Alan Neville
@abnev.bsky.social
Principal Intelligence Analyst @ Symantec. Views are my own etc. https://keybase.io/abnev
Reposted by Alan Neville
Mercenary spyware vendor Paragon claims it's "responsible", (unlike NSO Group)

But our investigations @citizenlab.ca show Paragon's spyware was abused in Italy 🇮🇹 to target civil society

@accessnow.org sent them a letter with questions, and I signed on 👇

www.accessnow.org/press-releas...
Access Now - Paragon must answer for spyware use against civil society and journalists
Access Now calls on Paragon to answer for the use of its spyware in Italy against journalists, and to address oversight failures.
www.accessnow.org
June 19, 2025 at 1:25 PM
Reposted by Alan Neville
"Typically the Iranians have deployed wipers against targets in critical infrastructure and other organizations," Google threat intelligence group chief analyst John Hultquist told The Register. "We will probably see more of that in Israel and we could see it in the US as well."
Cyber weapons in the Israel-Iran conflict may hit the US
: With Tehran’s military weakened, digital retaliation likely, experts tell The Reg
www.theregister.com
June 13, 2025 at 10:15 PM
Reposted by Alan Neville
Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
'It's a high-stakes intelligence war' he told El Reg exclusive  A mystery whistleblower calling himself GangExposed has exposed key figures behind the Conti and Trickbot ransomware crews, publishing a trove of internal files and naming names.…
dlvr.it
May 31, 2025 at 10:28 AM
Reposted by Alan Neville
It’s amazing to me that it can take 6 years from the first attack until the trial starts.

via @jgreig.bsky.social & @therecordmedia.bsky.social
Iranian pleads guilty to launching Baltimore ransomware attack, faces 30 years behind bars
Sina Gholinejad admitted to using the Robbinhood ransomware variant to extort ransom payments from dozens of victims.
therecord.media
May 27, 2025 at 10:41 PM
Reposted by Alan Neville
NASA simulation for what you'd see while plunging into a black hole:
youtu.be/chhcwk4-esM
There's actually a lot left to see after passing the event horizon!
May 20, 2025 at 4:04 AM
Reposted by Alan Neville
#ESETresearch has published its latest APT Activity Report, covering October 2024 to March 2025 (Q4 2024–Q1 2025). China-aligned groups like Mustang Panda and DigitalRecyclers continued their espionage campaigns targeting the EU government and maritime sectors. 1/2
May 19, 2025 at 12:30 PM
Reposted by Alan Neville
Here's how the TM SGNL server, which had access to plaintext chat logs from people like Mike Waltz, got hacked in about 20 minutes www.wired.com/story/how-th... (my first article in @wired.com!)
How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes
The company behind the Signal clone used by at least one Trump administration official was breached earlier this month. The hacker says they got in thanks to a basic misconfiguration.
www.wired.com
May 18, 2025 at 11:11 AM
Reposted by Alan Neville
Learn about monitoring inauthentic accounts and conducting investigations into Foreign Information Manipulation and Interference (FIMI) in our next Stage Talk on Thursday, 4pm CEST/10am EDT. We're joined by the @doublethinklab.bsky.social team live in our Discord Server
discord.gg/FGq4XfYm?eve...
May 6, 2025 at 4:34 PM
Reposted by Alan Neville
Layoffs at CrowdStrike. I’m safe, but if you’re looking for IR consultants I know a bunch of fucking amazing ones that will be looking for jobs 🫠
May 7, 2025 at 2:54 PM
Reposted by Alan Neville
Socket Security has discovered a malicious Python library that contained a remote access trojan and went undetected for over three years

socket.dev/blog/malicio...
Malicious PyPI Package Targets Discord Developers with Remot...
The Socket Research team investigates a malicious Python package disguised as a Discord error logger that executes remote commands and exfiltrates dat...
socket.dev
May 8, 2025 at 10:10 AM
Reposted by Alan Neville
I'm analyzing the TM SGNL source code and will publish findings tomorrow. But for a sneak peek, here's how it seems TeleMessage's system works:

There's E2EE between TM SGNL and Signal, but NOT between TM SGNL and archive destinations. TM's archive server can read the chat logs.

