
A Threat Analysis of 0ktapus SMS Phishing Campaigns

BSides Cheltenham 2023 · 40:17 · 1.7K views · Published 2023-06
About this talk
Will Thomas analyzes the 0ktapus/Scattered Spider threat group, which conducts SMS phishing and vishing campaigns targeting Fortune 500 companies. The talk examines their techniques—from initial social engineering through credential theft and post-compromise activities—their infrastructure, victimology, and defensive strategies including security awareness, purple teaming, and incident response.
Transcript (en)

All right, so yeah, thanks everyone for coming. This is my talk, "They Can't Keep Getting Away With It", and I'm going to be doing a bit of a threat analysis on the 0ktapus / Scattered Spider campaigns, which probably some of you have heard of, but, you know, we're going to be diving into more about that. So a little bit about me: who am I? I'm a CTI researcher. For four years I've been working for a UK CTI company, and then I moved to go work for a company called Equinix, which is the world's digital infrastructure company. There's a kind of inside joke, you know, we're the biggest company you've never heard of. We have 240 data centers around the world, and, you know, every time you use the internet your traffic's going through our exchanges, pretty much. I'm also a co-author of SANS FOR589, the cyber crime intelligence course, which is currently under development and will be available by probably around this time next year. And I'm also the co-founder of the Curated Intelligence trust group as well, a group of about 160 CTI analysts around the world sharing information amongst each other. You can find me on the various websites as well.

So who is this group that we're talking about? Who is Scattered Spider / 0ktapus? Who are these threat actors? Well, they're responsible for basically a big bunch of breaches. You know, the techniques used by this group have been used against organizations such as Twilio, HubSpot, DoorDash, Okta, and then they kind of launch additional campaigns; they're very persistent and constantly launching campaigns, and, you know, they end up stealing all sorts of stuff, accessing back ends and credentials and accounts, and all these companies keep getting hacked, basically. So a little bit more about what this campaign consists of: they're basically English-speaking cyber criminals. They are successfully compromising Fortune 500 companies that spend millions on cyber security, have massive teams, and they still keep getting hacked. They're financially motivated threat actors and they mainly target North America as well, and they've been active pretty much since around 2022, which was probably their main year, but they're still active now. They launch persistent social engineering campaigns; they're targeting the human factor of security, often the weakest link, and these guys kind of prove exactly how that works.

So how do they do it? Kind of a brief summary of actually how these campaigns start and how they finish. So they usually, often, start with an SMS text that, you know, contains a malicious link. The user clicks it, they enter their credentials, then they provide the actor the 2FA prompt,

and then the threat actor logs in with those credentials and performs additional follow-up post-compromise tactics and techniques. However, if the target of the SMS text doesn't immediately enter the credentials, the threat actors are known to actually call that victim pretending to be the company's IT team and try and guide them into providing them access as well, and, you know, they've been on the phone for up to an hour sometimes trying to convince employees to give them access. And once inside, you know, they move laterally, they gain privileges and establish persistence, and then basically they go after data, they go after source code, they go after cryptocurrency private keys, they go after whatever they can find valuable, and later they either threaten to leak that data or threaten to, you know, sell that data, and try to extort the company that they stole it from.

An example here of one of these types of phishing texts: this is one that Activision got. So they kind of appear to be like an automated SMS message; they pretend that your employment status is under review, and then in the domain they kind of have the target company and the company they're posing as in the domain as well. And then, you know, the victim basically will go to that site and, as you can see on the left, this is sort of what it looks like. They enter their username and password, and then the threat actor enters that username and password on their end, then they ask the victim for the 2FA code, and then they sort of send another, you know, automated message, and once they've got it they've automatically entered it, and so they're in. Once they've kind of established persistence, moved around, stolen everything, then the victim will sometimes get a ransom note. So in this example Riot Games kind of received a long email ransom note with a Telegram link to, you know, negotiate, basically, and this ransom note was quite revealing of more information about who these threat actors are, because, you know, it contained things like, you know, they say that their sole motivation is financial gain, that, you know, these aren't nation-state APT groups doing intelligence operations or anything like that; they just want to steal information, steal data and ransom it back to the victim as well, and they will also exploit that data as well. And then the interesting thing from this ransom note to me was that they also admit that the victim was attacked by an amateur-level attack, because it kind of shows a bit more about the cyber criminal psyche as well. But yeah, as you can see here's a Mr Al. They asked a 10 million ransom.

So, you know, as this talk is about doing CTI against the threat actor, we're going to be using one of the most important intelligence models, the Diamond Model, to actually understand a bit more about this adversary. We're also going to be using the Cyber Kill Chain by Lockheed Martin to, you know, sort of explain how they go from stage one, reconnaissance, all the way through to their actions on objectives, and then we're also going to be using the MITRE ATT&CK framework to, you know, explain a bit more about how they perform each technique.

So yeah, we're going to start with capabilities, and, you know, I broke this down into kind of five different areas: preparation, social engineering, evading security, attacking the cloud, as well as exfiltrating data. So, preparation. One of the interesting things about this campaign is they kind of focus on customers of single sign-on provider solutions. So in case you didn't realize, your company may be listed as a customer on one of these websites. You know, Duo, Okta, Twilio, they all advertise who their customers are, so if you want to target a company and you want to find out what SSO provider they use, you just go to their customer testimonials, or they advertise their customer list, so you can use OSINT pretty much to, yeah, find this information very easily. And then once they do that they can craft, you know, a custom phishing page for that organization using the company's logo as well as the SSO provider's logo as well. They will also use data brokers to be able to sort of gather information to be able to then exploit and target those employees and users. You know, they'll use things like ZoomInfo, Dehashed, RocketReach, all sorts of areas as well; you can even use LinkedIn as well if you want. And just from using these few sources you can get someone's, you can get who their employees are, their name, phone number, email address, and potentially the passwords that have already been breached as well.

Social engineering: what are these threat actors' primary social engineering methodologies? Well, SMS phishing is probably one of their calling cards. You know, if your organization is getting SSO-themed text messages trying to steal credentials from your employees, you know, good chance it could be one of these threat actors. And they often use things like "schedule changed" or "employment terminated" just to try and really, you know, entice the user to basically click on that text message, because, you know, if you're working for a company and suddenly they're saying you're terminated, you're going to, you know, feel the pressure's on, you want to quickly find out what's happening there. And then again, as I mentioned, voice calls, and, you know, threatening or bribing people, trying to trick them into giving them access. And Coinbase recently disclosed that they were attacked by a threat actor of this kind of nature. You know, they even say the attacker claimed to be from Coinbase's IT team, and they were actually able to successfully compromise that victim's endpoint by installing like a remote admin tool and going through the motions on that, which I'll dive into more in a bit.

The other thing that they do is SIM swapping. SIM swapping has been around for a long time, but only recently it's kind of really been used against sort of enterprises such as the ones I've mentioned who have been breached. So a bit more about SIM swapping: SIM swapping involves tricking the mobile provider of an employee's phone number into transferring that phone number to a SIM card that the threat actor controls. So they can do this by basically social engineering the sort of help desk support admin of your mobile service provider into, yes, giving access, taking your phone number and giving it to someone else, basically. And once they do that then they control your phone number and they can, you know, basically trigger one-time password codes with password resets and then log into accounts and things. And successful SIM swaps, you know, for years they've resulted in sort of targeting cryptocurrency, secret life people, high net worth individuals with lots of cryptocurrency; those sorts of individuals have often been targeted by SIM swapping, but, you know, more recently they're going after enterprise accounts with access to more data as well that can sort of assist in those types of campaigns. So yes, the possession of a phone number can actually be enough to reset other online accounts and passwords, and once the victim is compromised, the mobile service provider, it's kind of on them, it's their fault; there isn't really much you can do other than rely on the security and processes of that mobile service provider.

So a bit more about evading enterprise security. You know, they use remote monitoring and management tools such as AnyDesk, TeamViewer. I'm sure if any of you guys do, you know, any sort of threat hunting or adversary emulation, you're going to be incorporating these types of tools into those campaigns. They also use session hijacking, you know, basically using browser cookies: steal the cookie and then replay it, basically a replay attack as well. They're using bring-your-own-vulnerable-driver attacks to basically disable security tools; code signing certificates actually stolen from companies, so last year I believe Nvidia had a pretty bad breach and all their code signing certificates were stolen, and threat actors are using those code signing certificates to sign their malware; and then they're also using UEFI boot kits as well as tunneling tools as well.

So a bit more about these RMM tools: they actually use up to 20 different RMM tools. So maybe you have an alert for unauthorized usage of AnyDesk or TeamViewer in your organization, you know, if you're doing a lot of threat hunting, but, you know, if those two tools don't work the threat actors just move on to the next one and to the next one, and keep going until they eventually get access. And the interesting thing about these RMM tools is that, you know, your antivirus, your EDR is not actually going to flag those as malicious because they're legitimate tools, but the threat actors use them for remote access.

EditThisCookie: this is kind of an interesting one; it's kind of unique to these threat actors as well. They actually use a browser extension which is basically used for sort of testing on e-commerce websites whether, you know, a customer has gone to that site, added something to their basket and whether they can go back and continue to add things. Kind of the same principle works with the multi-factor authentication protocols as well, and authentication cookies. So what the threat actor did was they were able to use an RMM tool to connect to someone's device and then steal the MFA token, and then were able to authenticate into other areas as well, pivot into intranets and things.

Bring your own vulnerable driver: this is another interesting technique that these threat actors do. The interesting thing about BYOVD is that it's been going on for quite a while, but, you know, it kind of originated in sort of the game hacking, game cheating communities. You know, they were using these to bypass or turn off anti-cheat, and threat actors realized that they can use that to turn off antivirus and EDR. So once they've done that, you know, yeah, it's possible to turn off Windows, you know, kernel protections. They basically literally bring a vulnerable driver, you know, developed by Intel or something like that, that has a vulnerability already in it, so when they deploy it they can then exploit it, and because it's, you know, a valid driver, then, you know, your detection systems aren't going to flag it as malicious by default. You know, you can create rules to detect this thing, but, you know, by default it's not going to stop it. And CrowdStrike actually said they saw Microsoft Defender, Palo Alto Cortex and SentinelOne EDRs just kind of fall over to this thing. So yes, and once they've disabled the endpoint then, you know, they can perform whatever actions they want.

Another way they can do that, if they don't use BYOVD, they can actually use a UEFI boot kit. This one was called BlackLotus; it's actually developed by someone who kind of came from an anti-cheat background, and they started selling this boot kit on the forums. This one was offered in October 2022 for about five thousand dollars, and, you know, these threat actors are actually able to purchase it and use it in their campaigns as well. The interesting thing about BlackLotus is that it can run on Windows 10 and 11, you know, even with Secure Boot enabled. They can deploy this boot kit and then actually exploit another vulnerability, in I believe it was in Intel processors, and then, you know, they can disable things like BitLocker, Hypervisor-Protected Code Integrity, as well as Windows Defender as well, and then they can perform all their sorts of tactics and post-exploitation activities as well after that. So the interesting thing about BlackLotus as well, kind of a side note, is that if you tried to deploy it on a system that had, you know, language or system settings for Armenia, Belarus, Kazakhstan, Moldova or Russia or Ukraine, the boot kit actually won't work. So this scenario is interesting to raise because it's kind of an unwritten rule for malware developers from the Commonwealth of Independent States: they don't target their own. So as long as you don't target your own, then the police and whoever, the government, is not going to come after you.

So another interesting thing about these threat actors is that they also target the cloud and virtualized infrastructure. They target Azure, AWS and VMware ESXi. You know, a lot of the time they will take the credentials that they've stolen by phishing, or potentially stolen via, you know, editing a cookie, and then they actually move and gain access to Azure VMs, and once they've sort of established persistent access on those VMs they'll then move laterally to other systems and on premises as well. And also, once they're inside of Azure, they will then sort of usually aim to export the configuration of Azure AD tenants and their users and, you know, perform all sorts of follow-up attacks, data theft and other sorts of attacks like that.

AWS uh the interesting thing about AWS is that what these three actors were found to be doing is that they are actually beginning to Target by beginning to Target AWS by exploiting a or compromising a uh you know public facing application known as Forge Rock open am once they've got into those they once they've gained access to these applications they kind of assume the AWS instant roles like sort of come with those and once they do that then they open AWS Consular start creating accounts for non-existent users establishing persistent access again and then they sort of pivot into the rest of the environment using their you know established credentials VMware esxi another interesting one is

because they actually use a combination of two tools a tunneling tool known as R socks X and as well as level i o again another rmm tool and once they do that they've actually also been known to launch a port scanner known as rust scan from a Docker container onsider esxi Appliance as well so now we kind of have a more comprehensive idea of how these three actors are launching their campaigns what sort of things they're doing what sort of post-exploitation activities they do once they've you know passed the phishing past the social engineering stage what do they do after that infrastructure not as long of a section but you know we're going to go into more

about like actually now we know how they what they do but actually how what infrastructure what do they do to actually launch it from basically so for SMS phishing and VOIP fishing fishing they've actually been able to use sort of communications platform as a Services um so they kind of use Google Voice Skype something called Vonage or bandwidth you know a lot of these things sort of like automated uh voice calling systems you know if you want to book an appointment for something like that sometimes you get like an automated system the threat actors are actually using that against targets as well as well as uh you know sending out malicious text messages as well in a

sort of automated fashion foreign yeah so this so one of the ways that we can actually tie all these breaches together in one way or another is the fact that the phishing pages uh used to Target these organizations are pretty much all the same uh maybe a few Minor Details here and there but the main main fact is is you know the target company's logo is on the fishing page and the target company's SSO provider is also you know has its logo and it's kind of seen that way as well so it's quite let's try quite a basic and straightforward fishing kit once you've entered your credentials actually has like a sort of a telegram back end to

then feed in the credentials that can then be entered uh and you you know they can get into your account within the amount of time it takes for a SMS token or a 2fa token to you know expire there's a sort of an automated fashion [Music] so I actually gathered a load of domains related to these campaigns and the interesting thing about these is there's also Imagine these but imagine each one having like a load of sub domains as well so they kind of use register a ton of domains they mainly use name Silo two cows and yala you know primarily because these registers extract Bitcoin as well um but yeah they use if it has SSO in

the domain if it has OCTA in the domain or like Dash cloud or something so if it's like your company is the subdomain Dash Cloud login SSO whatever.com likely it's going to be one of these guys and if it's registered using name style or two cows and name servers with Nyala even more likely other interesting thing is that these guys use uh an m247 the hosting provider to uh you know for a lot of their sort of Ip endpoints um sort of the like the final step and their attacks they actually use uh the interesting thing about m247 is that they are you know very popular by a lot of VPN companies to host their sort of VPN sort

of exit nodes and yeah so these were actors to actually launch conduct the rest of their campaigns you know they use um you know they use things like level uh Cloud uh so what's that file sharing cloud services VPS and tour and you know this kind of highlights the sort of high level operational security by these reactors as well relying on proc proxy services to sort of conceal their connections um interesting thing was is that these IPS were shared by crowdstrike crowdstrike and just by sort of pivoting on the uh pivoting on the host names that were on these IP addresses we could then reveal who all these Services were so then vpns they actually use the range

of expressvpn surfshark and mulvad interesting thing about these vpns is again they all accept Bitcoin for payment um so you know you can't trace who actually has purchased these ones uh easily anyway and you can use so the interesting thing is like you can use a service uh I mean if anyone uses gray noise or there's a service called spur Intel will actually tell you you can just give it a load of IP addresses to tell you which one is a VPN or not [Music] so file sharing sites uh interesting thing about this is the fact that you know these free sites pasteer rise up.com or or file i o or transfer.sh you know these are free again free services

allows the threat actors to upload their payloads or exfiltrate data or download download files um you know it's all sorts of delivery delivery systems and services or file exploration and the interesting thing about these Services is you know they're valid they're legitimate they're not uni created registered IP address like host paid for rented vps's or recently created domains and you know there's a good chance that your organization's not going to have GitHub uh you know blocked so you could just so that's what these trackers use to kind of evade sort of network traffic and monitoring as well so you've kind of gone through capability in infrastructure and we're going to look more a bit about who their

victimology is um actually go after as I mentioned that earlier in this talk they go after North America a few in Emir and a few in APAC um but out of all of the companies that they target uh the most majority of them are business process Outsourcing and the interesting thing about that is you know many many companies they sort of Outsource things like uh sort of HR or content management uh customer relationship services and customer data processing and stuff uh things like HubSpot um and uh you know one of the other ones I kind of use they kind of used these services to help manage their customer data and so by targeting one of these uh

BPO companies you can then exploit you can then Target the data of multiple companies customers as well um so the interesting thing about that is they also then go after telecoms as well once they've once they've kind of targeted these uh BPO companies and again with these attacks they you know it's sort of the easiest way to describe it is what we call cyber enablement so if you want to actually Target a company Downstream you will then talk you'll Target something in between you and your end Target so it kind of enables you to then launch the rest of your Camp campaign hence cyber enablement um interestingly at the sort of end of the uh end of the chain of targeting a lot

of the end targets end up being cryptocurrency exchanges as well as sort of other other companies gaming companies uh Activision and Riot games and things and then they also go after seemingly data in general you know they're going after door chat doordash and companies like that so a bit more on the victim demographics here they go after uh they mainly Target the employees at the organization they go after the I.T staff they go after the software developers because they want to be able basically they want to be able to get access to high-level privileged accounts and potentially you know code repositories and things as well they also go after software as a surface applications so you know things like

anything by atlassian jira Confluence anywhere where you have sort of documentation you know all good stuff for them to download steel and it stores it threaten to leak publicly leak it and then you also Target collaboration applications as well so you know things like slack or teams or GitHub as well you know they go after these things so again because that's where sensitive information is shared um and it's relatively relatively simple to breach these uh Services because once you've got once you've got authenticated access you can then pivot into many other things and the types of information they're targeting includes source code various file shares so SharePoint OneDrive GitHub these kind of things as well as

cryptocurrency private keys so uh I created this kind of uh organizations uh targeted by scattered spider because the the way I did it was that I took those phishing pages like the ones I showed you before and then sort of pivoted on the domains and things as well as well as the sort of similar domain registration patterns as well and then I was actually able to look at which companies were targeted and then kind of derived what sector that company it belongs to and I sort of came up with this and out of that out of those targets about 27 were business process Outsourcing so impact a victim so what actually happened to companies who this threat

group or these various actors have actually uh what have they done to them so twilio probably one of the biggest uh most infamous cases is the fact that about 163 twilio customers were compromised and that doesn't mean like end users with twilio accounts that's like companies that use twilio for their sort of SMS and one-time passcode their authentication systems so things like opta the customer contact information from twilio was actually stolen and SMS OTP information was actually uh you know accessed by the threat actors they had access to twilio's back end with the SMS codes you know being sent so that by having that access they were then actually able to then uh you know Target

other companies as well so things like door Dash OCTA even more down the line as well um doordash again you know they got into doordash via twilio they then accessed customer information various pii records and other interesting thing about doordash is you know it's a it's like the American delivery basically you know they have millions of customers and once you've got access to that sort of basically very up-to-date details you can then pick who you want to Target on that list as well um the other interesting one is OCTA so OCTA say that a small number of their mobile phone numbers were accessed associated with SMS messages were accessed and those SMS messages also contain one-time passcodes and and yes

the director gained it worked twilio HubSpot was kind of an interesting one because they compromised an employee account they gained access to HubSpot company portals where customer data was stored and HubSpot claimed that the only uh there were other affected firms but the two publicly you know declared firms that were affected were Swan finance and block Phi so kind of the financial kind of shows more about these threat actors motivation they're going out to financially uh you know the financial sector and financial institutions Next One impact to more victims so the interesting thing here cloudflare actually came came forward and said that 76 employees were targeted in one minute again kind of shows like with these uh

bulk SMS kind of sending tools they had access to the three actors and uh and then they said three employees actually fell for it they actually clicked on the link and entered their credentials uh interesting thing about cloudflow though is that because they use UB Keys basically the attack was stopped because UB keys are pretty unfishable so this means the threat actor couldn't steal like a 2fa code they actually the employees have to physically put in a UB key to authenticate so kind of stop the thracters there uh coinbase the coinbase one is probably you know one of the most interesting because they were successful in the fact that only one of their employees entered their

credentials and uh the SSO MFA requirement kind of locked the attacker out because it's probably some sort of like biometric uh you know fingerprint scan and then it lets you and then the SSO service lets you in however the employee actually was contacted by the IT team a fake ID team and uh and they were socially engineered into kind of providing them access so yeah basically once the track is within they basically downloaded what we suspect is coinbase's active directory as well but that's pretty much as far as it went as as far as coinbase said so so Activision Activision had it pretty bad you know and then another one of the employees accounts were compromised via

this sort of SMS phishing I showed you the text at the start of this um and they say you know employee information was accessed and then they also got into uh some sort of like marketing data as well so data released by related to Activision so Call of Duty franchise uh and they you know said shared screenshots and things as well uh yeah quite quite a not great look for Activision and then write games probably one of the worst you know they had an employee an employee who was uh who had access to the development environment was actually compromised uh source code for League of Legends was stolen uh as well as the anti-cheap and their 10 10 million Ransom was

demanded bright games you know they said they weren't going to pay the ransom but I'm sure you know the cost the cleanup cost of this incident is probably going to be a similar amount [Music] so a bit more completing the diamond who actually what do we know about scattered spider octopus kind of campaigns now who you know what other objectives who a bit more about who are they um I kind of it's difficult to say because a lot of this information is you're kind of extracting it from threat reports from vendors as well as pivoting on it and doing your own research um I kind of clustered together octopus scattered spider and uh unk3944 by mandian and um kind of

focused on their capabilities and their tactics techniques and things and then basically you want to defend against that type of adversary not really focusing on how each one is connected and who Who's Who and who's what because you know with cybercrime there's hundreds of threat actors coming and going so you may be tracking one you change to something else next week um so basically basically I recommend focusing on the actual uh you know ttps themselves so attributes you know the English speaking the likely young adolescents based on some of the information provided by group IB as well as you know the kind of sometimes the immature uh nature of these kind of attacks and things and

just the usage of things, the preference of the tools they're using as well. Financially motivated threat actors is pretty much who these guys are. They're not nation states; they're actors using pretty straightforward tactics and techniques, and it's kind of rare to actually see some sort of intelligence group using SMS phishing and phishing and things as well. So my summary of who this adversary is: they're not too technologically advanced, but then they are rehearsed in getting past enterprise-level security. They have quite obscure knowledge in things like cloud and

how to get around EDRs and things. They have a focus on social engineering, targeting the human factor, so if you want to defend against these guys you definitely want to raise your security awareness program to actually be aware of SMS phishing. If you get an SMS message to your personal phone from the company, definitely question whether that's legitimate; don't just immediately follow a link, kind of thing. The other interesting thing is they don't actually develop their own malware. If you notice, the whole time they're basically using RMM tools, or BYOVD, or a bootkit that they purchased on the

underground. They're not actually developing any of their own malware, or they're using open source tools on GitHub to exploit various applications, or the cloud even. So my final assessment is that this adversary should be treated more like a community of threat actors rather than a monolithic entity. This isn't just five people working together to attack everyone; there's lots of people coming and going here, basically, and this is mainly due to their wide range of TTPs, targets and actions on objectives as well. So now we've basically completed the diamond. This is everything. Once we've

got this information we can then put it into a nice fancy CTI threat report, take it to our stakeholders and then help them defend against this threat before they actually target us. So, mitigating these attacks before they happen. I've kind of broken it down into four areas really: security awareness training, purple teaming, incident response, and security engineering and architecture. Obviously with security awareness they're going to want to remind people not to click on SMS phishing messages, and be aware of voice phishing, and make sure if the IT team claim they're calling you to hang up and call them back and see if

it's the real IT team. For purple teaming, in our organization we'll work with the red team and develop adversary emulation exercises and basically see if our tools would detect the type of tactic that the threat actors use. Tabletop exercises: if you work in a CERT or you're doing incident response for an organization as your main duty inside an organization, then a good tabletop exercise to do is how would you respond to a SIM swapping attack? What's your plan to

contact the mobile service provider or get your employee a new SIM card, kind of thing. Security engineering: security engineering basically have the toughest job when it comes to these threat actors, vetting RMM tools inside a large organization. In the organization I work for there's tens of thousands of employees and 240 facilities around the world; there's all sorts of software being used, and we also do a lot of mergers and acquisitions as well, so whatever the company that we've just acquired is using, it's a real difficult thing to actually hunt down the authorized usage of RMM tools.

So my advice would be to make sure that you know which RMM tool is used where, or just stick to one or two and then block everything else pretty much, or allow it on a case-by-case basis and then detect any time a new version is downloaded. Detecting BYOVD, this is a tricky one again, because similar to RMM tools it's legitimate software, so you don't want to go instantly blocking legitimate software because you'll cause all sorts of issues in your environment, but you actually want to probably see if you can try and hone in on the vulnerable versions of these drivers and block those as well.

Investigating the cloud side, so the file sharing cloud sites, the paste sites and file sharing: it's important to actually verify what sites are being used by your employees, and if for some reason someone's uploading 50 gigabytes to MEGA.nz then you may want to check that out, if no one else uses it in your organization. And then IAM, identity and access management: I definitely want to have a look at phishing-resistant hardware such as YubiKeys as well. So how can cyber threat intelligence help in a situation like this? Well, CTI teams analyze, monitor and collect

information from the threat landscape. As part of the CTI team for an organization we're constantly looking at the latest intrusions and breaches and latest campaigns, we're extracting the information, we're creating detection opportunities, we're monitoring threat actor infrastructure, like I showed in this talk: we took all the domains and mapped out all the targets of this campaign and things, and identified new targets and potential victims. And then collecting the indicators of compromise as well, and then ingesting them into tools and making sure any reported incidents we can also check and review, if they try to target

us or something like that as well. So yes, thank you for listening. If anyone has any questions please let me know. [Applause]

So, any questions?

Yes, question at the back.

Yeah, so bring your own vulnerable driver. In the intrusions that I investigated related to this campaign, once they've downloaded the RMM tool, they would then deliver the vulnerable driver to deactivate the EDR or the antivirus after that. It's because the EDR isn't always going to alert when a new RMM tool is downloaded unless you've pretty much set it to do that. You may get some sort of potentially unwanted software kind of alert, but they're not always going to be high risk, and your team is not going to investigate those straight away when they have so many

other higher-rated alerts going on. So once they've got the RMM tool on the device, then they will deliver the driver and then basically exploit the vulnerability in that driver to gain privileges. Yes, question. Good question. It's difficult to actually identify how much this specific group is making, because a lot of their campaigns are related to the groups that do SIM swapping and cryptocurrency theft as well, and you can follow that they kind of started with doing that, and those kinds of campaigns have made millions of dollars, but then they've kind of evolved into targeting

organizations and targeting data and exploiting that data, and it gets difficult because it's difficult to say how much they sold the data to another threat actor for, or, when they're compromising accounts and things, how much they exploit each customer of that account. But these threat actors are sort of mingling in with the ransomware groups as well, which we also track very closely, and these ransomware groups are making millions of dollars by the day, so you can pretty much rest assured that they are making... I

mean, I would be completely guessing at how much they've made so far, but with a ransom demand like 10 million dollars against one organization, and they've attacked potentially dozens, if at least one of them pays one ransom, they've got a decent amount of money there.

Any other questions?

No? That's it. [Applause]
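The three security engineering controls the speaker recommends (allowlist RMM tools and alert on any new version, block known-vulnerable drivers rather than all drivers, and flag bulk uploads to file-sharing sites nobody else in the organization uses) can be expressed as a small rule pass over endpoint and proxy telemetry. The following is an added example written for this page; it is not the speaker's code or tooling. Every tool name, host, user, hash and domain policy in it is constructed sample data, and the driver hash list is a placeholder standing in for a maintained source such as Microsoft's vulnerable driver blocklist or the LOLDrivers project.

```python
"""
Added example (not from the talk): an offline rule pass over constructed
endpoint/proxy telemetry encoding three controls discussed in the talk:
  1. RMM tools: allowlist by tool and vetted version; alert on anything else,
     including a new version of an approved tool.
  2. BYOVD: alert on driver loads whose SHA-256 matches a known-vulnerable list.
  3. Exfiltration: alert on large uploads to file-sharing/paste domains that
     are not sanctioned in the environment.
All names, hashes, hosts and users below are constructed sample data.
"""
from collections import defaultdict

# --- Policy (assumptions; replace with your own inventory) -------------------
# Approved RMM tool and the exact versions security engineering has vetted.
APPROVED_RMM = {
    "approved-rmm.exe": {"5.2.0", "5.2.1"},
}
# Executable names treated as RMM software (constructed; maintain from your
# software inventory and vendor documentation in practice).
KNOWN_RMM_IMAGES = {"approved-rmm.exe", "other-rmm.exe", "remote-agent.exe"}

# Known-vulnerable driver hashes. CONSTRUCTED placeholder: real entries come
# from a maintained blocklist (e.g. Microsoft's vulnerable driver blocklist
# or LOLDrivers), never from this file.
VULNERABLE_DRIVER_SHA256 = {
    "deadbeef" * 8,
}

# File-sharing / paste domains, and which of them are sanctioned for business use.
FILE_SHARING_DOMAINS = {"mega.nz", "transfer.example", "paste.example"}
SANCTIONED_SHARING = {"transfer.example"}
UPLOAD_ALERT_BYTES = 1 * 1024**3  # 1 GiB per user per domain in the window


def check_rmm(event):
    """Return an alert string for an RMM execution outside policy, else None."""
    image = event["image"].lower()
    if image not in KNOWN_RMM_IMAGES:
        return None
    approved = APPROVED_RMM.get(image)
    if approved is None:
        return f"unapproved RMM tool {image} on {event['host']}"
    if event.get("version") not in approved:
        return (f"new/unvetted version {event.get('version')} of approved RMM "
                f"{image} on {event['host']}")
    return None


def check_driver(event):
    """Return an alert for a driver load matching the vulnerable hash list, else None."""
    if event["sha256"].lower() in VULNERABLE_DRIVER_SHA256:
        return f"known-vulnerable driver {event['driver']} loaded on {event['host']}"
    return None


def check_uploads(events):
    """Aggregate upload bytes per (user, domain); alert on unsanctioned bulk uploads."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] != "upload":
            continue
        domain = e["domain"].lower()
        if domain in FILE_SHARING_DOMAINS and domain not in SANCTIONED_SHARING:
            totals[(e["user"], domain)] += e["bytes"]
    return [f"{user} uploaded {total // 1024**2} MiB to unsanctioned {domain}"
            for (user, domain), total in sorted(totals.items())
            if total >= UPLOAD_ALERT_BYTES]


def evaluate(events):
    """Run all three checks over a batch of events; return the list of alerts."""
    alerts = []
    for e in events:
        if e["type"] == "process":
            a = check_rmm(e)
        elif e["type"] == "driver_load":
            a = check_driver(e)
        else:
            a = None
        if a:
            alerts.append(a)
    alerts.extend(check_uploads(events))
    return alerts


# Constructed sample telemetry: one compliant RMM run, one unknown RMM tool,
# one new version of the approved tool, one vulnerable driver load, and a
# 2 GiB upload to an unsanctioned site split across two events.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "image": "approved-rmm.exe", "version": "5.2.1"},
    {"type": "process", "host": "ws-02", "image": "other-rmm.exe", "version": "1.0"},
    {"type": "process", "host": "ws-03", "image": "approved-rmm.exe", "version": "5.3.0"},
    {"type": "process", "host": "ws-03", "image": "notepad.exe", "version": "10.0"},
    {"type": "driver_load", "host": "ws-02", "driver": "vuln.sys", "sha256": "deadbeef" * 8},
    {"type": "driver_load", "host": "ws-01", "driver": "ok.sys", "sha256": "00" * 32},
    {"type": "upload", "user": "jdoe", "domain": "mega.nz", "bytes": 1024**3},
    {"type": "upload", "user": "jdoe", "domain": "mega.nz", "bytes": 1024**3},
    {"type": "upload", "user": "asmith", "domain": "transfer.example", "bytes": 5 * 1024**3},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Two design points follow the talk's caveats. The driver check matches specific vulnerable hashes rather than blocking all third-party drivers, which is the "hone in on the vulnerable versions" advice; and the RMM check fires on an unvetted version of an approved tool as well as on an unknown tool, so a fresh download of the sanctioned product still produces a ticket. The sanctioned file-sharing domain produces no alert regardless of volume, which mirrors "if no one else uses it in your organization" as the trigger, not the upload itself.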