Dragonfly v2 : Mindmap on energy sector targeted by sophisticated attack group

Mid 2014 Symantec released a report on a threat actor Dragonfly targeting energy companies. Early September 2017 Symantec released an updated report on Dragonfly v2 where they describe that the threat actor shifted their attention from merely observing the environment to having remote access to the environment of energy providers.

This shift could indicate that the threat actor has a changed objective, from monitoring to actually intervening and potentially conducting sabotage.

I created two mindmapsRead more.

Monitor your public assets via Shodan

Shodan is a powerful tool for doing passive reconnaissance. It’s also a great source of information that you can put to good use to monitor your publicly available assets. Shodan acts as a search engine (also see: : What is Shodan.io?), whatever that is connected to the internet will get indexed by their crawlers.

I wrote a script that takes one parameter (ideally a string) and

Fetches the information that is available at Shodan forRead more.

NotPetya / ExPetr information

I updated my page on WannaCry with information on the latest NotPetya ransomware attack : https://www.wannacry.be.

Mindmap for CRASHOVERRIDE

Both Dragos and ESET released two reports on the analysis of malware attacking power grids.

According to Dragos the adversary group labeled as ELECTRUM is responsible for the cyber attack on the Ukraine electric grid in 2016.

I created a mindmap based on the info in the Dragos document. It’s available on https://github.com/cudeso/tools/tree/master/CRASHOVERRIDE

https://www.us-cert.gov/ncas/alerts/TA17-163A https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf https://dragos.com/blog/crashoverride/

WannaCry / Wcry / WannaCrypt help / advice

I compiled a list of -hopefully- useful tips and help for dealing with the WannaCry ransomware. I try to keep the page updated as soon as new information is available.

See https://www.wannacry.be/. Feedback is welcome!

What could have limited the impact of the WannaCry / Wcry / WannaCrypt ransomware?

A major wave of ransomware called WannaCry / Wcry / WannaCrypt has hit many organizations around the world, causing panic among many users, system administrators and security professionals. The details of the ransomware have been covered in detail at other posts

Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware Player 3 Has Entered the Game: Say Hello to ‘WannaCry’ Massive outbreak of ransomware variant infects large amounts of computers aroundRead more.

What is Shodan telling us about ICS in Belgium?

I have been using Shodan, “the world’s first search engine for Internet-connected devices”, since a long time. Recently I switched my free account to a membership account. A membership account allows you to do API queries with additional query filters (for example restricting search results to specific countries).

In this post I describe the results of querying the Shodan API for ICS (or related) devices in Belgium. These results are entirely based on what isRead more.

Hack of Polish Financial Supervision Authority and Polish banks

A couple of days back the financial sector in Poland was shocked by the news that the Polish financial supervision authority was hacked and was used as an attack vector to get access to other (mostly Polish) banks.

This is a very short summary with some IOCs (Indicator of Compromise) that you can use to check your logs and verify if you are affected.

Note that most of this information is composed from information foundRead more.

MISP EcoSystem : Threat Intelligence, VMRay and MISP

I made a slide-deck on integrating MISP and VMRay in your incident management workflow.

MISP EcoSystem – Threat Intelligence, VMRay, MISP from Koen Van Impe

Use Certificate Transparency for OSINT and passive reconnaissance

SANS ISC recently posted an article on The Dark Side of Certificate Transparency.

Certificate transparency means that participating certificate authorities will publish all certificates that they issue in a log. This information is public, meaning that you can search it at will.

The article already touches one of the side effects of having this information publicly available. By publishing the information organizations can disclose hostnames they’d rather not be known on the internet.

There areRead more.