Finished Intelligence Reports

Technical cybersecurity projects are my bread and butter. I've led and participated in a bulk of research - much of which is highlighted below.


Satori Threat Intelligence Alert: PROXYLIB and LumiApps Transform Mobile Devices into Proxy Nodes

HUMAN Security - March 26, 2024

Residential proxies are frequently used by threat actors to conceal malicious activity, including advertising fraud and the use of bots. Access to residential proxy networks is often purchased from other threat actors who build them by enrolling unwitting users’ devices as nodes in the network via malware embedded in mobile, CTV or desktop applications.

The Impact of Residential Proxy Networks: PROXYLIB

HUMAN Security - March 26, 2024

HUMAN’s Satori Threat Intelligence team recently published their research into an operation we dubbed PROXYLIB. This operation used 28 apps on the Google Play Store to enroll devices as nodes in a proxy network when downloaded - 3 million downloads to be exact - without the consumer ever knowing. This created a large residential proxy network for fraudsters to purchase access to.

In Before the Lock: ESXi

Recorded Future - February 13, 2023

As organizations continue virtualizing their critical infrastructure and business systems, threat actors deploying ransomware have responded in kind. Between 2021 and 2022 we observed an approximately 3-fold increase in ransomware targeting ESXi, with offerings available from many groups including ALPHV, LockBit, and BlackBasta. We identified and described detection strategies for multiple TTPs that are often seen prior to the dropping of the ransomware payload in order to create detections and mitigations that are based on real-world, threat-actor use of these tools. In addition to providing tool-specific detections such as YARA and Sigma rules, we also identified detections for common enumeration,...

Detections in the Sky: Sigma Rules to Enhance Cloud Security for the Big Three

Recorded Future - August 23, 2022

Many organizations are migrating their data, resources, and/or services to the cloud. The cloud offers organizations the ability to scale services and provide capabilities that would not otherwise be feasible with the organization's on-premises resources. With the increased use of cloud services, the need for organizations to properly secure and monitor their cloud environments becomes more critical. Attacks against cloud infrastructure look different and require a unique approach to detection when compared to on-premises infrastructure. As a result, cloud infrastructure security best practices are distinct from other best practices that can be applied to conventional infrastructure. While the Big Three...

Initial Access Brokers Are Key to Rise in Ransomware Attacks

Recorded Future - August 2, 2022

Threat actors can gain initial access to networks through infostealer malware infections, initial access brokerage services on dark web and special-access forums, or the purchase of infostealer logs from dark web shops and marketplaces. Other attack vectors, such as phishing, spearphishing, and code injection, are also common on dark web and special-access forums, but their immediate effects are often much less public and visible than the sale of compromised credentials. Using BlackMatter and Conti as examples, we examine the role of credential access in the execution of the attack, from initial access to ransomware deployment. We provide mitigations for credential...

Overview of the 9 Distinct Data Wipers Used in the Ukraine War

Recorded Future - May 12, 2022

While the Ukraine/Russia war is primarily a kinetic conflict, several destructive data wipers targeting Ukrainian entities emerged in the immediate lead-up to and during the first 2-plus months of the war, bringing the conflict to cyberspace. The 9 wipers analyzed by Insikt Group had the same high-level destructive goal but differed in technical implementation and the operating systems they targeted, suggesting that each was a distinct tool, possibly created by different authors. Over time, the wipers also became more simplistic at a technical level, including reductions in the number of stages, the existence of obfuscation, and attempts to masquerade as...

HermeticWiper and PartyTicket Targeting Computers in Ukraine

Recorded Future - March 2, 2022

Insikt Group analyzed the HermeticWiper malware and the associated ransomware component named PartyTicket that were first publicly reported targeting Ukrainian organizations on February 23, 2022. We determined that both components serve the purpose of data destruction, with the “ransomware” component differing significantly in form and function from known criminal ransomware threats.

Protect Against BlackMatter Ransomware Before It’s Offered

Recorded Future - August 4, 2021

Insikt Group analyzed Windows and Linux variants of BlackMatter ransomware, a new ransomware-as-a-service (RaaS) affiliate program founded in July 2021. During our technical analysis, we found that both variants accomplish similar goals of encrypting a victim’s files and appear to have been developed by a relatively sophisticated group. The Windows version of the ransomware employs several obfuscation and anti-reverse engineering techniques, suggesting that it was created by an experienced ransomware developer. BlackMatter’s Linux variant is another example of an emerging trend of malware targeting Linux-based systems, including ESXi and network-attached storage (NAS) devices. Recorded Future has provided reverse-engineering utilities, a...

BlackMatter Ransomware Emerges As Successor to DarkSide, REvil

Recorded Future - July 27, 2021

BlackMatter is a new ransomware-as-a-service (RaaS) affiliate program that was founded in July 2021. According to BlackMatter, “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit”. According to their public blog, the threat actor group does not conduct attacks against organizations in several industries, including healthcare, critical infrastructure, oil and gas, defense, non-profit, and government.

