Curated Intelligence

402 posts


@CuratedIntel

Bringing together intelligence researchers and incident responders. #TrackThePlanet

Joined September 2020
106 Following 14.1K Followers
Pinned Tweet
Curated Intelligence @CuratedIntel
ICYMI: In October 2024, we released the CTI Research Guide. It aims to help practitioners learn more about how to effectively perform the collection, processing, analysis, and production stages of the CTI lifecycle. 🔗curatedintel.org/2024/10/the-ct…
Curated Intelligence @CuratedIntel
⚠️PSA: VPN & RDWeb password guessing attacks have been observed originating from IP addresses consistently across the following subnets: 85.239.59.0/24 85.239.58.0/24 85.239.57.0/24 85.239.56.0/24 ➡️ Check for low & slow password guessing attempts and successful logins.
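As an added example (not from the tweet or from Curated Intel), the check the PSA asks for, written as a Python triage script over constructed VPN/RDWeb authentication log lines: it keeps only sources inside the four listed /24s, separates low-and-slow guessing from bursts, and lists any successful login from those ranges as the item to chase first. The log format, the thresholds and the sample lines are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# The four /24s named in the PSA.
WATCHED_SUBNETS = [ipaddress.ip_network(n) for n in (
    "85.239.56.0/24", "85.239.57.0/24", "85.239.58.0/24", "85.239.59.0/24")]

# Thresholds are assumptions for this example, not values from the PSA:
# a source is "low and slow" when it fails repeatedly over a long span at a
# rate that would stay under a typical account-lockout policy.
MIN_FAILURES = 3
MIN_SPAN_HOURS = 2.0
MAX_RATE_PER_HOUR = 5.0

# Constructed sample log (not real data): "<utc timestamp> <service> <src ip> <user> <outcome>"
SAMPLE_LOG = """\
2025-03-01T01:02:11Z vpn   85.239.59.17  alice FAIL
2025-03-01T01:47:30Z vpn   85.239.59.17  bob   FAIL
2025-03-01T02:31:05Z rdweb 85.239.58.200 carol FAIL
2025-03-01T02:31:20Z rdweb 85.239.58.200 carol FAIL
2025-03-01T02:31:35Z rdweb 85.239.58.200 carol FAIL
2025-03-01T03:15:44Z vpn   85.239.59.17  dave  FAIL
2025-03-01T04:40:19Z vpn   85.239.59.17  frank SUCCESS
2025-03-01T04:41:00Z vpn   203.0.113.5   alice FAIL
2025-03-01T04:42:00Z vpn   203.0.113.5   alice SUCCESS
"""


def in_watched_subnets(ip):
    """True if the address falls in one of the PSA's /24s."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_SUBNETS)


def parse_line(line):
    ts, service, src, user, outcome = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "service": service, "src": src, "user": user,
            "ok": outcome == "SUCCESS"}


def analyse(log_text):
    """Per watched source IP: failure stats, low-and-slow verdict, successful logins."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        if not in_watched_subnets(src):
            continue  # only the PSA ranges are triaged here
        fails = [e for e in events if not e["ok"]]
        successes = [e for e in events if e["ok"]]
        span_h = 0.0
        if len(fails) >= 2:
            span_h = (max(e["ts"] for e in fails)
                      - min(e["ts"] for e in fails)).total_seconds() / 3600
        rate = len(fails) / span_h if span_h > 0 else float("inf")
        low_and_slow = (len(fails) >= MIN_FAILURES
                        and span_h >= MIN_SPAN_HOURS
                        and rate <= MAX_RATE_PER_HOUR)
        findings[src] = {
            "failures": len(fails),
            "distinct_users": len({e["user"] for e in fails}),
            "span_hours": round(span_h, 2),
            "low_and_slow": low_and_slow,
            # any success from these ranges is the high-priority item to chase
            "successful_logins": [(e["ts"].isoformat(), e["user"], e["service"])
                                  for e in successes],
        }
    return findings


if __name__ == "__main__":
    for src, f in analyse(SAMPLE_LOG).items():
        print(src, f)
```

In the constructed sample, 85.239.59.17 spreads three failures across different users over more than two hours and then logs in successfully, which is the pattern the PSA describes; 85.239.58.200 fires three failures in thirty seconds, which is still from a watched range but is a burst rather than low-and-slow, so it is reported without that flag. Adjust the thresholds to your lockout policy before running it against real logs.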
Curated Intelligence @CuratedIntel
⚠️PSA: Curated Intel members in DFIR have noticed a trend in exploitation of CVE-2024-57727 in the SimpleHelp RMM tool to deploy Medusa ransomware. ➡️ This tool is often used by IT Managed Service Providers (MSPs) to remotely control customer endpoints, and MSPs have been impacted.
Curated Intelligence retweeted
Will @BushidoToken
Got a new project to share later this year which will be published via @CuratedIntel — a community of researchers that are awesome at providing great feedback and insights. Keep a look out for it in the next few months! 📝 Last time we did, we made this: curatedintel.org/2023/07/the-th…
Curated Intelligence @CuratedIntel
⚠️PSA: Curated Intel DFIR has noticed a new trend among Akira Ransomware cases in Summer 2024. For a while, Akira has been exploiting Cisco ASA devices. ➡️ They are now targeting SonicWall SSL-VPNs for access with no MFA (!) and weak passwords (!). Other TTPs remain the same 🔍
Curated Intelligence retweeted
Will @BushidoToken
PSA from the @CuratedIntel Community to the CTI industry — watch out for cybercrime groups seeking access to your vendor platforms ⚠️
Marc @MHiemer22
@CuratedIntel VPN access via legit creds and no MFA, or are they attacking a Cisco ASA VPN vulnerability?
Curated Intelligence @CuratedIntel
⚠️PSA: Curated Intel DFIR teams noticed a severe uptick in Akira Ransomware cases in Jan 2024. Same repeated TTPs:
- Dwell times of < 4 hours on average
- Cisco ASA VPN for Access
- WinSCP for exfil / WinRAR for compression
- AnyDesk RMM for persistence
- 'w.exe' Akira payload
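As an added example (not from the tweet or from Curated Intel), a Python correlation that hunts for the TTP chain above as a chain rather than as five separate alerts: for each user it slides a 4-hour window (the PSA's dwell time) over ASA VPN login and process-creation events and reports users who hit several distinct stages inside one window. The normalised event format, the "asa_vpn_login" event name, the process image names and the sample events are assumptions made for this example; map them to your own telemetry before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stages of the Akira chain listed in the PSA. The indicator strings are
# assumptions for this example: a normalised "asa_vpn_login" event from ASA
# syslog, and process image names (compared case-insensitively) from endpoint
# telemetry.
STAGES = {
    "access":      {"asa_vpn_login"},
    "persistence": {"anydesk.exe"},
    "compression": {"winrar.exe", "rar.exe"},
    "exfil":       {"winscp.exe"},
    "payload":     {"w.exe"},
}
DWELL_WINDOW = timedelta(hours=4)  # "< 4 hours on average" from the PSA

# Constructed sample events (not real data): "<utc timestamp> <user> <host> <indicator>"
SAMPLE_EVENTS = """\
2024-01-15T02:05:00Z jsmith asa-vpn asa_vpn_login
2024-01-15T02:20:00Z jsmith fs01    AnyDesk.exe
2024-01-15T03:10:00Z jsmith fs01    WinRAR.exe
2024-01-15T03:40:00Z jsmith fs01    WinSCP.exe
2024-01-15T05:30:00Z jsmith fs01    w.exe
2024-01-15T09:00:00Z bjones ws07    AnyDesk.exe
2024-01-16T14:00:00Z bjones ws07    WinRAR.exe
2024-01-17T14:00:00Z bjones ws07    WinSCP.exe
2024-01-15T10:00:00Z mlee   ws03    WinRAR.exe
2024-01-15T10:05:00Z mlee   ws03    WinSCP.exe
"""


def stage_of(indicator):
    """Map an event/process name to a chain stage, or None if it is not one."""
    for stage, names in STAGES.items():
        if indicator.lower() in names:
            return stage
    return None


def parse_event(line):
    ts, user, host, indicator = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "host": host, "stage": stage_of(indicator)}


def correlate(log_text, window=DWELL_WINDOW, min_stages=3):
    """Per user, find the window holding the most distinct chain stages and
    report users who reach at least min_stages inside it."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            if ev["stage"]:  # ignore events that are not part of the chain
                by_user[ev["user"]].append(ev)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(events):
            # every later event within <window> of this start (start included)
            inside = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            stages = {e["stage"] for e in inside}
            if best is None or len(stages) > len(best["stages"]):
                best = {"stages": stages, "start": start["ts"],
                        "end": inside[-1]["ts"],
                        "hosts": sorted({e["host"] for e in inside})}
        if len(best["stages"]) >= min_stages:
            findings[user] = {
                "stages": sorted(best["stages"]),
                "hosts": best["hosts"],
                "elapsed_hours": round(
                    (best["end"] - best["start"]).total_seconds() / 3600, 2),
                "payload_seen": "payload" in best["stages"],
            }
    return findings


if __name__ == "__main__":
    for user, f in correlate(SAMPLE_EVENTS).items():
        print(user, f)
```

In the constructed sample only jsmith is reported: VPN login, AnyDesk, WinRAR, WinSCP and w.exe all land inside one 4-hour window. bjones touches three of the same tools but spread over three days, and mlee's WinRAR plus WinSCP within five minutes is only two stages, so with the default threshold of three neither is flagged; lowering min_stages to 2 surfaces mlee, which is the trade-off to tune against how common those tools are in your estate.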
Curated Intelligence @CuratedIntel
🌐 Curated Intel is tracking hacktivist, cybercriminal, and regional APT groups surrounding the war in Israel. We describe the types of campaigns and attacks we've observed so far and have also provided recommendations for CTI analysts monitoring the war. curatedintel.org/2023/10/tracki…
Curated Intelligence retweeted
Will @BushidoToken
We had some good convos in the @CuratedIntel community today based on this @thecyberwire interview. Really interesting that @C_C_Krebs says the *most important skill* he looks for in a CTI analyst is their "ability to communicate risk to businesses" 🗣️⚠️ thecyberwire.com/podcasts/speci…
Curated Intelligence retweeted
Kostas @Kostastsale
A Day in the Life of a CISO
Curated Intelligence retweeted
Zach @svch0st
@phillmoore and I posted a blog on a TTP observed in an #Akira Ransomware case.
➡️ Actor gains access to Hyper-V server (with EDR) and creates a fresh VM
➡️ Turns off server VMs and mounts Hyper-V data disk on new VM
➡️ Starts encrypting vhdx files!
cybercx.com.au/blog/akira-ran…
Curated Intelligence retweeted
Will @BushidoToken
TL;DR of ALPHV/BlackCat's essay on the MGM breach
- The attack began ~8 Sept.
- They stole data and gained admin on their Okta SSO & Azure cloud tenant
- ~100 ESXi hypervisors were hit by ransomware on 11 September
- No ransom was paid
Read in full here: gist.githubusercontent.com/BushidoUK/20b8…
Curated Intelligence retweeted
Will @BushidoToken
⚠️ Use Microsoft Teams? Watch out for TeamsPhisher! While it is not usually possible to send files to MS Teams users outside your org, security researchers found a bypass by manipulating Teams web requests 🔥 github.com/Octoberfest7/T… Examples of MS Teams phish lures ⬇️ 1/3