Tylermcl
@tylermcl.bsky.social
Advanced Practices at Google Cloud’s Mandiant
Hot Zeroday Summer continues with Ivanti Sentry CVE-2023-38035 affecting a limited number of users https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
August 21, 2023 at 2:44 PM
Reposted by Tylermcl
The takeaway: The GRU has followed the same five phase disruptive playbook throughout the war. Alternatives have existed, but the GRU has opted for the same tradecraft on repeat. We assess that these choices are calculated adaptations to a wartime operating environment.
July 12, 2023 at 2:31 PM
GRU’s playbook on cyber disruption and infoops
@danwblack.bsky.social & I published a blog today building on a ton of work across Mandigoogle, UA CERT & the industry. We’ve identified technical & strategic patterns in GRU wartime disruptive ops we call the GRU Disruptive Playbook. https://www.mandiant.com/resources/blog/gru-disruptive-playbook
The GRU's Disruptive Playbook
We have tracked GRU disruptive operations against Ukraine adhering to a standard five-phase playbook.
July 12, 2023 at 8:05 PM
Reposted by Tylermcl
Notable Storm-0875 tradecraft
1. Initial Access: SMS phishing + AiTM, or purchase of infostealer logs (bypasses most defenses)
2. Privilege escalation via SIM swapping or call forwarding on a global admin's personal phone
3. Time from initial access to global admin often occurs within hours
July 6, 2023 at 12:56 PM
If you haven't turned on non-SMS/push 2FA and are a tech/BPO, retail, or telco org, they will find a weak spot and ruin your summer.
IMO: Storm-0875 (overlaps UNC3944/Scattered Spider) is the most dangerous financial threat actor right now

Some recent developments:
1. Now deploying ransomware (had been extorting orgs before)
2. In last few months targeting large/well known enterprises (not just telcos/help desk/crypto orgs)
July 6, 2023 at 11:53 PM
US holidays are perfect for tagging attribution on 25k events without getting any CPU usage complaints.
July 4, 2023 at 11:35 PM
Happy Canada Day! 🇨🇦 Careful out there! 🌪️⛈️
July 1, 2023 at 7:53 PM
Hello world!
July 1, 2023 at 7:12 PM