Introduction to Sigma Rules and Detection of Credential Harvesting

Recorded Future - March 8, 2021

The use of credential harvesting tools is a common and powerful way for threat actors to gain additional access to your infrastructure. Details of a recent Ryuk incident show a 15-step procedure for victim compromise, 2 of which include the use of the credential harvesting tools Mimikatz and LaZagne. These tools were used to move laterally throughout the victim’s environment and compromise other hosts on the network. This article details our research regarding Sigma based detection rules for Mimikatz, LaZagne, T-Rat 2.0, and Osno Stealer. Additionally, we provide an initial incident priority level and a high-level response procedure to help...

New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit’

Recorded Future - June 10, 2020

In January 2020, while using the Recorded Future® Platform to monitor the weaponization of the RIPlace technique, Insikt Group uncovered a new family of ransomware for sale on Exploit Forum called Thanos, developed by a threat actor with the alias “Nosophoros.” Nosophoros offered Thanos as a private ransomware builder with the ability to generate new Thanos ransomware clients based on 43 different configuration options. Recorded Future analyzed the Thanos ransomware builder to detect, understand, and exercise the breadth of functionality that the Thanos ransomware can support. The Thanos client is simple in its overall structure and functionality. It is written...

How Insikt Group’s Operational Outcomes Team Drives Action to Reduce Risk

Recorded Future - April 16, 2020

I’m Lindsay Kaye, the director of operational outcomes for Insikt Group®. Insikt Group as a whole produces analyst-generated insights to generate validated intelligence sources within the Recorded Future® Platform. Insikt Group also performs novel security intelligence research in a variety of different areas, including nation-state threat actor groups, threat actors operating in the criminal underground, and all manner of technical topics.

Understanding Accellion’s FTA Appliance Compromise, DEWMODE, and Its Supply Chain Impact

Recorded Future - March 12, 2021

The compromise of the Accellion File Transfer Appliance (FTA) file sharing service impacting nearly 100 clients of the company was enabled primarily by 4 zero-day vulnerabilities in the tool that allowed threat actors to place the DEWMODE web shell on victim servers and exfiltrate files from those servers. As of February 25, 2021, 13 organizations in multiple sectors (finance, government, legal, education, telecommunications, healthcare, retail, and manufacturing) and multiple countries (Australia, New Zealand, Singapore, the UK, and the US) have suffered data breaches as a result of the Accellion FTA compromise. Victim data has appeared on the website CL0P LEAKS,...

Follow the Money: Qualifying Opportunism Behind Cyberattacks During the COVID-19 Pandemic

Recorded Future - January 22, 2021

The COVID-19 pandemic has created significant disruption to the global economy, and the cyber threat landscape has responded accordingly; criminal, extremist, and state-sponsored threat actors have capitalized on the pandemic’s worldwide economic crisis. Throughout the pandemic, the tactics used by threat actors have evolved to focus on the most pressing, timely concerns and exploit those public fears and uncertainty that present the greatest opportunity for successful victimization. Recorded Future correlated aspects of this opportunism with changes in the socioeconomic climate spurred by the different stages of the pandemic, and their resulting effects on organizations and the public. Initially, threat actors...

Deconstructing the Adversary Exploit Process

Recorded Future - June 3, 2020

Threat actors often use exploits to facilitate their intrusions without increased need to engineer or interact with victim users. As an example, these exploits may help deploy malware by making it possible to execute code on a victim system, aid in gathering normally inaccessible data, or gain access to restricted systems. However, to use an exploit, a threat actor must first identify the need an exploit should serve, find an exploit to meet that need, and then weaponize the exploit as part of a proof of concept prior to production. To understand how this process might play out in the...

Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide

Recorded Future - March 12, 2020

The emergence of coronavirus disease 2019 (COVID-19), the novel coronavirus that originated in late December 2019, has brought with it chaos in many different economic sectors — finance, manufacturing, and healthcare, to name a few. However, it has also originated a new cybersecurity threat, igniting a bevy of COVID-19-themed phishing lures and newly registered COVID-19-related domains. The technical threat surrounding COVID-19 primarily appears to be around phishing, with actors promising that attachments contain information about COVID-19. Recorded Future observed an extensive list of actors and malware employing these techniques, including Trickbot, Lokibot, and Agent Tesla, targeting a broad set of...

Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot

Recorded Future - December 3, 2020

Egregor ransomware is a complex piece of malware that appears to be associated with the operators of QakBot. The ransomware has been used against organizations across many industries since its debut in September 2020 and is likely to continue to present a threat to organizations in the future. Unlike most ransomware variants, Egregor’s payload cannot be executed or decrypted fully without the correct cryptographic key provided to the malware at runtime, rendering static or dynamic analysis impossible. Because very little is known about the deployment of the ransomware in open sources and how the threat actors target victims, Recorded...

Banking Web Injects Are Top Cyber Threat for Financial Sector

Recorded Future - October 16, 2020

Banks and financial organizations are the primary targets for cybercriminals attempting to steal personally identifiable information (PII), money, and financial data. Banking web injects are one of the most effective methods of acquiring that data. Web injects leverage the man-in-the-browser (MitB) attack vector, usually in combination with banking trojans, to modify the content of a legitimate bank web page in real time by performing API hooking. Web injects are widely available on underground forums. In this report, Recorded Future profiles five of the primary developers and sellers of different banking web inject variants on the dark web, provides an example...