Are you ready to pivot?!
Come to Malaga on May 8-10, 2024!
#PIVOTcon24 is crafted to bring together professionals from diverse backgrounds – private sector, government, law enforcement, military, academics, and investigative journalists.
#ThreatIntel #CTI

Sneak preview of my #cyberwarcon slides 👀

"You compile me. You had me at RomCom" - When cybercrime met espionage"

Get ready for a #CYBERWARCON talk full of romantic comedy memes!

www.cyberwarcon.com/you-compile-...

Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog Analysis of the techniques used by the threat actor tracked as Storm-0558 for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics.

Here are technical details on Storm-0558

www.microsoft.com/en-us/security/blog/2023...

That’s the only one I’ve seen so far

Notable Storm-0875 tradecraft (cont’d)
4. Multiple methods of persistence (RMM deployment, remote access internet facing RDP, identity provider federation, golden saml, VMs spun up in victim cloud infrastructure)
5. Generally shy away from deployment of backdoors
6. Social engineering

Notable Storm-0875 tradecraft
1. Initial Access: Sms phishing + AITM or purchase infostealer logs (bypasses most defenses)
2. Privilege escalation via SIM swapping or call number forwarding global admin’s personal phone
3. Time from initial access to global admin often occurs within hours

IMO: Storm-0875 (overlaps UNC3944/Scattered Spider) is the most dangerous financial threat actor right now

Some recent developments:
1. Now deploying ransomware (had been extorting orgs before)
2. In last few months targeting large/well known enterprises (not just telcos/help desk/crypto orgs)

Wouldn’t a middle ground be to require orgs to notify authorities if they pay an extortion and report the crypto wallet/address and any other pertinent identifiers (copy of ransom note, email addresses used…etc)

“Ransom deployment of a cl0p payload”

Thanks autocorrect

Clop/Lace Tempest operates in two modes
1) traditional enterprise compromise/priv esc (using backdoors like truebot), data exfil, and random deployment of a clip ransom payload
2) broad exploitation of file transfer software that leads to data extortion only

They stop doing #1 when focused on #2

if i was a FVEY CI officer, my first thought on a RU-based company publishing on FSB ops wouldn’t be “look at the analytic freedom!” — it would be “why is the FSB comfortable with the world knowing about this now? did they figure out we were onto it in some way?”

I’ve been in touch w/different victims of MOVEit exploitation by Lace Tempest. One thing orgs should be prepared for is initial $ demand that is (in some cases) order of magnitude or more than a typical org would pay (relative to size of payment in other ransom/extortion cases)

Attribution update from MSTIC on MOVEit Transfer 0-day exploitation by Lace Tempest. Victims w/ data theft are likely to be extorted via the cl0p leak site in coming weeks

We’ve shared intel on dozens of exfil IP addresses used in attacks w/customers & industry partners