APT Tracker

There are a lot of different campaign and actor names, and it's tough to keep them all straight (just see here).

The Council on Foreign Relations released a new tool, the Cyber Operations Tracker. It is a database of publicly known state-sponsored cyber incidents that have occurred since 2005, with almost two hundred entries covering incidents or threat actors for which public data is available. Want to know who is spying on whom? Looking for the number of times North Korea has been publicly denounced for its cyber operations? Heard of Equation Group but would like to know more about it? The tracker can help answer all of these questions.

I should also mention that Google and Arbor Networks partnered up a while ago to create the Digital Attack Map, but its focus is on DDoS attacks rather than state-sponsored activity.


Disable 445 outbound

Just a friendly reminder to make sure you're only allowing ports 80 and 443 (and maybe 8080) outbound from your network. According to a recent US-CERT alert, advanced attackers are using email attachments that leverage legitimate Microsoft Office functionality to retrieve a document from a remote server over the Server Message Block (SMB) protocol. When the client connects, it sends the user's credential hash (an NTLM challenge-response that can be cracked offline) to the remote server before retrieving the requested file. (Note: the file does not need to be retrieved for the credential transfer to occur.) The threat actors then likely used password-cracking techniques to recover the plaintext password.

TCP ports 445 and 139 (SMB) and UDP ports 137 and 138 (NetBIOS) should only be allowed internally. Block them at the egress firewall, and treat any internal host that tries to reach them externally as a sign that someone opened a lure document.
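The check a practitioner would want after tightening the egress policy is to audit firewall or flow logs for SMB/NetBIOS traffic that left (or tried to leave) the network, plus any accepted outbound TCP that is not on the 80/443/8080 allowlist. The script below is an added example, not code from the original post or from US-CERT. The log format, the `parse_line`/`classify`/`audit` helpers, and the sample log lines (which use RFC 1918 sources and documentation-range destinations) are all constructed for illustration; adapt the regex to your own firewall's export format.

```python
"""Audit egress logs for SMB/NetBIOS traffic leaving the internal network.

Added example (not from the original post). The log line format here is a
constructed, simplified 'PROTO src:port -> dst:port ACTION' format.
"""
import ipaddress
import re

# Ports that should never leave the internal network.
SMB_TCP_PORTS = {139, 445}
NETBIOS_UDP_PORTS = {137, 138}
# The outbound allowlist the post recommends.
ALLOWED_OUTBOUND_TCP = {80, 443, 8080}

# "Internal" is defined as RFC 1918 space; anything else counts as outside.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>ACCEPT|DROP)$"
)

# Constructed sample log (hypothetical hosts; 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges standing in for the Internet).
SAMPLE_LOG = """\
TCP 10.0.5.23:49712 -> 203.0.113.10:445 ACCEPT
TCP 10.0.5.23:49713 -> 192.0.2.80:443 ACCEPT
UDP 10.0.5.23:137 -> 203.0.113.10:137 ACCEPT
TCP 10.0.5.40:50101 -> 10.0.1.7:445 ACCEPT
TCP 10.0.5.23:49720 -> 203.0.113.10:139 DROP
TCP 10.0.5.41:50200 -> 198.51.100.5:8443 ACCEPT
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "sport": int(d["sport"]),
        "dport": int(d["dport"]),
        "action": d["action"],
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec):
    """Label an internal->external flow that violates the egress policy.

    Returns None for internal-to-internal traffic (SMB is fine there), for
    inbound traffic, and for accepted flows on the web allowlist.
    """
    if not is_internal(rec["src"]) or is_internal(rec["dst"]):
        return None
    if rec["proto"] == "TCP" and rec["dport"] in SMB_TCP_PORTS:
        # A DROP here is still interesting: the host tried to reach external
        # SMB, which is exactly what a lure document would make it do.
        return "smb-egress-allowed" if rec["action"] == "ACCEPT" else "smb-egress-blocked"
    if rec["proto"] == "UDP" and rec["dport"] in NETBIOS_UDP_PORTS:
        return "netbios-egress-allowed" if rec["action"] == "ACCEPT" else "netbios-egress-blocked"
    if rec["proto"] == "TCP" and rec["action"] == "ACCEPT" and rec["dport"] not in ALLOWED_OUTBOUND_TCP:
        return "non-web-egress-allowed"
    return None


def audit(log_text):
    """Return (label, src, dst, proto, dport) tuples for every policy finding."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings.append((label, str(rec["src"]), str(rec["dst"]), rec["proto"], rec["dport"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Two things to keep in mind when reading the output. First, the "blocked" findings are the ones worth chasing: the firewall did its job, but the source host still tried to talk SMB to the Internet, so look for the document that triggered it. Second, blocking 445 alone does not fully close the credential-leak path: a Windows client that cannot reach a UNC path over SMB can fall back to WebDAV when the WebClient service is running, and that fallback rides on 80/443, so the authentication attempt can still leave through the ports you allow.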