Christopher Glyer
cglyer.bsky.social
Microsoft Threat Intelligence Center - Former Incident Responder & Chief Security Architect @Mandiant
Reposted by Christopher Glyer
Are you ready to pivot?!
Come to Malaga on May 8-10, 2024!
#PIVOTcon24 is crafted to bring together professionals from diverse backgrounds – private sector, government, law enforcement, military, academics, and investigative journalists.
#ThreatIntel #CTI
December 14, 2023 at 2:10 PM
Sneak preview of my #cyberwarcon slides 👀
November 3, 2023 at 12:10 AM
"You compile me. You had me at RomCom" - When cybercrime met espionage

Get ready for a #CYBERWARCON talk full of romantic comedy memes!

www.cyberwarcon.com/you-compile-...
October 6, 2023 at 5:33 PM
IMO: Storm-0875 (overlaps UNC3944/Scattered Spider) is the most dangerous financial threat actor right now

Some recent developments:
1. Now deploying ransomware (had been extorting orgs before)
2. In last few months targeting large/well known enterprises (not just telcos/help desk/crypto orgs)
July 6, 2023 at 12:45 PM
Reposted by Christopher Glyer
if i was a FVEY CI officer, my first thought on a RU-based company publishing on FSB ops wouldn’t be “look at the analytic freedom!” — it would be “why is the FSB comfortable with the world knowing about this now? did they figure out we were onto it in some way?”
June 16, 2023 at 9:22 PM
I’ve been in touch w/different victims of MOVEit exploitation by Lace Tempest. One thing orgs should be prepared for is initial $ demand that is (in some cases) order of magnitude or more than a typical org would pay (relative to size of payment in other ransom/extortion cases)
June 15, 2023 at 1:14 AM
Attribution update from MSTIC on MOVEit Transfer 0-day exploitation by Lace Tempest. Victims w/ data theft are likely to be extorted via the cl0p leak site in coming weeks

We’ve shared intel on dozens of exfil IP addresses used in attacks w/customers & industry partners
June 15, 2023 at 1:13 AM