Don’t approach your threat profile irrationally – use our #PiDay #TTPs Matrix to slice through the infinite universe of threats and bring more (mathematically) constant focus on the ones that matter most: https://hubs.la/Q01GPxgV0
Whether you’re a freshly-baked analyst/operator or a crusty infosec veteran, the piping hot and fresh content in Tidal’s free Community Edition is sure to ins-pie-re the next step in your threat-informed defense journey!
Our latest matrix features seven timely threats:
PyPI Malicious Packages: A recent report from Sonatype highlighted software supply chain compromises, where four Python packages hosted on the PyPI software registry contained malicious code that could drop malware, delete system utilities, & tamper with files containing authorization keys
AppleSeed: According to the MITRE ATT&CK knowledge base, “AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.”
Raspberry Robin: A highly active worm that spreads through removable media and abuses built-in Windows utilities after initial infection. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware
Chocolatey Backdoor: Last March, Proofpoint identified an attack on French organizations in multiple sectors that used Chocolatey, an open-source package installer, to fetch malicious scripts that delivered the Serpent backdoor (this represents one of the first documented uses of Chocolatey in a cyber campaign)
(Key) LimeRAT: Trellix researchers documented a July 2022 spearphishing campaign targeting government agencies across South Asia, Europe, and North America that ultimately delivered AsyncRAT & LimeRAT. As a special bonus, this set of Pi Day techniques fittingly features T1056.001 (Input Capture: Keylogging)!
Banana Sulfate: This small set derives from Sekoia.io’s investigation into a large and sophisticated but unattributed infrastructure cluster last February
Golden Chickens: Security researchers assess this is a malware-as-a-service provider whose customers include FIN6, Cobalt Group, and the Evilnum APT group.
#SharedWithTidal #threatinformeddefense #threatintel #threatintelligence
#piday #ttps #sharedwithtidal #threatinformeddefense #threatintel #threatintelligence
One of the biggest issues in cybersecurity today is the gap in knowledge between security vendors and consumers about exactly how cybersecurity products defend against specific adversary techniques. Is this impossible to overcome? Not at all! Join us on March 23 for an informative fireside chat presentation where we'll discuss how we can bridge this gap.
#cybersecurity #cyberrisk #threatintel #threatinformeddefense
Struggling to differentiate & prioritize among the large set of opportunistic and “indiscriminate” threats in the landscape? Our new blog aims to help
Threat profiling generally focuses on identifying & prioritizing (rank-ordering) threats motivated to harm your organization. These include threats with clear targeting intent relative to your org or your industry, often a smaller set that is more straightforward to surface. Then comes the large pool of threats that seem to impact most sectors (in some cases your vertical specifically, in others simply trending in threat intel generally), regardless of whether explicit links to your industry exist yet
With the high volume of recent activity from threats like #ransomware, #infostealers, & loader/initial access malware like #QakBot, #Gootloader, and many others, I’m seeing more awareness that these often broad-based threats should be on many security teams’ radars. But how do you keep from being overwhelmed by what often feels like an endlessly growing list of new threats?
@tidalcyber's latest blog (https://www.tidalcyber.com/blog/ransomware-threat-profiling-prioritizing-indiscriminate-threats) offers several strategies for helping make more sense out of this subset of threats, using major ransomware-as-a-service operations as a representative case study. Our guidance involves (where possible) leaning on metrics to rank-order groups linked to your industry, using technical sources to identify potential spikes in activity and quantifiably justify increased priority levels, and focusing defenses on discrete TTPs that might be common across the wide pool of these threats (summarized for major #RaaS in the attached table, with data sourced from the Ransomware & Data Extortion mega-matrix available in Tidal’s free Community Edition here: https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a)
These tips are often just a starting point – for more upcoming threat profiling guidance, subscribe to the Tidal blog here https://www.tidalcyber.com/blog and follow us on all major social platforms, and we look forward to hearing what other techniques you use to drive focus in the ever-evolving threat landscape
#threatinformeddefense #threatprofile #risk #intelligence #CTI
#ransomware #infostealers #qakbot #Gootloader #raas #threatinformeddefense #threatprofile #risk #intelligence #cti
#Gootloader is a highly active banking Trojan-turned-loader #malware that has recently appeared on multiple vendors’ priority threat lists, attacking organizations in a wide range of verticals & countries. If your leadership or other stakeholders asked for a list of this threat's most common TTPs, would you be able to provide it quickly?
