Posts

Summer of Scammers: PancakeSwap cryptocurrency thieves

Cryptocurrency is experiencing a huge boom. With this explosion in popularity, and people getting rich quick, come the cybercriminals looking to exploit this new technology. Unfortunately, while there may be a large amount of money to be made from cryptocurrency, there are very few controls or regulations preventing scams. Unlike other centralised financial services, such as banks, cryptocurrency users are only as protected as their own personal operational security (OPSEC). While there are long guides on OPSEC for cryptocurrency users, many new users are lacking here and do not use a strong password or two-factor authentication (2FA). This makes them sitting ducks for cybercriminals. This blog will detail how users of a relatively new platform, PancakeSwap, are being heavily targeted. In their own words, "PancakeSwap is the leading decentralized exchange on Binance Smart Chain, with the highest trading volumes in the market". Despite its comical name, PancakeSwap is ...

The Lazarus Heist: Where Are They Now?

Introduction. The BBC World Service has recently produced The Lazarus Heist podcast (available here), researched and presented by Geoff White and Jean H. Lee. This thrilling podcast dives into the intricacies of the elaborate Bangladesh Bank heist, an attempt to steal $1 billion. As a security researcher who actively tracks the Lazarus group and any mentions of North Korean cyber activity, I found this podcast series extremely detailed and well researched. There are so many additional gems of information that anyone who has researched North Korea will enjoy. I also highly recommend it for any threat intelligence analysts investigating North Korean cyber activity. The Lazarus Heist podcast also made me want to revisit what I have learned about North Korean advanced persistent threat (APT) groups. In February 2020, I blogged about who the Lazarus group is and what campaigns they are known for (see here). This was one of my first blogs and I was eager to learn more while resea...

Attack campaign analysis and interdiction: Async RAT

Threat hunting in public sandboxes has been, admittedly, a hobby of mine for the last two years or so. Recently, I have been looking through the geo-specific uploads that arrive in one such sandbox, Any.Run. It is no secret that I am from the UK, so from time to time I like to check what malware is currently being sent to companies in the UK. This one caught my eye: the file "astro-grep-setup.exe.doc" (available on Any.Run here) was not uploaded to the sandbox by me, but by some stranger from the UK (or someone potentially using a VPN server in the UK). It is 596 pages long and 1.38 MB. The attacker behind this document has used an interesting technique: when macros are enabled on opening the document, they deliver an installer for a legitimate app called "AstroGrep" (an open source Windows grep utility), which is also packed with another malicious application containing the Async RAT. This technique is known as using a "binder", putting two apps ...

SharePoint Island Hopping: Phishing with compromised accounts

Phishing threat actors continue to launch successful credential harvesting campaigns via compromised Office 365 accounts. One of the most common themes for these campaigns is a "shared file" notification, whereby a compromised account shares a file hosted in its SharePoint drive with a user. The file is usually a PDF document that contains a URL to an external site, embedded in an "open document" or "view file" button. If the user clicks on it and enters their credentials, they are redirected to login.microsoftonline.com. Although this is an older scam that has been around for several years, it is still highly effective and is being used to leap from one organisation to another. In this blog, I will analyse a long-running phishing campaign that has compromised at least 45 different SharePoint accounts belonging to a variety of organisations over the last year. Fig. 1 - The typical phishing chain used in this campaign. Fig. 2 - Various PDF documents...

OSINT blog: Watch the skies

Aviation is an interest of mine, as some of my family worked on airlines and I enjoy volunteering my time to work with organisations such as the Aviation ISAC on vulnerability disclosure, threat intelligence, and security research. So when another interesting OSINT challenge with aviation-related attributes cropped up on my radar this week, shared by @fs0131y, I was keen to get stuck into it. Let's begin. Immediate analysis of this image can give us several clues and help us along. From the initial tweet, there are multiple attributes that will help with the rest of the challenge, including the time of day and the date, as well as what the aircraft's engine looks like. Using these attributes we can pivot to the next stage of our investigation. After some Googling of engines, as well as Boeing and Airbus planes, using the grey circle around the front of the engine and the logo on the side, I found a similar-looking plane belonging to Air France - an A318 to be precise. Some ...