Heading into the weekend, here's a new issue of Sources & Methods to mark 2 years of running this CTI newsletter. Thank you for reading, I hope it serves you well! #CTI #threatintel https://sourcesmethods.com/sources-methods-newsletter-20/
Monthly newsletter for cyber threat intelligence (CTI) information sources, tools, articles, events, and helpful tips
New @misp playbook! Tackle the week with JARM fingerprint investigations to track threat actor infrastructure using @censys, @shodan and MISP. Boost your #cti game with #automation and #infrastructure insights. https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_jarm_verification-with_output.ipynb
New episode of DISCARDED where I chat with @bingohotdog about how she catches phish.
We dive into how to write detections, what to hunt for when finding phish kits, and some of her recent research on phishing scams. Tune in wherever you get your podcasts!
Spotify: https://open.spotify.com/episode/0NpdI41xywdaxgwlGQXew3?si=30jQ45GnQeO0pVOGZ9rrew
Alleged Boss of "Scattered Spider" Hacking Group Arrested in Spain
A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years.
https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/
Say you, say me. Can it say together? The Natto Team is afraid to say probably not. Cyber attribution is complicated. It looks as if we have more questions than answers after all.
https://nattothoughts.substack.com/p/who-is-volt-typhoon-a-state-sponsored
My latest blog for SANS is about the importance of and the misunderstandings surrounding threat hunting in industrial networks. https://www.sans.org/blog/ot-threat-hunting-more-critical-than-ever/
Power outage during this year's #SLEUTHCON reminds me of #CYBERWARCON 2022 when the same thing happened... Talks are still being recorded, and thank you to everyone working to get the livestream back!
Just published the second-longest blog post in my 14-year career as an independent reporter.
This story is the result of a ridiculous amount of research. I hope you like it, because I learned tons reporting this, and there needs to be a broader conversation about some of the issues raised by this research. The lede:
Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.
https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/
We have compiled our Cyber Brief for the month of April 2024, with a summary of the main IT security developments, reported by open sources. It is available at https://cert.europa.eu/publications/threat-intelligence/cb24-05/.
Policy: EC encourages MS to adopt a unified approach to cryptography-safe digital infrastructure. 🇺🇸 🇯🇵 announce partnerships in AI research. 🇺🇸 published an advisory on securing election infrastructure against FIMI and charged 🇮🇷 nationals for involvement in cyber intrusions.
Cyberespionage: reporting of activity by allegedly 🇷🇺 🇨🇳 🇰🇵 threat actors. Additionally, Apple alerted iPhone users about potential targeting with spyware by PSOAs.
Cybercrime: top ransomware in 🇪🇺: Lockbit3, Blackbasta, Akira, Bianlian, and Hunter.
Disruption: 🇫🇷 a hospital experienced a cyberattack, disrupting operations. Reportedly 🇷🇺 Sandworm and Muddling Meerkat have targeted 🇫🇷 energy infrastructure and manipulated 🇨🇳 Great Firewall's DNS responses, respectively. 🇨🇿 accused 🇷🇺 of attempting to sabotage European railways.
InfoOps: Reportedly 🇷🇺 🇨🇳 disinformation campaigns are heavily targeting 🇪🇺 and 🇺🇸 elections, 🇷🇺 through social media and fake websites, 🇨🇳 attempts to influence 🇺🇸 elections through covert accounts posing as Trump supporters. AI chatbots have inadvertently contributed to misinformation about the 🇪🇺 elections.
The 2024 Verizon #DBIR is out and it's the Year of the Vuln, as exploit attempts surge + orgs struggle to patch in time. Check out our analysis on the evolving landscape + how GreyNoise helps ID targeted attacks faster + buys remediation time. https://buff.ly/3JJK6WR
Here's the April 2024 issue of the Sources & Methods newsletter. This month, we dive into the importance of collaboration and systems thinking in #CTI, explore the latest updates to MITRE ATT&CK, and ponder the role of analysts in an AI-driven world. We also showcase some exciting new tools for enhancing your CTI workflows and share valuable insights from the community. Enjoy! https://sourcesmethods.com/sources-methods-newsletter-18/
SANS #OSINT Summit 2024
YouTube playlist
- The Impact of AI with OSINT
- How to Dump Raw Data from TikTok
- Using Astronavigation Techniques to Do Image Geo-Positioning
- Thinking Like a Historian for OSINT Practitioners
and other talks.
https://www.youtube.com/playlist?list=PLs4eo9Tja8bi1RZyKT_HlN48QLIRW6HhG
twitter.com/SANSInstitute
On vacation but me n @Ffforward dropped a banger today. TA547 targeting DE with Rhadamanthys and a suspected LLM-generated PowerShell script https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer
This is an Initial Access Broker with a twist. We like to spotlight important and relevant ATT&CK techniques, so this week we're taking a look at UNC5174's N-day exploit spree. Let's go:
From OneNote to RansomNote: An Ice Cold Intrusion
Analysis & reporting completed by @iiamaleks, @IrishD34TH, and @Miixxedup
Audio (New Voice!): Available on Spotify, Apple, YouTube and more!
Report: https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
Services: https://thedfirreport.com/services/
GIST: Backdoor Discovered in xz/liblzma Compression Library #CTI https://sourcesmethods.com/xz-utils-backdoor-discovered/
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().
It's RCE, not auth bypass, and gated/unreplayable.
More details in this thread: https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b
Threatnote.io is back https://threatnote.io/example-blog/threatnote-io-relaunch
Behind the doors of a Chinese hacker-for-hire contractor, a tawdry culture of bid-rigging, influence-peddling and alcohol- and sex-fueled customer wooing. By colleagues @dakekang and @zensoo https://apnews.com/article/chinese-hacking-leak-documents-surveillance-spying-6276e8662ddf6f2c1afbae994d8b3aa2