Omar Avilez
Podcast Appearances
So we discovered a C2 server that was, you know, utilized by Conti.
So that's when everybody started sending us emails and emails and emails. We analyzed hundreds of emails. Literally hundreds of emails. So the weird thing about these emails is that they were written in perfect Spanish, like they were not English, but perfect Spanish, like perfect Spanish.
At that time, it was June 2022, we had over five to six hundred emails, different emails, and all of them were different. So we didn't have one single email that was the same. But all of them, you know, shared one thing. All of them were about banking transactions or money or payments, something related to money. And also all of them had a backdoor that the attackers were using, which was a backdoor known as Bandook.
And they compromised the company. So it was an important target.
What they did is that they used a user who was having a conversation with the system administrator. So the system administrator was waiting for that user to send him an attachment. So instead of the legitimate attachment, the system administrator received the backdoor.
And we found out, you know, something that was very terrifying for us. Over 30 government organizations were compromised by that campaign, like really big organizations.
Let me tell you, you know, it was not just government organizations, but also critical infrastructure organizations.
Yeah, it was a very complicated moment. We didn't know what to do.
But after, you know, they did some things on the system, they now... it downloaded or installed a second malware, which was a Cobalt Strike implant, which was communicating to a Conti C2.
He was a man. And at that moment, we wanted to disappear.
A big bank overnight stopped working for over a month. So if that bank cannot operate, all the people that have their money in that bank, you know, how are they going to get their money out, or how can that affect the government or the economy? So that was something big, and we involved even more people to investigate.
So one of the first things that I did, or I tried to do, was call the people of Costa Rica, because that happened to them. I wanted to know, you know, all about the incident.
FIRST is a forum for incident response. So like all the incident response teams all over the world just have a conference once or twice a year. So we all go to the conference. They know each other. So if anybody needs help, we know who we can call.
We found out that the threat actor was on the system over time. 10 months ago. They were in these agencies for 10 months? Jeez. So when we discovered that, we tried to get to somebody else that may have more information than us. We got to our partners. So when we reached out to them and we showed them all the information that we had, they... Russia, as in the Russian government.
It was very strange for me why Russia would compromise the Dominican Republic in that way, what interest they would have here, because in the Dominican Republic we have a lot of Russians, like a lot of Russians living here.
What would be their intention? And what that organization told us is that they were trying to experiment with some countries, something that they may do on a bigger scale. So they could not target more mature countries like the United States or the United Kingdom, because they have better defenses, so they were trying to do it in this part of the world. So what happened in Costa Rica...
Even though it's not public, I'm not saying that on behalf of the government. It's just my opinion. And from what I know of what happened and from what I learned in the process, what happened in Costa Rica was part of that. And what was happening in the Dominican Republic was part of that.
And it was not just Costa Rica and the Dominican Republic, but also other countries in the Latin American region.
were involved in that. So as soon as we knew that, we started reaching out to those countries to let them know that this was happening, to send the indicators of compromise, so that way they find out even earlier than us that something dangerous was happening in their country, so they were able to... those things, you know, before something really bad happened.
Yes, we did. So we called a national meeting with the big people supporting the government. So we informed the president and intelligence agencies about what we discovered.
Yeah, so they're not supposed to work together, so that thing went over our heads over and over. We overthink it, so why, why, why?
We do. So our current president, his family is from Lebanon. What?
They tried to, but they... Could not. The critical infrastructure works in what we call OT, which is operational technology.
Basically, I want to see all the computers where domain users are local admins.
This story starts much earlier, you know. Okay, so this is Omar, and he lives in the Dominican Republic, which is an island in the Caribbean Sea.
Let me introduce myself before I start talking about the incidents. So I used to work in the Dominican Republic National CSIRT, which is the National Cybersecurity Incident Response Team.
So when the incident in Costa Rica happened, they contacted us just to ask for help.
You know, it was like a massive malware campaign in Costa Rica. They were targeting government organizations through phishing, exploiting vulnerabilities. But they, you know, compromised all the departments separately.
We found an implant, a piece of malware.
But the malware, the implant was on the system from 10 to 11 months ago.
It was a malware that did privilege escalation. So it exploited a Windows vulnerability that was unknown to the... Okay, this just got worse.
They exploited a vulnerability, an unfortunate firewall, that allowed them to have VPN access to the infrastructure. So with the VPN access, they managed to compromise the entire organization and then tried to ransom the organization.
So... that went very public. So in the investigation, we found out the attacker got into the network via a phishing attack, but that didn't give us much information. So we concluded the investigation, or the report, without any attribution. So we just knew that somebody compromised the system.
And one day we got a tool to analyze all the DNS queries that the organization made. So we implemented that technology across all government organizations so we could have full visibility of what was happening in the government.