
thank you and good morning can you hear me this is the worst part of being a speaker is all the weird stuff that happens right before you go live this should be a sence class for dealing with presentations because even though you might be an expert or know what you're doing technically this I don't have a home setup I don't broadcast soe appreciate everyone here getting this working and thank you for coming out uh thank you to the volunteers who organized the bsides conferences they don't run without the volunteers and truly appreciate the time and effort they put in year round to make these two days three days work so this talk is the compromised KY
chats and carving those with the analytical mindset of an intelligence analyst it's not going to be technical as some of the other talks at the workshops yesterday this is more of a framework with International Affairs than a deep dive into hacking 0365 so I'm will bagot uh certification is a certified combat collection engineer and certified fraud examiner I picked the one certification up when I was teaching NATO spal Ops uh cyber security on how to exploit Battlefield finds uh digitally doing forensics on those but you didn't come to hear about me you came to hear the talk we're going to cover Russian ransomware group kti Russia Ukrainian cyber warfare The Insider threat overview that's a very
esoteric but necessary part of cyber security and then the Carver analysis method that I applied to the leak KY chats again being a former instructor for uh NATO I would have 40 hours in a week to train the troops on the cyber security issues the red slides or where would be if theoretically we had the time we'd go to an exercise and have Hands-On learning the yellow slides are things that were learned well after the triage of the data but again I've got 15 minutes not 40 hours I am limited by the technology of my time so ransomware it's kind of dropped off a little bit I know John Hammond gave a fantastic talk last
year on the methods to distribute ransomware through backup servers is a fascinating thing very timely ransomware is not the event that happens when you click on the link and it locks up your system for money there's a lot of Recon that goes into it beforehand they'll much like a red team they'll look for sensitive data the amount of money that a corporation can repay if a corporation has no cyber insurance no funding it doesn't make sense for the ransom group to go after the Target and hold the data for money they'll never get um variation on that that we saw saw during the Russian conflict with Ukraine was wiper Weare it's a little bit like a
modified EMP electromatic electromagnetic pulse delivery system where instead of locking the data it just remotely wipes the machine whereas that is a horrible event for us who are in system administration that's still far better having your system wiped than having your building blown up so that's a little bit of the overview but who is Ki they russian-based ransomware group they were pre previously passed in an operation up until 2022 they would extract the data and if it hit the criteria they had Consultants to go over the data to tell them what was valuable and how much they could get they would name the client and shame them if they didn't pay the data hey uh
I realize I'm overseas I don't need to shame any us corporations Corporation X won't pay us they have your data it's being linked out so then you get to a different version of finding your data on have I been owned later it was come it was determined that the ransomware group was part of the Russian government for fundraising it was a big business $180 million per year up until this leak occurred this Insider threat did take down the whole organization $180 million pretty much tax-free because you're a criminal group working with the Russian government that's not bad money I don't know if you get Sans training out of that or not but that's not inconsequential for a small startup they
use that standard operating procedure they'll identify a compromised account get someone to click on a link once they have access they'll set up a domain server a C2 Excel the data sop right this is and then once they have the data the very last step is they deploy the ransomware a little bit of historical background in a May 2021 Colonial pipeline realize that was not an issue down here but for those of us on the Eastern Seaboard of the United States Colonial pipeline was taken down by dark side ransomware they took down the billing server for Colonial pipeline which shut down the entire pipeline delivering uh petroleum to the eastern half the United States if anyone was up there it was
pretty brutal I've got a jeep that gets about 15 mil to the gallon and not being able to get gas was a event to be nice they deployed the ransomware through um fishing click here for the pull of power of dark side again fishing is usually the main way that a Rin group is going to penetrate your organization so giving a little bit of background as we build up to what this event actually happened so may 2021 February of 2022 russan invade Ukraine but before that there had been some interesting cyber warfare tactics deployed by both sides there are some interesting Sant oan events some disinformation campaigns that are very effective no loss of life
which is not bad but for those of us in the Cyber domain these are definitely things to pay attention to things you wouldn't think you'd have to tell people such as hey don't take your cell phone into combat and uh don't turn on Tinder while you're in combat on the Russian border and M with locals hot Russian women are not L it's Ivan and he's sucking down your information to manipulate you later to see where troop movements are going but again not everyone is on the same level technically as those of us in the room and if you don't tell people they won't know it's a bad thing to do 2014 again the age of AI now in
2024 this is relatively trivial Ukrainian troops landed near the Russian border and they received text messages in Mass the whole unit did saying you are going to be shelled concurrently the parents of those troops also got text messages saying your son just died in combat which now triangulates the troop further located and then the movement they take for exfiltration and evacuation off the X so you have a combination of electronic warfare signals intelligence collection human collection and ENT collection all delivered at once in Mass this is phenomenal from a pure technical point of view because it did work it got the troops away from the border Ukraine also not a slacker of a country they claimed they had a list of
all the Russian spies operating in all of Europe they released the names addresses SIM cards of all the Russian diplomats in Europe so every single person who worked for the Russian government was now claimed to be FSB or KGB what that's going to do is isolate if you're just working with a regular individual but now there's the taint they're a Russian officer collecting Intelligence on your country you won't want anything to do with them they've been essentially persona nonr pnged it's frozen the entire Russian collection Network in all of Europe fantastic move I salute them for that but there's been games back and forth now again if we were in class we' pivot over to laptops
desktops we could do some things like bellingcat to find where two Russians under tourist cover left Moscow flew to Europe uh flew to UK to go see a chapel in Birmingham or B uh I forget which city but to go see a chapel for a day and they flew back home most government employees don't fly six hours to go look at a church and fly back in the same day they used some ponum killed a dissident flew back home and from these leaks is able to ascertain the identities of the Russians who are committing murder for their country we could work down this leak again if we had more time 40 hours to dig through this and show how the
smallest leak would take down the organization but instead we'll go with a meme of I'm telling you right now that Foreign Service Officer is not real one other exercise I did take out for the because we are international and I don't want to encourage any crime one of the uh slides I took out for this was um it's a beautiful exercise I would have the troops get online and just search on Twitter on X or Facebook for my new debit card my new passport my new credit card and people still post pictures of their credit cards front and back they post pictures of their passports or travel orders and then we would walk backwards to show here's their flight number
here's their credit card number now you pivot over to their registry you can find out where they live now you can you got their home phone number so it's easy to call and say hey Ivan I'm with uh aeroflot your flight had an issue we' like to reimburse you we just need your bank account number to wire you the money now I've got your bank information and that's where the fraud begins just from these simple leaks but again 50 minutes versus 40 hours getting into the meia presentation Russia invades Ukraine February 2022 this is the first modern Invasion War modern of a two Western countries where I'm working we shifted as part of key part of the US economy we
shifted a 247 operations for cyber threat intelligence which on a personal level being able to walk down two flights of stairs at home and actually collect intelligence and report on Russian movements of troops and cyber activities from my freaking basement instead of having to drive into a skiff and then badge in log into a system and collect the same data from the same sources that was different for a lot of us but it's still the same data so going back to the ransomware Ki puts out a notice we are fully support of the Russian government in everything they do all right yeah we expected that well two hours later well we don't really support Russia we blah blah blah weasel word
weasel word word salad and they backpedal from what they've done that is vague and unconvincing there's something going on for KI we're not on the X but it's now heightened our awareness of what's going on with this ransomware group so Ukrainian security researcher part of the ransomware group leaked about 60,000 messages that belong to the ransomware group after the gang sided with Russia over the invasion of Ukraine two slides back where they said we're with Russia the one Insider took action on this he sent a message saying I'm releasing this one file it's a I'm looking at the name here it's a uh tar file we're releasing it this will be the first of many more will come and now
the x is on the I ofs is on this Twitter account again going back to OPC usually I've been my first Twitter account I set up was at Apple headquarters doing digital forensic research with black bag I'm really dating myself with that they're now part of uh celebrite one thing we noticed way back was when people would set up alt accounts or sock puppet accounts General the amateurs will set up see the one they're following not this case the first person they follow is their true name account so don't do that the second is for an not an intelligence officer any longer Unfortunately The 9,300 followers who are they why are you following this account you don't have to
follow you can bookmark it in your browser you don't have to actually put your name out there and following that these are becoming interesting they link to a non files so now on the insid or threat side of the house knowing you've got this cyber warfare games that Ukraine and Russia play with each other just quick show of hands would you block can non files from download because I don't really hey here's something nice and juicy about the Russian Ukraine conflict please download it comrade no no other things to consider sure You' got the retweets the quotes the likes the bookmarks that doesn't tell the full story of what's going on another thing is tool is still up there I would
go to T info.com I would put in the name of the account put in my personal email or nonwork email because I don't know what's going to come back and I would get a full result as to the account the account number previous names for the account who's following it geolocation alleged geolocations because those can definitely be spoofed but you can start to gather more data and this is a free tool so again I get no compensation for this but tm.com that's part of entf framework. comom X1 discoveries about $2 to $3,000 per year for the similar capability if your organization is like mine and tooling has become expensive free is not bad so that was so first thing I did was
pull the account information the operation security exercise that we' roll through here I did leave it in I'm surprised myself but again this is something yall probably going back to your hotel we going to do this during the break at lunch but people still do that in the year of Our Lord 2024 I I don't understand it but that's why I have a job in cyber so the kti leaks in inside our threat began pumping out the leaked files different Vari ations and one thing to notice what does that little graph represent anyone that's the number of times the Tweet was viewed not the number of times people liked it replied to it you can
view it even just going to your web browser and not being logged into Twitter and not leave that footprint so you can see it was as the kids would say doing numbers without having the actual interaction of committing that you're looking at these tweets which is better tradecraft right after these Rel we're starting to pick up business someone leaked the English version of the KY leaks all total almost 400 Jon files with h 61,000 messages you ever parse through 61,000 chat files it sucks I shouldn't say that my kids might watch this it's unfortunate so these conversations formatting died here so the conversations contained pretty much everything about the organization um I sent Apple keynote slides to PowerPoint
my apologies for the formatting on that so it was their C2 it was their Bitcoin address their data leaks come uh it was targets that had been compromised who hadn't made it public for SEC filings in the United States there's a lot of data in here that wasn't yet public including their Bitcoin wallets so again we would go back you could trace through entf framework. go down to digital currency go to bitcoin and you can begin tracing back to see if you get the names of the operatives who are working with coni the data was leaked by a researcher who had access to the full back end of the jabber database hati thought they were a red team pin testing Organization
for most people that was their cover story they didn't know they were actually working with ransomware the yellow slides are the slides of Historical Notes so this is a year and four months after the leaks came out with someone's due diligence they found leaks connections between Russia and kti which in the first year and a half that wasn't apparent you just had time effort on target to analyze this there's a small cyber threat intelligence team for a large organization we didn't have the luxury of time we had other threats to deal with we didn't have this but this still shows that the Russian ransomware groups are active and tied to Russia so a little bit of this has
happened Insider threat to cover this anyone else in here working Insider threat just me it's looking instead of looking for the intrusions from external actors looking to breach the organization like a solar winds or Cloud misconfiguration your awsc or your AWS bu ISM misconfigured it's an internal person who leaks it the easy analogy is a data breach is a dam that has a hole broken into it whereas a internal leak is someone opening the gate on purpose to let the data out it only takes one unexpected action to breach an organization something like kop or move it a little bit older ransomware leak but or solar winds cuz no one expects a leak to happen it only takes one person to lower
the defenses whether it's Edward Snowden copy and paste he's not a hacker he's a h SharePoint admin copy paste or a thumb drive Robert Hansen he worked FBI closely with CIA he leaked the name of our assets who are working in Moscow I believe they were mostly put to death by the Russians nebula from The Avengers movies there's evil nebula good nebula I feel like a teenager up here she lowed the defenses to bring Thanos in endgames and the reason people go from movies in these presentations because with secrecy agreements and ndas we can go with this we can't discuss real world events traditional motivations for Espionage are money ideology conscience compromise ego or excitement so the
researcher who leaked this data fell into ideology conscience I don't know if it was ego I think it was more of again this third party analysis but I think it was more of an ideology my country is being invaded you're making money off of my country I'm going to take you down a little bit more advanced uh they taught us it was Rascals reciprocity Authority scarcity commitment liking social proof ways to manipulate people to get things to act in your interest we've seen ransberg groups offer um emails to people who are considering leaving companies they'll get emails saying if you'll load this ransomware on your organization we'll give you cut of the take and those are also the same
elements of fishing emails so it's manipulation of whether it's one-on-one or whether it's fishing it's still how do we get this person to move this actor moved on his own conscience the data breach again like mgn at Caesar's Palace this was done by scattered spider um but again it's a little bit different than The Insider leak so this one was a one-time event he lost access he quit leaked the day they knew who it was he was the only Ukrainian on the team there's no hiding that directly identified to again the one individual there's no observation and the damage was unquantifiable they are offline for good now so a question I had when I gave the
talk to my team the data was compartmentalized meaning group a didn't know what group b was doing Group B didn't know what group C was doing generally it was stag in know organized files for exfiltration linked with a very public name and how would you detect this Behavior do you have a method in your organization determine if people are get harvesting sensitive data and storing in a folder before they mail it out did he use his KY laptop to send this out these weren't small files so if you have EDR software inpoint detection software that would say hey Bob is collecting these source code files on his laptop he's encrypted them things like a detex
software or um maybe Sentinel one would detect his actions beforehand did he copy the data to a USB drive how did he get it out of the organization what controls do they have for the sensitive data these are things to consider not just for KI but for your organization is if they're going to exfiltrate there are clear defined steps they're going to do unless and this is what people hate PT puff put the props up front just take a screenshot with your phone we still don't have a method to detect that yet because now with OCR on the iPhone I can copy the Sens of data no one's going to know I've done that not that I'm
going to do it because I like being employed in this economy but that's still the one risk that we haven't mitigated only thing I can think of and I would not do not known it would be have a camera on 24/7 is I don't want to work having a camera the I on right there watching me work um but there are definitely tells if someone's going to exfiltrate data so then now what this is working as a cyber threat manager we've got this leaked data from an unknown source that may or may not be another method of load m Weare ransomware wiper Weare and in talking with friends who are still serving if there's a battlefield data
collection they the aerial they do a raid on some Island to go into an admin Hut find a hard drive is that going to be legitimate data or is it going to be false data generally false because the time effort and planning to have false data interspersed with real data most Military Intelligence organizations don't do that on base they've got enough to worry about with the real classified data to have false sh in dispersed this is mass dispersion of Battlefield data whereas if I would go out with the guys on a raid get a iPhone image it get the target deck where they've been all that glorious data from the knowledge C database all their text messages I can
get more information doing iPhone forensics about an individual then I can doing human elicitation face-to-face conversations you just can't hide from the ones and zeros that's if you looked at my phone last night you would see I walked about a mile past Governor's uh mansion on the beach and then I ran back because I was caught in the rain glad to be here don't get me wrong but all that data is stored in phone in the phone in a protected part of your I would need a physical image of my phone to get that but the data is still there and if the nation state has it they have to time effort and the money to get the data so you
know the authentic authenticity of this whereas this random stuff from Ki is it real these are things you have to consider when you're approaching this it's a very esoteric Niche thing but it's becom more common now the question was who was Ki K's gone so we've got all this the Carver method again show a hands anyone heard of this forign military intelligence if you're American your tax dollars paid for this Carver was developed in World War II to help the French Resistance Rank and identify key targets so that attacks could be more efficient it's not software definitely not there's software out you can pay for it you can get a carveron but you don't need that it's a framework and basically
a spreadsheet on how to identify the key data the example if I've got this right and again don't quote me I believe it was the uh ball bearing Factory in Dresden and there's going to be someone on the YouTube comment saying oh he's wrong about this they identified if we take out this key component of the ball bearing Factory then the Russian T the German tanks key components on submarines warships it immobilizes the war industry or the refineries here in this other city if we take we don't have to hit the refinery and the wall bearing plant because if we take out this bridge or this railroad intersection no nothing can come out it's immobilized for months
this is an easier Target to get than the ball bearing plant so this is a higher value Target than the actual destruction of the factory so it was something that could be done quickly easily but conversely you can use this to identify what's key in your organization and again doing the speaker thing where I go over my talk a million times in my head before I get up here the thought was what we consider our crown jewels may not be what you consider our crown jewels and I'll show you what Carver Carver KY considered it's an actual acronym US Government loves our acronyms it's criticality accessibility recoverability vulnerability effect and recognizability Carver right what's the most important job
function the key reason we're in business if we lose x what would happen to this could we recover from it now starting to bring all the pieces together an Insider knows the key weaknesses of a system just like the old meme of the modern world runs on an Excel 97 spreadsheet somewhere in pypy right well we know if we delete that one spreadsheet everything else collapses I know from our organization if I'll get to this I'm get ahead of myself we know that if X Y and Z were hit the repercussions would be astronomical we know that because we have guilty inside or knowledge the average attacker may or may not know that you don't have to go through and
rank all six criteria usually criticality in effect is enough these are the most significant if I take out X and Y what happens again going back to the movies because I don't want to go to jail for discussing classified ballot scarf well if they take out this one Shield generator over the planet now we can get signals out we've taken out literally the firewall then we can get data off Planet exfiltrate it and then manipulate it to conduct a Carver attack on the Death Star because it's 2 meter trench we've all seen the movies or you should have being in cyber so it's a scale one to five of least impact to most impact so going
across it would be a total of 30 for the highest value five for the lowest value again the slides will be online for KI as I ranked them this is my personal opinion this isn't I am an Former Intelligence officer this is how I saw it is their crown jewels their source code their ransomware of how are we going to lock a system after reconnaissance was the most crucial thing if they lose that and the Cyber Defenders The Blue Team know how to mitigate this risk con team won't operate the other five in that stack are their core designers you can get more credits you can go on the dark web whether it's I believe it's Intel 471 or
recorded future or any other threat vendors out there you troll the dark red looking for your org's creds there's always more leak creds out there you can always get more creds you can rebuild infrastructure not as robust you're so going to have similar tradecraft to what you built before but you can rebuild that Staffing anybody know anyone who's looking for a job cyber is about a thousand applicants every job job opening they can get more staff to run the actual Ransom wire and collect the data but if you take out the devs and the source code coni doesn't run so this is how I scored it of this is how I saw their biggest impact what KY considers their crown
jewels are things I hadn't considered I don't know everything I know emails address so you can have the supply chain or the email reply attack that's where you have a known good email and you reply to it it gives the authenticity that you're part of the supply the email chain when you're actually not you're a third party people assume you're part of the attack uh part of the communication databases it's there's no telling what you're going to find in any given database with hidden Fields deleted Fields the deleted fields in the SMS database on the iPhone real some pretty historical data that I didn't think would be recoverable but it's still there from years ago obviously the
source code of any facility any U organization design documents because if you know hey the backup server is here but it's on a AWS bucket that isn't secured properly well we don't have to go after this because again their version of Carver they're going out the AWS bucket that's unsecured they still got the same data without the effort that's an absolute win passwords creds for other networks um since I never said where I worked we had a Gman email our uh DLP software data loss prevention software caught him emailing 57 pairs of creds username password for all of his accesses to internal systems for data security why you need to do that when freaking work at home and again you can
take a picture with your iPhone but these are the keys to the kingdom digital wallets because if you have access to that you've got access to more data I'm limited with what I'm showing here for the actual data leak because it is true real world data and lawsuits happen lawyers like to Sue I don't want to deal with that so you can see welcome to Wells Fargo Company ID Pike 329 what that means I don't know but I could prob hey we're calling back about this from this vendor now you have the authenticity to go manipulate someone to load ransomware in your network it leads into the fishing because people just generally don't click on random links aside from the one
guy I work with who says I click on it see what happens yes I'm talking about you um is that a sub tweet so for my organization I went through and ranked it excuse me our crown jewels personal identifiable information when you conduct a financial transaction with us the volume of pii we have on you is similar SAR to a um oh to an background check for intelligence clearance it's extremely comprehensive it's something that if that was to get out for millions of people we would lose the confidence of the United States public we would go down most of the economy would go down until this came back up the infrastructure how we process what we do our reputation if we lose
those three things it's a major Financial meltdown sorry the effect if we lost our crown jewels and pii astronomical we can always get more creds you can always create more usernames password you can always reset it I know you've got this I learned yesterday from Bose's presentation you got an hour before that token expires on 0365 but you can always generate more creds staff again how many people in here looking for work there's always people looking for you can always get more employees but if you lose your key components your crown jewels your infrastructure and your reputation we're out of business again the slides will be up but this is the basic framework if you want
to use this for your org. This works for offense or defense. And getting into, okay, we've got the data, we know what's what, we know what we consider sensitive, we know what they consider sensitive. The intelligence community defines intelligence as a thing of foreign interest, new, clandestinely acquired and authoritative. Basically, we don't want to pay a case officer to sit overseas in the Bahamas, read the newspaper, write up the newspaper article and mail it home, and how he's getting, or she's getting, overseas pay, retirement pay, to sit on the beach and type up the newspaper. That's not how an intelligence service generally works. In the cyber threat intelligence business the joke was, well, it's FAA: we look for things in the financial industry of interest, new, copied and pasted from BleepingComputer, and it's authoritative. It's similar, not quite the same, but close.

Now getting into the core of the presentation. These are the things, when this data leak came out, the four questions. Are we targeted? That's the most important thing. Are we on the X? Is our core business function, is our industry, a target for the ransomware group? Do we have any leaked credentials in the stack? And what other intelligence, CVEs, what are they using, what IOCs, what TTPs can we ascertain from the leak? But the first three are the most important. Again, apologies for this Apple-format PowerPoint; I'm an Apple guy, wearing my Apple polo from Apple headquarters.

Around 87% of successful attacks are because of compromised accounts. So just going through these slides, or going through the data, and saying we're not on the X, we don't have compromised accounts, and being able to tell the CISO and other C-level executives we're not on the X: invaluable. Again, apologies, so this is an older meme, but it checks out, if y'all have seen this or know it, or if I've just been on the internet too long. I've been on the internet since June of '90, I apologize. "Type your credit card number in to see if you're in the hacker's database." Well, it's not, but it is now. You laugh, but again, we have jobs because of things we shouldn't have to deal with.

Similar functions exist on the dark web. After learning what's on the dark web, I don't go on the dark web unless I have legal authority and a badge to say, if you see something you shouldn't, you're not going to jail for it. There's enough stuff out there; I'm not doing that for fun. There were dark websites, when the dark web came up, that had, hey, if you're an intelligence officer, visit this site and see if your asset, see if your pseudonym, the asset crypt or location or collection tools, let's type it in and see if it's compromised. It's never in there, and all they're doing is harvesting your data, just like Google or Apple or Facebook is collecting it, but it's more for nefarious purposes. So we're not going to take this corporate data, or the Conti leak, and run it on the corporate laptop.

Here we go. So like goes after like. In the military they would say troops go after troops, tanks kill tanks, subs kill subs, airplanes kill airplanes, you get the idea. So in the threat intelligence role we're looking for the immediate actionable intelligence: what is the direct threat to the organization, to our industry? The intrusion detection team, incident response team: what malware do they have, how can we identify the signatures, can we write YARA rules for this?
What do we need to update? What have we not considered that could be of risk? For insider threat it's more of, okay, here's a case study of what went wrong. Even though what the person did was fantastic, it was a noble deed leaking the data, it was still insider threat and we can still learn lessons to make our organization better.

So credentials, that was the biggest thing to sift through. Very common passwords: password, 1234, Boney baloney one with an exclamation point, two exclamation points, summer 2022, the basics. Password managers are breached from Chrome, so even though you've got these long fancy password managers, if you have the different infostealers, you're still breached. But again, for the purpose of this talk, posting other people's PII here for an international talk leads to hiring attorneys, sharing PII leads to being out of work, and then I'm leaning on my Star Wars eBay sales store for revenue and I'd be homeless; nobody wants Star Wars stuff. Again, just to show you a little bit of the volume of creds, it was exhaustive.

So rather than doing the diamond model to explain, anybody ever draw this in elementary school? Yeah, I freaking wanted to use it once in my career. So this is a diamond model. Conti wouldn't just go for phishing to get to the target organization: they used creds, compromised creds, they used vulnerabilities, spear phishing, they then pivot to spear phishing, and then the best one they do is typosquats. So they have five different methods to come after an organization. Holy cow, this next slide is just, it's going to be special. Basically we're going to move to a prettier slide and I'll just talk over that one.

It's text data. Okay, I've downloaded it to an out-of-band laptop. It's not on the corporate laptop, one, because I don't know what this is, I don't know if it's malware. I don't say scam because it's all text, but I don't want it on the corporate network; that's how breaches happen, that's how malware gets loaded. Again, I like my job, I don't want to lose my job. Assuming: never assume. So, out-of-band laptop, not my personal one, because again I don't want to leak my personal data for the sake of the organization. So I have a sterile laptop just to look at this. However you look at text files, whether you load it into forensic tools, command line interface, Notepad, it doesn't matter how you do it, it just matters what you do, because do you want to assume this data is not going to get you fired? I keep reiterating that, but that's a key thing, because people make mistakes.

So I've got two machines running: corporate machine, out-of-band laptop. And communication is key, and Teams chat, God kill me, open a Jira ticket too, have a meeting about your Jira ticket. But we have the data, we're parsing it, and that goes out to the leadership team immediately: organization name is not targeted. Our partner organizations who do similar functions to us, they're not on the X. But when you do that search for that corporation name, you're also searching that database, that list, for creds too, because the @companyname.com is still going to be there, and that's a pretty fast search. We're not on the X, we are not on the compromised credential list. So right now it's 88% coverage; not to put too much into compliance and metrics, but that's a really good start, to immediately take this leaked database of files and say we look pretty good so far. That's a good win.

The next were the phishing templates. We can export those, get those to our detection team to write YARA rules to filter those out, so that we're now mitigated against possible spear phishing. IOCs, domain names: we're starting to get the immediate threat bleeding off. So domain names, possible C2 sites, we're getting that in. Sorry, looks like I picked the wrong week to quit smoking, Airplane, I show my age. So the IP addresses, sorry, the IP addresses, man, I don't know what this is. IP addresses and URLs go into Anomali, those go into your detection, those get blocked. We're now starting to shut down any hook that Conti is going to have into our system. As for sharing the IOCs and TTPs with an ISAC, your information sharing organization: it has to go through legal, has to go through regulatory, that takes attorneys, that takes a long time. We can start that process later, after we're done with the data, but we'll get to it.

Last was the vulnerabilities. This is about 10% of the attacks according to CISA. Very well organized, through 2015 all the way to 2021, the different vulns they had that they wanted to execute. And not just the vulns; you want to work with vulnerability teams. Patching a large enterprise system isn't like updating your iPhone, it's a lengthy process. Not only did they have the vulns listed for each organization, they had how to use the vuln, with YouTube tutorials for each operator. So you've opened a, all right, I'm going to discuss meetings. You're going to have a Jira ticket, a Teams meeting, a Confluence page, a Resilient ticket, all to discuss patching CVE-2019-1385. By the time we get done having the meeting and completing the Jira ticket about the meeting and closing that ticket and tying that Jira ticket back to the parent-child ticket and then tying that back to the main T-shirt size and then giving the pickle order, now I'm not picking the stuff up, that's part of, well, we're worried about compliance and documentation. The ransomware team: okay, this doesn't work, doesn't work, doesn't work, we're in. Just like in the movies, they have a lot more flexibility and speed to penetrate an organization. So that's something to bring back: this isn't a process like an energy organization, I don't want to say it because I like having power and water where I work or where I live, but it's not a year-long process to patch. They're moving very quickly to penetrate and take down a company.

So typosquats, just for a little overview: instead of saying conti.com it would be "k i nen.com"; it looks very similar if you just glance at it, it looks like Conti. Same for Bank of America: the r and the n would be a typosquat. So unless your org has a script written, I have a brilliant engineer on my team, he wrote a script for this to look for all the variants of our corporation name with regex against the WHOIS registry, so every day we know what the latest typosquat attempt for us would look like, so that can get blocked. We don't get phishing emails, customers are unaware, they're never impacted by this. It's a good thing to look at if your organization isn't doing it, but again, this is something the ransomware group is looking at.

The tertiary analysis would be their operational tempo. We've discussed the methodology used to discover and exploit the target machines, their workflow, their chain of command, and this is fun, I love doing this type of work, but for my private sector commercial role, hey, that was two years ago that this leaked; we're worried about today's insider threat, not what happened two years ago. Let's focus on this. So we've got about five minutes left. This would be, again, one of the exercises of after action: how could this have been identified, how could we reverse engineer the source code, how can we pivot on the usernames, the Bitcoin addresses, the targeted firms and industries? I would go to namechk.com, again part of this link from osintframework.com, and see if there's any fragment of their username, to see what else would be out there, that they may be in other target decks, to see where else the organization is. Tertiary analysis: they've got advice on how to leave back doors on the domain controller, where the intrusion team would look for the domain controller, how to bypass that. So the main hacking tool is Cobalt Strike. If we know how to mitigate Cobalt Strike then we're doing pretty good to stop Conti.

But again, this is something that came out months after the leak: this is what Conti would go after, cyber security policies, cyber insurance, how much is going to get paid out, do they have supplementing insurance, who's underwriting this, in what terms. That's what they're looking for: if I take down your organization with ransomware, how much can we get? Okay, if I can take down your org for 25 million and your org for 50, but you don't have insurance, yours does, you're going to pay out faster, I'll go after the 50. I've never considered that as a threat, something that an outsider would look at, till I did this research. You don't want to assume someone's going to do the work for you, because vx-underground does amazing work, but this was uploaded June of 2023, a year and a half after the leak. So I'm not going to wait for my org to download from vx-underground to see if we were on the X when I can process this myself. The steps previously said: they do have compliance. They went to this website, they had to enumerate, hey, this isn't something illicit, this is actually the name of a real company. They had expel. So even the Russian ransom groups have HR to make sure you're not doing anything spicy on your computer.

So the TL;DR: secure your own organization first, then help others. Document the data as you find it; you don't want to cross the same fence twice. Using CARVER methodology doesn't require proprietary software, there's no licensing, there's no fees, there's no ISC2 fees to do it. It's a framework, it's not hardcore technical like the other talks, but it's the mindset you're bringing when you process the data. So the next steps on this: I was speaking at DEF CON on voting machine forensics, and one of the organizers asked if Conti ever targeted the US elections. I still have the data, I could go back and say no, they hadn't. At the time I wasn't concerned about US elections, I was concerned about my employer. Another thing: Bumblebee ransomware uses domain generating algorithms for C2. Dig Conti, that's something you can go back and look at, but you never assume someone else has done the work, because you might be the only person to consider, has Georgetown been targeted by Conti? I don't know, look yourself, and never assume that the data is going to be online.

Last, let's see if this animation works. This works on a Mac, this is a great way to pull metadata. So download a PDF. Again, it's very rudimentary, but it's extracting some intel. We download a PDF, it's a random PDF, open a Terminal on Mac, mdls, metadata list, and here's the hard step: you drag it, drop it, hit enter, and it's going to give the metadata list of who wrote the document, or ostensibly wrote the document, the date it was created, what platform is used, and that's going to give you insider information. So if you do something like this with iMessage, if you don't strip your metadata out, you can get what phone, the GPS, the picture, where it was taken, the Photoshop software used to manipulate, what angle, what camera is used for the photo, which way they're facing, the GPS coordinates, all from this simple mdls list. It's free with your Mac in Terminal.

Last, again, if Conti is worried about the mental health awareness of their cyber security operators, take care of your health, because no one else will take care of you except for yourself. If the Russian criminals can do that, you've got to take care of yourself too. Last question, 10 seconds left, thumbs up, thumbs down: if you're Russia, bad guys, do you remove the insider threat, yes or no, before you invade Ukraine? Yeah, make it firm, friendly, Finland, fire. Hey, we appreciate your time, here's $2 million, thank you for your service, we're sending you and your wife to whitey ke for six weeks, enjoy your vacation. He's gotten well paid out, he's off the X, he's not associated with it, he's happy, and you remove the threat that is still operating. Or if you leave them, then it leads to talks at conferences like this. So time is up, that went by quickly, for me at least. Do we have a minute or two for questions? We don't.
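The speaker mentions a colleague's script that generates variants of the corporate name and checks them with regex against daily WHOIS results, so typosquats can be blocked before phishing lands. The script itself was not shown; the block below is an added example, not the speaker's code. It generates lookalike labels (omission, transposition, doubling, and the "rn"/"m" style homoglyph swaps the talk describes), builds the matching regex, and flags hits in a constructed sample feed that stands in for a day's newly registered domains.

```python
import re
# Added example (not the talk's script): homoglyph pairs a glancing reader
# confuses, including the "rn" vs "m" pair the speaker cites for Bank of America.
HOMOGLYPHS = {
    "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"], "cl": ["d"], "d": ["cl"],
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "0": ["o"],
}


def typosquat_variants(label: str) -> set:
    """Lookalike second-level labels for a brand label such as 'conti'."""
    n = len(label)
    variants = set()
    for k in range(n):                       # omission: "conti" -> "cnti"
        variants.add(label[:k] + label[k + 1:])
    for k in range(n - 1):                   # transposition: "conti" -> "conit"
        variants.add(label[:k] + label[k + 1] + label[k] + label[k + 2:])
    for k in range(n):                       # doubled character: "conti" -> "contti"
        variants.add(label[:k] + label[k] + label[k:])
    for src, dsts in HOMOGLYPHS.items():     # homoglyph swap: "conti" -> "c0nti"
        start = 0
        while (pos := label.find(src, start)) != -1:
            for dst in dsts:
                variants.add(label[:pos] + dst + label[pos + len(src):])
            start = pos + 1
    variants.discard(label)                  # the brand itself is not a squat
    return variants


def lookalike_regex(label: str) -> re.Pattern:
    """Regex that matches any lookalike label under any TLD (the daily check)."""
    alts = "|".join(re.escape(v) for v in sorted(typosquat_variants(label)))
    return re.compile(rf"^(?:{alts})\.[a-z]{{2,}}$")


def flag_lookalikes(brand_domain: str, candidates) -> list:
    """Candidates that impersonate brand_domain: the exact brand label under
    another TLD, or any variant label under any TLD. `candidates` stands in
    for the day's WHOIS / new-registration feed a real deployment would pull."""
    label = brand_domain.lower().partition(".")[0]
    pattern = lookalike_regex(label)
    hits = []
    for dom in candidates:
        dom = dom.lower().strip()
        if dom == brand_domain.lower():
            continue
        if dom.partition(".")[0] == label or pattern.match(dom):
            hits.append(dom)
    return hits


# Constructed sample feed (hypothetical domains) standing in for a day's new registrations.
SAMPLE_FEED = ["c0nti.com", "conti.net", "example.org", "rnicrosoft.com", "conit.io", "contiiii.com"]
```

Running `flag_lookalikes("conti.com", SAMPLE_FEED)` returns the three squats of the brand; the same call with a second brand shows the homoglyph swap catching the `rn` for `m` case.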