@1njection I agree with your general sentiment but in the interest of pedantry—
-Regin is your main 4 Eyes APT
-Equation group is (sort of) your missing eye
-Lamberts/‘Longhorn’ == CIA
And then there’s a few presumably western outliers that haven’t been attributed (ex: ProjectSauron)
@1njection To your larger point, you’ll notice that there’s very little follow up on any of these. There’s a complex calculus in the EDR/AV industry on whether to report on ‘friendly’ ops. I understand if they choose not to publish reports but imo intentionally not *detecting* is fraud.
@1njection The best ex to cut through this perverse logic is the shadowbrokers leak. Few companies were prepared w detections or even understanding of the tooling. And I always wonder… had someone seen an unauthorized use of DoublePulsar itw pre-leak, might NSA have known it was coming?
@1njection The TI industry is a form of voyeuristic counterintelligence layered on top of detection products. It’s our job to detect these things and we have a choice as to whether we can stomach a public vs private report (considering well being of customer + health of business).
@1njection That said, if you choose not to detect ‘friendlies’, you should disclose that to your European and Middle Eastern customers before contract signing and see how that goes. ‘Global companies’ playing provincial tactics.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Ok friends, you know it's a wonderful day when you get woken up by @Bing_Chris on madness in Iran. If you haven't seen what's going on, another trollish attack played out today with gas stations in Iran not being able to dispense gas #64411
Screens on the gas pump PoS systems say 'cyberattack, 64411' in Farsi. For avid readers, this should be a throwback to the Iranian railway systems attack in July where the attackers also directed calls to 64411, the Office of Iran's Supreme Leader, Ali Khamenei' #MeteorExpress
We were able to reconstruct the attack chain used in the Iranian railway system, a combination of well-written crafty batch scripts + an externally configurable wiper called 'Meteor'. That led us to calling this group MeteorExpress. s1.ai/meteor
Tbh, when I tweeted out the story about VPNs getting consolidated under a shady company with a reputation for malware/adware distribution, I didn't expect that it would get that big of a response. Since folks are interested, I wanted to discuss my biggest issue w this... #Thread
Sure, shady monetization schemes w ads are the bulk of the business model but it doesn't take into account the targeted espionage concern. Ad networks are fantastically positioned to profile internet users to an impressive level of granularity but they're limited–
For a determined adversary with control or influence over an ad network, you might have access to selectively injecting iframes or malicious ads in the hopes of hitting that one precious target. But a VPN introduces a much smoother avenue of attack.
It's awesome to see analysis of Lamberts and Equation Group tools. They're some of the most noteworthy findings in the short history of Cyber Threat Intelligence and we're doing a disservice by collectively ignoring their existence. Great work @runasand and @patrickwardle!
If you missed it, I'm sure the video will be up in the near future. In the meantime, here's Runa's blog on Green Lambert OS X objective-see.com/blog/blog_0x68…
For additional (non-MacOS) background, here's an overview of the color-coded constellation of the Lambert's toolkit up to a point– securelist.com/unraveling-the…
There are three things you don't want to see made– laws, sausages, and threat intelligence.
Frankly, I'm bummed out at the framing of this issue. It adds fuel to the air-quote 'privacy' debate that keeps eating away at our ability to do security research, as in the case of GDPR.
I've played with Augury before. Netflow can be useful. But for the most part it's spotty, incomplete, and inconclusive. You don't turn into a SIGINT agency because you have visibility into a few hops along a path for a sliver of time. Internet routing doesn't work that way.
You're seeing points connecting to other points at a given time. If the connection is routed a different way, if it takes a hop you don't have access to, if any number of factors changes the connective tissue of the internet, you don't see anything.
When researching MeteorExpress, I couldn't have guessed the direction the discussion would take. Let's take a minute to evaluate these different claims– Indra, non-state-sponsored, MBC, SEA... (thread)
(1)Let's dispense with the patently brittle claims– just because a ransomware group claims they perpetrated an attack doesn't make a credibly claim... looking at you DarkTracer.
(2)Subsequent claims that it's related to SEA are using a reference so outdated as to be meaningless. Additionally, SEA was a pro-regime group so nothing about this adds up other than a vague Syria connection.
Alright, let's add some substance to this Pegasus discussion. Contrary to what you might read, research into NSO has been going on for years and has involved a lot of great research groups (@citizenlab, @kaspersky, @Lookout, to name a few). It has also included leaks.
Folks are speculating about how we might know about the targets of Pegasus customers. NSO simultaneously claims that they don't know their customers targets but at the same time they know that none of the @AmnestyTech infections are real. Two obviously incompatible statements.
Assuming NSO doesn't have access to their customers targets, a list of targets of interest would have to come from a structural fault in the agent/exploit delivery infrastructure that NSO uses. We have a high-level view of how that system is architected.