Greg Lesnewich
Aug 28 · 5 tweets · 2 min read
🚨 Job Openings!

Our team is looking to hire for 2 positions on our APT tracking team.

Primary responsibilities & day-to-day will be disrupting state-aligned or state-sponsored actors trying to deliver malware, phish, or otherwise engage with our customers, in email data.
We're big on culture ADD - we'd love fresh and additive ideas that might challenge our assumptions & biases to help bonk the adversaries

Members of this team have previously been network wizards, incident responders, computer scientists, developers, & traditional gubbymint analysts.
We're looking for folks who either have experience tracking APT groups in similar data, or who have worked in tracking actors within email-based telemetry, with bonus points for those with detection experience.
you'll get to partner across the Threat Research org with amazing teams including the wizards of the wire (@ET_Labs), the malware maestros of CORSIG/DDX, the brave souls who stand vanguard against ecrime & fraud everyday, and many many more!
We're hiring at senior & staff levels.

preference for US or Canada (remote of course)

staff:

senior: proofpoint.wd5.myworkdayjobs.com/ProofpointCare…
proofpoint.wd5.myworkdayjobs.com/ProofpointCare…

More from @greglesnewich

Jul 26
Lots of important work in CTI on 🇰🇵 DPRK crypto-ops 🪙 going on at the moment!

I wanted to highlight a few talks that were very helpful for me in understanding how we got here!

1st, Katie Blankenship gave an excellent overview of DPRK cyber evolution.
Before we dive into crypto-ops fully, let’s take a step back and see where most of them evolved from: APT38. The folks at Mandiant gave an awesome talk on this back in the day:

Sticking with the SWIFT targeting, @saffronsec provides a deep look at North Korean intrusions leading to SWIFT heists:
Jul 5
What, dear reader, are, in your opinion, some of the best conference talks on discovering & tracking APT groups?

Think less “here’s a stock profile of this actor”, more “here’s how we found this thing”

I’ll start:
No Easy Breach from @ItsReallyNick & @matthewdunwoody

Operation ShadowHammer from @craiu & @vkamluk https://t.co/7UzsRuansF

Mystery of the Metador from @juanandres_gs @AmitaiBs3 @milenkowski https://t.co/R5tMd7jqPj

Since y’all ain’t adding any yet, some more faves:

Work on Platinum and APT10 from @Int2e_

https://t.co/ozaUsOVg6N

And finding SWC from @matthieu_faou https://t.co/Yqw4Q8yZwD
Jan 25
Baby’s first blog!

Check out our reporting on TA444 which has more AKAs than the Bodega Boys - but long story short they steal 💰cryptocurrencies for 🇰🇵

We rolled up their activity from 2022 where they rolled out new products, changed their GTM, and maybe tested in prod??
We saw TA444 try out a lot of chains in 2022, from their usual password.txt.lnk -> CageyChameleon, to MSIs, VHDs, CHMs, and ISOs.

We also saw them, very strangely, send out a phishing campaign that… kinda stunk? Typos everywhere, super broad targeting, real clunky feel
Our reporting builds on a lot of great reporting, especially December work from @unpacker, diving into TA444/Bluenoroff MoTW bypasses and malware usage, and highlights some of the peculiarities of their varied file formats used for malware delivery: securelist.com/bluenoroff-met…
Jan 15, 2022
Day 15 of #100DaysofYARA is all about named pipes! We'll be looking for both the \\.\pipe\ strings as well as common references to named and anonymous pipe methods and obfuscation methods. Lots of malware fams use named pipes!

github.com/g-les/100Dayso…
However, YARA is probably not the best way to keep track of these things on your network - check out Sysmon Event IDs 17 and 18!

@rpargman has some advice for using KQL to find some specific pipe names, and Splunk has some great blogs on monitoring them across the environment:

splunk.com/en_us/blog/sec…
splunk.com/en_us/blog/sec…