ShadowTalk Threat Intelligence by Digital Shadows

Summary: Digital Shadows' ShadowTalk discusses the latest threat intelligence and cybersecurity news with our panel of threat intelligence experts, security engineers, security researchers, and more.

Podcasts:

 Special: Jeff Stone Discusses His Origin Story, Interviewing Cybercriminals, and More! | File Type: audio/mpeg | Duration: 00:45:03

Digital Shadows CISO Rick hosts this edition of ShadowTalk. He’s joined by special guest and friend Jeff Stone, Editor at CyberScoop News. They discuss: - Jeff's origin story - Parallels between journalism and threat intelligence - How journalists validate sources - Why "It's better to be right than first" - The go-to defense lawyer for Russian and Eastern European cybercriminals - The nuance around interviewing cybercriminals ***Resources from this special podcast*** Find Jeff on Twitter: https://twitter.com/jeffstone500 CyberScoop: https://www.cyberscoop.com/ https://twitter.com/CyberScoopNews CyberScoop CyberTalks Virtual Summit https://www.cyberscoop.com/events/cybertalks/ "How Arkady Bukh, a New York-based immigrant from the former Soviet bloc, emerged as the go-to defense lawyer for the cybercrime underworld." https://www.cyberscoop.com/story/arkady-bukh-man-in-the-middle/

 Weekly: Colonial Pipeline Updates, DarkSide Feels the Pressure, and More! | File Type: audio/mpeg | Duration: 00:29:52

ShadowTalk hosts Sean, Alec, Ivan, and Charles bring you the latest in threat intelligence. This week they cover: - Ivan takes us through the latest updates on DarkSide and the Colonial Pipeline incident - DarkSide faces consequences - The team talks about new legislation from the US government - better late than never? - Plus, our hosts dive into all things ransomware - what’s happening with the cyber threat landscape? - Alec brings us the latest on Conti ransomware targeting Ireland's Department of Health - what was the impact? - Charles discusses a new web skimmer indicating ongoing Magecart activity Get this week’s intelligence summary at: https://resources.digitalshadows.com/digitalshadows/weekly-intelligence-summary-21-may ***Resources from this week’s podcast*** Colonial Pipeline Updates: https://www.bankinfosecurity.com/2-bills-introduced-in-wake-colonial-pipeline-attack-a-16666 Conti Ransomware: https://www.bleepingcomputer.com/news/security/conti-ransomware-also-targeted-irelands-department-of-health/ PHP Skimmer: https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/ Verizon DBIR: https://enterprise.verizon.com/resources/reports/2021-data-breach-investigations-report.pdf Also, don’t forget to reach out to - shadowtalk@digitalshadows.com

 Weekly: The Colonial Pipeline Incident, BEC Gift Card Campaigns, and More! | File Type: audio/mpeg | Duration: 00:47:09

ShadowTalk hosts Stefano, Chris, Kim, and Xue bring you the latest in threat intelligence. This week they cover: - Xue takes us through the Colonial Pipeline ransomware incident - DarkSide’s involvement and more - What does the attack on the Colonial Pipeline indicate for future cyber threats against critical infrastructure? - Chris dives into the BEC incident - what does it mean and what happened? - Kim discusses the Bulletproof Hosting indictment - what is the impact? Get this week’s intelligence summary at: https://resources.digitalshadows.com/digitalshadows/weekly-intelligence-summary-14-may ***Resources from this week’s podcast*** Colonial Pipeline: https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-compromise-of-colonial-pipeline-networks DarkSide: https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/ Gift Card Scam: https://www.microsoft.com/security/blog/2021/05/06/business-email-compromise-campaign-targets-wide-range-of-orgs-with-gift-card-scam/ Bulletproof Hosting: https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals Bitcoin Blog: https://www.digitalshadows.com/blog-and-research/bitcoin-and-alternative-cryptos-in-the-cybercriminal-underground/ Colonial Pipeline Blog: https://www.digitalshadows.com/blog-and-research/colonial-pipeline-ransomware-attack/ Vaccine Card Blog: https://www.digitalshadows.com/blog-and-research/how-cybercriminals-can-leverage-your-vaccination-card-selfie/ Mapping MITRE to Wannacry Blog: https://www.digitalshadows.com/blog-and-research/mapping-mitre-attck-to-the-wannacry-campaign/

 Special: David Thejl-Clayton Talks Data Driven Incident Response and Verizon DBIR | File Type: audio/mpeg | Duration: 00:43:56

