Profile picture
Christopher Glyer @cglyer
, 10 tweets, 6 min read Read on Twitter
"You've Got Mail"

@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends

#FireEyeSummit
APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim

Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.

#FireEyeSummit
C-level credential phished while on vacation - APT34 used account access to phish entire company. Even though infosec team blocked URL on web proxy - employees switched to guest wi-fi to access the URL.

#FireEyeSummit
2FA is critical to protect internet facing logins...but it's not effective if attacker can register their own phone number to receive 2FA.

Screenshot is of a Canadian phone number accessing 2FA. Organization didn't have any presence in Canada.

#FireEyeSummit
Outlook Ruler/homepage persistence FTW!

"This has been patched but we still see it leveraged b/c most orgs haven't applied patch"

Just by obtaining user email creds you can get code execution on victim machine using something like a COM scriptlet #DailyScriptlet

#FireEyeSummit
Exchange servers have lots of default web related files - so easy for attacker to blend in a web shell

#FireEyeSummit
A recent enhancement on web shells - dynamic web shells

#FireEyeSummit
Example of forwarding rules setup (commonly seen in business email compromise cases)

#FireEyeSummit
"To encourage the user to open the email - attacker calls a user directly. We've also seen it used to get a users second factor token code" @danielcabaniel

#FireEyeSummit
This talk had too many knowledge bombs for me to keep up with the live tweeting. You should check out the video when we post it later.

#FireEyeSummit
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Christopher Glyer
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#FireEyeSummit #DailyScriptlet

More from @cglyer see all

Profile picture
Long rumored @TheJusticeDept indictment of #APT10 is out. sc.cnbcfm.com/applications/c…
Here are my observations/highlights from reading the indictment (channeling my inner @pwnallthethings):
-the indictment indicates #APT10 operations started in 2006 and went through 2018. The 2006 activity was likely focused on US Government, Military, and defense contractors

1/n
Interestingly the indictment calls out multiple government organizations by name that were victims including:
@NASAGoddard, @NASAJPL, @LLNL, and the @USNavy

2/n
Read 24 tweets
Profile picture
.@TekDefense introducing our next talk about unmasking APT38 - a North Korean threat actor focused on financial attacks

Blog released today with more details
fireeye.com/blog/threat-re

#FireEyeSummit
APT38 targeted banks (SWIFT messaging initiated wire transfers you've read about in the news) and crypto currency exchanges (among other orgs)

#FireEyeSummit
Yes - you read that right. APT38 has used multiple different (and escalating tactics over time) to destroy evidence including deploying ransomware and running disk wiping malware

#FireEyeSummit
Read 7 tweets
Profile picture
First up Matias and Adrian discussing investigating the threat actor that MSFT calls Platinum

...and right out of the gate the threat actor steals your EDR agent installer 😮 #SignsThisProbablyIsntAScriptKiddie

#FireEyeSummit
It's not often that you see ACI Shims used for persistence

#FireEyeSummit
How do you hunt for ACI Shim persistence? Multiple different techniques - but the Windows Program-Telemetry logs are a great place to look

#FireEyeSummit
Read 5 tweets

Related threads

Profile picture
Unpopular opinion of the day: #phishing awareness campaigns and teaching your users to stay frosty is a close to useless endeavour. A waste of resources. Read on to see my point (1/n) /cc @troyhunt @randomdross @sirdarckcat
I know anti-phishing is a business that feeds a lot of people but the way this war is fought today just seems off to me.
First, I differentiate targeted phishing campaigns (usually APTs) from massive or moderately massive phishing. I don't think I need to point out why you can't fight the former with awareness.
Read 27 tweets
Profile picture
I wrote a piece about #phishing adverts on @Twitter a couple of weeks ago. @TwitterSupport had put it about that they had it under control. Here’s the article...

link.medium.com/UXh4iZtCMR

#security #digitaladvertising
Incredibly, it’s still going on. This is a #safety and #privacy issue that is not being addressed by @TwitterSupport.

This time @capgemini_aust are the main target and it is EXACTLY the same promoted advert that I highlighted in my article. link.medium.com/UXh4iZtCMR
The accounts used to legitimise the #scam this time are

@BenAllenCA @azariarachel @ARTNIGHTLDN @AKIpress_com and @67Kelechi.

Once again, all of them are @verified accounts. And this is still live over half an hour after it was posted.

#security #privacy
Read 5 tweets
Profile picture
It’s Time Twitter Cleaned Up The #Phishing Ads

I’ve just written this. I’m passionate about Twitter - always have been. I love how it is tackling fake accounts and hoping to reduce the amount of extremism online. But these adverts should be a priority.

link.medium.com/gCqRV3BVAR
Today’s scam has roped in @patheuk, @swansladies, @sarahscoop, @angola2411, @bookmyshow_sup - last time it was @monsterjobs, @GeoffroyDidier, @wsu_womensgolf, @CarteNoireUK and @rpsgmavericks - all without their knowledge and all trying to scam people out of their #bitcoin.
Each of the accounts used in the scams are @verified and, last time this happened, I copied in @TwitterSupport so they knew it was happening. It looks like it takes about 30 mins-1 hour to take down these scams but that is long and the damage to innocent accounts lasts longer.
Read 5 tweets
Profile picture
What they thought *might* be a boring IR based on initial leads, quickly became interesting when the attacker snapped up the endpoint tooling they just deployed.

Peep that renamed rar.exe snapping up our files for nation state attackers (PLATINUM) to analyze 😅

#FireEyeSummit
It takes hard #DFIR work to get this point but there is nothing quite like uncovering novel/rare persistence and playing around with new attacker tools to understand them. A bit jealous of Adrien and Matias finding Platinum's #REDSALT.
Platinum undetected for 9 years at victim.
These guys found multiple APT groups on network.

The talk then gets into additional advanced backdoors with crazier capabilities that were first.

There's so much here. I'm hearing we *might* upload #FireEyeSummit videos to YouTube 🤞
Read 4 tweets
Profile picture
This is how bad guys can reset (and later resell) your stolen iPhone. The average Joe stands *no chance*, here is why (Thread)
This is a recent text message someone provided to me.
You receive a message from "Apple" to your recovery phone. In your native language, perfectly spelled. This looks legit, and you're happy because you might have a chance to get back your lost phone, right?
Domain name looks like an official icloud service, you know how this ends for most people. This is a very simple #phishing, yet very effective.
Read 5 tweets

Trending hashtags

#UKMail #legalweek #USAToday #CityofLondon #unlawful #Cressidadick #HillingdonCouncil #Muhardah #EuropeanNews #mortgage #Criminalbar #Steele #breakingNews #CPS #mayoroflondon #dailyNews #TrumpRussia #recruiting #sundaytimes #bbcbreakfast #Bostonherald #CEOs #Fuah #bigoted #Gender

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!