Members of Curated Intel have compiled a public list of IOC feeds and threat reports focused on the recent Log4Shell exploit targeting CVE-2021-44228 in Log4j.
⚠ A well-known Initial Access Broker (IAB) on a cybercriminal underground forum has reappeared after a several month hiatus, now offering a 0day RCE vulnerability, as well as domain admin access, and network hacking services
#cti #cybercrime #threatintel
🇷🇺 OSINT on REvil
In this feature, @SttyK shares geolocation reports related to the #REvil ransomware gang. In January, Russia's #FSB announced the arrest of some REvil ransomware gang members; the raid videos reveal some of their home addresses.
🔗
Curated Intel is working with analysts from around the world to provide useful information to organisations in
#Ukraine
looking for additional free threat intelligence feeds.
The CI community will update this repository as the situation progresses.
⚠️PSA: Curated Intel DFIR teams noticed a severe uptick in Akira Ransomware cases in Jan 2024.
Same repeated TTPs:
- Dwell times of < 4 hours on average
- Cisco ASA VPN for Access
- WinSCP for exfil / WinRAR for compression
- AnyDesk RMM for persistence
- 'w.exe' Akira payload
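A hunt for this chain, written as an added example and not Curated Intel's own tooling: for every successful Cisco ASA VPN login it collects, per account, the PSA's tools (AnyDesk, WinRAR, WinSCP, w.exe) seen within the four-hour dwell window and reports when two or more stages line up, or when the payload itself appears. The event schema, the process image names and the sample events are assumptions constructed for the example; map them onto your own telemetry (ASA syslog, Sysmon event ID 1 or EDR process events) before use.

```python
"""Correlate ASA VPN logins with the Akira tool chain from the PSA.

Added example, not Curated Intel tooling. Event layout, image names and the
sample events below are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta

# Tools from the PSA. Image names are an assumption about how each tool shows
# up in process-creation telemetry.
TOOL_STAGES = {
    "anydesk.exe": "persistence:anydesk",
    "winrar.exe": "compression:winrar",
    "winscp.exe": "exfil:winscp",
    "w.exe": "payload:w.exe",
}
DWELL_WINDOW = timedelta(hours=4)  # PSA: dwell times of < 4 hours on average

# Constructed events. "asa_vpn" rows stand for Cisco ASA remote-access logins,
# "process" rows for process creation; both carry the account involved.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T02:01:00", "source": "asa_vpn", "user": "jdoe", "host": "asa-edge", "detail": "result=success"},
    {"ts": "2024-01-15T02:20:00", "source": "process", "user": "jdoe", "host": "srv-fs01", "detail": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"ts": "2024-01-15T03:05:00", "source": "process", "user": "jdoe", "host": "srv-fs01", "detail": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"ts": "2024-01-15T03:30:00", "source": "process", "user": "jdoe", "host": "srv-fs01", "detail": r"C:\Program Files (x86)\WinSCP\WinSCP.exe"},
    {"ts": "2024-01-15T04:10:00", "source": "process", "user": "jdoe", "host": "srv-fs01", "detail": r"C:\ProgramData\w.exe"},
    # Benign admin activity: WinRAR with no VPN login in the window.
    {"ts": "2024-01-15T09:00:00", "source": "process", "user": "admin", "host": "wks-042", "detail": r"C:\Program Files\WinRAR\WinRAR.exe"},
    # Legitimate remote user: VPN login, then a single tool a day later.
    {"ts": "2024-01-14T01:00:00", "source": "asa_vpn", "user": "svc_backup", "host": "asa-edge", "detail": "result=success"},
    {"ts": "2024-01-15T01:00:00", "source": "process", "user": "svc_backup", "host": "srv-db02", "detail": r"C:\Tools\WinSCP.exe"},
    # A failed login must not open a correlation window.
    {"ts": "2024-01-15T05:00:00", "source": "asa_vpn", "user": "mallory", "host": "asa-edge", "detail": "result=failure"},
]


def image_name(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, window=DWELL_WINDOW, min_stages=2):
    """For every successful VPN login, collect the tool stages seen for the same
    account within `window`. Report when at least `min_stages` distinct stages
    appear, or when the w.exe payload itself is seen."""
    logins = [e for e in events
              if e["source"] == "asa_vpn" and "result=success" in e["detail"]]
    procs = [e for e in events if e["source"] == "process"]
    findings = []
    for login in logins:
        t0 = datetime.fromisoformat(login["ts"])
        t1 = t0 + window
        stages, hosts = {}, set()
        for p in procs:
            if p["user"] != login["user"]:
                continue
            tp = datetime.fromisoformat(p["ts"])
            if not t0 <= tp <= t1:
                continue
            stage = TOOL_STAGES.get(image_name(p["detail"]))
            if stage:
                stages.setdefault(stage, p["ts"])  # keep the first sighting
                hosts.add(p["host"])
        if len(stages) >= min_stages or "payload:w.exe" in stages:
            findings.append({"user": login["user"], "vpn_login": login["ts"],
                             "hosts": sorted(hosts), "stages": stages})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['user']} logged in at {f['vpn_login']}; "
              f"stages on {f['hosts']}: {f['stages']}")
```

With the sample data only the jdoe login is reported, with all four stages on srv-fs01; the lone WinRAR run and the WinSCP run a day after its VPN login are ignored. Keying on the account rather than the host matters because the VPN login is logged on the ASA, not on the server the tools run on.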
🇺🇦 Curated Intel now tracks Ukrainian personal data shared on underground forums. We added a 'data brokers' table to our Repo.
We have documented ~89 instances of Ukrainian data being shared/discussed on underground forums since December 1, 2021.
🔗
🌐 Curated Intel is tracking hacktivist, cybercriminal, and regional APT groups surrounding the war in Israel. We describe the types of campaigns and attacks we've observed so far and have also provided recommendations for CTI analysts monitoring the war.
🌐 Curated Intelligence is sharing a new resource we created for those of you looking to learn more about #CyberThreatIntelligence. This includes a collection of essential reading material & helpful projects created by other #CTI professionals
📣 With the help of Equinix Threat Analysis Center (ETAC)™️ team and the Curated Intel community we have created a GitHub repository to assist with tracking the MOVEit Transfer Hacking Campaign
🇧🇾 Curated Intel member, @SttyK, asked Cyber-Partisans to share a malware sample from the ransom of Belarusian Railway; they sent an incident response report revealing a past compromise of Belarus' Academy of Public Administration.
We investigated.
🔗
🔎 With the help of Curated Intel member @SimulationKYLE, our curated Ukraine Cyber Operations repo has been updated with all pertinent threat reports!
On 2022-01-24, the group 'Belarusian Cyber-Partisans' claimed responsibility for an attack against Belarus' national railway company. An objective of the attack, they claimed, was aimed at hindering Russian troop movements inside Belarus.
Today, they may have stopped trains.
Today the Belarusian Cyber-Partisans group (@cpartisans) staged a cyber attack against the Belarusian railway infrastructure, designed to halt Russian military movements. Trains stopped in Minsk, Orsha, and Osipovichi
The railway system uses Windows XP.
Image via @cpartisans.
Thank you @CISAgov for recommending @CuratedIntel as a resource in your advisory for threat hunting #Log4Shell during DFIR procedures! Our team is very proud of this accomplishment.
🔗 Mitigating Log4Shell and Other Log4j-Related Vulnerabilities:
Enjoy the first Curated Intelligence blog of the year! All about analyzing databases from DDoSaaS platforms! Quite interesting following the recent action by international LEAs around Christmas time.
🔗
#cti #cybercrime #ddos #database #infosec
We expected RaaS, it was a question of time. Some affiliates of the Ransomware-as-a-Service (RaaS) group — #Conti — are observed exploiting #Log4Shell.
RaaS observations will increase and media pages will report on them; at Curated Intel, our updates on Github will remain clear.
We added a new 'IOC Threat Hunt Feed', for threat groups recently targeting Ukraine, to our repo.
Courtesy of @RecordedFuture; we converted their feed to MISP-CSV format, and also added contextual tagging.
🔐Reversing Rook Ransomware
In this feature, @cPeterr shares findings after reverse engineering an emerging ransomware family dubbed Rook. He identified encryption methods; notably, Rook borrows some of the code from the leaked Babuk V3 source code.
🔗
🕒 The Long Game of Cyber Threat Intelligence
In this community feature, @michael_deebo expresses his views on what he calls the "CTI long game" and how CTI teams, as a core component of many security teams, should approach it and why it matters.
🔗
New blog by @bushidotoken following a productive discussion with Curated Intelligence members on threat group naming schemes and why they are important #CTI #Attribution:
I find it odd when other vendors hijack CrowdStrike’s original naming scheme for APTs
🇮🇷 RampantKitten, DomesticKitten, FoxKitten, FerociousKitten
🇨🇳 TwistedPanda, ViciousPanda, SharpPanda
These were not named by CrowdStrike, but by 🇮🇱 or 🇷🇺 vendors 🤔
🚨 Curated Intel observed an adversary on a Russian-speaking cybercrime forum (XSS) offering alleged access to SSH Logins for an Industrial Automation system.
⚠ This is cause for alarm for ICS/OT admins around Initial Access Brokers (IABs) seeking access to industrial tech.
🇺🇦 We feel for the people of Ukraine. We do hope to help.
Curated Intel is assessing the resources available to us. We are determining how cyber threat intelligence can be coordinated to support Ukrainian organizations and their allies.
Please keep up the good work, everyone.
🌐 Additional updates to the Curated Intel GH tracking MOVEit exploitation
Up to 30 new victims added in July, thus far. See our repo tracking the progression of uploads by CL0P as well as victim disclosures.
Also, follow @BrettCallow for updates too
There is an ongoing campaign creating mass amounts of pro-Russian political propaganda, written in Chinese-language, via GitHub issue reports.
These messages criticize open-source projects/maintainers for supporting Ukraine, including our 'Ukraine Cyber Operations' repo.
Curated Intel members have solved the confusion around unconfirmed "new ransomware" being deployed via #Log4Shell.
This ransomware is named "TellYouThePass", it mostly attacks Chinese systems, and it does not operate using the feared RaaS model.
Details:
🔐 Curated Intel member, @1ZRR4H, observed QNAP ransomware events being reported via IoT search engines, including Shodan and Censys.
🔗 Shodan (1160 events):
🔗 Censys (3687 events):
Tip: use country tags to search by country.
Here it is 🥁.... the panel of the #BazarLoader botnet, aka #BazarBackdoor, used by the Conti Ransomware operators 🔥🔥🔥
608 unique domains extracted from the bots section (possibly compromised companies) 🌶️
[+] #ContiLeaks 🕵️♂️
🔒 Curated Intel Community Feature: @cPeterr shares his findings after reverse engineering PLAY ransomware's code obfuscation and encryption features
🔗
#CTI #ThreatIntel
🌍 Curated Intel continues to provide OSINT situational awareness updates on the #WarInUkraine. Threat reports from the start of June 2022 have been added:
At that time, a member of Curated Intel, @SttyK, reached out to the group.
The Belarusian Cyber Partisans shared documents related to another hack, and explained that [we] would “understand some of the methods used.”
We wrote a report, to add context:
🛰️ #GEOINT on Russian Military at the Border of Ukraine
CI's Eye in the Sky @rag_sec investigates what #Russia is potentially bringing to the fight if (or when) they invade #Ukraine
🔗
We thank KPMG-Egyde's CTI team, particularly @0xDISREL, for their Github Repository contributions:
- Added Ukraine-Russia IOC Threat Hunt Feeds
- Updated Log4Shell IOC Threat Hunt Feeds
The IOCs are formatted as MISP-CSV, useful for indicator sweeps.
🔗
ℹ️ CI Chat E03 - Conti Ransomware
"The playbook for Conti was recently leaked by an affiliate, but what does that mean for enterprise operations and defenders?"
🎤A special thank you to everyone who participated!
🔗Available on Spotify, etc:
#Conti #RaaS
We collectively express gratitude to @campuscodi for keeping everyone updated on the latest cybersecurity news! Reporting that is both accurate and swift is no easy feat, especially when sustained over many years.
Congratulations on your success, Catalin — enjoy this break!
📷 BlackVue dashcam privacy leaks disclosed
In this feature, @ZephrFish uncovered a concerning private-information leak in BlackVue vehicular dashcams. Anyone with the app can find vehicles broadcasting their geolocation and monitor the dashcam footage.
🔗
We did a thing! Freddy M and I have worked since early 2023 on a side project to create:
_The Threat Actor Profile Guide for CTI Analysts_
We hope the wider #CTI community finds this as helpful as the @CuratedIntel members did.
🔗
🔗
💰 Curated Intel member, @Bank_Security, shared an overview of the most commonly advertised information related to financial institutions on the Dark Web in 2021. He notes that cybercriminals are most focused on acquiring databases via the underground.
🔗
We added a new 'IOC Threat Hunt Feed', for recently registered Ukrainian domain names, to the 'Ukraine Cyber Operations' repo.
Courtesy of @DomainTools; we converted their feed to MISP-CSV format, and also added contextual tagging (h/t @0xDISREL).
🔗
We were honored to have three Curated Intelligence members take part in the CTI panel "Threat Report Roulette" which was live streamed by the Blue Team Village at DEFCON29: @BushidoToken, @0xDISREL and @Ch33r10
We are actively tracking emerging Log4j threats within the Curated Intel community:
- Added analyst notes to add contextual insight about IOC usability and reliability.
- Exploring centralizing all IOC sources in a daily threat hunting feed (format: CSV, MISP).
This week, we will update the #Log4Shell threat hunt feeds to include IOCs not captured since our last update.
Since we set IOC retention to 90 days, it is a good time to update: ~90 days have passed since that crisis blew up.
cc @0xDISREL @matthieugarin @CuratedIntel
Is it just me, or has everyone forgotten #log4hell .. is it just me, or do few people understand that they have been inside their networks for weeks .. and when it blows up, it is going to hurt very, very badly ... Some of the targets that have already been targeted ..
We are working with corporate collaborators to prepare centralised, all-encompassing threat hunt feeds. We will be prepared to publish them next week.
"Slava Ukraini. Glory to Ukraine."
The ID-Ransomware (IDR) analysis of @PolarToffee, cross-validated with a ransom note analysis of @nokae8, indicates that #TellYouThePass ransomware has been deployed after exploiting #Log4j2 (CVE-2021-44228).
@GossiTheDog @80vul On IDR, we've seen a very sudden spike in submissions for what is a very old ransomware (TellYouThePass) today. Not saying they are using log4j2 but that's certainly interesting.
🎤 Curated Intel member, @euphoricfall, will be speaking about the importance of human networking in the CTI industry.
The presentation takes place on January 28 and requires pre-registration for the SANS CTI Summit, which is free:
Catch me this Friday at the @SANSInstitute CTI Summit to talk about the current state and potential of CTI networking.
Here's a teaser of the research findings I'll be revealing for the first time 👇
In one "issue" report, the new GitHub account "ChinaLoverussia" (created today) has lots to say. Shortly after we closed the issue, the issue was deleted, and their account disappeared.
Disclaimer: stating the obvious here, but this is false Russian propaganda.
Curated Intel members, @SteveD3 and @BushidoToken, go on record to discuss what we know about the 'Belarusian Cyber Partisans' and their targets.
Thank you @AJVicens for covering this story.
BREAKING: Taiwan’s Presidential Office just confirmed that at around 17:15 local time, the Presidential Office’s website was hit by an overseas DDoS attack. The attack traffic was 200 times that of a normal day, causing the official website to be down for 20 minutes. (1/2)
For our first blog, learn with the diligent @BushidoToken about leveraging Virus Total for threat investigations (report interpretation, mapping relationships in graphs, et al.)!
#TrackThePlanet #VirusTotal #CTI
⚠️So you have heard about the Twilio breach?
SMS #phishing messages were sent to Twilio staff resulting in multiple employees' accounts being compromised 📱
🥷Threat actors then accessed 163 customers resulting in further compromise
Here is a timeline of events...
Thread🧵⤵️
On the note of #ransomware decryption, @emsisoft's team is setting the stage for good practices 🙏
@fwosar published a blog explaining their decryption campaign, helping many #BlackMatter victims recover 💙
More:
🔗
🔗
You figured out how to #decrypt a #ransomware through a cryptographic flaw. You want to help as many victims as possible. You want to make a good decision. So... what's next?
Researcher @BushidoToken lays out five real-world scenarios of what's to come!
On Friday, I had a chat with the folks at @CuratedIntel on Discord about ransomware.
We wrapped just as news of the #KaseyaVSA / #REvil attack broke.
Here is a clip from that conversation, focusing on ransomware deployment.
Full episode is live now:
Use for #Log4Shell threat hunting, not for blocklisting!
CSV #1 + CSV #2 are medium confidence; false positives exist, as they are unfiltered curations kindly provided by @KPMG CTI.
CSV #3 is high confidence; the feed is a filtered curation kindly provided by @Equinix ETAC.
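The feed handling that several of these posts describe (converting a partner feed to MISP-CSV with contextual tags, the 90-day IOC retention, the medium/high confidence split with "hunt, don't block", and using the result for indicator sweeps) fits in one script. What follows is an added example, not Curated Intel's, KPMG's or MISP's own code. The column list follows MISP's CSV export as I know it, but the exact header, the tag vocabulary (campaign:, source:, confidence:), the feed lines and the log lines are assumptions constructed for the example; compare the header with an export from your own MISP instance before importing anything.

```python
"""Raw indicator feed -> tagged MISP-style CSV -> sweep over sample logs.

Added example, not Curated Intel or MISP code. Column layout, tag names,
feed lines and log lines are constructed assumptions for illustration.
"""
import csv
import hashlib
import io
import ipaddress
import re
import uuid
from datetime import date, timedelta

# Assumed column layout of MISP's CSV export; verify against your instance.
MISP_COLUMNS = ["uuid", "event_id", "category", "type", "value", "comment",
                "to_ids", "date", "object_relation", "attribute_tag"]

# A constructed sha256 so the feed carries a hash that matches nothing real.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample payload").hexdigest()

# Constructed feed, one "value,first_seen" per line. Documentation ranges and
# .example names are used so nothing here points at a real host.
RAW_FEED = f"""# value,first_seen
203.0.113.7,2021-12-11
198.51.100.42,2021-09-20
log4j-scan.example.net,2021-12-14
http://cdn.example.org/Exploit.class,2021-12-12
{SAMPLE_SHA256},2021-12-13
not an indicator,2021-12-13
"""

# Constructed log lines for the sweep. Line 0 is a prefix trap (203.0.113.70).
SAMPLE_LOGS = [
    '203.0.113.70 - - [11/Dec/2021:09:58:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [11/Dec/2021:10:02:33 +0000] "GET /login HTTP/1.1" 200 612',
    'dns: client 10.0.0.5 query: log4j-scan.example.net IN A',
    'proxy: user alice GET http://cdn.example.org/Exploit.class 200',
    f'edr: host ws-17 created file /tmp/x sha256={SAMPLE_SHA256}',
]


def classify(value):
    """Map a raw indicator to a (category, type) pair in MISP's vocabulary."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "Network activity", "ip-dst"
    except ValueError:
        pass
    if re.match(r"https?://", v):
        return "Network activity", "url"
    if re.fullmatch(r"[0-9a-fA-F]{64}", v):
        return "Payload delivery", "sha256"
    if re.fullmatch(r"[0-9a-fA-F]{32}", v):
        return "Payload delivery", "md5"
    if re.fullmatch(r"([a-z0-9-]{1,63}\.)+[a-z]{2,63}", v, re.I):
        return "Network activity", "domain"
    return None


def to_misp_rows(raw_feed, *, source, confidence, campaign, today,
                 retention_days=90, event_id="1"):
    """Parse the feed, drop unparseable or expired entries, and tag the rest."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cutoff = today - timedelta(days=retention_days)
    rows = []
    for line in raw_feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 1)]
        if len(parts) != 2:
            continue
        value, first_seen = parts
        kind = classify(value)
        if kind is None or date.fromisoformat(first_seen) < cutoff:
            continue  # unparseable, or older than the retention window
        category, ioc_type = kind
        rows.append({
            "uuid": str(uuid.uuid5(uuid.NAMESPACE_URL, value)),  # stable on re-runs
            "event_id": event_id,
            "category": category,
            "type": ioc_type,
            "value": value,
            "comment": f"first seen {first_seen} in {source} feed",
            # Only high-confidence indicators are flagged for IDS/blocking use;
            # medium ones stay hunt-only, as the post advises.
            "to_ids": "1" if confidence == "high" else "0",
            "date": first_seen,
            "object_relation": "",
            "attribute_tag": ",".join([f"campaign:{campaign}",
                                       f"source:{source}",
                                       f"confidence:{confidence}"]),
        })
    return rows


def write_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=MISP_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def sweep(rows, log_lines):
    """Return (line_index, type, value) for each indicator found in the logs.
    Values are matched as whole tokens, so 203.0.113.7 does not hit 203.0.113.70."""
    hits = []
    for row in rows:
        pattern = re.compile(r"(?<![\w.-])" + re.escape(row["value"]) + r"(?![\w.-])", re.I)
        for i, line in enumerate(log_lines):
            if pattern.search(line):
                hits.append((i, row["type"], row["value"]))
    return sorted(hits)


if __name__ == "__main__":
    rows = to_misp_rows(RAW_FEED, source="partner-a", confidence="medium",
                        campaign="log4shell", today="2022-01-10")
    print(write_csv(rows))
    for hit in sweep(rows, SAMPLE_LOGS):
        print("hit:", hit)
```

With today set to 2022-01-10 the 2021-09-20 address falls outside the 90-day window and is dropped, the malformed line is skipped, and the sweep reports four hits while ignoring the 203.0.113.70 prefix trap. Medium-confidence rows carry to_ids=0, so a MISP sync or an IDS export built from them will not turn a hunt feed into a blocklist.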
Curated Intelligence's @BushidoToken recently discovered a cyber espionage campaign targeting renewable energy companies, using OSINT techniques like DNS scans and public sandbox submissions:
Our team at Curated Intelligence has created a blog for you to follow
We will share everything from general insights to tips & tricks for threat analysts, researchers, and responders!
If you’re responsibly looking into #OSINT about Ukraine/Russia, here’s a resource of publicly available cyber threat intelligence sources.
Created by @CuratedIntel
Includes threat reports and related vendors
Curated Intel is just one of several trust groups in the industry. However, we do hope that by documenting our experience of how we responded to #Log4Shell, we can help other groups organize themselves and contribute to the wider community.
On 2021-12-20 [2/2], Curated Intel members parsed @AlienVault OTX to be MISP compatible with the help of the @KPMG team (Egyde CTI). Pertinent IOCs are stored on OTX that are not covered by the other 11 holistic sources.
🔗 h/t @0xDISREL @TrevorGiffen
This was first confirmed in the Chinese-speaking security community, but not the English-speaking security community.
Sangfor Threat Intel Team captured TellYouThePass ransomware samples and conducted an analysis, deployed via the #Log4Shell exploit.
We hope that this #Log4Shell resource has eased the pressure off of some and helped others with their own intelligence collection and analysis plans.
And finally — Merry Christmas and Happy Holidays — from our team to yours! 🎄