Toby Lewis
@tobaslouis.co.uk
Global Head of Threat Analysis at @Darktrace.com

All things Cyber Security Ops, Threat Hunting, Threat Intel and Incident Mgmt.
However, we can see two other likely scenarios: Either a common supplier or technology used by all three retailers has been breached; or the scale of the M&S incident has prompted security teams to relook at their logs and act on activity they wouldn’t have previously judged a risk.

2/2
May 1, 2025 at 6:12 PM
The outcome in your case is manipulated data. Cyber might provide a means, but so could sending an official letter on letterheaded paper asking them to “correct a record”.

Or does it still count as cyber if I used a computer to write the letter? 😉
January 7, 2025 at 3:10 PM
Absolutely. The outcome in your case is stealing sensitive data. You can do that by paying a guy to walk out with it in a briefcase.
January 7, 2025 at 3:06 PM
In the end, nothing too revealing, but a nice exercise in understanding some of the behind the scenes of how these analysis tools work, and how you *could* get caught out.

Fin.
December 31, 2024 at 12:19 PM
By default, and unless you have a premium subscription, Graphs made in VirusTotal are public and form part of their community engagement.

Want to know if anybody is researching an IOC? Want to know what other steps they've made in the investigation? VirusTotal public graphs will tell you.
December 31, 2024 at 12:19 PM
There's a feature in VirusTotal called "Graphs". It's a way of visualising your investigation in a graph format, with your IOCs as nodes.

Much like the classic Always Sunny in Philadelphia / Pepe Silvia meme:
Alt: Always Sunny in Philadelphia/Pepe Silvia meme
December 31, 2024 at 12:19 PM
But wait, there's more (again)
Alt: But wait, there's more meme
December 31, 2024 at 12:19 PM
Some of that research doesn't seem to have survived the passing of time (it was 10 years ago!), but the principles of his work survive in this Google Doc:
VT Research
Purpose Research Foundation VT-MIS and Private API Metadata Results Structure Collection Process Derived Hash Values and Account Types Identifying Interesting Activity Actor Account Characteristics Up...
docs.google.com
December 31, 2024 at 12:19 PM
The submitter hash itself is not queryable in VirusTotal, but I remember some research by @9bplus.bsky.social back in 2014 that showed it was possible to track what files a specific submitter had uploaded, and with it, track threat actors testing their malware.
December 31, 2024 at 12:19 PM
I've come across this before, with an organisation I was working with, who had integrated a mail scanning appliance with VirusTotal, which meant it was automatically uploading EVERY email attachment to VirusTotal for analysis.

Probably not a great approach in hindsight.
December 31, 2024 at 12:19 PM
We can also use VirusTotal to tell us how many times this file has been uploaded, and a little bit of information about them.

In this case, by a single user based in the US (by IP-GEO) and uploaded via API.

This means that it either formed part of a script, or came via an integration with another tool.
December 31, 2024 at 12:19 PM
But wait, there's more...
Alt: But wait, there's more meme gif
December 31, 2024 at 12:19 PM
What else was in that "sharedStrings.xml" file - VirusTotal gives you the ability to view the contents of files.

In this case, the only unique strings in the parent XLSX files are the IOCs we already know about. Maybe not the most exciting in this case, but worth a check!
December 31, 2024 at 12:19 PM
In other words, somebody uploaded an XLSX of IOCs to VirusTotal, which then broke apart the constituent components as separate files.

Then, realising that they made a mistake, requested that VirusTotal take down the original XLSX file.

Unfortunately, that still left behind the constituent files.
December 31, 2024 at 12:19 PM
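The decomposition described in the posts above is a property of the file format, not of VirusTotal: an XLSX is a zip archive, and the text of every cell lives in one part, xl/sharedStrings.xml. The following is an added example (my own code, not anything from the thread or from VirusTotal) that builds a constructed, minimal XLSX-style archive with placeholder strings, lists each constituent part with its own SHA-256, and pulls out the shared string table, which is what a defender should review before uploading a spreadsheet of IOCs anywhere, since each part gets its own hash that outlives a takedown of the parent file. The sample strings, the namespace constant name and the helper names are my assumptions for the illustration.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample input: placeholder values, not real IOCs.
SAMPLE_STRINGS = ["Indicator", "203.0.113.10", "example-ioc.invalid", "Notes"]

# Default namespace used by the SpreadsheetML shared string table.
SST_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def build_sample_xlsx(strings):
    """Return bytes of a minimal XLSX-style zip holding only xl/sharedStrings.xml.

    A real workbook carries more parts (workbook.xml, worksheets, styles);
    this constructed archive keeps just the part the thread talks about.
    """
    root = ET.Element("sst", {"xmlns": SST_NS,
                              "count": str(len(strings)),
                              "uniqueCount": str(len(strings))})
    for s in strings:
        si = ET.SubElement(root, "si")
        ET.SubElement(si, "t").text = s
    xml_bytes = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", xml_bytes)
    return buf.getvalue()


def list_parts(xlsx_bytes):
    """Map each constituent part name to the SHA-256 of its uncompressed content.

    These are the hashes a scanner records for the parts it splits out, so
    removing the parent archive does not remove them.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist()}


def shared_strings(xlsx_bytes):
    """Extract every cell string from xl/sharedStrings.xml, in table order."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    ns = {"m": SST_NS}
    out = []
    for si in root.findall("m:si", ns):
        # Rich-text cells split one string across several <r><t> runs; join them
        # so a value cannot hide by being formatted in pieces.
        out.append("".join(t.text or "" for t in si.iter(f"{{{SST_NS}}}t")))
    return out


if __name__ == "__main__":
    sample = build_sample_xlsx(SAMPLE_STRINGS)
    for name, digest in list_parts(sample).items():
        print(f"{name}  sha256={digest}")
    print("strings that would be exposed:", shared_strings(sample))
```

Run against a real workbook by replacing the constructed bytes with the file's contents; the part listing will then also show the worksheet and workbook XML, each of which would be scanned and hashed on its own.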