S2E13: Rudolph the Redsourced Reindeer
Ho ho homepage! Christopher Glyer and Nick Carr are back for the last episode of 2019. They’re closing the year with a look at this month’s front-line espionage activity and a whole bunch of FIN intrusions! In addition to the threat round-up, they highlight some of our Mandiant consultants doing that work and a few DFIR tricks they included in a recent blog: https://www.fireeye.com/blog/threat-research/2019/12/tips-and-tricks-to-analyze-data-with-microsoft-excel.html. As a special bonus, Santa dropped off a slide clicker for the show so Nick and Christopher decide to go deep on their recent presentation at #CYBERWARCON on “red sourcing.” An episode sure to make them friends on infosec twitter for sure! The presentation was a 10 minute #threatintel lightning talk, but embracing the Christmas spirit, the gang tries to navigate a sensitive area of current debate by spending more time on red sourcing & providing some evidence and observations on APT groups moving to publicly released post-compromise tooling; some potential motivations; and then question whether any tool can ever be fully controlled (e.g. Delpy/MIMIKATZ evil maid scenario, recent Turla coopting APT34 access & tools). Because RULER.HOMEPAGE was touched on in the talk, they expand a bit further on this and highlight the recent blog that Nick co-authored on how attackers (like UNC1194) can conduct intrusions from just a single registry key. They also question whether the technique’s usage via Outlook installed Office 365’s Click-to-Run is technically CVE-2017-11774 or not. I guess we need another episode with MSRC! They end the year with some spicy predictions for 2020. You’ll see. Thanks for watching and listening this year! This episode was sponsored by bad decisions and office holiday parties - and especially both.