Christopher Glyer
@cglyer.bsky.social
Microsoft Threat Intelligence Center - Former Incident Responder & Chief Security Architect @Mandiant
That’s the only one I’ve seen so far
July 6, 2023 at 9:41 PM
Notable Storm-0875 tradecraft (cont’d)
4. Multiple methods of persistence (RMM deployment, remote access via internet-facing RDP, identity provider federation, Golden SAML, VMs spun up in victim cloud infrastructure)
5. Generally shy away from deployment of backdoors
6. Social engineering
July 6, 2023 at 12:58 PM
Notable Storm-0875 tradecraft
1. Initial Access: SMS phishing + AiTM, or purchased infostealer logs (bypasses most defenses)
2. Privilege escalation via SIM swapping or call forwarding on a global admin’s personal phone
3. Time from initial access to global admin is often within hours
July 6, 2023 at 12:56 PM
Wouldn’t a middle ground be to require orgs to notify authorities if they pay an extortion demand and to report the crypto wallet address and any other pertinent identifiers (copy of the ransom note, email addresses used, etc.)?
June 17, 2023 at 9:16 PM
“Ransom deployment of a cl0p payload”

Thanks autocorrect
June 17, 2023 at 9:14 PM
Clop/Lace Tempest operates in two modes
1) traditional enterprise compromise/priv esc (using backdoors like truebot), data exfil, and random deployment of a clip ransom payload
2) broad exploitation of file transfer software that leads to data extortion only

They stop doing #1 when focused on #2
June 17, 2023 at 9:14 PM