Now you can, with the Gootloader #TTP matrix available in Tidal’s free Community Edition: https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2
Gootloader, also referred to by its related payload, #Gootkit, first emerged in 2014 but has been especially active since 2020. Despite this, technical reporting around its TTPs has been relatively light until even more recently. In the past two years alone, verticals including finance, #healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, #IcedID (a common #ransomware precursor), & more. Industry-based #threat profiling can be a powerful tool, but even if your industry (or your corner of it) hasn’t yet directly observed Gootloader activity, we believe broad-based threats like this should be on most teams’ radars
Our matrix summarizes Gootloader TTPs detailed across several great recent technical reports. Reports from SentinelLabs, Cybereason, & The DFIR Report were helpfully pre-mapped to #mitreattack, and we mapped a couple other detailed analyses. Procedural details are even available for nearly all the included technique mappings – be sure to click the Technique Set’s label in the ribbon at the top of the screen to pivot into the Details page with this information & relevant source links throughout
Red Canary & The DFIR Report helpfully provided tool-agnostic suggested #detection logic for key behaviors observed during recent Gootloader campaigns here https://redcanary.com/blog/gootloader/ and here https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/. Take a wider view by layering entire segments of your defensive stack over the #CTI back in the Community Edition, by toggling on any of the mappings available in @tidalcyber's Product Registry https://app.tidalcyber.com/vendors
#SharedWithTidal #threatinformeddefense #CobaltStrike #initialaccess #blueteam
#detection #cti #sharedwithtidal #threatinformeddefense #cobaltstrike #initialaccess #blueteam #Gootloader #malware #ttp #Gootkit #healthcare #icedid #ransomware #threat #mitreattack
Wondering how to best identify the cyber threats most relevant to your organization? It's not too late to register for our cyber threat profiling webinar! Join us LIVE today at 1 PM ET to learn how to get started building a threat profile and how to use your profile to defend your organization. Can't make it at 1? Register anyway for the recording and slide deck.
#threatintel #cybersecurity #threatinformeddefense #cyberthreatintelligence #webinar
Identifying the threats relevant to your organization is a critical piece of implementing threat-informed defense, but it can also be difficult! Join us on February 15 as Tidal's Director of CTI walks through how to build a threat profile for your organization so you can more effectively and efficiently defend against threats.
#threatinformeddefense #threatintel #webinar #cybersecurity
As we've said in previous posts and in our 2023 threat landscape webinar, #infostealers are one of the top threats we're tracking this year. These pieces of malware are often thought of as more of a personal concern due to their association with pirated video games, but they're increasingly targeting enterprises for a bigger and more valuable information haul.
Today we're excited to release our Director of CTI's latest blog, in which he details specific ways you can defend against many of the techniques used by infostealer operators, and shows you how the Tidal Community Edition can help you with these defenses.
Check it out!
