Mark Lechtik
@marklech.bsky.social
Senior TI Analyst @ MSTIC.
Former Senior RE @ FLARE.
Reposted by Mark Lechtik
BinaryDefense has published a technical analysis of the payload (Java webshell) dropped on hacked Cleo file transfer servers

www.binarydefense.com/resources/bl...
Cleo MFT Mass Exploitation Payload Analysis | Binary Defense
ARC Labs recently captured and analyzed the second and third stage payloads used during a Cleo MFT compromise.
December 12, 2024 at 10:30 AM
That smells like a Typhoon.
The email contained a password protected RAR archive named “Detailed Explanation of AS Relationships and the Impact of BGP Flapping on Upstream Networks.rar”. The RAR contains a Microsoft Shortcut (LNK) file which executes a Portable Executable (PE) file contained in a hidden folder named “_MACOSX”.
December 12, 2024 at 11:55 PM
Reposted by Mark Lechtik
Developing story - attack against #BGP peers of a European telco. The malicious emails impersonated that same telco and included the ASN of each recipient in the subject line.
The emails contained a password-protected RAR attachment with the malicious payload.
On December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.

🧵⤵️
Interesting susp targeted phish targeting an Italian telecom.
1) spoofing swisscom (note 'S', domain just reg'd)
2) leveraging encrypted rar + lnk + self signed pdf reader
3) BGP lure (fits with theme of email; BGP is the third leg in the outage triumvirate)
December 12, 2024 at 9:21 PM
Reposted by Mark Lechtik
Our latest report presents Earth Minotaur, a threat actor targeting Tibetans and Uyghurs using Moonshine, an exploitation framework for Android apps described in 2019 by
@citizenlab.ca
leveraging vulnerabilities in applications embedding old versions of Chromium trendmicro.com/en_us/resear...
December 5, 2024 at 8:48 AM
Reposted by Mark Lechtik
@volexity.com's latest blog post describes in detail how a Russian APT used a new attack technique, the "Nearest Neighbor Attack", to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.
Read more here: www.volexity.com/blog/2024/11...
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...
November 22, 2024 at 2:58 PM
Reposted by Mark Lechtik
#ESETresearch reveals the first Linux UEFI bootkit, Bootkitty. It disables kernel signature verification and preloads two ELFs unknown during our analysis. Also discovered, a possibly related unsigned LKM – both were uploaded to VT early this month. www.welivesecurity.com/en/eset-rese... 🧵
Bootkitty: Analyzing the first UEFI bootkit for Linux
ESET's discovery of the first UEFI bootkit designed for Linux sends an important message: UEFI bootkits are no longer confined to Windows systems alone.
November 27, 2024 at 8:34 AM