Alex (@AepEap)
35 posts. Joined February 2013. 444 Following, 85 Followers.

Alex (@AepEap):
@TLP_R3D @SentinelOne When I have tried detecting traffic towards these kinds of destinations in the past on customer networks it has been way too noisy; I'm curious if there's any additional network indicator raising how suspicious it is. Maybe it is one of those cases which needs endpoint presence.
Chris Duggan (@TLP_R3D):
Hunting Abused Visual Studio Code Tunnels - first reported by @SentinelOne

Threat actors are cleverly using Visual Studio Code tunnels and Microsoft Azure's infrastructure for command and control (C2), masking their espionage activities under the guise of regular traffic. Reported targets according to SentinelOne: large business-to-business IT service providers in Southern Europe. Recent research revealed an uptick in this exploitation.

Hunt rule:
  HTTP/1.1 404 Not Found
  Date: GMT
  Content-Type: text/html
  Content-Length: 548
  Connection: keep-alive
  X-Served-By:
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  ssl.jarm:"2ad2ad0002ad2ad00042d42d00000023f2ae7180b8a0816654f2296c007d93"
  ssl:"Kubernetes Ingress Controller Fake Certificate"

Some of the interesting finds:
- Malicious files:
  - Ghost.exe (SHA256: 7577262fc95eb1cd41448a817e9bf4cdf4c235ba5db83cb4992eb9b766ffb452) from 20.207.70.99.
  - payload.apk (Metasploit for Android, SHA256: d44bf340d946526fd3e623f724c283d8e1d089c5f120f9cc7c143546a3dd52ee) from 20.120.56[.]11.
- Suspicious reconnaissance:
  - Train%20Lag%20Setup%200.2.0.exe (SHA256: dcc411998cf6a8c7108bdd6987d72a42e6ed463d5ece97730c19bb3b9c49e1ec) linked to IPs 20.69.79[.]91 & 20.85.77[.]48, showing potential system reconnaissance.
- Multiple IPs listed are potentially involved in this campaign. 20.103.221[.]187 - Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels, reported by SentinelOne.

Stay vigilant. sentinelone.com/labs/operation…
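The hunt rule above is a server fingerprint (HTTP 404 banner shape, JARM, certificate subject). The following is an added example, not code from SentinelOne or from the tweet's author, of how to apply it to scan results: it parses a raw HTTP response head in the shape Shodan stores and reports which rule components each host satisfies, rather than a bare yes/no, because several components are weak on their own (the certificate name is the default placeholder certificate of the ingress-nginx controller and appears on plenty of unrelated hosts, which is the noise Alex's reply points at). The JARM hash and certificate name are copied from the rule; the `ScanRecord` field names and the two sample records are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Components of the hunt rule as quoted in the tweet. The JARM hash and
# certificate name are copied from it; header values are those the rule lists.
RULE_JARM = "2ad2ad0002ad2ad00042d42d00000023f2ae7180b8a0816654f2296c007d93"
RULE_CERT_SUBJECT = "Kubernetes Ingress Controller Fake Certificate"
RULE_HEADER_VALUES = {
    "content-type": "text/html",
    "content-length": "548",
    "connection": "keep-alive",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}
# Headers the rule only requires to be present (their values vary per host).
RULE_HEADERS_PRESENT = ("date", "x-served-by")


@dataclass
class ScanRecord:
    """One scan result. Field names are an assumption, not any scanner's schema."""
    ip: str
    banner: str            # raw HTTP response head, CRLF separated
    jarm: str = ""
    cert_subject: str = ""


def parse_banner(banner: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response into (status line, lowercase header map)."""
    head = banner.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def match_hunt_rule(rec: ScanRecord) -> dict[str, bool]:
    """Return one boolean per rule component so partial matches are visible."""
    status, headers = parse_banner(rec.banner)
    hits = {"status_404": status.startswith("HTTP/1.1 404")}
    for name, want in RULE_HEADER_VALUES.items():
        hits["hdr_" + name] = headers.get(name, "").lower() == want.lower()
    for name in RULE_HEADERS_PRESENT:
        hits["has_" + name] = name in headers
    hits["jarm"] = rec.jarm.lower() == RULE_JARM
    hits["cert_subject"] = rec.cert_subject == RULE_CERT_SUBJECT
    return hits


def full_match(rec: ScanRecord) -> bool:
    return all(match_hunt_rule(rec).values())


def hit_count(rec: ScanRecord) -> int:
    """How many of the rule's components matched (9 is a full match)."""
    return sum(match_hunt_rule(rec).values())


# Constructed sample records, not real scan data.
MATCHING = ScanRecord(
    ip="203.0.113.10",
    banner=(
        "HTTP/1.1 404 Not Found\r\n"
        "Date: Thu, 01 Jan 2024 00:00:00 GMT\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 548\r\n"
        "Connection: keep-alive\r\n"
        "X-Served-By: cache-example\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "\r\n<html>...</html>"
    ),
    jarm=RULE_JARM,
    cert_subject=RULE_CERT_SUBJECT,
)
GENERIC_404 = ScanRecord(
    ip="198.51.100.7",
    banner=(
        "HTTP/1.1 404 Not Found\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 153\r\n"
        "\r\n"
    ),
    jarm="0" * 62,
    cert_subject="example.com",
)

if __name__ == "__main__":
    for rec in (MATCHING, GENERIC_404):
        print(rec.ip, hit_count(rec), "of", len(match_hunt_rule(rec)), full_match(rec))
```

Treat a full match as a pivot for further enrichment (what else does the host serve, who owns the prefix, does it talk to your endpoints), not as an alert on its own.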
Greg Lesnewich (@greglesnewich):
@AepEap Yeah! We see that particular PDF theme (different hash) used in campaigns targeting that same sector that are high-confidence TA421/APT29. The infection chain (PDF-URL-ZIP), the particular HTA usage, and the use of compromised infrastructure are all similar to TA421 campaigns as well :)
Alex (@AepEap):
@t3ft3lb Nice! What is the attribution based on?
Alex retweeted:
nao_sec (@nao_sec):
New blog post! "GroundPeony: Crawling with Malice". We updated nao_sec's blog after a long time😎 nao-sec.org/2023/08/ground…
Alex (@AepEap):
@MichalKoczwara I understand there's some satisfaction from teaching others about techniques not spoken about much in public, but burning queries for many different malware families reduces detection capabilities long-term with very limited benefits.
Michael Koczwara (@MichalKoczwara):
Last night APT10, APT28, APT29, APT41, and FIN7 DMed me here on Twitter and said that my tweets revealed their poor opsec practices, so now they will make a few changes:
- APT28 is not going to use Cobalt Strike anymore and will use Koadic C3 from today.
- APT29's Cobalt Strike watermark is going to be changed from 1359593325 to 1337.
- APT10 infra is going to be hosted on Digital Ocean only.
- APT41 is changing all default C2 certifications from Major Cobalt Strike to Minor Cobalt Strike.
- FIN7 will not use RDP for lateral movement anymore and will use only SSH.
So you have to track them all from the beginning now! Sorry about that 🤷‍♂️
Alex (@AepEap):
@4rchib4ld I think it's useful to be able to manually create network graphs which are pedagogical, rather than the mess that automatically generated graphs often are. But driving the investigations by working within Maltego transforms results in messy, large graphs.
4rchib4ld (@4rchib4ld):
Am I the only one not liking to use Maltego when I do investigations? It feels so unresponsive and hard to use :(
Stephan Berger (@malmoeb):
1/ #ThreatHunting: In a compromised network, we saw the following request in the proxy logs: www.advanced-ip-scanner[.]com/checkupdate.php?[..] This scanner is trendy among ransomware groups and has been mentioned in reports by @TheDFIRReport, among others. [1] 🧵
Alex (@AepEap):
@campuscodi 142.4.123.192 likely instance over HTTPS.
Alex (@AepEap):
@DCSecuritydk @cyb3rops Well, it's a cost-effective complement in diverse environments when implemented right. If the FP rate is too high, the IOC should be excluded automatically. I can understand vendors not taking the IP route, as a higher FP rate is generally seen as less acceptable by customers.
Florian Roth ⚡️ (@cyb3rops):
I wonder how many hours / days / weeks of analyst time was wasted on outdated IOCs, especially IPs that now have completely different owners #IOCs
Alex (@AepEap):
@MadeleyJosh @netresec @cyb3rops I can understand the choice to not publish victim IPs as IOCs even though there are organizations which can perform additional analysis on such data and enable collaborated attribution :)
Josh Madeley (@MadeleyJosh):
@netresec @cyb3rops No high fidelity IOCs, but the QUIETEXIT/dropbear SSH handshake would be pretty quiet. Even outbound SSH monitoring tends to be pretty quiet and easy to verify legitimate traffic. Hundreds of gigabytes over SSH to a single IP in a month stands out when you are looking for it.
Florian Roth ⚡️ (@cyb3rops):
I guess most people don't know how easy it is to run automatic forensic investigations on any(!) appliance that offers a shell with THOR Thunderstorm & the various collectors: nextron-systems.com/thor-thunderst…
Example w/ RaspberryPi: twitter.com/cyb3rops/statu…
Example w/ my old Synology NAS
Quoted tweet, Florian Roth ⚡️ (@cyb3rops):
Testing THOR Thunderstorm's build for ARM processors on a RaspberryPi 4 (model B; 4GB RAM, 4 CPU cores), processing 300-400 samples per minute. Test setup for an ICS customer that would like to deploy scanning services in multiple network segments. nextron-systems.com/thor-thunderst…
Alex (@AepEap):
@craiu Effective IOC ingestion into threat detection engines requires automatic sanity checks and constant manual tuning in order to provide effective detection output. But yes, listing shared hosts as IOCs shows a lack of understanding of how the indicators are applied later on...
Costin Raiu (@craiu):
So many public IOCs, including from reliable sources (e.g. security agencies, GovCERTs), contain unreliable information. In this case below, 192.64.119[.]190 is a Namecheap parking IP with over 6000 distinct hosts on it. Import it into an IDS to generate tons of false hits.
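The two controls Alex's replies above argue for (automatic sanity checks before IP indicators are ingested, and automatic exclusion once an indicator's false-positive rate is too high) fit in a few lines. The block below is an added example, not code from Costin Raiu, Florian Roth, Alex or any vendor. `vet_ip_iocs` drops addresses that passive DNS shows hosting many distinct names, the parking-IP case in the tweet; `auto_exclude` pulls an already-deployed indicator once it has fired from more distinct internal hosts than a beacon plausibly would. The passive-DNS counts (apart from the roughly 6000 names on 192.64.119[.]190, which is the tweet's own figure) and the sighting log are constructed, and both thresholds are assumptions to tune per environment.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed passive-DNS summary: IP -> number of distinct hostnames seen
# resolving to it. Stands in for a real pDNS lookup. The parking IP and its
# ~6000 names are the case from the tweet; the other entries are made up.
PDNS_HOST_COUNT = {
    "192.64.119.190": 6000,
    "203.0.113.45": 1,
    "198.51.100.200": 12,
}


def vet_ip_iocs(iocs, host_counts, max_hosts: int = 25) -> dict[str, tuple[bool, str]]:
    """Pre-ingestion check: keep an IP only if pDNS shows few names behind it.
    max_hosts is an assumed cut-off. IPs without pDNS data are kept but flagged
    for manual review rather than silently trusted."""
    verdicts: dict[str, tuple[bool, str]] = {}
    for ip in iocs:
        n = host_counts.get(ip)
        if n is None:
            verdicts[ip] = (True, "no pDNS data, review manually")
        elif n > max_hosts:
            verdicts[ip] = (False, f"shared host: {n} names")
        else:
            verdicts[ip] = (True, f"{n} names")
    return verdicts


def auto_exclude(sightings, max_sources: int = 50) -> set[str]:
    """Post-deployment check: an IOC that fires from more than max_sources
    distinct internal hosts behaves like shared infrastructure, not a beacon,
    and is pulled from the active set. The threshold is an assumption."""
    sources: dict[str, set[str]] = defaultdict(set)
    for ioc, internal_host in sightings:
        sources[ioc].add(internal_host)
    return {ioc for ioc, hosts in sources.items() if len(hosts) > max_sources}


def active_iocs(iocs, host_counts, sightings) -> list[str]:
    """Indicators that survive both checks, in the order they were supplied."""
    vetted = [ip for ip, (keep, _) in vet_ip_iocs(iocs, host_counts).items() if keep]
    excluded = auto_exclude(sightings)
    return [ip for ip in vetted if ip not in excluded]


# Constructed sighting log: (ioc, internal host that matched it).
SIGHTINGS = [("203.0.113.45", "ws-017"), ("203.0.113.45", "ws-017"),
             ("203.0.113.45", "srv-db01"), ("192.0.2.77", "ws-003")]
SIGHTINGS += [("198.51.100.200", f"ws-{i:03d}") for i in range(60)]  # 60 distinct hosts

FEED = ["192.64.119.190", "203.0.113.45", "198.51.100.200", "192.0.2.77"]

if __name__ == "__main__":
    for ip, (keep, why) in vet_ip_iocs(FEED, PDNS_HOST_COUNT).items():
        print(("keep  " if keep else "reject"), ip, why)
    print("auto-excluded:", auto_exclude(SIGHTINGS))
    print("active:", active_iocs(FEED, PDNS_HOST_COUNT, SIGHTINGS))
```

The ownership problem Florian raises (IPs that have since changed hands) is not caught by either check; that needs an expiry on the indicator itself, which the feed has to carry.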
Alex (@AepEap):
@aRtAGGI @h2jazi Would you be able to comment on what specifically in the C2 infrastructure overlaps between the two?
Digital_Monet (@aRtAGGI):
@h2jazi This same malware was observed in phishing targeting EU diplomatic orgs during the US withdrawal from Afghanistan. The C2 of this payload had overlap with the historic APT group Symantec called Scarab: ebook.port25[.]biz. I called the malware PoppyDreams.
Jazi (@h2jazi):
This seems like a new attack targeting #Ukraine 1af894a5f23713b557c23078809ed01c Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar (About preservation of video materials with fixing of criminal actions of army of the Russian Federation)
Alex (@AepEap):
@KorbenD_Intel It could be a new actor using it, as the SSH key has changed and the previous CS instance was last indexed on 2019-02-18 and then started being active on 2021-06-23 with a different C2 header (based on Shodan historical data).