Profile picture
Christopher Glyer @cglyer
, 7 tweets, 4 min read Read on Twitter
.@TekDefense introducing our next talk about unmasking APT38 - a North Korean threat actor focused on financial attacks

Blog released today with more details
fireeye.com/blog/threat-re

#FireEyeSummit
APT38 targeted banks (SWIFT messaging initiated wire transfers you've read about in the news) and crypto currency exchanges (among other orgs)

#FireEyeSummit
Yes - you read that right. APT38 has used multiple different (and escalating tactics over time) to destroy evidence including deploying ransomware and running disk wiping malware

#FireEyeSummit
"After initiating the SWIFT transfers APT38 would 'burn down the house'"

Have "fun" trying to investigate and successfully get your funds back from other banks when 10,000+ systems have been destroyed by disk wiping malware

#FireEyeSummit
APT38 Opsec techniques

"The SWIFT malware was never written to disk and was only on the system for 3 hours" -- Chris DiGiamo

#FireEyeSummit
APT38 has four different malware families to destroy/wipe systems. They've continued to innovate/improve their wiping techniques over time - showing how important this is to APT38 to do it well

"Hacked by GOP"...talk about a blast from the past

#FireEyeSummit
A week after destroying vast majority of victim Windows & Linux environment APT38 tried to re-enter a week later. They left a few "undestroyed" systems w/ backdoors & internet facing web servers w/ web shells. Attempted to access web shells from Tor exit nodes

#FireEyeSummit
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Christopher Glyer
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#FireEyeSummit

More from @cglyer see all

Profile picture
Long rumored @TheJusticeDept indictment of #APT10 is out. sc.cnbcfm.com/applications/c…
Here are my observations/highlights from reading the indictment (channeling my inner @pwnallthethings):
-the indictment indicates #APT10 operations started in 2006 and went through 2018. The 2006 activity was likely focused on US Government, Military, and defense contractors

1/n
Interestingly the indictment calls out multiple government organizations by name that were victims including:
@NASAGoddard, @NASAJPL, @LLNL, and the @USNavy

2/n
Read 24 tweets
Profile picture
"You've Got Mail"

@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends

#FireEyeSummit
APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim

Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.

#FireEyeSummit
C-level credential phished while on vacation - APT34 used account access to phish entire company. Even though infosec team blocked URL on web proxy - employees switched to guest wi-fi to access the URL.

#FireEyeSummit
Read 10 tweets
Profile picture
First up Matias and Adrian discussing investigating the threat actor that MSFT calls Platinum

...and right out of the gate the threat actor steals your EDR agent installer 😮 #SignsThisProbablyIsntAScriptKiddie

#FireEyeSummit
It's not often that you see ACI Shims used for persistence

#FireEyeSummit
How do you hunt for ACI Shim persistence? Multiple different techniques - but the Windows Program-Telemetry logs are a great place to look

#FireEyeSummit
Read 5 tweets

Related threads

Profile picture
What they thought *might* be a boring IR based on initial leads, quickly became interesting when the attacker snapped up the endpoint tooling they just deployed.

Peep that renamed rar.exe snapping up our files for nation state attackers (PLATINUM) to analyze 😅

#FireEyeSummit
It takes hard #DFIR work to get this point but there is nothing quite like uncovering novel/rare persistence and playing around with new attacker tools to understand them. A bit jealous of Adrien and Matias finding Platinum's #REDSALT.
Platinum undetected for 9 years at victim.
These guys found multiple APT groups on network.

The talk then gets into additional advanced backdoors with crazier capabilities that were first.

There's so much here. I'm hearing we *might* upload #FireEyeSummit videos to YouTube 🤞
Read 4 tweets
Profile picture
1/ I consider myself to be relatively knowledgeable when it comes to personal finance...I’ve invested a lot of time educating myself over the years. The ~10 focuses & my beliefs will always change which is why it’s such an interesting topic. It also may be the most important.
2/ I’m going to share short and concise opinions each day and see how long I can go on for. Note that personal finance is highly.. personal. Not everything is advisable and applicable to everyone.
3/ Keep your personal burn low. Budgeting is important (and it’s actually easy). @PersonalCapital is the new @mint. Open an account and use their free service. Tracking income and spend is the first step to developing a budget and lowering expenses.
Read 102 tweets
Profile picture
(1) #PhotoThread: Team Trump current events from March 9, 2018 onward. #MAGA🦅🇺🇸🦁

You can find links to all my photo threads at: godlessnz.wordpress.com/2017/10/27/lin…
(2) Signing the aluminium & steel tariffs Thursday then handing souvenir pens to the workers. Sec Mnuchin (Treasury), Sec Ross (Commerce) & US Trade Representative Lighthizer entering the room, smiling. Four hours later, SoKo announced the US-NoKo talks.
(3) Earlier this week the President spoke to the Latino Coalition Legislative Summit. He is pictured below with Latino Coalition Chairman Hector Barreto.
Read 43 tweets
Profile picture
New #TrumpRussia plane tracking thread @Khanoisseur @conspirator0 @SaysDana @dark_wisdom_ @3L3V3NTH @knowledgevendor @SureReality @mcleary @MontanaSkullzx5 @genetic_warrior @brazencapital @ropebelt @MsEnergyHealer @wikiwachee @kate_hawkins776 @Peaceful_411 @ThomasS4217
New #TrumpRussia plane tracking thread @lovetogive2 @RighteousBabe4 @LincolnsBible @MsMariaT @ItIsIMack @dcpoll @KiernanKathleen @Tahoesquaw1 @PalmerReport @MarlaMHughes
The old plane tracking thread is totally broken. Older flights are still there but come up as a single tweet so if you want to find older flights go to Twitter search and type the person's name or tail number (if known).
Read 439 tweets
Profile picture
Oh the geezers are hard at it grafting media, it's always great to have easy scapegoats "North Korean cyber gangs.." a.msn.com/01/en-ie/AAt9g…
2/"Mr Murphy’s firm was the first in the world to liaise with computer giant IBM over the use of the super-computer ‘Watson’ for real-time--
3/artificial intelligence-based defence against cyber criminals." Bear with me, I'm about to post a few more links in #THREAD #CyberSecurity
Read 71 tweets

Trending hashtags

#TreehouseofHorrorXXV #WednesdayWisdom #Fox #Watson #BartSimpson #DrGonzo #platforms #military #SNPP #EndTrafficking #Kogan #Smarch #Tipperary #Bin #Stephen #AnnualGiftMan #article #GilbertandSullivan #normalization #TimmyOToole #NorthKorea #Dublin #historicbuilding #FamiliesBelongTogether #HomervLisaandThe8thCommandment

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!