11 posts categorised "Tom Lancaster"

06 May 2016

Exploring CVE-2015-2545 and its users

By Pierre Montagnier and Tom Lancaster Executive Summary This report, available at TLP:GREEN to researchers and network defenders, gives an overview of different attacks using CVE-2015-2545. Specifically we look at the different ways attackers are triggering the vulnerability, and the possibility that the exploit is shared amongst various groups. Based...

23 July 2015

A tale of Pirpi, Scanbox & CVE-2015-3113

By Tom Lancaster Executive Summary In the past year, PwC has notified the public about developments relating to the ScanBox reconnaissance framework on several occasions. There has recently been public reporting[1] which relates to possible deployment of malware via ScanBox for the first time. While the report references...

27 April 2015

Attacks against Israeli & Palestinian interests

By Tom Lancaster Executive Summary This short report details the techniques being used in a series of attacks mostly against Israel-based organisations. The decoy documents and filenames used in the attacks suggest the intended targets include organisations with political interests or influence in Israel and Palestine. Although we...

20 April 2015

The Sofacy plot thickens

By Tom Lancaster and Chris Doman Background There has been some recent news regarding further activities of a group variously described as Sofacy[1]. We are releasing this flash bulletin containing network indicators to aid security professionals in detecting this activity. Please contact us on [email protected] and...

24 February 2015

A deeper look into ScanBox

By Chris Doman and Tom Lancaster Please e-mail us at [email protected] for a version of this report with additional indicators that you are welcome to distribute so long as it is not on public channels (TLP-GREEN). We have observed actors amending the ScanBox framework to evade...

19 December 2014

Festive spearphishing – Merry Christmas from an APT actor

By Tom Lancaster Our journey begins with the discovery of a .cab archive file (fe73d915b4898da02d95973465534d2f) found on the well-known malware repository, VirusTotal. At over 10MB in size even when compressed, it is fairly hefty and we suspect that this may well aid the malware in bypassing perimeter defences,...

05 December 2014

APT28: Sofacy? So-funny.

By Tom Lancaster and Michael Yip Since the last time we wrote about the attackers known as Sofacy, they have been the subject of quite a lot of press, with several other security teams publicly revealing aspects of the attackers’ campaigns. We have continued to monitor...

27 October 2014

ScanBox framework – who’s affected, and who’s using it?

By Chris Doman and Tom Lancaster Earlier this year the Japanese language website of one of the world’s largest suppliers of industrial equipment was compromised by a sophisticated threat actor. Usually in such cases an attacker will use their access to place an exploit kit on...

20 October 2014

OrcaRAT - A whale of a tale

By Dan Kelly and Tom Lancaster It’s every malware analyst’s dream to be handed a sample which is, so far, unnamed by the AV community - especially when the malware in question may have links to a well-known APT group. In my line of work I...

19 September 2014

Malware microevolution

By Tom Lancaster Earlier this September, our friends at FireEye blogged[1] about how malware authors often change their tactics in response to the work of those investigating them. However, most of the time, this evolution isn’t a wholesale change as was the case with APT12. Just as in...