm joining @Microsoft!

On the #MSTIC R&D team:
☁️🏹hunting & investigations in the cloud (#AzureSentinel, @Office365)
🎯✍️🏽writing detections for several platforms
👥🎁community-based research & sharing
🛡️🤲🏽protecting those who need it the most #DefendingDemocracy
Honored to work for @JohnLaTwC & @LeahLease
I'm pumped to grow with & learn from so many amazing security engineers and analysts in #MSTIC: twitter.com/i/lists/112798… #FF

My new East Coast crew includes the #APT hunters in Reston, @Cyb3rWard0g, and some random @cglyer guy 😅

Also:
I'm going to lean on (& try¹ to contribute to) teams across the MS security family:
@MicrosoftMTP crew w/ @jepayneMSFT @endisphotic @GossiTheDog et al🤩
@msftsecresponse w/ the awesome @n0x08
@Lee_Holmes for everything Azure

¹if I say it here, it has to happen right?😉
Read 4 tweets
Threat Hunting In #CyberSecurity : Waiting for an alert can be too dangerous.
Threat hunting means to proactively search for malware or attackers that are hiding in your network — and may have been there for some time.
Most of the time, the goal of this malware or these attackers is to quietly siphon off data, patiently listen in for confidential information, or work their way through the network looking for credentials powerful enough to steal key information.
Read 19 tweets