Bojack Trojan Horseman

30 posts

@BojackTrojan

I Feel Like My Life Is Just A Series Of Unrelated Wacky Adventures

Joined August 2020
111 Following, 24 Followers
Nasreddine Bencherchali (@nas_bench):
@SecurityAura - Code shared as screenshots - Samples that do not exist on the internet - IOC section containing only IPs half of them are already pointing to something else - And the blog has 20K words
Nasreddine Bencherchali (@nas_bench):
I swear these CTI teams be spending mad time discussing the naming and the art of the APT they're gonna talk about and zero time on the actual IOCs and a good format to share them 😒
caroline wheeler (@cazjwheeler):
BREAKING: Jeremy Hunt has been caught in a secret recording during a private meeting with Tory activists suggesting that Sunak will call a general election once inflation has fallen below three per cent - giving the strongest hint yet that a poll will be held next autumn.
Bojack Trojan Horseman (@BojackTrojan):
@iblametom Red teams using it and criminals using it are not mutually exclusive (and CrowdStrike never said it was criminal here; a RT is a threat actor). There are well-documented cases of known APT and criminal groups using Brute Ratel C4.
Bojack Trojan Horseman (@BojackTrojan):
@ImposeCost Not directly related to intelligence (but touches on it at times), but "Once Upon a Time in Northern Ireland" docuseries by the BBC is fantastic and the best if you're looking to learn about the history of The Troubles more.
vx-underground (@vxunderground):
Let's talk about ransomware for a second. Ransomware Threat Actors are opportunity driven. They do not have specific targets in mind. If you've got a dollar, they want it. The reality of the matter, in the ransomware ecosystem, is initial access brokering is cheap and affordable; it is a worthwhile investment for ransomware affiliates to establish a good relationship with an initial access broker. There is an initial access broker who will sell you roughly 1,000,000 misconfigured VPNs for $1,500. These 'misconfigured' VPNs typically will be companies which have accidentally set a VPN user login to something like 'test' as the username AND password. Although this may sound absurd, or unlikely, these are extremely common as companies may simply overlook small errors. However, these misconfigured VPNs are not curated. Ransomware affiliates might have to spend weeks, or months, sorting through the list determining which companies discovered have: 1. Money 2. Do not violate the rules of the ransomware group 3. Have insufficient security posture 4. Are outside of the CIS (ex-Soviet countries). This is often how ransomware groups collide with each other. Two different initial access brokers may have identified (or gotten access) to the exact same organization and then sold this identified vulnerable organization, or access, to two different ransomware groups. There have been stories where ransomware affiliates gain access, only to discover upon entry the organization has already been ransomed! Companies that have correctly configured EDRs (a detected blue team), a SOC, and have good policy and/or asset control will defeat most ransomware affiliates. More often than not, if an affiliate encounters a company that has a good EDR, or hardened machines, they may simply abandon the target altogether (or sell it to a different ransomware operator) because it may not be worth their time. Metaphorically speaking, time is money to the Ransomware Threat Actor.
Regarding targets, there is another aspect often overlooked. Ransomware operators residing outside NATO often do not understand the culture or targets they have identified. For example, we have witnessed ransomware groups target public school systems, failing to understand how the United States allocates money for schools. They mistakenly believe tax-funded schools are ripe with cash and simply do not believe negotiators when they say the victim doesn't have the money. They rely on publicly available information (often wrong information) from places like Wikipedia or ZoomInfo. They see big numbers and believe that this is the profit margin. tl;dr if you very seriously want to defeat ransomware, security companies need to understand the financial limitations many organizations face. They do not have the money, or manpower, larger companies have to combat an ever-evolving threat landscape. NOTE: There are some caveats to this rant. Every ransomware affiliate will seek different avenues of gaining access. Blah, blah, blah. Thanks for reading. Have a good night (or morning).
Bojack Trojan Horseman (@BojackTrojan):
@lordx64 This is my last reply as this is going in circles and you're constantly changing your argument. They're claiming it's likely a CN APT. They're not claiming that due to observed minimal overlap with Violet Typhoon as you keep saying. You're misunderstanding that part of the report.
Bojack Trojan Horseman (@BojackTrojan):
@lordx64 It could mean they use shared infrastructure procurement anonymization networks but are distinct groups (something extremely common among CN APTs). Distinct groups can still have overlap for this reason. They should have been more specific in what the observed overlap was. (2/2)
Bojack Trojan Horseman (@BojackTrojan):
@lordx64 They're quite clearly not claiming that, because of observed minimal overlap with Violet Typhoon, STORM-0558 is therefore a Chinese APT, like you're suggesting. "Minimal overlap" can mean lots of things. (1/2)
Bojack Trojan Horseman (@BojackTrojan):
@lordx64 Yes, rereading your other reply to another user in this thread I think you're misunderstanding what they are saying regarding this minimal overlap part.
Bojack Trojan Horseman (@BojackTrojan):
@lordx64 It's just saying it's likely a distinct activity group to Violet Typhoon but acknowledging some minimal degree of overlap (which is very common among Chinese APTs due to shared infrastructure and other procurement chains). Really struggling to understand your point around that.
Taha ז (@lordx64):
@BojackTrojan can you share any reference material/reporting indicating that Storm-0558 targeted the Uyghurs?
Bojack Trojan Horseman (@BojackTrojan):
@lordx64 The piece is clearly not intended to lay out all of their country attribution evidence as you seem to be insinuating. You've also left out the historical targeting of Uyghur and Taiwan-linked entities specified in the blog.
phr00ts (@phr00ts):
@sherrod_im How about get them all on one naming convention. I don't know if TA7839 is the same as sparkle unicorn kitty or lotus blossom panda express. I get you gotta have cool marketing but FFS.
💻 Sherrod DeGrippo (@sherrod_im):
I am going to convince the entire threat intelligence industry that naming threat actors neutral and even silly names is better than glorifying them with Hollywood villain style praise names.
MalwareHunterTeam (@malwrhunterteam):
"USAgent": fce66c26deff6a5b7320842bc5fa8fe12db991efe6e3edc9c63ffaa3cc5b8ced MACMA with US targeting? 🤔
Bojack Trojan Horseman (@BojackTrojan):
@cisonaut @ImposeCost Actor says ok well I'll just not use malware then and then industry doesn't report on them because they only know how to look for malware. Actor happy. (2/2)
Bojack Trojan Horseman (@BojackTrojan):
@cisonaut @ImposeCost Industry prioritizes looking for new shiny malware families that actors take ages developing to the detriment of other collection methods and report on them constantly. Actor sad. (1/2)