Podcasts 🎧

Popular posts from this blog

Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022

Image
  (Image credit: DALL·E 2 ) Background In 2015 and 2016, the Democratic National Committee (DNC) was hacked by not one, but two Russian intelligence services, the Russian Main Intelligence Directorate (GRU) and the Russian Foreign Intelligence Service (SVR). The two advanced persistent threat (APT) groups attributed to these organizations coexisted inside the DNC's networks for months and provided valuable political intelligence to the Russian government, in the form of stolen files and emails, during the run-up to US presidential election. This audacious act of cyber-espionage brought these two APT groups, also known as FancyBear and CozyBear  (coined by CrowdStrike), into the spotlight and under the microscope ever since. On 24 February 2022, Russia invaded Ukraine and these two well-known APT groups (among many others) have been busy launching widespread intelligence gathering intrusion campaigns to support the Russian government and Russian military. This blog aims to leverag
Read more

Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms

Image
  Cyber threat intelligence largely involves the tracking and studying of the adversaries outside of your network. Gaining counterintelligence about your adversaries' capabilities and weaponry is one of the final building blocks for managing a strong cyber defense.  In the pursuit of performing this duty, I have been studying how to discover adversary infrastructure on the internet. One good way of doing this has been via leveraging the scan data available through the popular Shodan search engine. If you've not used it before, Shodan periodically scans the entire internet and makes it available for users to query through. It is often used to monitor networks, look for vulnerabilities, and ensure the security of an organization's perimeter.  But we can also use Shodan for tracking the adversaries. Through the process of fingerprinting - that is to identify unique attributes of IPs on the internet - we can find command and control (C2) servers and login panels belonging to cy
Read more

Brute Ratel cracked and shared across the Cybercriminal Underground

Image
  A short blog to document the proliferation of an advanced commercial penetration testing tool among cybercriminal threat actors across various Russian- and English-speaking underground forums. What? Available since December 2020, Brute Ratel C4 (aka BRC4) is one of the hottest new Red Team frameworks to hit the scene. It is similar to other frameworks such as Cobalt Strike but is uniquely concerning for its focus on evading endpoint detection and response (EDR) and antivirus (AV) tools. A technical analysis of BRC4 has already been provided by Palo Alto Networks Unit42 (see their blog here ). At 19:59:20 UTC o n 13 September 2022, an archive file called " bruteratel_1.2.2.Scandinavian_Defense.tar.gz " was uploaded to VirusTotal. This file contains a valid copy of  BRC4 version 1.2.2/5.  On 28 September, the developer of BRC4, Chetan Nayak, tweeted  unfounded and disproven accusations that archive was leaked by MdSec and said they were the ones who uploaded it to VirusTota
Read more