S2E13: Rudolph the Redsourced Reindeer

State of the Hack

Ho ho homepage! Christopher Glyer and Nick Carr are back for the last episode of 2019. They’re closing the year with a look at this month’s front-line espionage activity and a whole bunch of FIN intrusions! In addition to the threat round-up, they highlight some of our Mandiant consultants doing that work and a few DFIR tricks they included in a recent blog: https://www.fireeye.com/blog/threat-research/2019/12/tips-and-tricks-to-analyze-data-with-microsoft-excel.html.

As a special bonus, Santa dropped off a slide clicker for the show, so Nick and Christopher decide to go deep on their recent presentation at #CYBERWARCON on “red sourcing.” An episode sure to make them friends on infosec twitter! The presentation was a 10 minute #threatintel lightning talk, but embracing the Christmas spirit, the gang tries to navigate a sensitive area of current debate by spending more time on red sourcing and providing some evidence and observations on APT groups moving to publicly released post-compromise tooling; some potential motivations; and then questioning whether any tool can ever be fully controlled (e.g. the Delpy/MIMIKATZ evil maid scenario, or Turla recently co-opting APT34 access and tools).

Because RULER.HOMEPAGE was touched on in the talk, they expand a bit further on this and highlight the recent blog that Nick co-authored on how attackers (like UNC1194) can conduct intrusions from just a single registry key. They also question whether the technique’s usage via Outlook installed through Office 365’s Click-to-Run is technically CVE-2017-11774 or not. I guess we need another episode with MSRC! They end the year with some spicy predictions for 2020. You’ll see. Thanks for watching and listening this year!

This episode was sponsored by bad decisions and office holiday parties, and especially both.