Andrew Costis

Author

Andrew Costis (“AC”) is Chapter Lead of the Adversary Research Team at AttackIQ. He has over 22 years of professional industry experience, and previously worked in the Threat Analysis Unit (TAU) team at VMware Carbon Black, and LogRhythm Labs, performing security research, reverse engineering malware, tracking, and discovering new campaigns and threats. Andrew has delivered various talks at Def Con Adversary Village, Black Hat, B-Sides, CyberRisk Alliance, SecurityWeekly, ITPro, BrightTalk, SC Magazine and others.

See other articles by Andrew Costis

#StopRansomware

Response to CISA Advisory (AA23-325A): #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability

AttackIQ has released a new assessment template in response to the recently published CISA Advisory (AA23-325A) that disseminates Indicators of Compromise (IOCs), Tactics, Techniques and Procedures (TTPs), and detection methods associated with LockBit 3.0. This assessment template is based on an incident in which LockBit affiliates were observed exploiting CVE-2023-4966 to gain access to Boeing infrastructure.

November 27, 2023 Read More

Adversary Emulation

Response to CISA Advisory (AA23-320A): Scattered Spider

AttackIQ has released a new assessment template in response to the recently published CISA Advisory (AA23-320A) that disseminates known Scattered Spider’s Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs) identified through FBI investigations as recent as November 2023.

November 21, 2023 Read More

#StopRansomware

Attack Graph Response to CISA Advisory (AA23-319A): #StopRansomware: Rhysida Ransomware

On November 15, 2023, CISA published an Advisory (AA23-319A) that disseminates known Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs), and detection methods associated with Rhysida ransomware identified through FBI investigations. In September 2023, AttackIQ released two new attack graphs in response to recent reports of activities involving Rhysida ransomware.

November 20, 2023 Read More

Adversary Emulation

Attack Graph Response to CISA Advisory (AA23-263A): #StopRansomware: Snatch Ransomware

AttackIQ has released a new attack graph in response to the recently published CISA Advisory (AA23-263A) that disseminates known Snatch ransomware threat actor’s techniques and indicators identified through FBI investigations as recent as June 2023. Snatch operators are known to conduct activities against a wide range of critical infrastructure sectors and carry out double-extortion tactics to improve their chances of successfully receiving a ransom payment.

October 4, 2023 Read More

Adversary Emulation

Attack Graph Response to CISA Advisory AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

AttackIQ has released a new attack graph in response to the recently published CISA Advisory (AA23-250A) that seeks to emulate the activities carried out by multiple nation-state threat actors at an Aeronautical Sector organization as early as January 2023.

September 25, 2023 Read More

Adversary Emulation

Emulating the Iranian State-Sponsored Adversary APT35

AttackIQ has released a new attack graph that aims to emulate activities observed by the politically and military motivated state-sponsored Iranian-based adversary APT35, who is known to target multiple industries primarily in Europe, the Middle East, and North America.

August 18, 2023 Read More

Adversary Emulation

Emulating the Highly Elusive Chinese Adversary Gallium

AttackIQ has released a content bundle consisting of two new attack graphs that seek to emulate the operations carried out by the Chinese-based adversary Gallium against the Telecommunications sector in recent years.

July 28, 2023 Read More

Adversary Emulation

Emulating APT36’s Recent Activities Against the Indian Education Sector

AttackIQ has released a new attack graph that aims to emulate recent activities led by the politically motivated Pakistan-based adversary APT36 against objectives localized in the Education sector within the Indian subcontinent.

June 27, 2023 Read More

Adversary Emulation

Response to CISA Advisory (AA23-144A): China State-Sponsored Actor Volt Typhoon Living off the Land to Evade Detection

AttackIQ has released two new assessments that emulate the techniques associated with a People’s Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon. Volt Typhoon makes extensive use of living off the land tools to remaining undetected for as long as possible while complete their espionage goals.

May 25, 2023 Read More

Adversary Emulation

Response to US-CERT Alert (AA22-174A): Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

In response to US-CERT Alert AA22-174A, AttackIQ has released new malware transfer scenarios to the platform and recommends validating security controls using previously released scenarios addressing Log4Shell and the VMware CVE-2022-22954 vulnerability.

June 24, 2022 Read More

Ransomware

Ransomware and Targeted Attacks in the Healthcare Sector

Although ransomware can have devastating effects regardless of which industry vertical an organisation is part of, the healthcare industry has particularly paid a heavy price in recent times.

September 23, 2021 Read More

Ransomware

Azure Security Stack Mappings: The Top Native Security Controls for Ransomware

For the first time, organisations can visually see what Azure security controls can offer in terms of protection, detection and response. With 45 native Azure security control mappings, defenders can start focusing on not only TTPs in the context of Azure threats, but also how each native Azure security control might shield them from related TTPs in Azure.

August 23, 2021 Read More