Alexis Dorais-Joncas (@adorais@infosec.exchange) (@adorais)'s Twitter Profile

@adorais

Sr Manager, APT Threat Research @Proofpoint

ID: 25084905

Joined: 18-03-2009 14:54:32

940 Tweets

1.6K Followers

826 Following

Greg Lesnewich (@greglesnewich):

Hey friends and fans!

I am looking for a successor to take up the 100 Days of YARA mantle. I'll still participate of course, but I think the challenge has reached a point where it can grow much more under a more organized eye.

Alexis Dorais-Joncas (@adorais@infosec.exchange) (@adorais):

Great research by Greg Lesnewich & team. A lot happens before malware/cred harvesting gets delivered. Studying this benign conversation-starter phase helps shed some light on TA427's objectives (and also helps create some fine detection / hunting logic...).

Threat Insight (@threatinsight):

Iran-aligned APT ( ) has employed new tactics.

For the first time, Threat Insight has observed TA450 attempt to use a malicious URL in a PDF attachment rather than directly linking the file in an email. ow.ly/nu3U50QYWlm

Threat Insight (@threatinsight):

TA450 ( , Mango Sandstorm) proves legitimate remote software will never go out of APT style. Last week, Threat Insight also saw the Iran-aligned actor return to using the legitimate remote administration software Atera Agent to target technology organizations in Africa.…

Kris McConkey (@smoothimpact):

In September 2022, attendees at the inaugural LABScon heard about an actor I described then as 'one of the most prolific, most deeply connected, and most technically advanced actors around'. Events this week were a reminder that the video never went out, so here it is 👇

Threat Insight (@threatinsight):

Are you Wi-Fi? Because we are sensing a strong signal here. 😏

The Proofpoint Threat Research team wishes you a #ValentinesDay filled with joy, laughter, and positivity.
Threat Insight (@threatinsight):

⚠️If you're in the DPRK research or policy space⚠️

Proofpoint recommends checking the 'Reply-To' and 'From' fields of emails from all senders (even familiar ones) and adding confirmed email addresses to contact lists. Doing so will help identify TA427's targeted email spoofs.

Threat Insight (@threatinsight):

One threat actor abusing is North Korea (DPRK)-sponsored group TA427 (aka ).

Since December 2023, Threat Insight has seen TA427 abuse lax DMARC policies to spoof think tank personnel and government entities.
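The two tweets above recommend a manual check (compare 'Reply-To' with 'From') and name the enabling weakness (a lax DMARC policy on the spoofed domain). The following is an added example, not Proofpoint's tooling or anything from the tweets, that automates both checks on a mail-gateway or SOC side: it classifies a sender domain's DMARC record as enforcing or lax (`p=none`, `pct=0`, or no record at all) and flags messages whose Reply-To domain differs from the From domain. The domains, the DMARC records and the two sample messages are all constructed for this example; a real deployment would fetch `_dmarc.<domain>` over DNS instead of reading the dictionary.

```python
"""Added example: DMARC-policy and Reply-To/From mismatch checks for inbound mail.

Not Proofpoint code. Domains, DMARC records and messages are constructed here so
the example runs offline; a real check resolves _dmarc.<domain> TXT via DNS.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed DMARC TXT records keyed by sending domain (hypothetical domains).
CONSTRUCTED_DMARC = {
    "thinktank.example": "v=DMARC1; p=none; rua=mailto:dmarc@thinktank.example",
    "gov.example": "v=DMARC1; p=reject; rua=mailto:dmarc@gov.example",
    "partner.example": "v=DMARC1; p=quarantine; pct=100",
}

# Constructed spoof in the style described above: a believable From address on a
# think-tank domain, with replies silently redirected to an attacker mailbox.
CONSTRUCTED_SPOOF = """\
From: "Dr. Jane Analyst" <jane.analyst@thinktank.example>
Reply-To: jane.analyst.thinktank@freemail.example
To: target@policy.example
Subject: Quick question on DPRK sanctions

Could you share your thoughts on the attached draft?
"""

# Constructed benign message: enforcing domain, no Reply-To redirection.
CONSTRUCTED_CLEAN = """\
From: Policy Desk <desk@gov.example>
To: target@policy.example
Subject: Meeting notes

Notes attached.
"""


def parse_dmarc(record):
    """Split a DMARC TXT record ('tag=value; tag=value') into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_lax(domain, records=CONSTRUCTED_DMARC):
    """True when receivers are not told to quarantine/reject mail failing DMARC:
    no record, a malformed record, p=none, or pct=0 (policy applied to nothing)."""
    record = records.get(domain.lower())
    if record is None:
        return True
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return True
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return tags.get("p", "none").lower() == "none" or pct == 0


def address_domain(header_value):
    """Extract the domain part of an address header; '' if none is present."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def check_message(raw_message):
    """Return a list of findings for one RFC 5322 message (empty list = nothing flagged)."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    findings = []
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    if dmarc_is_lax(from_domain):
        findings.append(f"From domain '{from_domain}' has no enforcing DMARC policy")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoof", CONSTRUCTED_SPOOF), ("clean", CONSTRUCTED_CLEAN)):
        print(label, check_message(raw) or "no findings")
```

A Reply-To mismatch on its own is common in legitimate mail (ticketing systems, newsletters), so the mismatch is more useful as a hunting pivot than as a blocking rule; the combination of a mismatch with a lax DMARC policy on the From domain is what makes the spoof described above cheap for the attacker and worth alerting on.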

ESET Research (@ESETresearch):

has discovered a China-aligned APT group, which we named , that leverages adversary-in-the-middle (AitM) to deliver the NSPX30 implant via software updates. NSPX30 is a sophisticated implant evolving since at least 2005. facundo Mz welivesecurity.com/en/eset-resear… 1/6

Ivan Kwiatkowski (@JusticeRage):

New blog post: 'So you want to work in cybersecurity'.
Every time I post research here, I get DMs asking how to get into cybersecurity. Instead of repeating myself ad nauseam, I wrote down all my thoughts on the subject here: blog.kwiatkowski.fr/cybersecurity-…

Personal opinion obviously.

Threat Insight (@threatinsight):

Starting 17 December, Proofpoint observed a highly targeted phishing campaign against customers with a presence in Israel. This campaign masqueraded as emails claiming to have an update related to a recently disclosed F5 BIG-IP vulnerability. The emails from cert[@]f5[.]support…

PIVOTcon (@pivot_con):

is OPEN!
pretalx.com/pivotcon24/cfp
We focus on research into cyber threat actors affiliated with states that conduct espionage, disinformation, and disruption operations, as well as on financially motivated cybercriminals.
Share your methods, findings, and experiences!

ESET Research (@ESETresearch):

has documented a growing series of OilRig downloaders using legitimate cloud service providers for C&C communication, all deployed against a small group of especially interesting, repeatedly victimized targets in Israel. welivesecurity.com/en/eset-resear… Zuzana Hromcova 1/7

Threat Insight (@threatinsight):

Tis the season for understanding ’s latest activity AND for singing podcast guests! 🎤

In this episode, Greg Lesnewich, sr. threat researcher at Proofpoint, shares his insight on the tactics, techniques, and procedures employed by the APT.

Stream: ow.ly/ACr250Qi8VF.

Alexis Dorais-Joncas (@adorais@infosec.exchange) (@adorais):

Exceptional event, all run by a non-profit organization and many, many volunteers. Also, it's a great reason to visit Montreal.

Joseph Cox (@josephfcox):

New: Reuters has taken down its blockbuster investigation into how a hacker-for-hire shop after an Indian court order. No sign the piece was wrong, comes as India faces wave of press freedom issues: 404media.co/reuters-takes-…

Archive still exists. Read it: web.archive.org/web/2023111616…

Greg Lesnewich (@greglesnewich):

The whole gang got up for this one to wrap up on TA422 (aka APT28, Fancy Bear, Forest Blizzard, FROZENLAKE, BlueDelta, Sednit, etc.) spraying n-day exploits August through November

proofpoint.com/us/blog/threat…

TL;DR:
