One (potentially overlooked) aspect from today’s latest breach news is the recent trend of password stealer malware as the initial vector to gain access to orgs

See those “LOGID-“ files in screenshot? They are output files from password stealers (e.g RedLine, raccoon stealer) We discussed how DEV-0537/LAPSUS$ used this technique to gain initial access to a low privileged identity at targeted orgs in our ransomware ecosystem compendium
microsoft.com/security/blog/…

The LAPSUS$ Group/DEV-0537 was not on my 2022 bingo card - given impact of their activities @MsftSecIntel wanted to detail unique blend of tradecraft. I've personally given dozens of threat briefings in the last few weeks

Here's a 🧵with my highlights
microsoft.com/security/blog/… They monetize intrusions (some of them) through extorting orgs to prevent public data release. Nowadays we associate that with ransomware gangs but this isn't a new trend

Reminds me of investigation I led at South Carolina Department of Revenue in 2012
oag.ca.gov/system/files/M…

There’s a lot to unpack in @MsftSecIntel’s latest blog on the CVE-2021-40444 vulnerability. Here’s a thread of some of the details that I think are notable

https://twitter.com/MsftSecIntel/status/1438291542142246920

The volume of initial exploitation was limited. Most security orgs I talked to didn’t observe it directly in their telemetry

“In August…MSTIC identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML”

This shouldn’t be news to anyone,but human operated ransomware is a problem that has gotten completely out of control

The reasons are relatively straightforward: The cost to pay is often significantly less than cost to business impact from downtime

The “supply” of possible targets is significantly higher than traditional financial crime which have to target payment/gift cards, banks (or related orgs)

Monetization is also wayyyyy easier

One of most undervalued aspects of incident response is incident documentation

In my experience as a consultant step 1 is interviewing client & reviewing whatever scattered notes 🔖📝they have about an incident & organizing it in a logical manner b/c most orgs do this poorly 🙈 Challenge is analysts (due to crisis) move fast to respond quickly & most orgs don’t experience impactful breaches often

This leads to scattered knowledge/understanding & each analyst documenting things in their own way that is efficient for them but not overall investigation

After more than a decade - today is my last day @FireEye.

Taking a job @Mandiant was one of the best decision's I've ever made & I wanted to share some of the stories & experiences of what it was like as well as recognize some of the people that helped me learn and grow When I started @Mandiant in 2009 the infosec space (it was called information security and not cyber security for starters) was so different from today. It was fairly rare for companies to get breached and when they did there was an amazing amount of stigma associated with that.

BREAKING: APT41 initiated a multi-month global campaign at over 75 @FireEye customers attempting to exploit Internet facing systems using recently released exploits for Citrix NetScaler/ADC, Cisco Routers & Zoho ManageEngine.

fireeye.com/blog/threat-re… I've been analyzing @FireEye's telemetry over the last few months for attempts to exploit CVE-2019-19781 (Citrix ADC) and this is the first campaign I was able to find and tie to a specific threat actor.

We've all received emails with no attachment and assume it's "safe" to open in a mail client (as long as we don't explicitly click on any URLs). Right?

Not so much... Let's talk about email tracking pixels for a minute and how sales/marketing (as well as real threat actor's) can use them to evaluate the success of an email marketing (or phishing) campaign...or for information gathering before sending a follow-up payload.

#DFIR #APT32

BREAKING - To help organizations identify compromised systems with CVE-2019-19781, @FireEye & @Citrix have released a tool that searches for indicators of compromise associated with attacker activity observed by @Mandiant
fireeye.com/blog/products-…
github.com/fireeye/ioc-sc… @FireEye @citrix @Mandiant The tool looks for both specific indicators of malware
(coinminers, NOTROBIN and more) as well as methodology indicators that should generically identify compromise (e.g. processes spawned by user nobody, files with 644 user permission...etc.)
#DFIR

I’m going to be live tweeting the #FireEyeSummit technical track chaired by @stvemillertime First up is @HoldSecurity discussing how to harvest information from botnets

#FireEyeSummit

Here’s the thing about the US Defense Industrial Base. The average person thinks of the largest companies (BAE, Boeing, General Dynamics, Lockheed Martin, Northrop Grumman, Raytheon, SAIC...etc.) when we think of who builds the missiles/tanks/ships/airplanes/satellites.
1/n

https://twitter.com/josephmenn/status/1105599568765378562

The reality is the large defense contractors have enormous supply chains of sub contractors and suppliers - many of which are small(er) businesses that don’t have the size/resources/security maturity to adequately protect the data - that the bigger defense contractors have
2/n

Long rumored @TheJusticeDept indictment of #APT10 is out. sc.cnbcfm.com/applications/c… Here are my observations/highlights from reading the indictment (channeling my inner @pwnallthethings):
-the indictment indicates #APT10 operations started in 2006 and went through 2018. The 2006 activity was likely focused on US Government, Military, and defense contractors

1/n

"You've Got Mail"

@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends

#FireEyeSummit APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim

Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.

#FireEyeSummit

.@TekDefense introducing our next talk about unmasking APT38 - a North Korean threat actor focused on financial attacks

Blog released today with more details
fireeye.com/blog/threat-re…

#FireEyeSummit APT38 targeted banks (SWIFT messaging initiated wire transfers you've read about in the news) and crypto currency exchanges (among other orgs)

#FireEyeSummit

First up Matias and Adrian discussing investigating the threat actor that MSFT calls Platinum

...and right out of the gate the threat actor steals your EDR agent installer 😮 #SignsThisProbablyIsntAScriptKiddie

#FireEyeSummit It's not often that you see ACI Shims used for persistence

#FireEyeSummit

Remediation strategy in #DFIR is always a fun topic - with many opinions & not always a clear rule book to follow. It's like the English language for every rule there are 5 exceptions. My views have evolved over time - from combo of experience & as monitoring tools have improved If you catch attacker early in attack lifecycle - this one is pretty easy. Take action immediately before they get a strong foothold. Very few exceptions to this rule. Tipoffs you are early in attack lifecycle. Malware owned by primary user of system or malware in startup folder

I've been thinking about the recent conspiracy theory of "where is the physical DNC server".

https://twitter.com/realDonaldTrump/status/1018072081676865536

Here is a thread on the "missing" DNC server and my experience/advice from conducting similar investigations. First, some background for my comments. Over the last decade, I've personally led investigations at over 100 organizations & taught dozens of classes for both federal law enforcement and the private sector on incident response and digital forensics.

Reading justice.gov/opa/pr/russian… today reminded me how I got my start in #DFIR in 2008 investigating FIN1. Let's take a walk down memory lane. FIN1 (in my experience) has had a few major periods of activity (2007-2009, 2011-2012, and 2014-2015) - each with their own distinct set of TTPs. They've significantly improved their capabilities over the years (even though multiple members have been arrested)