Happening NOW! You can still join us here, and I'll be live-tweeting what @Robert_Lipovsky and @adorais share. sans.org/webcasts/star-… [image]
.@Robert_Lipovsky kicking off with something I believe as well...crimeware is a greater threat to most orgs than state-sponsored threats. Even this week!
Many cyber crimes involve different jurisdictions - rarely is adversary infrastructure all in the same country, so law enforcement and private industry have to cooperate globally.
Robert talks about the challenge of mapping out the adversary infrastructure at scale...it's like a game of whack-a-mole, and to have an impact, you have to take down as much of the infrastructure as possible. It may be more or less challenging based on the botnet.
Here are the botnets they'll discuss today - #Andromeda #Gamarue #Wauchos #Trickbot #Windigo - each operation was a little different, the #Windigo analysis was largely manual. @ESETresearch [image]
Here's how @ESETresearch processes malware samples....this is an awesome diagram to help any teams think through how they action malware! It should be a combo of automation + human analysis. [image]
A nice breakdown of the process of tracking botnets. [image]
Interesting - @adorais corrects this headline and notes that there were MULTIPLE #Andromeda botnetS. [image]
This is often what happens when malware is shared among adversaries...we see this with ransomware operators and other criminals, and it makes our jobs tough and confusing!
A few interesting spreading mechanisms for #Wauchos/#Andromeda...instant messaging is not dead! [image]
.@adorais discussing a challenge of takedowns - not taking down legitimate researcher infrastructure, for example. This is a real concern that not many people consider. @ESETresearch worked with many partners to create a list for #Andromeda disruption.
The #Andromeda bots were redirected to a sinkhole - this allowed researchers to identify victims and notify them. Over a MILLION victim machines connected to the sinkhole. They saw an immediate decline in detections so considered it a success.
Interestingly, a few days later the operator behind it was arrested - they weren't aware this was going on so watched it like everyone else. @adorais commenting on how arrests like this are part of the overall approach to stopping adversaries...arrests matter too. [image]
MUCH SUCCESS! [image]
Oooo yeah @Robert_Lipovsky talking about the #Trickbot takedown....really excited to hear this. This operation was a huge team effort with Microsoft, ESET, and others. [image]
Robert reminding us how pervasive Trickbot was for quite a while - a global impact. Interesting tidbit - #Trickbot has been dropped on systems already infected with #Emotet, showing how adversaries are "business partners". [image]
Trickbot's modular architecture lets it do various things with plugins - it can steal creds and recently it's been observed acting as a delivery mechanism for other malware like ransomware
Web injects let operators change what victims see when they visit a website. This is a decrypted config that contains the malicious C2 URLs the bot would contact. [image]
The team collected thousands of configs to see how many websites were targeted. There was a big drop in March - that's when the #Trickbot operators dropped a plugin. This drop suggests they switched to focus more on ransomware... like #Ryuk. [image]
ICYMI, check out our previous #STARwebcast on #UNC1878 and #Ryuk here
This is AWESOME analysis and a great visualization!! These are unique identifiers ("gtags") in the hardcoded #Trickbot configs that identify different campaigns. "mor" is the campaign believed to be Trickbot compromises due to #Emotet. Tracking by campaigns is so powerful. [image]
#Windigo is a large-scale operation discovered in 2013 and is one of the largest ops @ESETresearch has tackled. It started with analysis of a Linux backdoor. Really glad to hear about this because this community doesn't focus enough on Linux IMHO. welivesecurity.com/wp-content/upl…
This op involved a few families - #Ebury, #Cdorked, and #Calfbot. This was some of the most complex infrastructure they have seen...as you can see from this diagram! 😂 After they published a whitepaper, the FBI reached out to ask for more info. Very cool result of sharing. [image]
They reached out to #Windigo victims, and even got access to a few compromised servers by asking nicely. I've found asking nicely is a great approach in this community! They saw thousands of creds over just *five days*...including thousands of root creds. 😬 [image]
I never realized #Glupteba was dropped in this op - it was dropped by #CDorked. Just adding to the complexity of campaigns like this - a lot of shared malware and exploit kits involved, making analysis confusing as heck.
Everything was quiet for a few months until they heard a Russian citizen was arrested. People often say it's not worth going after adversaries because they'll be safe in their home country, but being indicted is life-altering, says @adorais
...arrests happen during travel! [image]
Now researchers had a new challenge...trying to figure out how to explain a massively complex operation in plain language. I think this is one of the biggest challenges we face in this community. Luckily they didn't have to be an expert witness since an indictment happened. [image]
Private orgs have to trust law enforcement - that they will action the information. Law enforcement also has to trust private partners. The only way they've found to reach that level of trust is to start with small cooperation and build up over time. 💯💯💯
