Posts

Showing posts with the label iOS

Examining Mobile Threats from Russia

Introduction

Russian state-sponsored threat groups, such as Fancy Bear (APT28), Cozy Bear (APT29), Turla, and Sandworm, among others, are well-known for complex cyber-espionage operations, targeted intrusions, destructive attacks, and disinformation campaigns. Some of the capabilities of Russian threat groups, however, are not well-known and extend beyond the usual targeting of government and critical infrastructure enterprise networks. The three main Russian intelligence services (GRU, FSB, and SVR) have also conducted less well-known and underreported intelligence-gathering campaigns against Android and iPhone users, delivering spyware as well as collecting credentials for specific mobile applications. In this blog, I will be examining open source intelligence (OSINT) reports, leveraging the findings and citing investigations conducted by other threat researchers, to present my key findings and an overall assessment of these mobile threat campaigns. Background on Mobile Threat...

Gone Phishing

This is a blog on some of the latest phishing threats that are out there, including ones I have recently and personally experienced and reverse engineered. On 1 May I received this SMS text:

Just received this: (1 May) http://security[.]hsbcuk[.]confirm-securekey[.]com @HSBC_UK #phishing #smishing (I'm not with HSBC) pic.twitter.com/HU3sqBlPhz — Will | BushidoToken 👁‍🗨 (@BushidoToken) May 1, 2020

To me, it was quite clearly a phish, as I'm not with HSBC; however, someone who is may have been easily fooled. The trick the phishermen used here is the subdomain. Average users may be able to recognise their usual bank domain and feel safe. However, the threat actors who sent this to me could use a domain like 'digitalbanking.com' (which is for sale) and simply insert my bank's full URL as a subdomain - making it quite convincing. Plus, they can add a free digital certificate from the Let's Encrypt CA to give it HTTPS, and now we have a pretty convincing phish. ...