"Last week, I was fortunate to attend CYBERWARCON and hear some great talks by a number of speakers on numerous threats that organizations are researching across the globe. While presentations and videos have not been posted, I came across this blog that the MSTIC team at Microsoft published that provides a synopsis of the talk they gave and I felt like it was a good way to give you a taste of the kind of content presented at Cyberwarcon and the talk the team gave. The MSTIC team presented on Iranian Threat Activity and a series of ransomware they have deployed, and more specifically on a campaign they call Phosphorus. Phosphorus targeted Fortinet SSL VPNs and Exchange servers. When you read the blog, it is interesting to note that the adversary functions like a persistent threat actor would in their process. Post compromise, they determined the systems that aligned with their goals and established admin accounts on the systems. For their encryption they used Bitlocker. Possibly the most interesting piece of this entire operation though is the level of effort taken to gain initial access to the victim systems and the social engineering. You can read about it in the blog but it is all about gaining trust, either at a personal level or through the guise of interview questions, and exceedingly helpful technical support to harvest credentials."
"Kelly's Security Chaos Engineering is one of my favorite books; she always seems to be ideating new paths forward for security and this article with Ryan Petrich is no different. The idea is to move from honeypots to honeyhives/replicombs, which are far more convincing deception environments simulating and replaying scrubbed production data that only spin up and utilize resources when an attack begins. This mature deception is more likely to gain insight into attacker TTPs as they are presented with a more convincing production environment. Excited to see folks take this idea and run with it!"
"When you wait for a MFA code to come through to your phone, do you ever wonder if it's legitimate? This is what the article from VICE Motherboard is all about. There is now a market for Bots that steal 2FA codes. The hacker that struggled with social engineering now has a new tool to overcome some of that."
"On Nov. 22, the Bioeconomy Information Sharing and Analysis Center, or BIO-ISAC, released an advisory regarding an APT attack on the bioeconomy named Tardigrade. The ransomware was first discovered this past spring inside the systems of a biomanufacturing facility. Researchers say espionage, disruption, and destruction appear to be the primary motive. The sophisticated malware is able to "adapt to its environment, conceal itself, and even operate autonomously when cut off from its command and control server," WIRED reports. BIO-ISAC expedited public disclosure after the Tardigrade malware was found inside a second facility in October. Security researchers say biomanufacturing sites and their partners should assume they are targets for this attack."