Posts

Showing posts with the label Intelligence

Writing Hacker Fiction With Help From AI

I wanted to do something a bit different and fun, so I created a new site, hackerfiction.medium.com, with one purpose: telling fictional short stories about hacking using AI. I’ve explained why and how I’m doing this in my Introduction blog; I recommend checking it out first. Ultimately, I made these stories for me. But I think others may enjoy them too, so I shared them. I’ve enjoyed making these short stories and generating some visuals, and I may make some more. To me, these stories show how the future of all entertainment will be influenced by AI. Interestingly, some have noted that these hacker fiction short stories, initially designed purely for fun, could also be used productively by governments, militaries, and organizations. The ideas are fundamentally generated by the human through a series of "what if" scenarios. The story contents are generated by the AI and then further edited by the human to make sense. For these stories to be useful, though, they would h...

Dead Drop Resolvers - Espionage Inspired C&C Communication

A “dead drop” is a well-known espionage tactic of passing items or information between two parties using secret locations. The two parties never meet, and any sign of communication is concealed. This tactic is commonly used by intelligence officers to interact with their assets in the field, avoiding suspicious meetings or being caught talking to each other. For decades, intelligence agencies have used dead drops. Two infamous double agents from the CIA and FBI, Aldrich Ames and Robert Hanssen respectively, both used dead drops to supply information to their handlers from the Soviet Union. Cyber adversaries have also adapted this technique for their espionage campaigns. However, instead of a human source, state-backed computer network operations (CNOs) have leveraged legitimate services for covert communications, so-called “dead drop resolvers”. In October 2019, ESET Research disclosed a report on Operation Ghost Dukes which detailed the activities of an APT...

Fantastic APTs and Where to Find Them

Sophisticated computer security breaches in some of the most heavily defended networks around the world have been orchestrated by so-called Advanced Persistent Threat (APT) groups. Many of these APTs operate on behalf of a nation state’s intelligence agency or military. They can even be private sector hacking groups, hired for specific operations. An APT group specialises in gaining access, maintaining it, and executing post-exploitation activities while remaining undiscovered. There are also many types of APT attack campaigns. These include, but are not limited to, intelligence gathering operations, intellectual property theft, sabotage and data destruction, and exploitation for financial gain.

Intelligence gathering, cyber-espionage

One such APT that exemplifies this type of behaviour is known as the Naikon APT group. In May 2020, Check Point disclosed new evidence of an ongoing cyber-espionage campaign against several national government entities in the Asia Pacific (APAC) ...

Analysis of a recent Magecart campaign

On 13 March, SanSec disclosed a new Magecart domain used to host malicious JavaScript (.js) files that can collect credit card information from ecommerce site checkout pages. The site (jquerycdn[.]at) that hosted the scripts was present on at least 299 different victim stores. The most commonly attacked platform is the Magento 1 ecommerce platform. Notably, support for Magento 1 ended on 30 June 2020, meaning that it will no longer receive security updates.

How does the web skimmer work?

“Web skimmers are loaded on the checkout page of a typical store. It lives in the browser of an unsuspecting online customer. Whenever he or she enters her payment information, the private data is siphoned off to an offshore server. Usually, this data is then sold on the dark web within 2-10 weeks.” - SanSec.

In this blog, I analysed the JavaScript skimmers connected to jquerycdn[.]at in an ongoing campaign: knockout-fast-foreach.js 46fa357596e58272e6e2865c8b80bb96eb910c577267ce64bcada7...

Deep-dive: The DarkHotel APT

UPDATE - 29.06.2022: On 28 June 2022, NKNews.org cited this blog in their research on DarkHotel. In November 2021, I decided to revisit this blog and rethink some of the things I said. Parts of this blog are not what I would currently consider analytically sound. This was written over 2 years ago, and my skills and my perspective on this group have changed a lot since then.

📝 I decided to review and rethink some of the things I wrote in one of my more popular blogs, which was received well(ish) but was not what I would currently consider analytically sound. This was written nearly 1.5 yrs ago and my perspective has changed 1/7 https://t.co/Nk3amxHHiQ — Will (@BushidoToken) November 29, 2021

Originally published on 14.06.2020

PART 1: DARKHOTEL

DarkHotel is a sophisticated and active advanced persistent threat (APT) group. It is highly capable and is known for finding and taking advantage of previously unknown vulnerabilities in common software, also known as 0-days. It is a well-est...