The Com, 764, and Associated Groups

In evaluating capabilities for LLMs (AI) recently, I’m looking at the viability of creating more content with them. I’m explicitly calling out where I do, aside from my writing style, I’m also keen to show the pros and cons. Do LLMs replace humans? Not from my experience so far. I’ve been looking at combined physical + digital attacks recently and the associated threat classes… I’m trying to avoid the word group or gang, because collectives are slightly different and are dynamic, almost mission focused if you will.

Read more “The Com, 764, and Associated Groups”

An evolution of threat actor

Motivation and a diverse network of people and capabilities can go a long way, then add in digital skills and winning steak… and you have: scattered spider!

There’s a big difference between zero day spraying the internet and planting webshells or copying someone’s open S3 bucket and say…. doxing staff, their families and attacking them and their assets in the real and digital worlds.

I think people won’t broadly grasp the effects that can be achieved (harm) when the adversary is motivated, dedicated, capable, resourced and has very little moral qualms.

There is no magic bullet to defend against an adversary like this, you need a whole of organisation defence (and to pursue even more than that!).

Read more “An evolution of threat actor”

Defending Against Scattered Spider

Defending against different skilled threat classes is an important thing to consider when you are planning, designing and operating a business. I’ve used GROK (AI) to create an html page which has both information on the kill chains, but also looks at countermeasures. I’m experimenting lots with VIBE coding and LLM assisted content generation so hopefully this proves useful. I do feel it needs a more human touch added as well… but let’s see! life without experimentation would be dull would it not!

Read more “Defending Against Scattered Spider”
CTI Investigation Demo

Threat Analysis Tools

I’ve not blogged in a while, but I wanted to put down a note of some useful tools people can use to help them combat cyber crime.

This isn’t going to be an in depth look at each tool, however I do want to, in the near future, try and do some demos/videos etc. of how to investigate potential/suspected or identified threats. I’ll drop a list of some of the useful tools below and also do a quick demo of investigating an event (from this blog)

Read more “Threat Analysis Tools”

Cisco IOS XE Incident Update

Update 30-10-2023 (fast publish)

This is a fast publish. Based on honeypot data from @SI_FalconTeam we can make some analysis:

  1. The webshell has an authorisation header is 40 characters long. (it is unknown how this was generated)
  2. The user agent in the sample: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
  3. The source IP: 192.3.101.11
  4. The stages:
    1. Check for webshell
    • If not in place:
      1. Bypass Authentication (CVE-2023-20198
      )
      1. Create a local LEVEL 15 User AccountSet IP HTTP/HTTPS SERVER and Enable Local Authentication (AAA)Use this account to conduct a device inventory.
    • Inventory the System
    • Kill the created Level 15 account

In the lab we have attacked HTTP and HTTPS and have been able to get AUTH bypass. (thanks @leak_ix)

Read more “Cisco IOS XE Incident Update”

Pro Russian Hacktivist Groups

Cyberwarfare in Ukraine was hyped as a MASSIVE thing, yet largely it’s been more bark and bite, but perhaps people need to understand that you can’t just “CYBER” a remote network, and even if you could, let’s say you get RCE on 30 networks in a country, so what? There needs to be value, purpose and something that will support other objectives, this isn’t a CTF.

  • Espionage (Collection/CNE)
  • Information Warfare (PsyOps)
  • Computer Network Attacks/Operations (CNA/CNO)
Read more “Pro Russian Hacktivist Groups”

Active Cybercrime Groups

Ransomware this, ransomware that! The problem is, you can be tired of the subject but that doesn’t mean the threat has gone away! So what are the currently active ransomware groups posting victims?

Well here’s a list of currently active group (Both Ransomware and Marketplaces) names who have ONLINE “DARK WEB” (TOR) hidden services online and who are posting victims or are markets:

Read more “Active Cybercrime Groups”
Snake Oil

DNSSEC – why not having a signed zone is…

Firstly, what is DNSSEC?

https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

Ok read all that good. What we are talking about here is signing a DNS zone to “assure” that the client is getting DNS responses from the right ZONE data. DNSSEC does not encrypt the conversation between DNS client and DNS server. It does enable the client to be able to check if the data it gets back is valid. In short what we are doing is validating that the “data” being returned is authorized and not tampered with.

Read more “DNSSEC – why not having a signed zone is almost never going to lead to you getting pwn3d”

ESXiargs Summary 09-02-2023 10:03

What do we know?

Adversary: Unknown, likely Criminal Actor/s

Initial Access Vector: Unknown/Unproven

Impact: ~3K+ Hosts have had Remote Code Execute and their ESXi logon pages changed (plus had encryption routines run to encrypt virtual machines, with varying success). A Second encryption routine has been deployed to some hosts; the threat actor is expanding/changing capabilities.

Risk: Further impact, Additional Threat Actors Exploit the vulnerability

Read more “ESXiargs Summary 09-02-2023 10:03”
Copyright (c) Xservus Limited