@SLEUTHCON thank you so much for having me yesterday! It’s an honor to speak among such legends & I am so impressed with how the team handled the power outage.
I had a great time presenting and I’m so appreciative for all the support (and amazing swag). A+ con, loved it!
Ransomware lineage is an absolute mess these days, so I created this tracker detailing which ransomware families are based on leaked source code/builders.
(1/2)
You know those persistent, pesky USPS smishing texts?
The ones that say you have a package that needs to be redelivered?
In this post, I dive into SNS Sender, a script that abuses AWS SNS to send smishes, and some of the related phishing kits.
I am beyond excited to continue my villain arc by speaking at @SLEUTHCON 2024!
Come watch me speak about the SLOPSEC driving attribution of open-source cloud attack tools.
Stay for the afters to see who wears the Wazawaka wedding suit better: @BushidoToken or Yours Truly.
I am stoked to be presenting at @HushCon on December 8!
Come see me talk about cloud malware, or as I say: “Malware, But on Someone Else’s Computer”
Bring your 🍿 and 🍌—it’s going to get cloudy ☁️
Arid Viper is an interesting group with a rich history of mobile malware development. In this post, I focus on recent activity in this space.
These apps are highly modular and designed to mimic messaging and dating applications. (1/3)
🐍 New by @LabsSentinel! Threat actor Arid Viper is delivering SpyC23, an Android spyware family, to Arabic-speaking targets through weaponized apps posing as Telegram or as a dating app called Skipped. By @spiderspiders_
📄 Read more:
Back in 2021, the Babuk source code leaks fascinated me. At the time, it was unprecedented ransomware drama. 🍿 Like any self-respecting malware archivist, I grabbed the zip file and threw away the key for a few years. 1/?
FBot was a joy to research—aside from having to open an AWS account again for testing. 😂
This little Bot keeps popping up, with its most recent appearance on New Year’s Day. (1/x)
THE NET GALA was incredible and exceeded my wildest expectations. Thank you so much to the old & new friends who joined us from near & far, and to our sponsors for making it possible.
A huge thank you to everyone who attended The Net Gala. We are so grateful for each and every one of you!
This was truly a special event. We will share photos over the next few days!
XOXO,
The Gala Girlies / The AAA Girls
@aaronsdevera, @spiderspiders_, @endingwithali
@mattjay Great question! SCARLETEEL is the best recent example that I know of. Actor exploited a vulnerable Kubernetes container and pivoted to the underlying cloud service account.
Thank you to all who attended my talk at @HushCon this afternoon! 🙏
Here are the links:
AlienFox:
Predator AI:
TeamTNT: @permisosecurity -
Cloud malware GH repo to follow soon :)
Transparent Tribe is back again. This campaign was quite similar to the CapraTube campaign I reported in September. As is tradition, this actor relies heavily on social engineering pretexts to design apps that appeal to their targets. 🧵 (1/4)
A deep dive by my colleague Jim on the activities of the NullBulge group, which allegedly leaked Disney’s Slack data last week. Grab a coffee and check it out! ☕️
Come see me yell about cloud threat intelligence on Saturday afternoon!
This is a very fortuitous time to talk about where cloud threat intel is and where it could be. Grab the popcorn 🍿
📢 Drumroll, please! @spiderspiders_ will be presenting a talk “Bridging the Gap: Cloud Threat Intelligence for Detection and Offensive Security Practitioners” on August 12th (Day 2) 14:10 PT at @cloudvillage_dc @defcon
📝 More details on #defcon31
We 💜 #LABScon23 -- New from our team today:
🟣 by @milenkowski (Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit). Related blog from @juanandres_gs coming soon ;)
🟣 by @TomHegel (Cyber Soft Power | China’s
Ayy, researchers. Friendly Monday reminder to constantly SNAPSHOT YOUR VMs!
I was looking for a TA's website & social media acts & found they were taken down since I researched a few months ago. Opened my VM snapshot from when I researched the actor's tool & found everything.
The Snowflake debacle is undoubtedly a headache for security teams of companies using it. I chatted with @LindseyOD123 about the situation and what we can infer from Snowflake’s recommendations. Check it out!