#threatintel #ttp #cybersecurity #threatintelligence #threatinformeddefense
#infostealers #threatintel #ttp #cybersecurity #threatintelligence #threatinformeddefense
With #Hive ransomware infrastructure taken down last week and speculation of similar action against #LockBit, which groups will likely take the “top” #RaaS spots in the first part of the year? If you don’t track #ransomware-as-a-service closely, you may not realize how many other groups regularly carry out attacks (or at least claim & extort victims publicly)
Since the takedown on Thursday, five RaaS groups have claimed nearly 30 victims publicly, with LockBit 3.0, #Clop, and #ViceSociety leading the pack. In our ransomware landscape briefing last week, a participant asked which group concerned us most into the new year. My answer is “most”, as seen in the slide here (but if I had to narrow it down, I’d choose LockBit in the short term, and Vice Society in the medium/longer term)
Last week I argued that many, if not most, of the “top” groups (measured quickly by last year’s victim count) should be on most security teams’ radars. While there are some notable trends in victim sectors, like a relative increase in attacks on public services organizations, in general most of the leading groups are associated with a broad range of victim verticals (a similar trend holds for victim size too – a relative rise in mid-sized organizations, but still a notable number of large enterprises like in years past)
Rather than burn resources trying to track each new victim associated with each group every day, there is value in identifying top common tactics, techniques, & procedures among groups with generally similar motivations & victim patterns, and focusing response drills, defensive reinforcements, log source & detection tuning, and, where resources allow, unit testing or adversary simulation or emulation around that subset of TTPs
Our living matrix of top ransom & extortion group #TTPs is found here, covering nearly 30 groups and 175 techniques, although the cluster of top common ones is much smaller. Click the labels in the ribbon at the top to see source references for every mapping and procedural details for many: https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a
You can also catch the recording of last week’s session and slides with this and similar metrics & graphics on-demand here: https://www.brighttalk.com/webcast/19703/570527
#hive #lockbit #raas #ransomware #clop #vicesociety #ttps #threatinformeddefense #ttp #risk
We're excited to welcome @ibmsecurity to the Tidal Product Registry today! You can now explore their mappings in the Tidal Community Edition.
Our Chief Innovation Officer, Frank Duff, sat down with Jason Keirstead, CTO of Threat Management at IBM Security, as part of our We've Got This Covered: An ATT&CK Coverage Introspection fireside chat series. Check out the video for some great lessons learned over the years of using MITRE ATT&CK® and why IBM Security is excited to be part of the Product Registry!
#cybersecurity #threatinformeddefense
Prioritizing TTPs for ransomware linked to Royal Mail attack
After media reports linking #LockBit ransomware to the attack on the UK’s largest mail delivery service, which halted some delivery operations (https://www.bleepingcomputer.com/news/security/royal-mail-cyberattack-linked-to-lockbit-ransomware-operation/), we revisited our technique set for this #threat and added 20 technique references (including six net-new techniques linked to this malware in our knowledge base). View the data here: https://app.tidalcyber.com/share/bcc36246-50b7-41c0-9e43-57cb07db59ad
LockBit 3.0 emerged in July as the latest variant in this highly active family of ransomware-as-a-service (RaaS). LockBit was likely the single most active #ransomware cluster of 2022, accounting for the most publicly extorted victims last year by far (a very rough approximation for overall activity – more on the nuances of public victim data below)
Considering threats to your industry & immediate peers is a great entry point to building a cyber “threat profile”. Many of the top #RaaS, including LockBit, stand out for the breadth of sectors they’ve victimized – often, if you look hard enough, you can likely find at least one victim in a given vertical associated with a particular RaaS family. It’s therefore usually pertinent to evaluate many of these threats in your profiling efforts and consider taking some steps to reinforce defenses around them
Likely in part due to extra scrutiny, LockBit 3.0 has more linked techniques (57) than any other threat in our Ransomware & Data Extortion Landscape mega-matrix (https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a). That is orders of magnitude fewer than the number of associated indicators (see here for just one indication of volume https://valhalla.nextron-systems.com/info/rule/MAL_RANSOM_Lockbit_Jul22_1) but still a fair amount worth prioritizing. A good entry point for this involves gauging the widest gaps between highest-density techniques (those seen most often in your data) and those you’ve determined you are most- or least-defended against. The attached table shows Sigma, Atomic Red Team, & Data Component coverage for select LockBit 3.0 techniques – these and many commercial capabilities can all be easily surfaced, pivoted to, or overlaid in Tidal’s free Community Edition
