Curated Intelligence (@curatedintel)'s Twitter Profile
Curated Intelligence

@curatedintel

Bringing together intelligence researchers and incident responders. #TrackThePlanet

ID: 1308810107757752320

Link: https://www.curatedintel.org/
Joined: 23-09-2020 16:47:08

406 Tweets

13.13K Followers

106 Following

The DFIR Report (@thedfirreport):

HTML Smuggling Leads to Domain Wide Ransomware
➡️ Initial Access: Thread-Hijacked Email > HTML Attachment
➡️ Credentials: LSASS Access, SessionGopher
➡️ Lateral Movement: RDP, PsExec
➡️ C2: IcedID, Cobalt Strike
➡️ Impact: Nokoyawa Ransomware
thedfirreport.com/2023/08/28/htm… 1/X

Will (@bushidotoken):


🆕 Pleased to share my latest blog for SANS FOR589: Cybercrime Intelligence 👾

We reviewed the latest cybercrime intrusion trends from the last 12 months & investigated a new Initial Access Br0k3r 🔍

⬇️ Check it out 👇

🔗 sans.org/blog/evolution…

#CTI #ThreatIntel #Cybercrime

Will (@bushidotoken):


⚠️ Use Microsoft Teams? Watch out for TeamsPhisher!

While it is not usually possible to send files to MS Teams users outside your org, security researchers found a bypass by manipulating Teams web requests 🔥

github.com/Octoberfest7/T…

Examples of MS Teams phish lures ⬇️ 1/3

Will (@bushidotoken):


TL;DR of ALPHV/BlackCat's essay on the MGM breach
- The attack began ~8 Sept.
- They stole data and gained admin on their Okta SSO & Azure cloud tenant
- ~100 ESXi hypervisors were hit by ransomware on 11 September
- No ransom was paid

Read in full here:
gist.githubusercontent.com/BushidoUK/20b8…

Zach (@svch0st):


Phill Moore (@phillmoore) and I posted a blog on a TTP observed in an #Akira Ransomware case.

➡️ Actor gains access to Hyper-V server (with EDR) and creates a fresh VM
➡️ Turns off server VMs and mounts Hyper-V data disk on new VM
➡️ Starts encrypting vhdx files!

cybercx.com.au/blog/akira-ran…

Will (@bushidotoken):

We had some good convos in the Curated Intelligence community today based on this CyberWire Daily by N2K interview. Really interesting that Chris Krebs says the *most important skill* he looks for in a CTI analyst is their “ability to communicate risk to businesses” 🗣️⚠️ thecyberwire.com/podcasts/speci…

Curated Intelligence (@curatedintel):


🌐 Curated Intel is tracking hacktivist, cybercriminal, and regional APT groups surrounding the war in Israel. We describe the types of campaigns and attacks we've observed so far and have also provided recommendations for CTI analysts monitoring the war.
curatedintel.org/2023/10/tracki…

Curated Intelligence (@curatedintel):

Our friends at CSIRT-CTI have published their first new blog; stay tuned for more APT research from them! csirt-cti.net/2024/01/23/sta…

Curated Intelligence (@curatedintel):

⚠️PSA: Curated Intel DFIR teams noticed a severe uptick in Akira Ransomware cases in Jan 2024. Same repeated TTPs:
- Dwell times of < 4 hours on average
- Cisco ASA VPN for Access
- WinSCP for exfil / WinRAR for compression
- AnyDesk RMM for persistence
- 'w.exe' Akira payload

Curated Intelligence (@curatedintel):

⚠️PSA: Curated Intel DFIR has noticed a new trend among Akira Ransomware cases in Summer 2024. For a while, Akira has been exploiting Cisco ASA devices.
➡️ They are now targeting SonicWall SSL-VPNs for access with no MFA (!) and weak passwords (!).
Other TTPs remain the same 🔍

Will (@bushidotoken):

Got a new project to share later this year which will be published via Curated Intelligence — a community of researchers that are awesome at providing great feedback and insights. Keep a look out for it in the next few months! 📝 Last time we did, we made this: curatedintel.org/2023/07/the-th…

Curated Intelligence (@curatedintel):

⚠️PSA: VPN & RDWeb password guessing attacks have been observed originating from IP addresses consistently across the following subnets:
85.239.59.0/24
85.239.58.0/24
85.239.57.0/24
85.239.56.0/24
➡️ Check for low & slow password guessing attempts and successful logins.

Chuong Dong (@cpeterr):


Reviving my blog with a complete analysis of the latest #LockBit #ransomware v4.0 Green! 🤠

chuongdong.com/reverse%20engi…

h/t to Fabian Wosar (@fwosar) & Michael Gillespie (@demonslay335) for all the crypto helps! Huge thanks to Will (@BushidoToken) & Curated Intelligence (@CuratedIntel) for the threat intelligence insight too! 🙏