Author:Will Gragido

Staring at the Sun: Thoughts on UNC2452, SUNBURST, SolarWinds and Road Ahead

Cyber-Photokeratitis: Some Thoughts On The Events Associated with UNC2452. Like many who have worked in the threat research & intelligence, forensics, and incident response space for some time, when I became aware of FireEye’s public breach disclosure earlier this month (09 DEC 2020), it gave me pause. FireEye is without question a global leader in the development and acquisition of technology, services, and intelligence (e.g., Mandiant, iSIGHT Partners, etc.). Few can or would debate that, and even fewer would debate the organization’s knowledge and understanding of the threat landscape. During my time at...

Tip of the Spear: Evidence of Breach and Breach Intelligence

Introduction. For quite some time we at Prevailion have been speaking publicly to the nature of the differences between Prevailion and other vendors in the threat intelligence market, and for good reason. There are two key concepts at the forefront of every discussion that I and my peers have when discussing who we are, what we do, and why we are unique: Evidence of Compromise (EoC) and Compromise Intelligence (CI). There is little that leads me to believe, as I write this blog, that there are any vendors, current or emerging, who are approaching...

The Q1 2020 Apex Report

How did a group of criminals come to be responsible for such a costly enterprise? Threat actors are distributed, and they don’t form one cohesive group, but the holes they've punched in organizations and governments through infiltration, compromises, and breaches have collectively amounted to this staggering estimate....

Alert for Cyber Risk and COVID-19

With COVID-19, there is a wave of new teleworkers hitting internet infrastructure. Cyber criminals will actively look for ways to take advantage of these teleworkers in order to gain access to otherwise secure company networks....

The Triune Threat: MasterMana Returns

Prevailion’s Tailored Intelligence team has discovered new campaigns associated with the Gorgon Group, suspected Pakistan-based actors who previously operated the MasterMana botnet. While this group relied upon an amalgamation of multiple open-source and commercially available tools, they have proven themselves to be highly capable. By utilizing various third-party websites and services, they are able to bypass common network defense mechanisms. Recently they have added new capabilities to evade host-based detection through encoding payloads and renaming file extensions. In some cases, they took a more audacious approach by incapacitating the Windows...

TA505 – Global Ransomware Criminals

Prevailion’s Tailored Intelligence Team has continued to follow an evolving threat actor group dubbed TA505, a known cyber criminal organization that has likely been active since at least 2017, whose motives are speculated to be financial in nature. This group has been known to infect victims through business email compromise. Once a victim’s system is initially compromised, TA505 has been observed utilizing a wide variety of commercially available and custom remote access trojans. Upon gaining access, with a trojan in the network, they have been observed stealing sensitive financial data...
