Bad Rabbit
Tuesday's outbreak, hitting Russian and Ukrainian organisations primarily, gets in through fake Flash installers served from compromised websites and then spreads laterally with harvested credentials. Echoes of NotPetya, with refinements.
Bangladesh Bank was the first to make headlines. Banco del Austro in Ecuador, Tien Phong Bank in Vietnam, and now several more in confidential disclosure. The pattern is a campaign, not an incident.
Wikileaks publishes the DNC email cache days before the Democratic Convention opens. The disclosure timing, the Guccifer 2.0 persona, and CrowdStrike's attribution to Russian state actors are converging on a different kind of incident: the breach is the means, the publication is the point.
Eighty-one million dollars taken from Bangladesh Bank's Federal Reserve account through fraudulent SWIFT messages. The story so far points at a campaign of patient back-office targeting, with a misspelling in one of the transfer instructions, caught by a correspondent bank, being most of what stopped a near-billion-dollar take.
Kaspersky's report on the Carbanak campaign reads like a manual. Spear-phishing in, lateral movement, then patient instrumentation of bank back-office systems for direct theft.
Six weeks of writing detection content for the Hedgehog SOC build. The technical innovation pool is shallower than the press coverage suggests; six categories cover most of what shows up.