Showing posts from 2021

Ransomware Decryption Intelligence

Ransomware continues to be the most profitable method of monetising unauthorised access to compromised networks. It is the biggest threat to private and public sector organisations, large and small. In the last three years, we have seen hundreds of hospitals hit by ransomware, as well as other critical infrastructure sector organisations, such as Colonial Pipeline or JBS Foods. Slowing the ransomware epidemic requires a multi-pronged approach. This includes arrests, action against illicit cryptocurrency transactions, sanctions, and, the topic of this blog, decryption. By reverse engineering the encryption implementation used by a ransomware variant, researchers can exploit a cryptographic flaw to decrypt the files it has encrypted. This makes it possible to recover files without paying a ransom for the decryption keys. When the ransomware group eventually realises, or learns via public reports, that their ransomware is fundamentally flawed, they often either abandon it, fix the flaw

OSINT blog: Reunion in Scotland

The Beer Farmers recently issued a geo-location OSINT challenge with a mystery prize for the first person to find them. Under time pressure, I put my OSINT skills to the test to see how difficult it would be to find them. Some Saturday fun. Where are @SeanWrightSec and @AppSecBloke in this photo? First to get it right wins something. @netsecfocus knows what it's like to win a prize from us. #HereForYou — The Beer Farmers (@TheBeerFarmers) September 11, 2021 I examined the image closely, looking for any clues. The first thing I think everyone would have immediately noticed was the large Greek-style columns behind Mike and Sean. These would come in handy later when roaming the streets on Google Maps. The second thing I noticed was a backwards JD Sports logo (a high-street clothing brand in the UK). Therefore, I realised the image was flipped horizontally, so I flipped it back: The task was then to locate which JD Sports this was going to be. Judgin

How Do You Run A Cybercrime Gang?

Cybercrime has many forms, the most common of which is theft and fraud. Aspiring cybercriminals may begin with off-the-shelf malware or phishing kits and run amateur, but profitable, campaigns. The next step up is banking Trojans, which intercept and manipulate connections during online banking sessions to enable exploitation and wire fraud. Several infamous groups that graduated from these campaigns went on to form organised crime syndicates and launch 'big game hunting' ransomware campaigns. Ransomware, in particular, has caused mass disruption on a national level and huge financial losses. This blog will explore three top-tier cybercrime syndicates which are tracked by the private cybersecurity industry as EvilCorp, WizardSpider, and FIN7. These threat actors are financially motivated cybercriminals whose campaigns have become a scourge to organisations and society at large. So much so, that they are closely tracked by intelligence agencies and international law enforcement. Fi

Summer of Scammers: PancakeSwap cryptocurrency thieves

Cryptocurrency is experiencing a huge boom. With this explosion in popularity, and people getting rich quick, come the cybercriminals looking to exploit this new technology. Unfortunately, while there may be a large amount of money to be made from cryptocurrency, there are very few controls or regulations preventing scams. Unlike users of centralised financial services, such as banks, cryptocurrency users are only as protected as their own personal operational security (OPSEC). While there are long guides on OPSEC for cryptocurrency users, many new users are lacking here and do not use a strong password or two-factor authentication (2FA). This makes them sitting ducks for cybercriminals. This blog will detail how users of a relatively new platform, PancakeSwap, are being heavily targeted. In their own words, "PancakeSwap is the leading decentralized exchange on Binance Smart Chain, with the highest trading volumes in the market". Despite its comical name, PancakeSwap is no j

The Lazarus Heist: Where Are They Now?

Introduction The BBC World Service has recently produced The Lazarus Heist podcast (available here), researched and presented by Geoff White and Jean H. Lee. This thrilling podcast dives into the intricacies of the elaborate Bangladesh Bank heist attempt to steal $1 billion. As a security researcher that actively tracks the Lazarus group and any mentions of North Korean cyber activity, I found this podcast series extremely detailed and well researched. There are so many additional info gems that anyone who has researched North Korea will enjoy. I also highly recommend it for any threat intelligence analysts investigating North Korean cyber activity. The Lazarus Heist podcast also made me want to revisit what I have learned about North Korean advanced persistent threat (APT) groups. In February 2020, I blogged about who the Lazarus group is and what campaigns they are known for (see here). This was one of my first blogs and I was eager to learn more while researching this in