Ned Moran
1.6K posts

Ned Moran
@moranned
Professor. Consultant. Analyst. Technologist. Security Geek. Privacy Advocate. Runner. Couch Potato.
Washington, DC. Joined May 2007
401 Following, 1.6K Followers

PDBs to hunt for:
E:\Working\Projects\EmailDownloader\EmailDownloaderCookieMode\EmailDownloader\obj\Debug\EmailDownloader.pdb
E:\Working\Projects\EmailDownloader\EmailDownloaderCookieMode\Mahdi\LiveLib\obj\Release\LiveLib.pdb
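The paths above are CodeView PDB references that get baked into a compiled binary, so they can be hunted directly in files. The following is an added example (not code from the original post) that carves CodeView RSDS records out of a byte buffer and matches the embedded PDB path against the two paths listed above. It scans raw bytes rather than walking the PE debug directory, which is an assumption of this example; the sample buffer, its GUID and the "benign" and "rebuilt" paths are constructed here for illustration.

```python
"""Hunt for CodeView (RSDS) PDB path records in binaries and match them against a watchlist.

Added example, not code from the original post. It scans raw bytes for the RSDS debug
record (signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path) instead of parsing
the PE debug directory, so it also works on carved or partially corrupt files.
"""
import re
import struct
import uuid
from typing import List, Tuple

# The two PDB paths from the post, used as the hunting watchlist.
PDB_WATCHLIST = [
    r"E:\Working\Projects\EmailDownloader\EmailDownloaderCookieMode\EmailDownloader\obj\Debug\EmailDownloader.pdb",
    r"E:\Working\Projects\EmailDownloader\EmailDownloaderCookieMode\Mahdi\LiveLib\obj\Release\LiveLib.pdb",
]

# CV_INFO_PDB70 layout: "RSDS" | GUID (16 bytes, little-endian) | age (u32 LE) | path NUL
RSDS_RE = re.compile(rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,512})\x00", re.DOTALL)


def extract_pdb_records(data: bytes) -> List[Tuple[str, int, str]]:
    """Return every (guid, age, pdb_path) RSDS record found anywhere in the buffer."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group("guid")))
        age = struct.unpack("<I", m.group("age"))[0]
        path = m.group("path").decode("latin-1")  # PDB paths are stored as raw ANSI bytes
        records.append((guid, age, path))
    return records


def match_watchlist(data: bytes, watchlist=PDB_WATCHLIST) -> List[Tuple[str, str]]:
    """Match extracted PDB paths against the watchlist.

    Returns (found_path, match_kind). 'exact' is a case-insensitive full-path match;
    'filename' means only the .pdb file name matched, which catches the same project
    rebuilt from another directory but is correspondingly weaker evidence.
    """
    hits = []
    wanted_full = {w.lower(): w for w in watchlist}
    wanted_name = {w.lower().rsplit("\\", 1)[-1]: w for w in watchlist}
    for _guid, _age, path in extract_pdb_records(data):
        low = path.lower()
        if low in wanted_full:
            hits.append((path, "exact"))
        elif low.rsplit("\\", 1)[-1] in wanted_name:
            hits.append((path, "filename"))
    return hits


def make_rsds_record(pdb_path: str, age: int, guid: uuid.UUID) -> bytes:
    """Build a CV_INFO_PDB70 record; used here only to construct sample input."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("latin-1") + b"\x00"


# Constructed sample buffer: not a real PE, just filler bytes around three RSDS records.
_GUID = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")  # made-up GUID
SAMPLE_BLOB = (
    b"MZ" + b"\x90" * 32
    + make_rsds_record(r"C:\build\benign\Release\benign.pdb", 3, _GUID)   # constructed, benign
    + b"\x00" * 16
    + make_rsds_record(PDB_WATCHLIST[0], 7, _GUID)                        # exact watchlist hit
    + b"\xcc" * 8
    + make_rsds_record(r"D:\rebuilt\LiveLib.pdb", 1, _GUID)               # constructed, same file name
)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for guid, age, path in extract_pdb_records(blob):
        print(f"{guid} age={age} {path}")
    for path, kind in match_watchlist(blob):
        print(f"HIT ({kind}): {path}")
```

Run it with a file path to scan a real sample, or with no arguments to see the constructed buffer produce one exact hit and one filename-only hit. Treat a filename-only match as a lead, not an attribution: the full path (drive letter, project layout, Debug vs Release) is what makes these strings distinctive.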

@12thMan 🏈 fans? 🔮 says another 8-4 season

Cool discovery and writeup from Ajax on our team in @Google TAG on a bespoke 🐈🇮🇷 capability, HYPERSCRAPE, used for downloading email 📧
blog.google/threat-analysi…

@ChicagoCyber also important to note that Muddy as a unitary actor != Muddy as a supporting org that enables other ops. This is an easy thing to miss.

@ChicagoCyber This is correct. From my view, there were multiple actors in at least one of the Thanos victims, so it is difficult to pin it solely on Muddy.

@ChicagoCyber Otrio! Can't wait for my kids to be old enough to play this

@simandsec Fantastic job. Tell @moranned he needs more emotion on stage.

@Dragonkin37 @BojackTrojan @OhadMZ @Dragonkin37 is correct. At Cyberwarcon I noted that the only links between 33 and DEADWOOD were timing and targeting - which in and of themselves are low-confidence. We track DEADWOOD separately from 33.

@BojackTrojan @OhadMZ @moranned Interesting. I do recall that brief (great work by Ned, btw), but again I don't believe there was firm or high-confidence attribution that it's them. I think it was more along the lines of: APT33 does destructive attacks, but we lack the evidence that this activity is tied to them.

Details of implant at SolarWinds responsible for inserting malicious code
It “finds Orion solution file path in MsBuild.exe process, it replaces a source code file in solution directory, w/malicious variant to inject SUNBURST while Orion is being built”
crowdstrike.com/blog/sunspot-m…

Ned Moran reposted

While MuddyWater's link to ransomware remains tenuous and unproven, the group is heavily invested in custom tool development. From PowerShell to .NET to C++ malware, Muddy is fast approaching other groups' capabilities. @snlyngaas reports w/ lines from me cyberscoop.com/muddywater-ira…

Ned Moran reposted

It's almost as if there are companies providing/selling capabilities, whether it's implants, exploits, or all of the above, and what you may see here are downstream customers. @moranned and I covered this a little bit in shadowserver.org/news/the-itali… from 2015.
Daniel Lunghi @thehellu
It turns out the RCSession family described by Secureworks is the same as the "Type 2" malware family that we described in our report documents.trendmicro.com/assets/white_p… So either RCSession/Type 2 malware family is shared among multiple threat actors, or #DRBControl is part of #MustangPanda

Ned Moran reposted

Thanks for your patience, class! Took a little hiatus for a month. But we're back! In week 5 of “Lies & Disinformation” @Georgetown, we pivoted from Russian influence activities to Chinese and Iranian IO state actors.
Оlga Belogolova 🌻 @olgs7
I’ve been meaning to do this for some time: starting this week, I will be sharing my syllabus and recommended readings from the “Lies, Damned Lies, and Disinformation” course I taught in the spring semester @Georgetown SSP. I’ll be sharing some highlights from each week’s lesson.

@PJ47596176 @RonDeibert @LenMaschmeyer @jonrlindsay this is true, but also much easier said than done for a variety of reasons.

@moranned @RonDeibert @LenMaschmeyer @jonrlindsay Diverse client base, by region and sector, provides the best collection.

A tale of two cybers - how threat reporting by cybersecurity firms systematically underrepresents threats to civil society tandfonline.com/doi/full/10.10…. New open access article I coauthored with @LenMaschmeyer and @jonrlindsay

@9bplus @Mao_Ware @TheCollierJam I'm still traumatized by years of 2k erg tests in college, but I will throw down on intervals (500m w/ 1min rest * 8) or a straight 5k.

@RidT @BuchananBen I think it's important that you measure effects across intrusion sets, even those that aren't targeted via doxxing, indictments, etc. Others can watch and learn and not repeat the mistakes their peers may have made.