And while technique counts are usually much smaller than IOC volume, remember adversaries can & do (increasingly) evolve their TTPs, underscoring the importance of intelligence tracking over time where team resources & bandwidth allow: https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps
#SharedWithTidal #threatinformeddefense #RoyalMail
Finally, several recent thoughtful articles and discussions comment on important nuances to consider when looking to victim extortion/data leak sites to gauge ransomware prevalence: https://www.ohadzaidenberg.com/post/victimology-analysis-and-data-leaks-site
https://www.curatedintel.org/2022/11/the-difficulties-and-dubiousness-of.html
https://twitter.com/uuallan/status/1597950775216394240
#lockbit #threat #ransomware #raas #sharedwithtidal #threatinformeddefense #royalmail
#Rhadamanthys #stealer seems to be having a moment right now. Quick rundown on what we know about infection trends & its post-exploit TTPs
Discovered last summer, it's one of several popular & emerging #infostealer #malware families with new/improved evasion and/or theft capabilities observed in recent months. Like many popular families, Rhadamanthys is delivered through multiple initial infection vectors, including #phishing & #spam email attachments and - increasingly - legitimate web search ads: https://www.malware-traffic-analysis.net/2023/01/03/index.html, https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
In our broad analysis of the infostealer threat landscape, we identified #mitreattack TTPs associated with 16 families across dozens of public reports. We've already added more reported techniques to Rhadamanthys' set since the report dropped this week https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w
Public reporting on this threat is still somewhat limited to date, although we've identified 22 (sub-)techniques associated with Rhadamanthys so far. Visualize them and pivot to associated defensive & offensive testing capabilities here: https://app.tidalcyber.com/share/techniqueset/48405ee2-b243-4bda-a6c2-75eb80869056
In addition to the reports above, two other resources are here: https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web, https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/. Thanks to the teams that have published great reporting & analysis around Rhadamanthys so far, including ThreatMon, Accenture, @malware_traffic & Cyble
#rhadamanthys #stealer #infostealer #malware #phishing #spam #mitreattack #threatinformeddefense #credentials #cookies #mfa #2fa
Proud to share our second analysis piece, which just went live! BLUF: All the pieces are in place for a serious, near-term uptick in infostealer threats involving higher-value targets, including businesses of all sizes, paralleling the shift among top ransomware groups toward “big-game” targets in years past. Part 1 details our evidence that intent, opportunity, & capability (the components of a “threat”) are all rising, and Part 2 will share our process for using this threat intelligence to drive development of new detections around the TTPs most commonly shared across today’s top stealers.
Despite a little more attention over the past year or so, I’ve sensed for some time that infostealers remain an “underrated” concern relative to the level of threat they pose to organizations, and there has yet to be a broad threat assessment or analysis of common techniques at quite this scale. Entirely based on (a large body of) public reporting, I think we’re able to draw unique insights in this series, and @tidalcyber's Community Edition made it a lot easier to get there.
Despite (what we see as) a rising threat, it’s not all doom and gloom – there are some extremely practical steps defenders can take to really lower the risk profile. Throw a few straightforward detections that we’ve compiled (they’ll come with Part 2, still cleaning up some rules sorry) in place, which cover many flavors of technique implementations associated with a wide range of these threats. Once you’ve set (and ideally validated) this coverage, consider tackling the likely more complex task of reviewing and tuning relevant people- and technology-related mitigations, including around identity & access (where today’s stealers pose some tricky challenges) and policies for responsible device use (to counter trending initial access vectors covered here in Part 1).
#infostealer #RedLine #Raccoon #StealerNoStealing #threatinformeddefense #SharedWithTidal #malware #risk
https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w
#infostealer #redline #raccoon #stealernostealing #threatinformeddefense #sharedwithtidal #malware #risk
Today we’re sharing initial versions of two dashboards that summarize the top attack techniques associated with two major trends from the past year. Both are rich with recent supporting evidence and fill important gaps around timely, aggregated, actionable information related to key threats that we expect will persist (and likely grow) in 2023.
Consider bookmarking both dashboards – we also expect we’ll need to update the groups & malware (and associated techniques) as activity continues into next year.
