I'll attempt to live tweet this awesome webcast from @Wanna_VanTa and @x04steve on Ryuk and UNCs behind them! Roughly 1/5 ransomware intrusions have been related to Ryuk. @Mandiant @sansforensics
Tracking Time to RYUK! This is a good metric to track as much as you can.
So what's a UNC? UNC = "uncategorized" - a way to cluster unique activity that is fundamentally related. They're "labels" or "buckets". UNCs might become FINs or APTs someday, but that requires time.
Van mentions one of my favorite blog posts, by Matt Berninger: fireeye.com/blog/threat-re…
Overview of their lifecycle
Not all Trickbot is UNC1878!!! This is such an important point. Don't attribute to actors based SOLELY on the tool they use.
Our first mention of Cobalt Strike. Used in EVERY INTRUSION. You need to know how you can detect this. Look into Malleable C2 Profiles. Code signing certs are a great place to look too.
Can confirm, these are super common credential access and lateral movement techniques...for UNC1878 and other actors too. ADFind is a good one to look for and might be rare in your environment.
So much is detectable here. Go search your endpoints. Write some analytics.
Note how much of what UNC1878 uses is open source. This gives defenders the chance to dive into the code and make better detections.
What happened over the summer? They're not sure, but the data clearly shows RYUK has returned. But does that mean UNC1878 has returned? Maybe, but DON'T ATTRIBUTE BASED ON MALWARE FAMILY ALONE. AGAIN FOR THE FOLKS IN BACK....DON'T. ATTRIBUTE. ON. MALWARE. FAMILY. ALONE.
Some things are similar to previous activity, some are different...Kegtap has replaced Trickbot. Cobalt Strike isn't quite the same as it was a few months ago.
Cobalt Strike differences: subdomains, and URIs that seem to be more random
But what hasn't changed? Some patterns in the certs! More detection opportunities....
Diving into attribution...it can be so useful to compare activity over time and look for similarities and differences.
Use of WMI plus shared folder and BITSadmin...ALMOST the same commands. Check out vVv and xxx. This is a strong overlap between UNC1878 and UNC2352.
Ultimately these UNCs were merged. It may seem like a lot of work for something "obvious", but sometimes it takes time to build confidence. THIS IS A KEY POINT FOR INTEL ANALYSIS!!! We shouldn't just accept our "gut feelings" - that's where cognitive biases come in.
You need to respond pretty darn quickly. These are pretty huge ransom demands.
Takeaways! Hopefully we have some time to dive into attribution a bit.
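As an added detection-side example (not part of the thread or the webcast), the following Python scores constructed process-creation events for three of the techniques named above, ADFind execution, BITSAdmin transfers from a share, and WMI remote process creation, and flags hosts where more than one co-occurs; host names, paths and the share name are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry); host names,
# paths and the share name are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "ws01", "image": r"C:\Temp\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer"},
    {"host": "ws02", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd \\fileserver\share\tool.bin C:\Temp\tool.bin"},
    {"host": "ws02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:ws05 process call create cmd.exe"},
    {"host": "ws04", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /list /allusers"},
]

# Rule name -> predicate over (lower-cased image basename, lower-cased command line).
RULES = {
    # ADFind is rare in most environments, so any execution is worth a look.
    "adfind_execution": lambda img, cmd: img == "adfind.exe" or cmd.startswith("adfind"),
    # BITSAdmin pulling a file from a UNC share (\\host\share), not /list or /info.
    "bitsadmin_unc_transfer": lambda img, cmd: img == "bitsadmin.exe"
        and "/transfer" in cmd and re.search(r"\\\\[^\\\s]+\\", cmd) is not None,
    # WMIC creating a process on a remote host.
    "wmi_remote_process": lambda img, cmd: img == "wmic.exe"
        and "/node:" in cmd and "process call create" in cmd,
}

def match_event(event):
    """Return the names of every rule a single process event matches."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["cmdline"].lower()
    return [name for name, pred in RULES.items() if pred(image, cmdline)]

def techniques_by_host(events):
    """Aggregate matched rule names per host."""
    seen = defaultdict(set)
    for ev in events:
        for name in match_event(ev):
            seen[ev["host"]].add(name)
    return dict(seen)

def flag_hosts(events, min_rules=2):
    """Hosts on which at least min_rules distinct techniques co-occur."""
    return {h: r for h, r in techniques_by_host(events).items() if len(r) >= min_rules}
```

A single ADFind hit is already worth triage in most environments; the per-host aggregation is there to surface the command-combination overlap the talk used when comparing UNC1878 and UNC2352 activity.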
Thread by Katie Nickels (@likethecoins)