PeterM🌻

My WFH office is finally done. This took months and multiple lockdowns to complete. I converted part of my garage for this. Enter through a hidden door (with a camera watching). The projector also connects to my CCTV system.

Nice post about exfil tools: Ransomware-driven data exfiltration: techniques and implications blog.sekoia.io/ransomware-dri…

This is amazing! Sophos' transparency should be lauded; pretty much all big security vendors have swept things like this under the rug, but this shows the industry could be driving a lot more value if vendors were just willing to be accountable. sophos.com/en-us/content/…

Another great article full of technical info!👏 Great job by @MorganDemboski and @securitydumpstr as always for this blog! Chinese State-sponsored TAs have become the punching bag for Sophos this year lol 😂 It inspired me to illustrate how they must be feeling right now😆🎬👇

I get asked a lot "how do you prepare for a ransomware attack". I always give the same answer; have an Incident Response Plan and practice it in advance. But how do you do that easily? well I highly recommend the NCSC's Exercise in a box, it's free! exerciseinabox.service.ncsc.gov.uk

⚠️PSA: Curated Intel DFIR has noticed a new trend among Akira Ransomware cases in Summer 2024. For a while, Akira has been exploiting Cisco ASA devices. ➡️ They are now targeting SonicWall SSL-VPNs for access with no MFA (!) and weak passwords (!). Other TTPs remain the same 🔍

🚨 Ransomware still beats up-to-date protection - even decade-old strains! Want to know how? See @AltShiftPrtScn in "Know the Enemy". Wednesday, August 7, 11:25 am – 12:15 pm (Business Hall Theater A) More: #know-the-enemy-a-defenders-real-world-view-on-the-latest-ransomware-attack-techniques-41832" target="_blank" rel="nofollow noopener">blackhat.com/us-24/sponsore… #BlackHat

news.sophos.com/en-us/2024/06/… 👀

Working in DFIR and dealing with encrypted VMDKs? here is how we have been extracting forensic evidence from them. Well done to everyone involved in developing these methods. news.sophos.com/en-us/2024/05/…

Lots of IOCs and intel just published on the #ScreenConnect exploits. news.sophos.com/en-us/2024/02/…

@sneakymonk3y @zeropointsecltd If a coinminer can get in so can a ransomware TA. Treat them seriously before it's to late.

I thought this was one of the best modules from the @zeropointsecltd CRTO course today, lateral movement & code execution via MS SQL Server. Do not overlook your SQL instances, harden these as much as possible. I've seen plenty of PURPLEFOX and LEMONDUCK malware take advantage.

#AlphV files an SEC complaint against #MeridianLink for not disclosing a breach to the SEC #Ransomware databreaches.net/alphv-files-an…

#HuntersInternational IOCs - Cobalt: virustotal.com/gui/ip-address… & virustotal.com/gui/ip-address…, Other C2s: virustotal.com/gui/ip-address… & virustotal.com/gui/ip-address…. Rclone->SFTP: virustotal.com/gui/ip-address…. Filnames include vmware.exe, vmware.dll, vm.dll in ProgramData and Windows\Temp.

Most ransomware IR's

@cyb3rops Well, as your reputation preceeds you, I will accept JAB is the b64 to hunt for, but I specifically like finding JABz as I know it inalmost every case means Cobalt. We can be friends though :-)

@AltShiftPrtScn gist.github.com/Neo23x0/6af876…

If you work in DFIR and recognize b64 starting with "JABz" we can be friends.

@0xMatt Fun, rewarding, stressful, tiring, CSV

@tonyszko @0gtweet I agree that you are correct about them being correct :-) depends on the incident and what the client/lawyers/insurance want.

@0gtweet I think you both might be right, depending on the Tylenol cases you are involved in and what is the success criteria

Cannot agree. Dump analysis takes a lot of resources (time * skills) and provides only a minimal benefit for the victim. Typical IR scenarios focus on cost minimizing, and not on the scientific values.

@rik_ferguson Imagine if it was true and the only people left in the world after today are the type of people who choose not to get vacinated for this reason. Theres a dystopian movie idea.

@NSA_CSDirector Thats not a hug, he has him in a headlock, strangling the last of the budget out of him :-)

@quentynblog Anything above the A40 is the north imo.