First is a roundup of #TTP associated with major #infostealer malware. This covers a total of 265 technique references (across 83 unique techniques) associated with 10 credential/info stealers that have been highly active over the past year-plus or emerged in recent months. Some likely familiar names, like Raccoon (and its v2 iteration), RedLine, & Mars, but also many others. The volume of #credentials stolen by malware like these has skyrocketed in recent years, and this vector has contributed to some of the past year’s most high-profile breaches. Many initial infections occur through individual personal downloads, but this is a multi-faceted threat that absolutely creates risk for organizations too. Check out the dashboard in Tidal’s free Community Edition here: https://app.tidalcyber.com/share/ec62f5e0-bd40-476b-a560-7ad2779ea9e3
Next is the Data Extortion Ecosystem TTP map. Driven by a few factors, most notably speed, we’ve observed a clear shift among some groups in the #ransom/extortion space toward attacks that feature no actual #ransomware-based encryption, but rather just data exfiltration (and in some cases outright data destruction or manipulation). This combined heatmap covers eight groups & software leading this trend, including some covered recently in U.S. federal government CTI reporting, like LAPSUS$ & Karakurt, but also a few lesser known threats (RansomHouse and…Donut Leaks?). Currently this covers 135 technique references (across 68 unique techniques), but I definitely expect this set to evolve into early next year & beyond: https://app.tidalcyber.com/share/1a265091-97af-4491-bce7-3d94c4935406
Consider these early previews of some of our top #CTI content themes for the first half of 2023 – lots more written analysis to come on these, and if you want the full picture, sign up for our 2023 threat landscape briefing, scheduled for noon ET on January 10! https://hubs.la/Q01v-PN00
#ttp #infostealer #credentials #ransom #ransomware #cti #threatinformeddefense #sharedwithtidal
⚠️ Cuba Ransomware resources drop ⚠️
A new ransomware advisory comes in hot to one of your intelligence channels – what are your next steps? In our latest video, we walk through our approach to a situation like this, which analysts face almost every day amid growing volumes of CTI shared in the community today https://www.youtube.com/watch?v=K1a6Mac1-y4
Link to the latest @CISA @FBI #StopRansomware alert on Cuba Ransomware, published Dec 1 (and updated just yesterday) https://www.cisa.gov/uscert/ncas/alerts/aa22-335a
Past advisories on five other #ransomware highly active in targeting U.S. critical infrastructure – and many other – organizations just this year: https://www.cisa.gov/stopransomware/stopransomware
According to the alert, “Since spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims.” We’re likely to see more of this “TTP evolution” theme in 2023. Adversaries continue to evolve their TTPs rapidly and often, and we recently had the chance to write more about this trend on our blog: https://www.tidalcyber.com/blog/adversary-ttp-evolution-and-the-value-of-ttp-intelligence
(And here’s another piece covering TTP evolution relative to another top malware, QakBot https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps)
In the walkthrough, we highlight metrics around threats made on ransomware “extortion blogs” as just one public data point around Cuba’s growing threat in recent months. The figures come from this incredible public dataset https://github.com/joshhighet/ransomwatch
The rest of the walkthrough centers on our free Community Edition tool. Jump into it here: https://app.tidalcyber.com/. No registration is required to access a ton of features (including everything shared below) but you know the drill: you’ll ultimately find the most value with a quick email sign-up 📋
#Cuba Ransomware details from #mitreattack https://app.tidalcyber.com/software/095064c6-144e-4935-b878-f82151bc08e4-Cuba
Technique set for Cuba TTPs published in February https://app.tidalcyber.com/share/6fbf994c-d6c9-42fd-8ee9-8954865d6d6f (source: https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware)
Cuba technique set based on CISA’s/FBI’s new alert: https://app.tidalcyber.com/share/11c631bc-be34-463d-9d24-852a6f414b2a
Script to quickly convert techniques & procedures from recent #CTI into a technique “layer” json file: https://github.com/mitre-attack/attack-navigator/blob/master/layers/attack_layers/attack_layers_simple.py
LSASS Memory technique details page, with pivots to aligned defensive capabilities, detection analytics, & tests: https://app.tidalcyber.com/technique/ab0da102-5a14-42b1-969e-5d3daefdf0c5-LSASS%20Memory
Cuba Ransomware report referencing LSASS Memory & Disable or Modify Tools techniques: https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
Disable or Modify Tools technique details page: https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6-Disable%20or%20Modify%20Tools
Final Cuba Ransomware technique time series comparison/overlay: https://app.tidalcyber.com/share/7631b2a7-2c0d-49ee-ac12-ca9c92ad4a72
Dashboard we’re maintaining covering all TTPs from the #StopRansomware alert series, currently spotlighting six high-priority ransomware and updated each time CISA publishes a new alert: https://app.tidalcyber.com/share/9c1f08a2-b823-4e11-a8a5-01335fb0215e
Join the Tidal Community Slack channel to engage with & learn from others throughout the #threatinformeddefense space https://join.slack.com/t/tidalcommunity/shared_invite/zt-1ljrtdtkm-VGi8fa5VYhLma4o1Vu33nA
Catch this and other walkthroughs on the @tidal Cyber YouTube channel https://www.youtube.com/@tidalcyber6071
#cyberthreatintelligence #cybersecurity #OSINT #SharedWithTidal
#stopransomware #ransomware #cuba #mitreattack #cti #threatinformeddefense #cyberthreatintelligence #cybersecurity #osint #sharedwithtidal
Recently, CISA put out an alert highlighting Cuba Ransomware. In this video, Tidal's Director of #cyberthreatintelligence breaks down the report, how the TTPs associated with Cuba Ransomware have evolved, and how to track that evolution using the Tidal Community Edition.
