Comments on BriMor Labs: Post OPM Breach...let the phishing begin!!

CAJO (2015-06-05 12:26 -04:00):
why not report on virustotal, giving it a score ??

Brian Moran (2015-06-05 12:29 -04:00):
Thanks for the comment, the domain from the first email is now up on virustotal as well.
https://www.virustotal.com/en/url/c65460bdc3e379d0f675299e241988a50fa73f8d5e8ffbc5d889a2d2ae0f28d0/analysis/1433521688/

Anonymous (2015-06-05 14:28 -04:00):
I agree that the phishing will increase with the OPM breach, but I don't think that the Navy FCU phishing emails are related. I've been getting phishing emails purporting to be the Navy FCU since January and I've never been employed by the federal government. One URL that I ran through IBM X-Force had an IP in the United Kingdom and has been seen distributing malware since August 2014.

Brian Moran (2015-06-05 15:00 -04:00):
Collin, I agree, it might be related, or it might not be; the timing does seem awfully suspect though. I (personally) have never gotten a NFCU phish before yesterday.

One of the things that was brought up by a good friend of mine is a correlation of data between the OPM breach and the Adult Friend Finder breach, just to see how much overlap is actually there :)

H. Carvey (2015-06-08 06:37 -04:00):
I've investigated a number of breaches caused by dedicated adversaries, as well as been privy to many more, and to be honest, there is nothing terribly "sophisticated" about the attacks. The issue comes from the fact that many times, the compromised organization will claim that the adversary brought "sophisticated hacking tools" such as at.exe with them...because the org certainly never installed it!

Brian Moran (2015-06-13 09:18 -04:00):
Absolutely true. In my experience, out of every 100 cases, 2-3 are "sophisticated" and even those sometimes leverage the malware itself horribly (for example, I worked a case with some really good polymorphic malware, but the persistence mechanism was CurrentVersion\Run and each time it was installed on a system it beaconed to a known IP address, so spotting infected systems was really easy. Much easier than it could have been).

It's been a little over a week now and I saw this was apparently caught by a demo of a product. The saddest thing, in my opinion, is that if OPM had just looked at their own network, they probably would have caught it long ago. If more organizations and businesses did that on a regular basis (take the time to look and evaluate what data they do have and can collect) many of these data breaches would be discovered in a much more timely fashion.
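Brian Moran's comment about the polymorphic sample whose persistence was a plain CurrentVersion\Run entry and whose beacons went to one known IP is a good illustration of "just look at your own network". The script below is an added example, not code from the post or any commenter: it triages those two indicators from artifacts a responder already has, a `reg export` of the Run key and proxy/firewall connection logs. The C2 address (a TEST-NET-3 IP), hostnames, file paths and log lines are all constructed for the example.

```python
"""Added example: triage a Run-key export and connection logs for the two
indicators described in the comments above (autorun entry outside trusted
directories, repeated connections to a known C2 IP). All inputs are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical known beacon address (documentation range, not a real C2).
KNOWN_BEACON_IPS = {"203.0.113.77"}

# Constructed connection log: timestamp, source host, destination IP, bytes.
SAMPLE_CONN_LOG = """\
2015-06-04T09:00:01 WS-0412 203.0.113.77 512
2015-06-04T09:00:03 WS-0207 198.51.100.10 18320
2015-06-04T09:05:01 WS-0412 203.0.113.77 512
2015-06-04T09:10:01 WS-0412 203.0.113.77 512
2015-06-04T09:11:45 FS-01 203.0.113.77 2048
2015-06-04T09:15:01 WS-0412 203.0.113.77 512
"""

# Constructed Run key, in the escaped form `reg export` writes to a .reg file.
SAMPLE_RUN_KEY = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"WinUpdate"="C:\\Users\\jdoe\\AppData\\Roaming\\svchost32.exe"
'''

# Directories an autorun entry is expected to point into; anything else is worth a look.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

CONN_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
ENTRY_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def run_key_entries(reg_text):
    """Yield (value name, executable path) pairs from a .reg-style Run key export."""
    for line in reg_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        # Undo .reg escaping: \" -> " and \\ -> \
        value = raw.replace('\\"', '"').replace('\\\\', '\\')
        if value.startswith('"'):
            exe = value[1:value.index('"', 1)]        # quoted path, arguments follow
        else:
            m2 = re.match(r"(?i)^(.*?\.exe)", value)  # unquoted path may contain spaces
            exe = m2.group(1) if m2 else value.split()[0]
        yield name, exe


def suspicious_run_entries(reg_text, trusted=TRUSTED_PREFIXES):
    """Names of Run entries whose executable lives outside the trusted prefixes."""
    return [name for name, exe in run_key_entries(reg_text)
            if not exe.lower().startswith(trusted)]


def beaconing_hosts(log_text, known_ips=KNOWN_BEACON_IPS, max_jitter_s=30):
    """Map each host that contacted a known IP to its hit count and whether the
    contacts are evenly spaced (3+ hits, interval spread within max_jitter_s)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        ts, host, dst, _ = m.groups()
        if dst in known_ips:
            seen[host].append(datetime.fromisoformat(ts))
    result = {}
    for host, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = len(times) >= 3 and (max(gaps) - min(gaps)) <= max_jitter_s
        result[host] = {"hits": len(times), "regular": regular}
    return result


if __name__ == "__main__":
    print("Suspicious Run entries:", suspicious_run_entries(SAMPLE_RUN_KEY))
    for host, info in beaconing_hosts(SAMPLE_CONN_LOG).items():
        print(f"{host}: {info['hits']} contact(s) with known C2, regular={info['regular']}")
```

Any contact with the known IP is reported, even a single one (FS-01 above), since one hit to a C2 is still a lead; the "regular" flag just separates the textbook fixed-interval beacon from one-off traffic when prioritising hosts.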