Stay tuned.
May 5, 2025 at 8:32 PM
Reposted by Alan Neville
May 1, 2025 at 10:00 AM
Reposted by Alan Neville
Recorded Future Insikt Group researchers analyse MintsLoader, a malicious loader deployed through multiple infection vectors that commonly deploys second-stage payloads such as GhostWeaver, StealC, and a modified BOINC client. www.recordedfuture.com/research/unc...
May 1, 2025 at 10:05 AM
Reposted by Alan Neville
ESET researchers provide an analysis of Spellbinder, a lateral movement tool for performing adversary-in-the-middle attacks, used by TheWizards, a China-aligned threat actor. www.welivesecurity.com/en/eset-rese...
May 1, 2025 at 10:07 AM
Reposted by Alan Neville
Trustwave researchers observed a notable increase in NodeJS-based backdoor deployments across multiple malware campaigns, including KongTuke, Fake CAPTCHA schemes, Mispadu, and Lumma stealers. www.trustwave.com/en-us/resour...
May 1, 2025 at 10:09 AM
Reposted by Alan Neville
Security leaders at Mandiant and Google Cloud say nearly every major company has hired or received applications from North Korean nationals working on behalf of the country’s regime. via @mattkapko.com cyberscoop.com/north-korea-...
North Korean operatives have infiltrated hundreds of Fortune 500 companies
Security leaders at Mandiant and Google Cloud say nearly every major company has hired or received applications from North Korean nationals working on behalf of the country’s regime.
cyberscoop.com
May 1, 2025 at 9:25 AM
Reposted by Alan Neville
CVE-2024-10442 (CVSS 10): Zero-Click RCE in Synology DiskStation, PoC Publishes
CVE-2024-10442 allows unauthenticated RCE on Synology DS1823xs+ via Replication Service flaw. Patch now to avoid exploit risk.
securityonline.info
May 1, 2025 at 3:39 AM
Reposted by Alan Neville
So regarding this behavior: I've confirmed it, and there's more detail than is in the story. Let's go.

arstechnica.com/security/202...
Windows RDP lets you log in using revoked passwords. Microsoft is OK with that.
Researchers say the behavior amounts to a persistent backdoor.
arstechnica.com
May 1, 2025 at 5:03 AM
Reposted by Alan Neville
Ako ransomware affiliate gets five years in prison
April 30, 2025 at 9:21 PM
Reposted by Alan Neville
#ESETResearch analyzed the toolset of the China-aligned APT group that we have named #TheWizards. It can move laterally on compromised networks by performing adversary-in-the-middle (AitM) attacks to hijack software updates. www.welivesecurity.com/en/eset-rese... 1/6
TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks
ESET researchers publish an analysis of Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks.
www.welivesecurity.com
April 30, 2025 at 11:30 AM
Russia attempting cyber sabotage attacks against Dutch critical infrastructure therecord.media/dutch-mivd-r...
Russia attempting cyber sabotage attacks against Dutch critical infrastructure
Kremlin-backed hackers have tried sabotage attacks against critical infrastructure in the Netherlands, the country's Military Intelligence and Security Service said in its annual report.
therecord.media
April 22, 2025 at 6:49 PM
Reposted by Alan Neville
@volexity.com #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets.

www.volexity.com/blog/2025/04...

#dfir
Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) acco...
www.volexity.com
April 22, 2025 at 4:39 PM
Reposted by Alan Neville
Rocky ❤️
April 17, 2025 at 10:26 PM
Reposted by Alan Neville
Check Point published a write-up of CVE-2025-24054, an NTLM leak that Microsoft patched last month.

The company says the vulnerability is now being exploited in the wild, with one campaign targeting government and private institutions in Poland and Romania.

research.checkpoint.com/2025/cve-202...
CVE-2025-24054, NTLM Exploit in the Wild - Check Point Research
Key Points Introduction NTLM (New Technology LAN Manager) is a suite of authentication protocols developed by Microsoft to verify user identities and protect the integrity and confidentiality of netwo...
research.checkpoint.com
April 17, 2025 at 9:17 AM
Reposted by Alan Neville
After years of the West naming and shaming nation-state hackers I have wondered (and written about) the lack of similar finger pointing back at the US etc. This new shift from China to out western hackers for cyber spying is overall a good thing for transparency. www.theregister.com/2025/04/15/c...
China swipes at NSA for alleged Asian Winter Games hack
: Beijing claims NSA went for gold in offensive cyber, got caught in the act
www.theregister.com
April 17, 2025 at 9:24 AM