Threat Intel Lead @swisscom_de - Opinions are my own. Interested in #APT #YARA #SIGMA #ThreatIntel - Did #SIGINT in a previous life

Blockchain
Joined February 2017
What is the bigger problem for your organisation ?
13% OMG Quantum is coming
87% What is asset management?
637 votes • Final results
markus neis retweeted
Talos found a tiny Turla backdoor. It's "likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed." 🐍 blog.talosintelligence.com/2…
markus neis retweeted
Come and join us to work on really complex vulnerabilities. Not only from a technical perspective but also from a human perspective: you will work with a lot of different people all across the globe. Sydney, USA (remote?!…) careers.google.com/jobs/resu… RT appreciated. @certcc might like this.
markus neis retweeted
PLEASE stop interviewing ransomware operators and giving them a platform for yet more publicity. They DO NOT need it. The Victims need more coverage.
markus neis retweeted
I built an attack matrix for #Office365 of various techniques used by (mostly) #APT groups to bypass #MFA, achieve persistence, impersonate users including ... > Malicious App Registrations > Abuse of Service Principals > API Bruteforce > Abuse of PTA bit.ly/2XnKju3
Guess who is coming to dump your Confluence DB with a bit of PyFu? Well, you monitor your confluence.cfg.xml, don't you? af4bf6d971e4896069589cf776cf5b27 🇨🇳
markus neis retweeted
I'm going to be giving a talk at #TheSAS2021! It's going to be on #APT41, and some of its campaigns I tracked a few months ago. I'm really looking forward to presenting, and seeing the other awesome talks scheduled 😄
Dear friends, the #TheSAS2021 agenda is live! #Likeoldtimes we filled it with some thrilling announcements and practical workshops alongside a fun, family atmosphere and #TheSAScon buzz! thesascon.com/program
Looking forward to this one!
At VB2021 #vblocalhost @_marklech_ @CurlyCyber and @r00tbsd will discuss some of the Lyceum (aka Hexane) group's recent operations in the Middle East with an eye to interesting ties to other actors. Register now for free! vblocalhost.com/presentation…
#cobaltstrike in the making: 80737a1cc80fa0fb54aeb8d49c2e2ac0 cf310b62d94874e24c287b19a5b31a15 d3169d62ff358f1611a421f62c0b97e7. Btw, the shellcode is there as well with 0 AV detections: cdb184c77d9ce2991fb9bac3bb985b2d, but @cyb3rops gives you 5 :D
Can confirm!
#GReAT recorded video from my colleague @CurlyCyber piped.kavin.rocks/qW3s5iKNWdE Check it out! She rocks!
markus neis retweeted
How to check iOS devices for signs of CVE-2021-30860 / FORCEDENTRY exploitation (for context, see @citizenlab's 13.09.2021 blog). #nso #pegasus #malware #ios
markus neis retweeted
Researchers urge Apple users to update immediately. The new zero-click zero-day ForcedEntry flaw affects all things Apple: iPhones, iPads, Macs and Watches. 👉 kas.pr/k386
I sincerely appreciate all of the great suggestions. Here is the updated chart based on everyone's input. I had to reformat it to make it readable. I originally had company logos where the ransomware icon is, but I figure companies won't want their logo on a ransomware chart 🤣.
I could use your (yes you) help. I am trying to compile a list of vulnerabilities ransomware groups (or their access brokers) use to gain initial access. Excepting Kaseya, are there any others I am missing from this list? Remember, this is initial access only.
markus neis retweeted
A quick #dailyyara crossover episode with #dailypcap. Now, before you say anything, I acknowledge I am a @stvemillertime wanna-be :D Now to the fun.
markus neis retweeted
Since THOR adds multiple external vars in YARA rule matching, we can write a rule that looks for ELF binaries written by the #confluence user but outside any Confluence directory for a compromise assessment. YARA rules: github.com/Neo23x0/signature… THOR manual: thor-manual.nextron-systems.…
True!
Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven't already. This cannot wait until after the weekend.
markus neis retweeted
Thanks to everyone who participated in our Yara webinar earlier this week! It's heartwarming to see so much interest in TI and Yara. Together with @trompi and @plusvic we answered all (hopefully!) pending questions. Enjoy 'Applied Yara training Q&A': securelist.com/applied-yara-…