Threat group attribution with open-source datasets

Case study: Reading between the lines of a press release. You're a threat analyst doing their job, reading the news  — i t's December 13, 2020 . FireEye just announced that they identified the SolarWinds Orion solution being used by Russia as a backdoor initial access into the systems of all types of governments and organizations. The full scope of the breach is still unclear; 100s, 1000s, and probably more are impacted. Fast forward  —  It's now late January of 2021. C haos in the media has ensued over recent weeks, many individuals and even companies are  claiming attribution to specific Russian groups using flimsy proof and no hard evidence.  Finally, US officials share that it was "an Advanced Persistent Threat (APT) actor, likely Russian in origin" that is responsible for the SolarWinds attack, described as "an intelligence-gathering effort."  ( CISA ) We look at 2 highlights, our key takeaways... –  "likely Russian in origin" –  

Reflecting on the Fortinet VPN victim exposure

Lists of Fortinet VPN systems that have been historically compromised were shared on a underground sources between 2021-08-31 and 2021-09-07.  I identified the victim list files (2021-09-06) and began parsing them into a more clear format that was later published to help blue teamers globally (2021-09-08), improving the time-to-response (TTR) of this global incident. The list was spread via social media and news outlets. The theory that these Fortinet systems were previously compromised, sometime between 2020 and 2021, is confirmed by a Fortinet PSIRT advisory : These credentials were obtained from systems that remained unpatched against FG-IR-18-384 / CVE-2018-13379 at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable. This victim list files were first observed (2021-08-31) being shared on RAMP Forum  (private source)  by a moderator, with their associated usernames and passwords. The files were later obse