Digital Shadows CISO Rick hosts this edition of ShadowTalk. He’s joined by special guest David Thejl-Clayton, Senior Advisor in Cyber Defense at Combitech. They discuss: - David talks origin story, his journey through CTI, and his current role at Combitech - His obsession with data-driven response and how that data-love came to be - He and Rick reminisce about favorite speakers at SANS - They discuss the Verizon DBIR - what’s to come? - Purple-teaming - how to bring value to organizations through data ***Resources from this week’s podcast*** Find David on Twitter: https://twitter.com/DCSecuritydk Find David on LinkedIn: https://www.linkedin.com/in/davidclayton454/ Data Driven Incident Response: https://www.youtube.com/watch?v=Ll60XUJnRTw SANS CTI Summit - VERISIZE your way into CTI: https://www.youtube.com/watch?v=AwMC6INC5TE https://www.sans.org/blog/a-visual-summary-of-sans-cyber-threat-intelligence-summit/ Vocabulary for Event Recording and Information Sharing (VERIS): http://veriscommunity.net/ 2020 Data Breach Investigations Report: https://enterprise.verizon.com/resources/reports/dbir/

 Weekly: VPN Vulnerabilities, Supply Chain Attacks, and Babuk Says “Bye”! | File Type: audio/mpeg | Duration: 00:34:09

ShadowTalk hosts Alec, Ivan, Sean, and Digital Shadows CISO, Rick, bring you the latest in threat intelligence. This week they cover: - Sean discusses Pulse Secure VPN vulnerabilities - what are the latest updates and who is being targeted? - The team talks about supply chain compromise - what is it? - Sean takes us through the DDoS attack on Belnet - Babuk is hanging up their hat - Ivan brings us the latest - Ryuk gets ahold of bio research through a student Get this week’s intelligence summary at: https://resources.digitalshadows.com/digitalshadows/weekly-intelligence-summary-07-may ***Resources from this week’s podcast*** Pulse Secure: https://www.bleepingcomputer.com/news/security/pulse-secure-fixes-vpn-zero-day-used-to-hack-high-value-targets/ Belnet: https://www.zdnet.com/article/this-massive-ddos-attack-took-large-sections-of-a-countrys-internet-offline/ Babuk: https://threatpost.com/babuk-ransomware-gang-mulls-retirement/165742/ Ryuk: https://www.zdnet.com/article/ryuk-ransomware-finds-foothold-in-bio-research-institute-through-a-student-who-wouldnt-pay-for-software/#ftag=RSSbaffb68 The Technology Adoption Lifecycle Of Genesis Market Blog: https://www.digitalshadows.com/blog-and-research/the-technology-adoption-lifecycle-of-genesis-market/ The Top 5 Dark Web Monitoring Use Cases Blog: https://www.digitalshadows.com/blog-and-research/the-top-5-dark-web-monitoring-use-cases/ Password Day Blog: https://www.digitalshadows.com/blog-and-research/creating-security-aware-passwords/ Also, don’t forget to reach out to - shadowtalk@digitalshadows.com

 Special: Amy Bejtlich Talks Culture of Candor Within Intel Teams and More! | File Type: audio/mpeg | Duration: 00:33:27

Digital Shadows CISO, Rick, hosts this edition of ShadowTalk. He’s joined by special guest Amy Bejtlich, Director of Intelligence Analysis at Dragos, Inc. They discuss: - Amy’s origin story and journey from traditional intelligence to cyber intelligence - How to "bloom where you are planted" - Her various SANS cyber threat intel presentations - How to build a "culture of candor" within an intel team - Minimizing burnout and supporting the mental health of teams ***Resources from this week’s podcast*** Find Amy on Twitter: https://twitter.com/_Silent_J Find Amy on LinkedIn: https://www.linkedin.com/in/amybejtlich/ SANS New to Cyber Summit: "Job Role Spotlight - Cyber Threat Intelligence": https://sansorg.egnyte.com/dl/TjsPnHluNo/? SANS 2019 CTI Summit Video: "Analytic Tradecraft In The Real World": https://www.youtube.com/watch?v=MWJZsW9HooY SANS 2019 CTI Summit slides: "Analytic Tradecraft In The Real World": https://sansorg.egnyte.com/dl/MnytUZPcOU/?

