
Threat Hunting Case Study: FileFix
FileFix bypasses Mark of the Web (MotW) protections by hijacking the Windows File Explorer address bar. Here is how to hunt for it.

[Image: The phisherman episode 1]
Bex Nitert is an incident response and forensics professional in Australia. She describes herself as a digital firefighter who helps organizations after they’ve been hacked. She often investigates phishing, the term for stealing login credentials with the aim of taking over accounts and systems. And there’s a threat actor who performs this credential theft on an industrial scale. Bex found him operating in the open.
Many of the frauds, scams and data breaches that are common these days start with the takeover of, say, someone’s personal or corporate email account or another type of account. Everything from stealing money from online bank accounts to business email compromise to even file-encrypting ransomware often starts with stolen login credentials. It’s a critical part of the cybercrime-as-a-service economy. Cybercrime-as-a-service is the term for products and services for sale that help other people commit crime on the internet.
There are lots of people who sell these credentials. But this person – the Phisherman – is exceptional. Bex’s investigation uncovered a pattern of malicious phishing activity that went back to at least 2015. These days, the Phisherman’s operation is growing in scale. And Bex found a sign that the Phisherman may be looking for new ways to generate revenue and that his operation may take a darker turn.
Participants:
Bex Nitert, Incident Response and Forensics Professional
Jeremy Kirk, Executive Editor, Cyber Threat Intelligence, Intel 471
