,
9 tweets,
11 min read
Read on Twitter
We're doing a special #StateOfTheHack episode this week with two of the technical experts who worked for months to graduate the activity clusters into #APT41. I'm sure @cglyer will pepper in #DFIR war stories.
If you've read the report (below),
what QUESTIONS do you still have?
If you've read the report (below),
what QUESTIONS do you still have?
I plan to go deeper on #APT41's:
1️⃣ Supply chain compromises (and nuanced attrib)
2️⃣ Linux & Windows MBR bootkits and how they were found 😉
3️⃣ Third party access 🌶️
4️⃣ Legitimate web services use (and their obsession with Steam)
+concurrent ops, overlaps!
content.fireeye.com/apt-41/rpt-apt…
1️⃣ Supply chain compromises (and nuanced attrib)
2️⃣ Linux & Windows MBR bootkits and how they were found 😉
3️⃣ Third party access 🌶️
4️⃣ Legitimate web services use (and their obsession with Steam)
+concurrent ops, overlaps!
content.fireeye.com/apt-41/rpt-apt…
@FireEye 📺 #StateOfTheHack Stream
"Double Dragon: The Spy Who Fragged Me" 🎮
#APT41 with Jackie, Ray, and @cglyer
pscp.tv/FireEye/1vAGRW…
"Double Dragon: The Spy Who Fragged Me" 🎮
#APT41 with Jackie, Ray, and @cglyer
pscp.tv/FireEye/1vAGRW…
We answered #APT41 questions from @arekfurt, @likethecoins, @SwitHak
We name dropped the hell out of the #FLARE team (incl. @williballenthin, @jay_smif)
Spice zone: we shared that APT41 might do #flareon6, previewed a #ManagedDefense blog, + SMS backdoor:
We name dropped the hell out of the #FLARE team (incl. @williballenthin, @jay_smif)
Spice zone: we shared that APT41 might do #flareon6, previewed a #ManagedDefense blog, + SMS backdoor:
Tagging more #FLARE name drops in the episode: @spresec, @mrdurakovich
Here are some blogs we mentioned:
1️⃣ 2015 blog on bootkits (examples from FIN1 #BOOTRASH + APT41 #ROCKBOOT): fireeye.com/blog/threat-re…
2️⃣ 2018 #BOOTWHAT blog on how we find them at scale: fireeye.com/blog/threat-re…
Here are some blogs we mentioned:
1️⃣ 2015 blog on bootkits (examples from FIN1 #BOOTRASH + APT41 #ROCKBOOT): fireeye.com/blog/threat-re…
2️⃣ 2018 #BOOTWHAT blog on how we find them at scale: fireeye.com/blog/threat-re…
...
3️⃣ 2013 blog on #CHINACHOPPER (by @TekDefense): fireeye.com/blog/threat-re… (part 1 of 2)
I'm including this one since @cglyer gave a quick mention of the web shell, but if it's *somehow* new for you, go read this blog and play with the caidao client.
3️⃣ 2013 blog on #CHINACHOPPER (by @TekDefense): fireeye.com/blog/threat-re… (part 1 of 2)
I'm including this one since @cglyer gave a quick mention of the web shell, but if it's *somehow* new for you, go read this blog and play with the caidao client.
If you have additional questions, previous #StateOfTheHack guests and resident APT41 experts @MrDanPerez, Jackie, and Ray will be doing a webinar on 8/29:
That's it for my mini "The Spy Who Fragged Me" recap thread. 😎
@threadreaderapp unroll show notes!
That's it for my mini "The Spy Who Fragged Me" recap thread. 😎
@threadreaderapp unroll show notes!
Let's try this again... @threadreaderapp unroll me some show notes please!
Also if you liked the mug from today's episode, it was meticulously reconstructed from a dinosaur model by my son.
I took @stonepwn3000's advice
I took @stonepwn3000's advice
