Matthew Kennedy
matthewkennedy.bsky.social
Manager at Microsoft Threat Intelligence Center (MSTIC). Adjunct Faculty at Georgetown University. Penn State Alum. Tweets are my own.
Reposted by Matthew Kennedy
Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. msft.it/6045sE1ux
July 22, 2025 at 1:11 PM
Reposted by Matthew Kennedy
Microsoft is moving antivirus providers out of the Windows kernel
Microsoft wants to avoid another CrowdStrike incident.
buff.ly
June 26, 2025 at 4:20 PM
Excellent work by Mandiant and crew! Great blog!
🔥 new blog detailing 0day exploitation of Ivanti appliances as well as some newly observed malware families tracked as PHASEJAM and DRYHOOK. We also detail activity related to the previously observed SPAWN* malware ecosystem tied to China-nexus cluster UNC5337.

cloud.google.com/blog/topics/...
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.
cloud.google.com
January 9, 2025 at 12:05 PM
MSTIC is hiring in the UK and EU for entry level and senior analyst roles!

jobs.careers.microsoft.com/global/en/jo...

jobs.careers.microsoft.com/global/en/jo...
January 9, 2025 at 12:03 PM
Be sure to check out part 2!

Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine

www.microsoft.com/en-us/securi...
Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine | Microsoft Security Blog
Since January 2024, Microsoft has observed Secret Blizzard using the tools or infrastructure of other threat groups to attack targets in Ukraine and download its custom backdoors Tavdig and KazuarV2.
www.microsoft.com
December 11, 2024 at 9:54 PM
MSTIC is hiring! Current roles in US and AU.

The Microsoft Threat Intelligence Center (MSTIC) is recruiting experienced nation-state threat hunters with highly honed threat intel analysis skills. MSTIC is responsible for delivering timely threat intelligence across our product & services teams.
December 5, 2024 at 6:22 PM
Excellent work by the team!

Another fascinating example of Secret Blizzard using “the tools/infrastructure of at least six other threat actors during the past seven years”
December 5, 2024 at 12:22 AM
Reposted by Matthew Kennedy
New, by me: Security researchers say North Korean hackers, posing as VCs, recruiters, and remote IT workers, have infiltrated "hundreds of organizations" and stolen billions of crypto in recent years to fund the regime's nuke program.

My dispatch from Cyberwarcon: techcrunch.com/2024/11/28/n...
North Korean hackers have stolen billions in crypto by posing as VCs, recruiters and IT workers | TechCrunch
Security researchers say North Korean hackers have infiltrated hundreds of organizations with the goal of taking money and stealing data to further the regime's nuclear weapons program.
techcrunch.com
November 28, 2024 at 2:02 PM
Every holiday season I do a “security tune up” across all my accounts to ensure I’m making use of the best new security features.

What features / tech should I prioritize this year?
November 28, 2024 at 8:40 PM
Reposted by Matthew Kennedy
We are generally way too overconfident in understanding adversary intent.

Activity is straightforward, attribution is tricky and intent is often opaque and relies on organizational politics and bureaucracy inside organizations.
November 24, 2024 at 9:59 PM
One of my favorite aspects about @cyberwarcon.bsky.social is how it’s a yearly homecoming for a group of people with the primary focus of making a positive impact in the digital domain.

Regardless of healthy business competition, there’s a shared camaraderie being in the fight together.
November 23, 2024 at 3:56 PM
Can’t forget to shout out these three GOATs who presented on Storm-2077 today!
Don’t miss Microsoft’s deep dive into Storm-2077, a China-based threat actor targeting U.S. agencies, NGOs, and industries like defense and telecom.

Join Ned Moran, Judy Ng, and Mark Parsons to explore their tactics, from app exploits to spear-phishing.

🔗 www.cyberwarcon.com/registration
November 23, 2024 at 2:03 AM
James crushing it as always. But what's even better is getting to work alongside him each day. An amazing teammate and friend!
James Elliott's DPRK cybercrime talk is a great way to end the day. I love this stuff. nomnomnom. #cyberwarcon #cybercrime #sleuthcon
November 22, 2024 at 10:04 PM
Reposted by Matthew Kennedy
James Elliott absolutely crushing the last talk of the day at #CYBERWARCON.
November 22, 2024 at 9:44 PM
Reposted by Matthew Kennedy
Doppelgänger insight from Meta: Professional/contracted IO has two audiences: the target of the campaign and those who hired them (Kremlin)
November 22, 2024 at 4:05 PM
Reposted by Matthew Kennedy
Made a list of accounts at @cyberwarcon.bsky.social to make it easier to follow along: bsky.app/profile/did:...
November 22, 2024 at 2:44 PM
As always, great insights from Josh and Pratik at Google TAG on IRGC operations. #cyberwarcon
November 22, 2024 at 2:51 PM
The DPRK IT Worker apparatus is a well oiled machine. Few grasp the depth of how many pieces enable these operations.
🚨 New Research Drop:

🇰🇵 DPRK IT Workers | A Network of Active Front Companies and Their Links to China

Summary:
⚪ Newly Disrupted Front Companies by USG
⚪ Impersonating US based software and tech orgs
⚪ Links to still-active front orgs, CN association

Report:
www.sentinelone.com/labs/dprk-it...
DPRK IT Workers | A Network of Active Front Companies and Their Links to China
SentinelLabs has identified multiple deceptive websites linked to businesses in China fronting for North Korea's fake IT workers scheme.
www.sentinelone.com
November 21, 2024 at 8:01 PM
Reposted by Matthew Kennedy
There's been a lot of attention on the Salt Typhoon intrusions. Don't forget the Volt Typhoon prepositioning is still a major problem as well!

www.tenable.com/blog/volt-ty...
Volt Typhoon: What State and Local Government Officials Need to Know
Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attac...
www.tenable.com
November 19, 2024 at 7:39 PM
Excited to support my teammates as they share fascinating insights into threat actors from North Korea and China. Don’t miss these!
www.cyberwarcon.com/agenda-2024 truly incredible agenda. Great mix of OGs and up-and-comers
November 18, 2024 at 1:00 AM
It’s CYBERWARCON week!!!

CTI homecoming is here!
It's good to see some of your pioneering nerds again. We'll have the CYBERWARCON/SLEUTHCON presence updated soon.
November 17, 2024 at 4:28 PM
Reposted by Matthew Kennedy
We have liberated this image from the oppressors @cyberwarcon.bsky.social
November 13, 2024 at 3:51 PM
One of the most fascinating aspects of following DPRK threat actors is observing leading indicators from numerous intrusion sets target the same technology months before an announcement.
North Korean leader Kim Jong Un called for the mass production of attack drones after Pyongyang accused Seoul of flying unmanned aerial vehicles in the airspace over its capital in what it called a “war provocation.”
Kim Jong Un Calls for Mass Production of Suicide Attack Drones
www.bloomberg.com
November 16, 2024 at 12:13 AM