Sr. Threat Researcher with the SentinelLabs team of SentinelOne. Focused on Threat intelligence, adversary analysis, and all the juicy things that make those happen.
Personal: https://tomhegel.com
SentinelLabs: https://labs.sentinelone.com
Twitter: https://twitter.com/TomHegel
Analysts at Kaspersky found that among thousands of potential victims of the 3CX supply chain attack, North Korean hackers appear to have planted their second-stage malware on the networks of just a few crypto firms, targeting them with "surgical precision."
https://www.wired.com/story/3cx-supply-chain-attack-north-korea-cryptocurrency-targets/
Massive 3CX Supply-Chain Hack Targeted Cryptocurrency Firms

North Korean hackers appear to have used the corrupted VoIP software to go after just a handful of crypto firms with "surgical precision."

WIRED
SentinelOne's Tom Hegel (@hegel) presents the findings of an investigation into Winter Vivern APT activity, leveraging observations made by the Polish CBZC and Ukraine CERT and uncovering a previously unknown set of espionage campaigns & targeting activities conducted by the threat actor. https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/
Winter Vivern | Uncovering a Wave of Global Espionage

SentinelLabs uncover a previously unknown set of espionage campaigns conducted by Winter Vivern advanced persistent threat (APT) group.

SentinelOne

New SentinelLabs Research on WIP26 - https://s1.ai/WIP26

🟣 New actor targeting telco in the Middle East
🟣 Abuses Microsoft 365 Mail, Google Firebase, and Dropbox for C2
🟣 Targeted WhatsApp msgs -> Dropbox -> loader -> backdoors

by @milenkowski and team

WIP26 Espionage | Threat Actors Abuse Cloud Infrastructure in Targeted Telco Attacks

A new threat cluster has been targeting telecommunication providers in the Middle East and abusing Microsoft, Google and Dropbox cloud services.

SentinelOne

💜 Join the @vxunderground & @SentinelOne Malware Research Challenge (VUSMC) --

Submit your previously unpublished research and you could be featured on both the SentinelOne blog and the VXUG site. And that's not all: The best research will win a brand new, sleek and powerful MacBook Pro!

https://s1.ai/vx-s1

Vx-Underground & SentinelOne Malware Research Challenge (VUSMC)

Submit your research and you could win a powerful MacBook Pro! Also, be featured on both the SentinelOne Blog and VXUG site.

SentinelOne

Seen in the wild: Cloud credentials phishing attacks are now deploying Google Ads targeting Amazon Web Services (AWS) cloud logins. By @hegel

https://www.sentinelone.com/blog/cloud-credentials-phishing-malicious-google-ads-target-aws-logins/

Cloud Credentials Phishing | Malicious Google Ads Target AWS Logins

Threat actors target AWS login credentials with phishing websites and malverts returned in Google web searches.

SentinelOne

👉 New on #SentinelLabs! A .NET malware loader, dubbed MalVirt, is being distributed through malvertising and uses obfuscated virtualization for anti-analysis and evasion in an ongoing campaign. By @milenkowski and @hegel

https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/

MalVirt | .NET Virtualization Thrives in Malvertising Attacks

.NET malware loaders distributed through malvertising are using obfuscated virtualization for anti-analysis and evasion in an ongoing campaign.

SentinelOne

🇨🇳 New on #SentinelLabs: Cluster of attacks in East Asia, DragonSpark uses open-source tool #SparkRAT & malware evading detection through #Golang source code interpretation. By @milenkowski 👇

https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/

DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation

A cluster of attacks uses a novel technique, Golang source code interpretation, to avoid detection while also deploying a little-known tool called SparkRAT.

SentinelOne
Intelligence work in cyberspace should have the same definition that Einstein gave to quantum entanglement – spooky action at a distance.

🔥 New on #SentinelLabs! #NoName057(16) group carries #DDoS attacks on 🇺🇦 Ukraine, #NATO organizations, & other government orgs.

@LabsSentinel has identified #Telegram channels, a #DDoS payment program, & a toolkit on #GitHub. By @hegel & @milenkowski 👇

https://s1.ai/noname0

NoName057(16) - The Pro-Russian Hacktivist Group Targeting NATO

In the name of Russia's war in Ukraine, NoName057(16) abuses GitHub and Telegram in an ongoing campaign to disrupt NATO's critical infrastructure.

SentinelOne
No-limits relationship? China’s state hackers scoop up intelligence on Ukraine… and Russia

Intrusion Truth