Showing 1 changed file with 2 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,9 @@ | ||
{ | ||
"pfp" : "images/statics/apts.png", | ||
"nickname" : "Various APTs", | ||
"poster" : "smoothingimpact", | ||
"poster" : "smoothimpact", | ||
"posterLink" : "https://x.com/smoothingimpact", | ||
"osf" : ["ACC", "UGE", "PO", "Y", "POSF"], | ||
"blog" : "This talk which has been modified by the admin is about following the OpSec failures (OSF) of various APTs, also called APT-17 panda or probably a million and one other different names, depending on which kind of vendor's naming convention you subscribe to. Let's talk about their OSF.<br><br>They used some of their victim's infrastructure to access social media profiles, which is a pretty big giveaway, but it might be a result of their own government's policies. Their mistake is probably using the infrastructure of the victim they are extorting instead of hacking into a random or anyone's device outside their operation. Some of the operators had curated their own handles over a really long period of time. This led trails to all activities they were doing.<br><br>They used personal emails to register C2 domains, and some of the operators reused the same passwords, which led to the identification of them over various hacks. They had the consistent use of the 'cpyy handle'. One of the emails was linked to a Picasa account which held a variety of photos of them. Actually, how long does it take to create a dummy email, 1 year? 2 months?<br><br>Before they went live with their Command and control servers, they used them for testing their tools and communicating. They forgot to clear down those logs and also misconfigured the server and left the log directory open to the internet so it was indexed by Google. They also used their corporate server to conduct their hacks. Other threat actors went online posting images of them holding their bundles of cash.<br><br>As time went on, they did sharpen their OpSec, but as I usually have Godlike OpSec since day one, as many OpSec blunders are made in the early life of threat actors, if you find that you made an OSF in your early days, it's better to create a new alias, even though the other has a big reputation, it ain't worth it. You never know how long you're going to stare at a wall. 
I also advise aspiring threat actors and intelligence analysts not to connect the real-life alias with their work alias. If possible, use another computer to conduct your work even if you have a billion layers of VMs, proxies, etc. Peace out.<br><br>Before I FORGET, for aspiring malware developers, always update your malware signature when scanning it. All the scanners log the scans for research. Because you made it this far, the second link is about OpSec. It's really good, TRUST ME.", | ||
"links" : ["https://www.youtube.com/watch?v=NFJqD-LcpIg","https://www.youtube.com/watch?v=9XaYdCdwiWU"] | ||
} | ||
} |
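Review bot: the "poster" value is renamed from "smoothingimpact" to "smoothimpact", but the "posterLink" on the very next line still points at https://x.com/smoothingimpact, so the handle and the profile link no longer agree; either update the link to match the new handle or revert the rename if the original spelling was correct. Separately, the "blog" string value appears to run across a line break and the file seems to end with two closing braces; if both are literally present in the file rather than artifacts of how the diff is rendered, the file will not parse as JSON, which is worth verifying with a JSON validator before merging.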