State of the Hack Episode 09: Holiday APT Spectacular

This month, we took a break from traveling to conferences and speaking with front-line defenders so that we could recap some of the most interesting activity that we’ve analyzed in recent months. We spent this whole State of the Hack episode, the last of 2018, at our new office in Reston, VA talking about interesting threat intelligence conclusions, APT29 emerging from the dark, unique attacker malware and techniques, and some of our latest FireEye blog posts. Think of it as a return to our roots – finishing 2018 the way we kicked things off in Episode 1 earlier this year.

Episode Recap and More Information

“Viewing the News from the Trenches”: We start off by discussing FireEye's recent conclusions that the intrusion activity that led to deployment of the TRITON ICS malware framework was supported by a Russian government-owned technical research institution located in Moscow. Next, we shift to a recent suspected APT29 phishing campaign that involved intrusion attempts against multiple industries, including law enforcement, media, and U.S. military. We then talk about the Department of Justice announcement that two Iranian men were indicted for their roles in distributing SamSam ransomware that ultimately led to losses exceeding $30 million, as well as what the Chinese Ministry of State Security indictments mean for contextualizing the physical side of an IT compromise.

“Novel Technique Adoption”: We spend some time talking about DNS Over HTTPS, a protocol that is intended to improve user privacy and security yet is ripe for abuse by attackers. A big shout out to David Middlehurst (@dtmsecurity) with SpiderLabs for his hard work on this topic, and also for talking about it with us at MITRE ATT&CKcon in October. We also chat about profilers – specifically web profilers and document profilers – that are used by attackers to determine whether or not they want to deliver a specific exploit or other threat to a system.

“Deciphering CMD and the FireEye Blogs that Help”: To close out our final episode of the year, we call attention to a couple of recent FireEye blog posts that deserve more attention. Michael Bailey (@mykill) updated his flare-qdb tool, which is a command-line and Python-scriptable debugger based on Vivisect. Read his latest post to learn how to use flare-qdb to bring “script block logging” to the Windows command interpreter, and more. In a separate blog post, Vikram Hegde presents a machine learning approach to solving an emerging security problem: detecting obfuscated Windows command line invocations on endpoints.
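As an added illustration of the detection problem mentioned above (this is example code written for this recap, not the FireEye model or any code from the blog post), the script below extracts a few syntactic features that betray common cmd.exe obfuscation tricks and applies hand-picked weights in place of a trained classifier; the sample command lines and the weights are constructed assumptions.

```python
import re

# Constructed sample command lines (not from the original post): two plain invocations
# followed by three that use well-known cmd.exe obfuscation tricks.
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c whoami',
    'cmd.exe /c net user',
    'cmd.exe /c w^h^o^a^m^i',                       # caret escapes between characters
    'cmd /c "set a=who&&set b=ami&&call %a%%b%"',   # command assembled from variables
    'cmd /c %COMSPEC:~-7,3% /c wh""oami',           # substring expansion and inline quotes
]

# Regexes for the syntactic tells these tricks leave behind.
SUBSTRING_EXPANSION = re.compile(r'%[A-Za-z_][A-Za-z0-9_]*:~-?\d+(?:,-?\d+)?%')
INLINE_EMPTY_QUOTES = re.compile(r'\w""\w')
SET_THEN_CALL = re.compile(r'\bset\b.*\bcall\b', re.IGNORECASE)


def features(cmdline):
    """Extract per-command-line counts that an obfuscation classifier would consume."""
    non_alnum = sum(1 for ch in cmdline if not ch.isalnum())
    return {
        'carets': cmdline.count('^'),
        'substring_expansions': len(SUBSTRING_EXPANSION.findall(cmdline)),
        'inline_empty_quotes': len(INLINE_EMPTY_QUOTES.findall(cmdline)),
        'set_then_call': int(bool(SET_THEN_CALL.search(cmdline))),
        'non_alnum_ratio': non_alnum / max(len(cmdline), 1),
    }


def obfuscation_score(cmdline):
    """Hand-weighted score; hypothetical weights standing in for a trained model."""
    f = features(cmdline)
    score = (f['carets']
             + 2 * f['substring_expansions']
             + 2 * f['inline_empty_quotes']
             + 2 * f['set_then_call'])
    if f['non_alnum_ratio'] > 0.3:   # symbol-heavy lines are rare in benign cmd usage
        score += 1
    return score


def scan(command_lines, threshold=2):
    """Return (cmdline, score) for every line whose score meets the threshold."""
    return [(c, obfuscation_score(c)) for c in command_lines
            if obfuscation_score(c) >= threshold]


if __name__ == '__main__':
    for cmdline, score in scan(SAMPLE_COMMAND_LINES):
        print(f'{score:>2}  {cmdline}')
```

Feed it process-creation command lines from endpoint telemetry (for example Sysmon event ID 1) to see which features fire on real data before tuning thresholds.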

State of the Hack® is FireEye's monthly broadcast series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, cyber espionage, attack trends, and tales from the front lines of responding to targeted intrusions. If you want to experience the magic, you can watch all State of the Hack episodes now. All episodes are also available as podcasts.