I am flattered that I have the opportunity to present my 2-day training "A Beginner's Guide To Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs" again at Black Hat USA 2024 and that early bird registration is open and you have two opportunities to take the course!
Day 1 begins with a theory section where we discuss resources and models that can help aid our threat hunting from both an intel and communication perspective. We then move to a section that covers how to extract artifacts from an intel report and how to make those artifacts actionable. Then we create some hypotheses and test them against a set of data to see what we can find.
Day 2 will put all the theory and applications to the test where the students will break into teams, process another intel report, create hypotheses, and hunt again!
Last year was a lot of fun and we received high ratings, so we hope you can join us again this year for the fun! I hope to see you there, but until then, Happy Hunting!
Hmm. People are speculating on the nation state that’s behind the #xzbackdoor and seem to be taking a decidedly Western perspective on this. The suspected threat actors they’re naming are typically Russia, China, Iran, and North Korea.
Folks, I just want to point out that you shouldn’t exclude UK, Israel, France, USA, and many others who are more than capable of this as well. And yes, this could have also been some black hat or even a commercial spyware shop doing this to later sell to the highest bidder.
On install they decrypt Fernet encrypted code, which loads further code from https://funcaptcha[.]ru/paste2?package=asyncioo (replace the parameter with the package name).
I was blocked from accessing that code (am on mobile right now, so I don't have the means to investigate for real, Fernet decryption was already fun :abloblamp: ).
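The post above describes a malicious package whose install script decrypts a Fernet-encrypted blob and executes it, which then pulls a second stage from a remote URL. As an added example (not the poster's code and not the package in question), here is a small static scanner over setup.py-style source that flags that loader shape: a dynamic exec combined with a decrypt call, a cryptography.fernet import, a network client import, or an embedded URL. Both input scripts are constructed for the demonstration and use placeholder values only.

```python
import ast

# Constructed sample of a benign setup.py (not any real package's code).
BENIGN_SETUP = '''
from setuptools import setup

setup(name="example", version="0.1", packages=["example"])
'''

# Constructed sample mirroring the pattern the post describes: an install
# script that Fernet-decrypts an embedded blob and hands it to exec(), and
# imports a network client to pull a second stage. Placeholder values only;
# this does nothing useful when run and is not taken from any real package.
SUSPICIOUS_SETUP = '''
from setuptools import setup
from cryptography.fernet import Fernet
import urllib.request

KEY = b"<placeholder-key>"
BLOB = b"<placeholder-ciphertext>"
exec(Fernet(KEY).decrypt(BLOB))

setup(name="example-typosquat", version="0.1")
'''

# Modules whose presence in an install script is worth a second look.
NETWORK_MODULES = ("urllib", "requests", "http.client", "socket")
DYNAMIC_EXEC_CALLS = {"exec", "eval", "compile"}


def _call_name(node: ast.Call) -> str:
    """Name of the callee for exec(...), Fernet(...), obj.decrypt(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def scan_install_script(source: str) -> dict:
    """Static heuristics over setup.py-style source; returns findings and a verdict."""
    tree = ast.parse(source)
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        else:
            modules = []
        for mod in modules:
            if mod.startswith("cryptography.fernet"):
                findings.add("fernet_import")
            if mod.startswith(NETWORK_MODULES):
                findings.add("network_import")
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DYNAMIC_EXEC_CALLS:
                findings.add("dynamic_exec")
            elif name == "decrypt":
                findings.add("decrypt_call")
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                findings.add("remote_url")
    # Decrypt-then-exec, or exec next to a network client or URL, is the
    # loader shape the post describes; a setup.py has no routine need for it.
    suspicious = "dynamic_exec" in findings and bool(
        findings & {"decrypt_call", "fernet_import", "network_import", "remote_url"}
    )
    return {"findings": sorted(findings), "suspicious": suspicious}


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, scan_install_script(src))
```

Run it over the setup.py of a wheel or sdist before installing; the point of using the AST rather than a regex is that the check survives odd spacing and string formatting, and a hit on "dynamic_exec" alone is worth reading by hand even when the verdict is not "suspicious".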
NHS Dumfries and Galloway finally confirm ransomware, say:
“We absolutely deplore the release of confidential patient data as part of this criminal act.
“This information has been released by hackers to evidence that this is in their possession.
“We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish Government, and other agencies in response to this developing situation.”
INC Ransomware group should go on the shit list if they don’t delete the data and help decryption, it’s a shit target - it’s public healthcare. #threatintel
NHS D&G are saying a small number of patient info has been leaked but there is a lot of wordsmithing going on - they’re talking about just the INC portal posts, and they’re only contacting those patients.
I am hoping the Scottish government tells them not to pay the extortion.
LockBit claim to have got into Lifeline, who do US federal government hosting. They’ve dumped a bunch of Active Directory data which appears authentic, and spans managed and SaaS customers, in an effort to get payment. Some of the domains have FedRAMP in them.
“Lifeline Data Centers Chosen to Supply FedRAMP Services to $50B EIS Federal Contract”
Another Fujitsu security breach, unrelated to the other one - they set up an open S3 bucket called fjbackup, including client data, email server backups, private AWS keys, LastPass vaults, plaintext credentials and more, and left it exposed for over a year until security researchers pointed it out. This happened over a year ago; it looks like they didn't tell anybody.
(And no, I'm not a massive fan of the meme in that article).
Ransomhub #ransomware group are claiming AlphV stole their money for Change Healthcare (this is believed to be true btw), and the operator has given them the data. So now they’re extorting Change Healthcare again. #threatintel