Morgan Demboski
@MorganDemboski

365 posts

Cyber Threat Intel Analyst 🏹 @Sophos | A self-proclaimed expert in cyber & geopolitics (opinions = my own)

Washington, D.C. Joined July 2021
691 Following 1K Followers
Morgan Demboski retweeted
Kostas (@Kostastsale):
Check out this awesome report by Sophos on Chinese APT threat actors. There is much to learn from this technical breakdown; it's not your ordinary threat actor. Reading this report, you will notice that they used tools like impacket for lateral movement, which provides an opportunity for detection.
➡️ Interesting use of Living-Off-the-Land binaries that I personally haven't seen before - instsrv.exe and srvany.exe.
➡️ Multiple defense evasion methods to hide their tracks and evade detection, including a clever way to read DNS traffic and block AV/EDR-related domains. (but still uses impacket 🤷‍♂️🤦‍♂️)
➡️ Interesting choice of data being staged for exfiltration.
Overall, this prolonged intrusion had everything, and the authors did an incredible job of laying out all the details for the rest of the community. 🙏👏 Check it out here 🔗: news.sophos.com/en-us/2024/06/…
Morgan Demboski retweeted
Sophos X-Ops (@SophosXOps):
We have high confidence that the goal of the campaign was cyberespionage in support of Chinese state interests. We are moderately confident that these activities were directed by a single organization due to coordination and sharing of TTPs. /3
Morgan Demboski retweeted
Sophos X-Ops (@SophosXOps):
In the investigation that followed, MDR tracked at least three clusters of intrusion activity from March 2023 to December 2023, and found previously unreported malware. We also observed tools & infrastructure that overlapped with other public reporting on Chinese actors /2
Morgan Demboski (@MorganDemboski):
This has been a monster of an investigation & write-up to put together - a campaign we call Operation Crimson Palace involving several Chinese state-sponsored actors coordinating activity in a single network. Happy to finally share this intel ⤵️ news.sophos.com/en-us/2024/06/…
Morgan Demboski retweeted
J⩜⃝mie Williams (@jamieantisocial):
gotta ❤️ these attribution diagrams
Morgan Demboski retweeted
Horizon3 Attack Team (@Horizon3Attack):
The recent #Fortinet #FortiClient Endpoint Management Server (EMS) SQL injection vulnerability, CVE-2023-48788, allows an unauth attacker to obtain RCE as SYSTEM on the server. IOCs, POC, and deep-dive blog to be released next week. In the meantime, check DAS service logs for malicious looking queries. fortiguard.fortinet.com/psirt/FG-IR-24…
Morgan Demboski retweeted
Kostas (@Kostastsale):
One of the best talks I've seen on this topic to date by @MorganDemboski. A thorough explanation of how to cluster Threat Actors by using multiple data sources focused on TTPs. If you're interested in tracking & attribution, you should watch this! youtu.be/ZNf0T1yHl8s?si…
Morgan Demboski retweeted
vx-underground (@vxunderground):
When a Lockbit affiliate tries to log into the Lockbit panel, this is what they see.
Morgan Demboski retweeted
AzAl Security (@azalsecurity):
Lockbit just emailed this to all of their affiliates.
Morgan Demboski (@MorganDemboski):
My hometown getting a great rep 😂
Quoted tweet from AzAl Security (@azalsecurity):

    #Lockbit listed Fulton County, GA as a victim. As of this writing, Fulton County's municipal government website is experiencing a system outage. Fulton County is located in Atlanta, Georgia and is also the site of a criminal investigation against former President Donald Trump regarding election interference and home to DA Fani Williams who is embroiled in a romance controversy.
Morgan Demboski retweeted
Stef Rand (@techieStef):
Really enjoying @MorganDemboski's talk on clustering RaaS affiliates, I love hearing how other teams approach this kind of work! The case studies she shared are great examples of focusing on tracking early details & behaviors, and not just the ransomware/payload. #CTISummit
Morgan Demboski retweeted
Andy Piazza (@klrgrz):
Awesome talk about clustering badness from @MorganDemboski today at SANS CTI Summit - highly recommend checking out the replay when it’s available!
Morgan Demboski retweeted
Ismael Valenzuela (@aboutsecurity):
“A threat activity cluster (TAC) is not an attribution, but it can be a stepping stone. When we say a victim was attacked by #BlackCat ransomware, it’s not attribution but rather a TAC. It’s about the WHAT (the pattern), rather than the WHO.” @MorganDemboski discussing the RaaS ecosystem at #CTISummit
Morgan Demboski retweeted
J⩜⃝mie Williams (@jamieantisocial):
Clustering != Attribution
"But luckily, people are typically creatures of habit"
~ "Look for narrowly focused details that would be hard for anyone besides the adversary to replicate" 🔍
@MorganDemboski #CTISummit
Morgan Demboski (@MorganDemboski):
Since October, we've not only seen an uptick in Akira #ransomware attacks, but also a new trend of Akira actors stealing data without deploying ransomware for extortion. Check out my latest article for more info on Akira's latest tactics ⤵️ news.sophos.com/en-us/2023/12/…
Morgan Demboski (@MorganDemboski):
The real highlight of my Spotify Wrapped 🎁 Thanks @riskybusiness for your weekly episodes and for being my #1 podcast!