https://www.youtube.com/watch?v=K1a6Mac1-y4
#cybersecurity #threatinformeddefense #cti #threatintel #osint #ransomware
#cyberthreatintelligence #cybersecurity #threatinformeddefense #cti #threatintel #osint #ransomware
Brush up on #APT41 TTPs in light of the news the China-linked group ran a campaign to steal millions’ worth of U.S. state government COVID-19 relief funds https://www.nbcnews.com/tech/security/chinese-hackers-covid-fraud-millions-rcna59636
APT41 is relatively unique among suspected Chinese #APT groups for carrying out repeated cyber attacks for both #espionage and likely personal financial gain. The recent news isn’t the first to highlight the group’s dual motivations – it has been observed conducting financial operations since at least the mid-2010s: https://content.fireeye.com/apt-41/rpt-apt41
A few reports from this year give insight into APT41’s recent attack techniques:
Original report on APT41 attacks involving U.S. state government entities from March: https://www.mandiant.com/resources/blog/apt41-us-state-governments
Review of four APT41 campaigns observed last year, published in August: https://blog.group-ib.com/apt41-world-tour-2021
Threat activity details associated with a “new subgroup” of APT41, which seems especially focused on victims in south/southeastern Asia (published last month): https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
ATT&CK’s knowledge base gives a good baseline of APT41 behavior, covering 59 techniques sourced from eight reports published through June 2021 (yellow in my dashboard screenshot). I layered on the 62 techniques referenced in the latter two reports above (blue & purple in my matrix, respectively) for a broader picture that also lets us compare & contrast techniques observed in different series of activity. Links to everything follow:
APT41 profile & techniques: https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9-APT41
Technique set for August report: https://app.tidalcyber.com/share/ae8d346d-45d8-4686-b2cd-1a645ffb76dc
“Earth Longzhi” techniques: https://app.tidalcyber.com/share/b60fe3ab-3328-404c-9bc5-1141ec0918c4
Combined heatmap: https://app.tidalcyber.com/share/463e944a-da97-4272-8a38-2caad7124a4a
Search or filter attack Groups by Motivation, Suspected Attribution, and Observed Sectors & Countries: https://app.tidalcyber.com/groups
#apt41 #apt #espionage #cti #fraud #ttp #threatinformeddefense #sharedwithtidal
Excited to share @tidalcyber's first original #TTP intel analysis piece! I've noticed a steady stream of #QakBot news in my feeds the past few weeks, making it challenging to keep track of what is new, what's already known, and what can be done about this persistent threat.
Breaking up QakBot's TTP evolution into a few smaller chunks helped make better sense of the trends by highlighting distinct techniques observed more over certain recent time periods. We can then turn to a number of great public resources that community members have recently shared, to take measurable steps toward improving defenses in line with these behaviors.
#CTI
#threatinformeddefense #SharedWithTidal
https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps
#ttp #qakbot #cti #threatinformeddefense #sharedwithtidal
Is #QakBot on your mind? It probably should be! This prolific piece of malware is of concern to most organizations, and its operators have been steadily evolving their techniques. Learn more in our latest blog from our Director of #CTI!
#cybersecurity #cyberthreatintelligence #threatinformeddefense
#qakbot #cti #cybersecurity #cyberthreatintelligence #threatinformeddefense