Discover and read the best of Twitter Threads about #APT33

Most recent (4)

OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
โ™ฅ๏ธ Joining Mandiant was the best decision of my career โ€“ the people & company have been SO good to me
๐Ÿง  Many of the brilliant minds in security are here & we have FUN every day

1/8
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
โ˜•๏ธ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2: fireeye.com/blog/threat-reโ€ฆ
๐Ÿ’ฐ I was fortunate to lead the first IR for the group that would come to be known as #FIN7
3/8
In response to increased U.S.-Iran tensions & concerns of retaliatory cyber attacks, Iranian intrusion experts @sj94356 & @QW5kcmV3 are on #StateOfTheHack for the latest on all things Iran: #APT33 #APT34 #APT35 #APT39 #MuddyWater & active UNC groups 🇮🇷👨‍💻🕵️‍♂️
@sj94356 @QW5kcmV3 Wait, did @YouTube remove the #StateOfTheHack episode? 👉feye.io/soth 👀
Are we being oppressed? Do they think this is a U.S.-Iran influence operation? ... is it? 🇺🇸🇮🇷 Am I going to get a bunch of weird #MAGA replies to this tweet? I have so many questions 😅🙃
For more information on mitigations as well as our public source material supporting the discussion from the show, please check out:
• APT33 graduation: fireeye.com/blog/threat-re…
brighttalk.com/webcast/10703/…
• APT33 webinar & examples: fireeye.com/blog/threat-re…
... (more below)
🔨A Tough Outlook for Home Page Attacks
🔗fireeye.com/blog/threat-re…
Blog has #APT33 🇮🇷, #APT34 🇮🇷, and #UNC1194 🏴󠁵󠁳󠁯󠁨󠁿😉 home page persistence & RCE.
🔒We talk CVE-2017-11774 patch tampering in-the-wild and made a hardening guide!
😱Cool TTPs (pictured) #GuardrailsOfTheGalaxy UNC1194 macros and CVE-2017...Domain guardrail, Azure sto...
Here is the #UNC1194 first stage (recon) payload stored in an attacker-controlled @Azure storage blob:
Pretty neat that the attacker (@TrustedSec) can conduct a full intrusion by just swapping the storage blob content for the next stage!
This was a fun one to write with McWhirt & @doughsec. We ended up with 3 registry settings to enforce with Group Policy for CVE-2017-11774 Outlook hardening:
fireeye.com/blog/threat-re…
Final step is to enforce GPO reprocessing.
OVERRULED: Here's our take on outmaneuvering a potentially destructive adversary fireeye.com/blog/threat-re…
We talk compromise, RULER, and links to APT33.
Infosec Twitter suggests they dropped #SHAMOON 💥

Shout-out to co-authors: @QW5kcmV3 @_gackerman_ @a_tweeter_user @WylieNewmark
If you liked this part about our threat similarity engine, I have a confession: that is CYBER #machinelearning!

Designed by @BarryV & Nalani F.
Studied & prototyped by our data scientist @secbern.

Learn more here 📺: (it's not officially called APTinder)
If you like Operational Timelines, #AdversaryPursuit has you covered. We're including them in blogs because it's how we operate & it improves #threatintel sharing. Thx @QW5kcmV3

๐Ÿ–ผ๏ธ #1: Suspected #APT33 โฒ๏ธ fireeye.com/blog/threat-reโ€ฆ
๐Ÿ–ผ๏ธ #2: Suspected #APT29 โฒ๏ธ fireeye.com/blog/threat-reโ€ฆ
