Research Saturday N2K Networks

Jon DiMaggio, a Chief Security Strategist at Analyst1, is sharing his work on "Ransomware Diaries Volume 5: Unmasking LockBit." On February 19, 2024, the National Crime Agency (NCA), a UK sovereign law enforcement agency, in collaboration with the FBI, Europol, and nine other countries under "Operation Cronos," disrupted the LockBit ransomware gang’s data leak site used for shaming, extorting, and leaking victim data.
The NCA greeted visitors to LockBit’s dark web leak site with a seizure banner, revealing they had been controlling LockBit’s infrastructure for some time, collecting information, acquiring victim decryption keys, and even compromising the new ransomware payload intended for LockBit 4.0.
The research can be found here:
Ransomware Diaries Volume 5: Unmasking LockBit

Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Hosein Yavarzadeh from the University of California San Diego, as he is discussing his work on "Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor" This paper introduces new methods that let attackers read from and write to specific parts of high-performance CPUs, such as the path history register (PHR) and prediction history tables (PHTs).
These methods allow two main types of attacks. One can reveal a program's control flow history, as shown by recovering a secret image through the libjpeg routines. The other enables detailed transient attacks, demonstrated by extracting an AES encryption key, highlighting significant security risks for these systems.
The research can be found here:
Graph: Growing number of threats leveraging Microsoft API

Learn more about your ad choices. Visit megaphone.fm/adchoices

Dick O'Brien from Symantec Threat Hunter team is discussing their research on “Graph: Growing number of threats leveraging Microsoft API.” The team observed an increasing number of threats that have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services.
The research states "the technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware used the Graph API to leverage Microsoft OneDrive for C&C purposes."
The research can be found here:
Graph: Growing number of threats leveraging Microsoft API

Learn more about your ad choices. Visit megaphone.fm/adchoices

Adam Marré, CISO at Arctic Wolf, is diving deep into geopolitical tension with China including APT31, iSoon and TikTok with Dave this week. They also discuss some of the history behind China cyber operations.
Adam shares information on how different APT groups are able to create spear phishing campaigns, and provides info on how to combat these groups.
Learn more about your ad choices. Visit megaphone.fm/adchoices

Christopher Doman, Co-Founder and CTO at Cado Security, is talking about their research on "Cerber Ransomware: Dissecting the three heads." This research delves into Cerber ransomware being deployed onto servers running the Confluence application via the CVE-2023-22518 exploit. 
The research states "Cerber emerged and was at the peak of its activity around 2016, and has since only occasional campaigns, most recently targeting the aforementioned Confluence vulnerability."
The research can be found here:
Cerber Ransomware: Dissecting the three heads

Learn more about your ad choices. Visit megaphone.fm/adchoices

Greg Lesnewich, senior threat researcher at Proofpoint, sits down to discuss "From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering." Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanction topics via benign conversation starting emails. 
The research states "While our researchers have consistently observed TA427 rely on social engineering tactics and regularly rotating its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling."
The research can be found here:
From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering

Learn more about your ad choices. Visit megaphone.fm/adchoices