 Special: ShadowTalk’s 200th Episode! | File Type: audio/mpeg | Duration: 01:09:50

It’s a full house with ShadowTalk hosts Stefano, Alec, Charles, Kim, Dylan, Adam, and Digital Shadows CISO, Rick! The team is looking back at three years of ShadowTalk and taking us on a journey through changes in the threat landscape. They discuss: - Adam and Alec take us through ransomware heavy hitters from the last few years - Big game hunting, double-extortion, and more - The team reminisce about their first time joining ShadowTalk - Kim and Rick tackle supply-chain attacks - looking back at SolarWinds and the role of trust - Most embarrassing moments in ShadowTalk history - Dylan and Charles talk CVEs - more on opportunistic attackers taking advantage of Covid-19 and remote work - Final thoughts from the team - what would you tell your 2018 self? Check out the video recording of the podcast here: https://resources.digitalshadows.com/digitalshadows/special-shadowtalk-s-200th-episode Get this week’s intelligence summary at: https://resources.digitalshadows.com/digitalshadows/weekly-intelligence-summary-30-april ***Resources from this week’s podcast*** Phineas Fisher And The Hacking Team Investigation: https://resources.digitalshadows.com/threat-intelligence-podcast-shadowtalk/episode-51-phineas-fisher-and-the-hacking-team-investigation SolarWinds Supply Chain Attack Round-Up: https://resources.digitalshadows.com/threat-intelligence-podcast-shadowtalk/weekly-solarwinds-supply-chain-attack-round-up ElectricFish Malware Attributed To “Lazarus Group”: https://resources.digitalshadows.com/threat-intelligence-podcast-shadowtalk/electricfish-malware-attributed-to-lazarus-group Threat Report ATT&CK Mapping (TRAM) with MITRE’s Sarah Yoder And Jackie Lasky: https://resources.digitalshadows.com/threat-intelligence-podcast-shadowtalk/threat-report-attck-mapping-tram-with-mitre-sarah-yoder-and-jackie-lasky CVE 2019-0708 RDP Vulnerability and GDPR’s Anniversary: https://resources.digitalshadows.com/threat-intelligence-podcast-shadowtalk/cve-2019-0708-rdp-vulnerability-and-gdpr-s-anniversary Also, don’t forget to reach out to - shadowtalk@digitalshadows.com

 Weekly: Supply Chain Attacks Rule The Day, Plus The FBI Takes On Web-Shells | File Type: audio/mpeg | Duration: 00:24:28

ShadowTalk hosts Alec, Ivan, Charles, and newcomer, Sean, bring you the latest in threat intelligence. This week they cover: - Ivan dives into FBI actions against web-shells from compromised Exchange servers - Codecov supply chain attacks - Charles brings us the latest - The team discuss the Pulse Secure VPN bug - Plus, don’t forget our special 200th episode next week! Get this week’s intelligence summary at: https://resources.digitalshadows.com/digitalshadows/weekly-intelligence-summary-23-april ***Resources from this week’s podcast*** FBI Web Shells: https://www.welivesecurity.com/2021/04/14/fbi-removes-malware-compromised-exchange-servers/ Codecov: https://www.bleepingcomputer.com/news/security/hundreds-of-networks-reportedly-hacked-in-codecov-supply-chain-attack/ REvil vs. Apple: https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/ Pulse Secure VPN: https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day-used-to-hack-defense-firms-govt-orgs/ https://www.bleepingcomputer.com/news/security/cisa-orders-federal-orgs-to-mitigate-pulse-secure-vpn-bug-by-friday/ Q1 Vulnerability Blog: https://www.digitalshadows.com/blog-and-research/q1-vulnerability-roundup/ Emotet Shutdown Blog: https://www.digitalshadows.com/blog-and-research/the-emotet-shutdown-explained/ Also, don’t forget to reach out to - shadowtalk@digitalshadows.com

 Weekly: Q1 Ransomware Round-Up - Looking Back at Early 2021 | File Type: audio/mpeg | Duration: 01:10:41

ShadowTalk hosts Stefano, Adam, Kim, and Chris bring you the latest in threat intelligence. This week they cover: - Kim takes us back to SolarWinds, the Centreon breach, the Accellion incident, and the Microsoft Exchange supply chain attack - The team discusses attributing attacks - state-sponsored threat actors leverage sophisticated tactics, allowing lower-level cybercriminals to ride their coattails - Chris takes the team through mitigating risks and ProxyLogon vulnerabilities - How Covid-19 and WFH have affected the threat landscape - VPN vulnerabilities - Advice for security teams - what to prioritize - Adam discusses ransomware trends in Q1 2021 - The team touches on law enforcement activity and more! Get this week’s intelligence summary at: https://resources.digitalshadows.com/digitalshadows/20210416-ds-weekly-intsum-updated ***Resources from this week’s podcast*** Q1 Ransomware Blog: https://www.digitalshadows.com/blog-and-research/q1-ransomware-roundup/ IABs Q1 Blog: https://www.digitalshadows.com/blog-and-research/initial-access-brokers-listings-increasing-in-2021/ Also, don’t forget to reach out to - shadowtalk@digitalshadows.com