Happy Friday and early Xmas! Here is the promised Cloud Malware & Hacktools collection:
I would love to see this code rolled into Detections & Red Team Ops.
Thanks for having me @HushCon! And thanks for all the interest from attendees of my talk! 🙇‍♀️
@vxunderground @Ubiquiti @briankrebs Every incident responder who had a weekend fire drill thanks to Krebs posting at 5 PM on Friday is entitled to schadenfreude rn.
I’m horrified to share that this is the character I’m slowly turning into, minus the problematic tendencies that come with being from a certain generation
For anyone new to knowing or following me, here is what I do for $dayjob: track how actors in developing countries abuse western megacorp services to make a quick buck (or rupiah) 💁‍♀️
📬 Have you gotten @USPS smishing texts, the ones that say you have a package that needs to be redelivered? In this @LabsSentinel post, @spiderspiders_ dives into SNS Sender, a script that abuses AWS SNS to send smishes and some related phishing kits.
@SynapticRewrite Vegas local here. Any gripes you have against the Strip are 1000% valid. I hate the Strip!
There are nice parts of town away from the Strip. There is no capacity for the # people coming into town for cons, yet.
If you hate the heat, can’t solve that aside from new con dates.
What an honor to be the Defcon Saturday episode of @thecyberwire! I enjoyed chatting with Dave about the TeamTNT-like activity now targeting service credentials from each of the big 3 CSPs. Check it out!
Ok I’ll play. What are five topics you can talk about for 30 minutes with zero prep?
1. Detection Engineering
2. Tech company hiring
3. Dance music (my opinions are fact here)
4. Human rights in the USA
5. Languages
What are five topics you can talk about for 30 minutes with zero prep?
My Infosec ones are:
1. Ransomware
2. Advanced Persistent Threats
3. Cybercrime Forums
4. How Bitcoin Works
5. Basic OPSEC practices
Windows ransomware is like a comfort food for me: familiar & I know what to expect.
Rhysida is an odd newcomer with certain techniques that resemble older ransomware.
It is a dev’s passion project and they are working on some shiny features. ✨ This one is sure to be continued.
🇨🇱 Stay ahead of Rhysida ransomware and its unusual combination of techniques. Our latest blog post offers a high-level overview of its activity, technical details of the malware payloads, hunting rules, and IoCs. By @spiderspiders_ & Jim Walter
Hey Hackers, remember when, like, every digital billboard was vulnerable to RCE? The Sphere was a 2.3B USD project. How much do we think was allocated to AppSec?
DEFCON is coming soon 🍿
Check out @0xFawaz’s blog posts on AWS persistence & privilege escalation from the red & purple team lens!
I’m excited to see more from this researcher. Props to @techyteachme for highlighting their blog in Detection Engineering Weekly.
After privilege escalation in AWS, the next goal of an adversary could be to create backdoors in their target AWS account to maintain access.
In this post, we explore some methods that can allow persistence in any AWS environment.
#aws #cloudsecurity
Today @ESETresearch shared great research on more mobile spyware shenanigans from AridViper.
Thanks for referencing my 2023 report on SpyC23 @TheHackersNews!
🔒 Arid Viper launches mobile espionage campaign using trojanized #Android apps to deliver AridSpy #spyware, targeting Middle East users via fake messaging and job apps.
Read details:
#cybersecurity
This was an awesome talk! I highly recommend folks check this out.
@_vventura & the @TalosSecurity team dive into the timeline behind a well-funded mobile spyware ecosystem targeting both Android & iOS
If you need to hit a cloud service but can’t forge your own auth tokens, a credential stealer may be for you!
Check out the potential comeback of cryptojacking OG, TeamTNT. Featuring a cameo from Silent Bob.
Annnnnd it’s gone. Evidently MS decided that @nyxgeek’s Teams enumeration technique leveraged a bug, not a feature.
This inspired so many data collection ideas, too. 😭
CVEID & CVSS score, please.
Well, that was short-lived.
If you just get a "doh" error when you run the tool, that's because the request now gives a 403.
This might be the fastest fix that I've seen from Microsoft. I did not expect them to fix it, because it would break the Graph Explorer demo.
