@BushidoToken Threat Intel

  A short blog to document the proliferation of an advanced commercial penetration testing tool among cybercriminal threat actors across various Russian- and English-speaking underground forums. What? Available since December 2020, Brute Ratel C4 (aka BRC4) is one of the hottest new Red Team frameworks to hit the scene. It is similar to other frameworks such as Cobalt Strike but is uniquely concerning for its focus on evading endpoint detection and response (EDR) and antivirus (AV) tools. A technical analysis of BRC4 has already been provided by Palo Alto Networks Unit42 (see their blog here ). At 19:59:20 UTC o n 13 September 2022, an archive file called " bruteratel_1.2.2.Scandinavian_Defense.tar.gz " was uploaded to VirusTotal. This file contains a valid copy of  BRC4 version 1.2.2/5.  On 28 September, the developer of BRC4, Chetan Nayak, tweeted  unfounded and disproven accusations that archive was leaked by MdSec and said they were the ones who ...

Background Active since at least August 2021, a new English-speaking threat actor calling themselves "1977" has developed and advertised a new eCrime market on multiple underground forums called  Darth Maul Shop . This blog aims to highlight some of the key aspects of a new emerging eCrime market, analyze its reception by other threat actors, and discuss the underground cybercrime communities making money buying and selling credentials without launching any intrusions themselves. If you want to learn more about Initial Access Brokers (IABs), SentinelOne recently shared a good up-to-date overview of this type of threat actor and how they interface with various ransomware groups and the types of services they offer. These IABs can be just as dangerous as the ransomware groups themselves, as they are capable of infiltrating a target network and achieving the privileges of "Domain Admin (DA) access with reach to over 10,000 hosts. " The eCrime market has also shifted r...

  This is a short blog analyzing some artifacts  left over by a Mimikatz operator's campaign. Background While doing to some internet dumpster-diving (as I like to call it) I came across an open directory belonging to a threat actor's Mimikatz staging server (see Figure 1).  The threat actor's server was hosted on DigitalOcean AS14061  (165[.]232[.]*.*) and a takedown request was submitted by myself to the DigitalOcean Abuse team. Figure 1: Mimikatz opendir The files on the server were not that interesting, most of it was default Mimikatz components from the GitHub and other resources online. The files are available on VirusTotal too if needed. im.ps1 (Invoke-Mimikatz PowerShell script) https://www.virustotal.com/gui/file/1b441fde04d361a6fd7fbd83e969014622453c263107ce2bed87ad0bff7cf13f mimidrv.sys (signed Windows Driver Model (WDM) kernel mode software driver) https://www.virustotal.com/gui/file/f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5 ...

Background Destructive  cyberattacks and digital espionage campaigns targeting international space programs is a growing and concerning trend. Some of the most significant cyberattacks over the last five years have been turning points in the state of cybersecurity of international space programs and organizations with satellite infrastructure in space.  Space exploration and the significance of having satellite infrastructure in space is a key driver of scientific research and technological innovation. However, despite receiving billions of dollars in funding, the digital infrastructure and information systems supporting space programs have been impacted by significant cyberattacks from nation-state threat actors and financially motivated cybercriminal groups. This blog aims to use open source intelligence (OSINT) research to compile and highlight significant cybersecurity incidents impacting the space industry that defenders should consider when securing these types of e...

  (Image credit: DALL·E 2 ) Background In 2015 and 2016, the Democratic National Committee (DNC) was hacked by not one, but two Russian intelligence services, the Russian Main Intelligence Directorate (GRU) and the Russian Foreign Intelligence Service (SVR). The two advanced persistent threat (APT) groups attributed to these organizations coexisted inside the DNC's networks for months and provided valuable political intelligence to the Russian government, in the form of stolen files and emails, during the run-up to US presidential election. This audacious act of cyber-espionage brought these two APT groups, also known as FancyBear and CozyBear  (coined by CrowdStrike), into the spotlight and under the microscope ever since. On 24 February 2022, Russia invaded Ukraine and these two well-known APT groups (among many others) have been busy launching widespread intelligence gathering intrusion campaigns to support the Russian government and Russian military. This blog aims ...