Posts

Tracking Adversaries: The Qilin RaaS

This blog is part of my Tracking Adversaries blog series, whereby I perform a summary analysis of a particular adversary that has caught my attention and made me feel like they deserve special attention and investigation. Qilin has been covered already by experts from Trend Micro, Secureworks, Group-IB, SentinelOne, SOCRadar, BleepingComputer, and MalwareHunterTeam. Kudos to them, because without these researchers sharing their findings with the community, we would be a lot less informed about this prominent ransomware gang. Background Active since at least May 2022, Qilin ransomware is named after the mythical Chinese creature which you may pronounce as "Chee-lin". The origin of this cybercriminal threat group, however, is believed to be from Russia. Like many other ransomware campaigns run by organised cybercriminal gangs, Qilin ransomware is used for domain-wide encryption of servers and workstations and its operators steal vast quantities of data. A ran

Strengthening Threat Hunting Programs - Part 1: Requests for Threat Hunts

This is the first part of a threat hunting blog series I want to start. I plan to share some insights on several related ideas such as risk hunting, incident-based hunting, and leveraging a system similar to requests for intelligence (RFIs) in cyber threat intelligence (CTI) but for threat hunting. These ideas and concepts came to me from creating and running a professional threat hunting program over the course of more than two years, from early 2022 to mid 2024. In this blog are many of the lessons I have learned in my time venturing on this journey. If you are just looking for some threat hunting resources in general, please find the collection on my GitHub that I've compiled and that was helpful to me during my journey. Introduction If you are like myself and have been generating and disseminating cyber threat intelligence (CTI) for many years, it may be an obvious choice to transition into a role whereby you consume and leverage it. Threat Hunting is an activity that experienced

Strengthening Threat Hunting Programs - Part 2: Risk Hunting

This is the second part of my threat hunting blog series. Please click here for the first part. Introduction It was once put to me that, much like hunting in the wilderness, so much of what matters is not the last pursuit of the target, but the long stalk. It is crucial to learn to read the land and the patterns of the local wildlife as well as the predators. Understanding the lay of the land is as important to hunting threats in your organisation's network as it was for our hunter-gatherer ancestors. To increase the overall security posture of an organisation as an in-house security team or managed security service provider (MSSP), you need to learn what is normal and what is abnormal in that organisation. You must understand that organisation's current policies around software downloads, website filtering, vulnerability patching, remote login abilities, or file access permissions, among other controls (or lack thereof). The types of risky behaviour you will naturally uncov

The CTI Analyst Challenge

Welcome to the Cyber Threat Intelligence (CTI) Analyst Challenge! I am excited to introduce a comprehensive repository designed to enhance the skills and expertise of CTI analysts through a challenging and engaging intelligence analysis exercise. Purpose This repository is created to test and improve the capabilities of CTI analysts by providing a structured challenge that covers both proactive and reactive CTI tasks. It aims to simulate real-world scenarios and offer hands-on experience in fulfilling a demo client's Priority Intelligence Requirements (PIRs) and Requests for Intelligence (RFIs). Key Features Self-Directed Challenge: CTI analysts are provided with instructions and resources to independently navigate through the tasks, encouraging self-discipline and critical thinking. Realistic Scenarios: The tasks are designed based on real-world inspired situations, making the training highly relevant and practical. Comprehensive Training Materials: The repository includes all

Strengthening Proactive CTI Through Collaboration

Those who have worked in our industry for a certain amount of time will be acutely aware that executives often encounter information security media articles and flag them to their teams. This is something my peers at other organizations and I also face. So I decided to write about it, expand my thoughts, and offer some tips from my experience and research to hopefully provide a practical solution for a common problem. This usually prompts inquiries to the Cyber Threat Intelligence (CTI) Team, who have to do their best to provide timely and accurate answers, reassuring their executive stakeholders that everything is OK or being handled. This often leads to shepherding various Cybersecurity Teams to acquire these answers. Getting to the stage whereby timely and accurate responses can always be provided can be a bit of a mountain to climb, especially for newly created CTI Teams. An Ideal 7-STEP Solution While inevitable, these interactions can be optimized to enhance organizational resilie

Tracking Adversaries: UAC-0050, Cracking The DaVinci Code

In this blog, we shall investigate a Russia-based mercenary group that has appeared in multiple CERT-UA reports after sending waves of spam to Ukrainian organisations. These mercenaries use tried and tested tactics, techniques, and procedures (TTPs) that are low effort, but operationally functional. This includes use of off-the-shelf commodity crimeware as well as legitimate remote management and monitoring (RMM) tools. These mercenaries are also notable because they have low operational security (OPSEC) and offer their services publicly, to Russians, via Facebook, Instagram, Telegram, various cybercrime forums, as well as their own websites. Background on UAC-0050 A report by the Computer Emergency Response Team of Ukraine (CERT-UA) on 22 February 2024 shared a notable statement of attribution to a threat group tracked as UAC-0050, on which CERT-UA has already shared updates several times. The CERT-UA team and other security researchers online believe that UAC-0050 is linked to a Rus