Cloud Village @cloudvillage_dc was a lovely & accommodating place to give my first conference talk. I highly recommend anyone with a cloud focus submits to the CFP!
Howdy Folks,
The #cfp for Cloud Village @defcon 32 is open now!
Submit us the cool #cloudsecurity research y'all have been doing!
Submission Link -
Visit us for more details -
Cheers!
#dc32 #defcon
For everyone who is already asking: Don’t stay at Fontainebleau for Defcon—service and logistics are a mess.
Go for Wynn or Resorts World first. You’re welcome.
SLEUTHCON is coming!!! Registration and CFP are now open for this year's SLEUTHCON! This year's keynote will be given by Bryan Vorndran, FBI's Assistant Director Cyber Division. We are virtual and in-person in Arlington, VA on May 24th! 1/x
Las Vegas - Casino Security on the LV Strip responding on a welfare check - report of a male being walked through the casino on a leash by a tall muscular woman - caller says it “doesn’t look consensual”
This week is amazing. @LasVegasLocally retweeting @vxunderground is like my skater friends and internet nerd friends are suddenly hanging out after years of being completely unaware the other group exists
There are still seats available for my & @sud0suw’s Blackhoodie workshop at Recon in Montréal!
We will cover ransomware design fundamentals & how they’re implemented on Linux & Windows RW, as evasion. & the amazing @0x0bea is joining to lead a section on writing decryptors!
BlackHoodie is coming back to @reconmtl this June 26 & 27 with a training on Reverse Engineering Ransomware brought to you by @sud0suw and @spiderspiders_, registration is now open
@ly7erg1c @defcon I did not see these kits but very happy to read about them!
You may want to put some in restrooms next year. I saw lots of outreach info & supplies in the Forum restrooms this year, I took time to read those I encountered.
Bob is very silent…but there is an even stealthier C2 domain in this campaign.
Check out our collab detailing what a TeamTNT-like actor has been up to in 2023!
Thanks for working with us, @danielhbohannon
CLOUD TOOLSET BLOG: If you've ever been interested in re-winding all the incremental code & infrastructure changes an attacker makes to expand their victim targeting in the cloud then you'll enjoy this blog by @permisosecurity! (esp the attacker's FQDNs)
@sherrod_im Aside from the redundancy of “all time,” I like the exploit question.
It shows you’re in touch with news & how attacks work. Mostly measures how you respond to open-ended questions—or as tech companies like to say, “navigating ambiguity.”
Join us next Wednesday for the @redcanary Detection Series to talk crypters & loaders! I’ll be discussing where they intersect with the cloud and how detection differs from traditional endpoint threats.
Register here:
We're zagging slightly with the Detection Series and focusing on threats rather than techniques/tactics. Join @jfslowik, @spiderspiders_, & @ForensicITGuy 7/24 @ 2 PM ET to talk crypters and loaders, why they matter, and what you can do about them!
Rumors are circulating about a Signal 0day.
If a Signal 0day existed it would be worth roughly $33,560,600,000,000 (just enough to pay off the United States national debt).
It would be used by state-sponsored threat actors. It would not be used to spy on anime hoarding nerds
Before people freak out about the Signal outage being a hack, I’d like to note that it started exactly at 4 PM PST aka 00:00 UTC. Prime for a ‘cron job gone wrong’ kind of outage.
SentinelOne's @spiderspiders_ writes about a new toolkit dubbed AlienFox. Actors use multiple scripts in this toolset to extract sensitive information such as API keys & exposed configuration files to compromise email & web hosting services.
Thanks @InformationWeek for sharing my thoughts on Azure AD misconfigurations!
Astute readers will also see a familiar refrain of mine: Downfall & other speculative execution bugs still live in the theoretical attack space, e.g. no confirmed ITW exploitation. Don’t lose sleep.
🎙 @LabsSentinel's @spiderspiders_ in @InformationWeek: She comments on two big vulnerabilities discussed at #BlackHat 2023 to consider: Azure AD misconfigurations and the "Downfall" bug.
"[An Azure AD misconfiguration] can be a massive project depending on the org's