SnapMC skips ransomware, steals data

Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the … Continue reading SnapMC skips ransomware, steals data

Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes

tl:dr Incremental Learning is an extremely useful machine learning paradigm for deriving insight into cyber security datasets. This post provides a simple example involving JA3 hashes showing how some of the foundational algorithms that enable incremental learning techniques can be applied to novelty detection (the first time something has happened) and outlier detection (rare events) … Continue reading Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes

RM3 – Curiosities of the wildest banking malware

by fumik0_ & the RIFT TL:DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and observations on this most pernicious family of banking malware targeting Oceania, the UK, Germany and Italy.  We’ll start with an overview of its origins and current operations before providing a deep dive technical analysis … Continue reading RM3 – Curiosities of the wildest banking malware

Abusing cloud services to fly under the radar

tl;dr NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals. NCC Group and Fox-IT observed … Continue reading Abusing cloud services to fly under the radar

TA505: A Brief History Of Their Time

Threat Intel Analyst: Antonis Terefos (@Tera0017)Data Scientist: Anne Postma (@A_Postma) 1. Introduction TA505 is a sophisticated and innovative threat actor, with plenty of cybercrime experience, that engages in targeted attacks across multiple sectors and geographies for financial gain. Over time, TA505 evolved from a lesser partner to a mature, self-subsisting and versatile crime operation with … Continue reading TA505: A Brief History Of Their Time

Decrypting OpenSSH sessions for fun and profit

Author: Jelle Vergeer Introduction A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory of a webserver. The modified OpenSSH binary was used as a backdoor to the system for the attackers. The customer had pcaps and a hypervisor snapshot … Continue reading Decrypting OpenSSH sessions for fun and profit

Conference Talks – October 2020

This month, members of NCC Group will be presenting their work at the following conferences: Dirk-Jan Mollema, "Walking Your Dog in Multiple Forests: Breaking AD Trust Boundaries through Kerberos Vulnerabilities," to be presented at Black Hat Asia 2020 (Virtual - October 1 2020)Sanne Maasakkers, "Improve Security Awareness Campaigns by Applying Phishing Research," to be presented … Continue reading Conference Talks – October 2020

Machine learning from idea to reality: a PowerShell case study

Detecting both ‘offensive’ and obfuscated PowerShell scripts in Splunk using Windows Event Log 4104 This blog provides a ‘look behind the scenes’ at the RIFT Data Science team and describes the process of moving from the need or an idea for research towards models that can be used in practice. More specifically, how known and … Continue reading Machine learning from idea to reality: a PowerShell case study

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox), Michael Sandee and in close collaboration with NCC’s RIFT. About the Research and Intelligence Fusion Team (RIFT):RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IOCs and detection capabilities to strategic reports on tomorrow's threat landscape. Cyber security is an … Continue reading WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group