Adversary Infrastructure: Ransomware Groups, APTs, and Red Teams
In this short blog post, I will get straight to the point. I have been scanning the internet on a daily/weekly basis over the past few months/weeks using Shodan, Censys, Nmap, and my own Python scripts, and would like to share my information/research. I will very briefly explain how the different threat actors work, what kind of infrastructure and tools are used to launch attacks, and how bad they are at opsec.
Threat Actor Profiles:
- Ransomware Groups based in Russia
- Threat Actors based in China
- Red Teamers
Diamond Model examples
I will use the Diamond Model to explain each threat actor's methodology (it is self-explanatory, I guess?).
Ransomware Group from Russia
What do the infrastructure and tools of ransomware groups based in Russia look like?
Another example of ransomware-group infrastructure is 62.182.159[.]147.
AnyDesk, RDP, ShadowGuru .bat files, and ngrok are typical tools used by ransomware operators.
AnyDesk is probably used for persistence, as is RDP, while the other .bat files are used to uninstall or disable security controls.
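The tooling listed above is individually noisy (remote-support software and RDP are everyday sights in most estates), so the useful defensive move is to stack the indicators per host rather than alert on any one of them. The script below is an added example, not code from this post or from any vendor: it parses constructed process-creation log lines (a Sysmon-style key=value format I made up for the example), matches them against the tools named in the post (AnyDesk, ngrok, the RDP client, and batch files whose names or arguments reference security controls), and scores each host so that a lone AnyDesk launch stays low while AnyDesk plus ngrok plus a security-control batch file on the same machine is flagged high. The indicator weights, severity thresholds, host names, and paths are all assumptions chosen for illustration.

```python
"""Stack weak tooling indicators per host (example code, not the post's own).

Constructed key=value process-creation lines are parsed, matched against the
tool families named in the post, and aggregated per host so that the
*combination* of remote-access, tunnelling, and security-control tampering
stands out. Weights and thresholds are assumptions for illustration only.
"""
import re
from collections import defaultdict

# Indicator table: name, weight, and regexes that must ALL match the
# lower-cased "<image> <cmd>" string. Weights are my own rough assumptions.
INDICATORS = [
    ("anydesk_remote_access", 2, [r"anydesk(?:\.exe)?"]),
    ("ngrok_tunnel", 3, [r"\bngrok(?:\.exe)?\b"]),
    ("rdp_client_mstsc", 1, [r"\bmstsc\.exe\b"]),
    ("batch_file_touching_security_controls", 3,
     [r"\.bat\b", r"defender|antivirus|security|edr|uninstall"]),
]
COMPILED = [(n, w, [re.compile(p) for p in pats]) for n, w, pats in INDICATORS]
WEIGHTS = {n: w for n, w, _ in INDICATORS}

# Constructed log format: "<ts> host=<name> image=<path> cmd=\"<command line>\"".
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) cmd="(?P<cmd>.*)"$'
)

# Constructed sample events; host names, users, and paths are invented.
SAMPLE_EVENTS = r"""
2024-05-01T08:02:11Z host=WS-ACCT-07 image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs"
2024-05-01T08:05:40Z host=WS-ACCT-07 image=C:\Users\jdoe\Downloads\AnyDesk.exe cmd="AnyDesk.exe"
2024-05-01T08:06:02Z host=WS-ACCT-07 image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c C:\Temp\disable_defender.bat"
2024-05-01T08:07:15Z host=WS-ACCT-07 image=C:\Temp\ngrok.exe cmd="ngrok.exe start --all"
2024-05-01T09:10:00Z host=WS-HR-02 image=C:\Windows\System32\mstsc.exe cmd="mstsc.exe /v:fileserver01"
2024-05-01T09:12:30Z host=WS-HR-02 image=C:\Program Files\AnyDesk\AnyDesk.exe cmd="AnyDesk.exe"
2024-05-01T09:30:00Z host=WS-DEV-01 image=C:\Program Files\Git\bin\git.exe cmd="git.exe pull"
"""


def parse_events(text):
    """Parse the constructed key=value lines; malformed or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def match_indicators(event):
    """Return the names of every indicator whose regexes all hit this event."""
    haystack = f"{event['image']} {event['cmd']}".lower()
    return [n for n, _w, pats in COMPILED if all(p.search(haystack) for p in pats)]


def score_hosts(events):
    """Aggregate *distinct* indicators per host and map the summed weight to a severity.

    Counting distinct indicators rather than raw hits stops a chatty process
    (e.g. AnyDesk respawning) from inflating the score on its own.
    """
    per_host = defaultdict(set)
    for ev in events:
        for name in match_indicators(ev):
            per_host[ev["host"]].add(name)
    report = {}
    for host, names in per_host.items():
        total = sum(WEIGHTS[n] for n in names)
        severity = "high" if total >= 5 else "medium" if total >= 2 else "low"
        report[host] = {"score": total, "indicators": sorted(names), "severity": severity}
    return report


if __name__ == "__main__":
    for host, info in sorted(score_hosts(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{host:12} {info['severity']:6} score={info['score']} {info['indicators']}")
```

Hosts with no matching indicator (WS-DEV-01 above) never appear in the report, and the per-host set means the score reflects how many distinct tool families were seen, not how often each ran. In a real deployment the weights would be tuned against your own baseline of legitimate AnyDesk and RDP use.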