 Weekly: Facebook Data Breach, Ransomware Cartel, and More! | File Type: audio/mpeg | Duration: 00:37:03

ShadowTalk hosts Alec, Ivan, Charles, and Digital Shadows CISO Rick bring you the latest in threat intelligence. This week they cover: - Ivan talks through the latest updates on the Facebook data breach - threat actors selling old data for cheap and what was potentially exposed - Charles discusses Fortinet vulnerabilities - what are the technical details and how do defenders protect their data? - The team dives deeper into the ransomware cartel - Clop updates - what’s the latest and who are they targeting? Get this week’s intelligence summary at: https://resources.digitalshadows.com/digitalshadows/weekly-intelligence-summary-09-april ***Resources from this week’s podcast*** Facebook Breach: https://www.theguardian.com/technology/2021/apr/06/facebook-breach-data-leak Fortinet Vulnerabilities: https://www.ic3.gov/Media/News/2021/210402.pdf https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-state-hackers-attacking-fortinet-fortios-servers/ Ransomware Cartel: https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf https://www.scmagazine.com/home/security-news/ransomware/ransomware-cartel-model-didnt-fulfill-potential-yet-but-served-as-cybercrime-proving-ground/ Stanford Breach: https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/ Actionable Threat Intel: https://www.digitalshadows.com/blog-and-research/new-release-actionable-threat-intelligence-with-searchlight/ MITRE and CTI: https://www.digitalshadows.com/blog-and-research/applying-mitre-attck-to-your-cti-program/ Also, don’t forget to reach out to - shadowtalk@digitalshadows.com

 Weekly: It’s A Ransomware Round-Up - CNA, Clop, and Much More! | File Type: audio/mpeg | Duration: 00:49:48

ShadowTalk hosts Stefano, Dylan, Kim, and Chris bring you the latest in threat intelligence. This week they cover: - Kim and her recent ransomware round-up - insurance company CNA suffers attack, Clop holds victims for ransom, and more - Chris takes the team through the PHP Git Server backdoor - Dylan and the group talk pandemic, remote-working, and cyber hygiene Get this week’s intelligence summary at: https://resources.digitalshadows.com/digitalshadows/weekly-intelligence-summary-02-april ***Resources from this week’s podcast*** Tax Fraud 2021 Blog: https://www.digitalshadows.com/blog-and-research/tax-and-unemployment-fraud-in-2021/ Microsoft Exchange Hafnium Blog: https://www.digitalshadows.com/blog-and-research/microsoft-exchange-server-exploit-what-happened-next/ Cyber Threat Intelligence: Solutions Guide and Best Practices: https://resources.digitalshadows.com/digitalshadows/cyber-threat-intelligence-solutions-guide Also, don’t forget to reach out to - shadowtalk@digitalshadows.com

 Special: Dr. Chase Cunningham Talks Zero Trust, His Book on Cyber Warfare, and More! | File Type: audio/mpeg | Duration: 00:35:45

Digital Shadows CISO Rick hosts this edition of ShadowTalk. He’s joined by special guest Dr. Chase Cunningham, author, Retired Navy Chief Cryptologist, and Chief Strategy Officer at Ericom Software. They discuss: - Dr. Chase's origin story - How to use Zero Trust to take back initiative from the adversary - How the VPN is the Palm Pilot of your network infrastructure - Why there is no Zero Trust easy button - Chase's romance novel on cyber warfare - Threat modeling vacations ***Resources from this week’s podcast*** Find Dr. Chase Cunningham on LinkedIn: https://www.linkedin.com/in/dr-chase-cunningham-54b26243/ Find Dr. Chase Cunningham on Twitter: https://twitter.com/CynjaChaseC Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare: https://www.amazon.com/gp/product/B084ZN2HBD/ref=dbs_a_def_rwt_bibl_vppi_i0 Ericom Software: https://www.ericom.com/r/dr-zero-trust/ ZT Edge: https://www.zerotrustedge.com/

 Weekly: More on Microsoft and Acer Receives $50 Million in Ransom Demands | File Type: audio/mpeg | Duration: 00:21:12

