Posts

Unravelling a Mimikatz campaign

This is a short blog analyzing some artifacts left over by a Mimikatz operator's campaign.

Background: While doing some internet dumpster-diving (as I like to call it), I came across an open directory belonging to a threat actor's Mimikatz staging server (see Figure 1). The threat actor's server was hosted on DigitalOcean AS14061 (165[.]232[.]*.*) and a takedown request was submitted by myself to the DigitalOcean Abuse team.

Figure 1: Mimikatz opendir

The files on the server were not that interesting; most of them were default Mimikatz components from GitHub and other resources online. The files are available on VirusTotal too if needed.

im.ps1 (Invoke-Mimikatz PowerShell script) https://www.virustotal.com/gui/file/1b441fde04d361a6fd7fbd83e969014622453c263107ce2bed87ad0bff7cf13f

mimidrv.sys (signed Windows Driver Model (WDM) kernel mode software driver) https://www.virustotal.com/gui/file/f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5

mimikatz.exe

Space Invaders: Cyber Threats That Are Out Of This World

Background: Destructive cyberattacks and digital espionage campaigns targeting international space programs are a growing and concerning trend. Some of the most significant cyberattacks over the last five years have been turning points in the state of cybersecurity of international space programs and organizations with satellite infrastructure in space. Space exploration and the significance of having satellite infrastructure in space is a key driver of scientific research and technological innovation. However, despite receiving billions of dollars in funding, the digital infrastructure and information systems supporting space programs have been impacted by significant cyberattacks from nation-state threat actors and financially motivated cybercriminal groups. This blog aims to use open source intelligence (OSINT) research to compile and highlight significant cybersecurity incidents impacting the space industry that defenders should consider when securing these types of environments. T

Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022

(Image credit: DALL·E 2)

Background: In 2015 and 2016, the Democratic National Committee (DNC) was hacked by not one, but two Russian intelligence services, the Russian Main Intelligence Directorate (GRU) and the Russian Foreign Intelligence Service (SVR). The two advanced persistent threat (APT) groups attributed to these organizations coexisted inside the DNC's networks for months and provided valuable political intelligence to the Russian government, in the form of stolen files and emails, during the run-up to the US presidential election. This audacious act of cyber-espionage brought these two APT groups, also known as FancyBear and CozyBear (names coined by CrowdStrike), into the spotlight and under the microscope ever since. On 24 February 2022, Russia invaded Ukraine, and these two well-known APT groups (among many others) have been busy launching widespread intelligence-gathering intrusion campaigns to support the Russian government and Russian military. This blog aims to leverag

Ofgem Energy Bill Rebate Phishing Fraud

On 3 February 2022, the UK Office of Gas and Electricity Markets (Ofgem) issued a warning that there has been a "record increase in global gas prices" which saw an "energy price cap rise of 54%", adding that "Ofgem knows this rise will be extremely worrying for many people". That last sentence is precisely why phishing threat actors are beginning to use Ofgem-themed lures as a pretext for phishing attacks to target and defraud UK-based users online. On 17 May 2022, Ofgem issued a warning "of a scam email claiming to be from Ofgem asking for bank details so customers can get a rebate" (see Figure 1). This was followed by an alert from UK Action Fraud stating it had received "over 750 reports in just four days about these fake Ofgem emails". The UK NCSC also included the warning in its Weekly Threat Report.

Figure 1: Ofgem-themed phishing email

On 20 May 2022, while researching new phishing pages, a recently created Of

Gamer Cheater Hacker Spy

The title of this blog is a homage to the film Tinker Tailor Soldier Spy and presents the fact that video games and cheating are also tied to hacking and spying. It is a common trope in cybersecurity that professionals first became interested in the field through an encounter while playing games. Speaking personally, I first became enthralled with hacking in 2008 by matching against some modders using hacked weapons while playing Halo 3 (my favourite game of all time). This blog aims to highlight why monitoring the video game industry is important for cyber threat intelligence analysts hunting down the latest threats. Video games and hacking are very intertwined. Many hackers start out by creating cheats for games, and have to play the games to begin with to learn how to hack them. There are also several notable incidents whereby hacking in video games escalated to become critical issues for the software development industry and enterprise security realms. This includes zero-day ex