Lots of foreign election influence news/drops this week. Here's one from Cybersecurity and Infrastructure Security Agency, FBI, & Office of the DNI highlighting a few tactics we're seeing from the 'usual suspects' (Russia, China, Iran): narrative farming, AI generated images & Audio clips, hack & leaks, paying witting &…

Turns out, we've got APT44 (Sandworm) here:

Ref: services.google.com/fh/files/misc/…

It's coming... #LABScon24
labscon.io

Come see Alex Delamotte at SLEUTHCON 👇!

This week on @clickhereshow, we learn about #NorthKorea 's obsession with The Daily NK and the special unit of #hackers that targeted them.

LISTEN: podcasts.apple.com/us/podcast/120… #cyber #tech

🇷🇺 New from SentinelLabs: We have discovered a novel malware variant of AcidRain, which we call AcidPour and connect to threat clusters previously publicly attributed to Russian military intelligence. This new malware could be targeting telecoms networks in Ukraine.

Read the…

Ah, that is interesting. Well, the parents ('droppers') ar better detected, but clever that they're just pullling the malicious code in remotely rather than embedding it in the binary.

A good time to resurface a truly excellent talk by Poul-Henning Kamp on a fictional operation to take over / derail OSS security.
youtube.com/watch?v=fwcl17…

Fascinating set of activity I was happy to research - Not your everyday hack-and-leak! 👇

The US and UK just announced sanctions and criminal charges against a group of Chinese state-backed hackers for a long list of hacking allegations including a hack that gave them access to 40 million people's data. wired.trib.al/Jr6LFKx

A few more of the missing XProtectRemediator names:
ColdSnap = POOLRAT (cf XProtect_MACOS_c723519);
GreenAcre = OSX.Gimmick
SheepSwap = Adload
SnowBeagle = Lazarus TraderTraitor
RedPine = TriangleDB (✅)
WaterNet = Proxit-Go
Still have a few more to work through.

I often get asked what tools I use for various aspects of threat research / analysis --

Here's a quick list of my favorites that most are not taking advantage of.. 🧵

“Cyber support for this hot conflict continues to evolve two years after [Viasat hack]. [GRU] are adept at orchestrating wide-ranging disruptions and have demonstrated their unwavering intent to do so”

Great research from J. A. Guerrero-Saade and Tom Hegel

sentinelone.com/labs/acidpour-…

SentinelLabs has discovered a novel malware variant of AcidRain, a wiper that rendered Eutelsat KA-SAT modems inoperative in Ukraine and caused additional disruptions throughout Europe at the onset of the Russian invasion. sentinelone.com/labs/acidpour-… SentinelLabs

Wouldn't it be useful to have a tool that tells you the XProtect rule for common #macOS #malware names, or that told you the industry names for Apple's coded rule names? YES IT WOULD!
A little/useful addition to our ongoing repo tracking XProtect:
github.com/SentineLabs/XP…

The revamped AcidRain malware variant first flagged by Tom Hegel and J. A. Guerrero-Saade on Monday may be linked to an attack on at least four Ukrainian ISPs March 13, an attack this is still having an impact. My story here:

J. A. Guerrero-Saade and I just dropped additional research on AcidPour:

- New capabilities from original AcidRain which impacted KA-SAT Modems in early '22
- Attributing to Russia's GRU / subgroup of Sandworm
- Link to GRU's fake hacktivist grp SolntsepekZ

👇
sentinelone.com/labs/acidpour-…

Nice find here by the SentinelLabs team Tom Hegel & J. A. Guerrero-Saade. More Russian shenanigans in Ukraine. Will be interesting to see how the targeting set lines up….

This is a threat to watch. My concern is elevated because this variant is a more powerful AcidRain variant, covering more hardware and operating system types.

hat tip to Tom Hegel and J. A. Guerrero-Saade for the research. The shift to what looks like a real focus on LVMs (or at least handling LVMs diff) is super nasty. That 'type' of destruction would be very challenging to rebuild/recover from.