ShadowTalk hosts Alec, Austin, Charles, and Digital Shadows CISO Rick bring you the latest in threat intelligence. This week they cover: - The team discusses the latest on Exchange Server vulnerabilities - should guards still be up? - Austin takes us through the timeline of ransomware taking advantage of vulnerabilities regarding Microsoft - Austin talks $50 million ransom against Acer - biggest known ransom request in modern history. What does this mean for the threat landscape going forward? - A phishing campaign has stolen 400,000 OWA/O365 creds - how to make yourself the hardest target possible Get this week’s intelligence summary at: https://resources.digitalshadows.com/digitalshadows/weekly-intelligence-summary-26-march ***Resources from this week’s podcast*** Microsoft Vulnerabilities: https://www.bleepingcomputer.com/news/security/microsoft-92-percent-of-exchange-servers-safe-from-proxylogon-attacks/ Acer Ransom: https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/ Black Kingdom Ransomware: https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-now-targeted-by-black-kingdom-ransomware/ Office 365 Phishing: https://www.bleepingcomputer.com/news/security/microsoft-warns-of-phishing-attacks-bypassing-email-gateways/ 2021 Tax Blog: https://www.digitalshadows.com/blog-and-research/tax-and-unemployment-fraud-in-2021/ Cybercriminal Perspective Blog: https://www.digitalshadows.com/blog-and-research/the-cybercriminal-perspective/ Also, don’t forget to reach out to - shadowtalk@digitalshadows.com

 Special: Creator of Zero Trust John Kindervag Talks Origins and the Future of Zero Trust! | File Type: audio/mpeg | Duration: 00:39:44

Digital Shadows CISO Rick hosts this edition of ShadowTalk. He’s joined by special guest John Kindervag, creator of Zero Trust and Senior Vice President, Cybersecurity Strategy, ON2IT Group Fellow at ON2IT Cybersecurity. They discuss: - John’s origin story and influences - what led to the creation of Zero Trust? - Zero Trust - origin, design principles, and terminology - What are your protect surfaces? - using Zero Trust - John’s new position at ON2IT ***Resources from this week’s podcast*** Find John Kindervag on LinkedIn: https://www.linkedin.com/in/john-kindervag-40572b1/ Find John Kindervag on Twitter: https://twitter.com/Kindervag Understanding Zero Trust Terminology: https://www.paloaltonetworks.com/resources/zero-trust Antifragile: Things That Gain from Disorder: https://www.amazon.com/Antifragile-Things-That-Disorder-Incerto/dp/0812979680

 Weekly: Ransomware Resurgence - The Return of FIN8, DarkSide, and More! | File Type: audio/mpeg | Duration: 00:42:01

ShadowTalk hosts Stefano, Adam, Kim, and first-timer Chris bring you the latest in threat intelligence. This week they cover: - Kim takes us through the return of FIN8 - what are the updates to the “BadHatch” backdoor? - Chris discusses DarkSide's recent resurgence after a quiet period - what’s the latest? - Microsoft Exchange exploit update - the team discuss - How are threat actors and cybercriminals using ProxyLogon vulnerabilities? Get this week’s intelligence summary at: https://resources.digitalshadows.com/digitalshadows/weekly-intelligence-summary-19-march ***Resources from this week’s podcast*** FIN8: https://labs.bitdefender.com/2021/03/fin8-group-is-back-in-business-with-improved-badhatch-kit/ DarkSide: https://www.infosecurity-magazine.com/news/darkside-20-ransomware-fastest/ ProxyLogon: https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ https://www.vice.com/en/article/n7vpaz/researcher-publishes-code-to-exploit-microsoft-exchange-vulnerabilities-on-github AC Features: https://www.vice.com/en/article/pkdnkz/escape-zoom-meetings-by-faking-technical-issues-and-crying-with-this-app https://attack.mitre.org/techniques/T1090/003/ https://attack.mitre.org/software/S0398/ Mapping MITRE to Microsoft Blog: https://www.digitalshadows.com/blog-and-research/mapping-mitre-attack-to-microsoft-exchange-zero-day-exploits/ Revisiting Spectre Blog: https://www.digitalshadows.com/blog-and-research/revisiting-the-spectre-and-meltdown-vulnerabilities/ Monitoring for Supplier Risks Blog: https://www.digitalshadows.com/blog-and-research/monitoring-for-risks-coming-from-suppliers/ FBI IC3 Blog: https://www.digitalshadows.com/blog-and-research/fbi-ic3-2020/ Also, don’t forget to reach out to - shadowtalk@digitalshadows.com
