Share this page!

Maybe Scrolly?
Christopher Glyer Profile picture
Twitter logo
16 Sep, 12 tweets, 6 min read
There’s a lot to unpack in @MsftSecIntel’s latest blog on the CVE-2021-40444 vulnerability. Here’s a thread of some of the details that I think are notable
The volume of initial exploitation was limited. Most security orgs I talked to didn’t observe it directly in their telemetry

“In August…MSTIC identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML”
The attribution behind the various components involved in the campaigns is a little more complicated than I typically see (we’ll unpack that more shortly).

But the end motivation was human-operated ransomware by cyber criminals
Attack surface reduction rules (ASR) mitigated the specific attack vector we observed in the wild.

I feel like ASR rules are an overlooked defensive capability by many enterprises. Seriously - go read up on ASR and implement as many as you can
docs.microsoft.com/en-us/microsof…
The exploit chain involved a series of steps that when combined sort of resembles a “cyber Rube Goldberg machine”

These “features” will play into future detection opportunities for defenders due to the processes and arguments that need to be spawned
Every cyber security company tracks threat actors in a unique way based on their telemetry and insights. At @MsftSecIntel - we track threat actors initially as DEV-### clusters that may get collapsed into other clusters (based on new analysis) or “promoted” to a proper name
Now this is where attribution gets challenging. It’s clear that large set of C2 infrastructure registered by a distinct set of operators

But the same infrastructure has been used by multiple different ransomware actors

Hypothesis: Cobalt Strike C2-as-a-service (aka CS-C2aaS)😜
I feel like (possibly new) as-a-service model can really throw intel attribution curve ball (I know we had internal convos trying to make heads or tails of the disparate activity we were/are seeing)

We saw same CS-C2aaS delivering Trickbot/Bazaloader payloads w/o CVE-2021-40444
One explanation of the sophistication of the lure document (or lack thereof) vs. use of an unpatched exploit - could indicate that the group deploying the exploit didn’t develop the exploit
Cc: @HackingLZ
It probably doesn’t take a rocket 🚀scientist to figure out - I’m no expert in oleObject relationships and what is normal vs. anomalous. Fortunately I work with folks on the #MSTIC team who are gifted at spotting nuanced anomalies in maldocs - and dig deeper to get to the truth
Getting back to “cyber Rube Goldberg” machine

Due to the nature of exploit requiring path traversal & URL protocol handlers - makes for more durable hunting signal that is difficult for attackers to evade

Note: this may pick up activity that may not be related to CVE-2021-40444
If you want to learn more about the infrastructure that is related to the possible Cobalt Strike C2-as-a-Service (CSC2aaS) (aka DEV-0365) - check out @RiskIQ’s companion blog

riskiq.com/blog/external-…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Christopher Glyer

Christopher Glyer Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @cglyer

Christopher Glyer Profile picture
9 Oct 20
This shouldn’t be news to anyone,but human operated ransomware is a problem that has gotten completely out of control

The reasons are relatively straightforward:
The cost to pay is often significantly less than cost to business impact from downtime

The “supply” of possible targets is significantly higher than traditional financial crime which have to target payment/gift cards, banks (or related orgs)

Monetization is also wayyyyy easier
I don’t think you will see a material change in % of orgs who pay ransom unless governments make payment of ransoms illegal (which will have a lot of other unintended consequences).

Do you think governments should outlaw payment of cyber ransoms?
Read 14 tweets
Christopher Glyer Profile picture
25 Jul 20
One of most undervalued aspects of incident response is incident documentation

In my experience as a consultant step 1 is interviewing client & reviewing whatever scattered notes 🔖📝they have about an incident & organizing it in a logical manner b/c most orgs do this poorly 🙈
Challenge is analysts (due to crisis) move fast to respond quickly & most orgs don’t experience impactful breaches often

This leads to scattered knowledge/understanding & each analyst documenting things in their own way that is efficient for them but not overall investigation
In my experience - here are the most important things to track (a spreadsheet is my preferred tool)

One table for each of the following:
-Timeline of forensic artifacts
-Systems
-Indicators (I prefer separate table for host and network)
-Compromised accounts
Read 12 tweets
Christopher Glyer Profile picture
26 Mar 20
After more than a decade - today is my last day @FireEye.

Taking a job @Mandiant was one of the best decision's I've ever made & I wanted to share some of the stories & experiences of what it was like as well as recognize some of the people that helped me learn and grow
When I started @Mandiant in 2009 the infosec space (it was called information security and not cyber security for starters) was so different from today. It was fairly rare for companies to get breached and when they did there was an amazing amount of stigma associated with that.
I was employee 63 (not because there were 63 active employees but because I was the 63rd employee hired since the inception of the company in ~2005). There were offices in 3 cities (DC, NY, LA) & company split roughly 50/50 between consultants and software devs on MIR
Read 20 tweets
Christopher Glyer Profile picture
25 Mar 20
BREAKING: APT41 initiated a multi-month global campaign at over 75 @FireEye customers attempting to exploit Internet facing systems using recently released exploits for Citrix NetScaler/ADC, Cisco Routers & Zoho ManageEngine.

fireeye.com/blog/threat-re…
I've been analyzing @FireEye's telemetry over the last few months for attempts to exploit CVE-2019-19781 (Citrix ADC) and this is the first campaign I was able to find and tie to a specific threat actor.
The CVE-2019-19781 exploitation had three main phases 1) initial reconnaissance on January 20-21 executing the command 'file /bin/pwd' (APT41 was the only actor I could find executing this command)
Read 13 tweets
Christopher Glyer Profile picture
28 Jan 20
We've all received emails with no attachment and assume it's "safe" to open in a mail client (as long as we don't explicitly click on any URLs). Right?

Not so much...
Let's talk about email tracking pixels for a minute and how sales/marketing (as well as real threat actor's) can use them to evaluate the success of an email marketing (or phishing) campaign...or for information gathering before sending a follow-up payload.

#DFIR #APT32
Let's start with the basics of tracking pixels.

I'm not attending @RSAConference - but I get marketing emails like this one. If you use the Outlook client - have you ever noticed the "to help protect your privacy; Outlook prevented automatic download of some pictures."?
Read 11 tweets
Christopher Glyer Profile picture
22 Jan 20
BREAKING - To help organizations identify compromised systems with CVE-2019-19781, @FireEye & @Citrix have released a tool that searches for indicators of compromise associated with attacker activity observed by @Mandiant
fireeye.com/blog/products-…
github.com/fireeye/ioc-sc…
@FireEye @citrix @Mandiant The tool looks for both specific indicators of malware
(coinminers, NOTROBIN and more) as well as methodology indicators that should generically identify compromise (e.g. processes spawned by user nobody, files with 644 user permission...etc.)
#DFIR
@FireEye @citrix @Mandiant Lots of late nights and work on the weekend/holiday to get this out. Many thanks to @williballenthin @MadeleyJosh @_bromiley @jkoppen1 @ItsReallyNick for help making it happen.
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @cglyer has new unrolls!

Check out other threads from @cglyer!

Read all threads by @cglyer

:(