Posts

Tracking Adversaries: UAC-0050, Cracking The DaVinci Code

In this blog, we shall investigate a Russia-based mercenary group that has appeared in multiple CERT-UA reports after sending waves of spam to Ukrainian organisations. These mercenaries use tried and tested tactics, techniques, and procedures (TTPs) that are low effort but operationally functional. This includes the use of off-the-shelf commodity crimeware as well as legitimate remote management and monitoring (RMM) tools. These mercenaries are also notable for their low operational security (OPSEC): they offer their services publicly, to Russians, via Facebook, Instagram, Telegram, various cybercrime forums, and their own websites. Background on UAC-0050 A report by the Computer Emergency Response Team of Ukraine (CERT-UA) on 22 February 2024 shared a notable statement of attribution to a threat group tracked as UAC-0050, on which CERT-UA has already published updates several times. The CERT-UA team and other security researchers online believe that UAC-0050 is linked to a Rus

Lessons from the iSOON Leaks

Introduction A Chinese Ministry of Public Security (MPS) contractor called iSOON (also known as Anxun Information) that specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, the leaked chat logs, the amount of data, and corroboration from overlapping indicators of compromise (IOCs), there is a high level of confidence that it is legitimate. Preliminary findings from less than one week since the leak reveal that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors, and what their technical capabilities are. The Chinese MPS is China's internal security service that primarily focuses on internal and border security, counter-terrorism, and surveillance. The MPS is comparable to the Russian FSB, the US DHS, or the UK's MI5. The most interesting findings have come from iSOON's product whitepapers and confidential slide deck presentations given to their MPS clients. About

Top 10 Cyber Threats of 2023

Introduction 2023 was packed with a multitude of significant events that caused many to rethink their entire security strategies, especially their vendors and their team size. Unfortunately, we saw thousands of layoffs in the technology sector, including cybersecurity teams. This is despite the unrelenting and omnipresent threat of an ever-growing number of cyber adversaries. The Top 10 Cyber Threats of the year that I believe are worth focusing on in this blog revolve around several common themes, such as the use of zero-day exploits, supply chain attacks, the targeting of identity providers, and intentionally disruptive campaigns. #1 CL0P mass exploitation campaigns Since 2020, a professional cybercrime syndicate known as CL0P has shifted from targeted big game hunting ransomware campaigns to mass data-theft-extortion attacks without deploying ransomware. Around 27 May 2023, the CL0P group exploited a zero-day vulnerability in the MOVEit file transfer server, tracked as CVE-2