Koen Van Impe
cudeso.bsky.social
Freelancer. CSIRT. Incident Response. Threat Intelligence. Security, IDS, Linux, OpenBSD, Honeypots, Jazz, Literature, Modern Art. https://cudeso.be
Did you know that since v3.0.0 of misp-modules and v3.0.1 of misp-docker/misp-modules it is possible to load custom misp-modules without building your own image? Just drop them in the corresponding /custom/ directory.

github.com/MISP/misp-do...
March 11, 2025 at 8:51 PM
February 14, 2025 at 7:46 AM
Vulnerability in Billion Electric Router - Use of Hard-coded Credentials. vulnerability.circl.lu/vuln/CVE-202... CVE-2025-1143; routers typically used in an industrial environment. #cve #ics
February 11, 2025 at 8:30 AM
A clever technique to fool detection analysts: path masquerading to disguise malware as legitimate system files in SIEM logs. Unicode tricks make C:\Program Files\Windows Defender look real, hiding payloads in plain sight. www.zerosalarium.com/2025/01/path... #siem #soc #monitoring
February 10, 2025 at 7:14 AM
Reporting by AhnLab shows Kimsuky keeps relying on LNK malware in spear-phishing attacks, but is also shifting to the use of RDP Wrapper and Proxy to remotely control the infected systems instead of installing backdoors. asec.ahnlab.com/en/86098/ IOCs: www.botvrij.eu/data/feed-os...
February 7, 2025 at 7:03 AM
Agencies have now released guidance on digital forensics & monitoring for edge devices to boost threat detection & incident response. www.ncsc.gov.uk/guidance/gui... #initialaccess #ir
February 6, 2025 at 6:56 AM
Google’s Threat Intelligence Group (GTIG) found that threat actors (mostly Iran, China and DPRK) using generative AI (Gemini) gain productivity but no novel capabilities. services.google.com/fh/files/mis... #ai
February 5, 2025 at 8:33 PM
If you’re using @letsencrypt.bsky.social certificates it is time to set up a certificate expiration monitor (if you haven’t done so already).
February 4, 2025 at 10:28 AM
There's a wealth of useful threat data available via Rösti, Repackaged Öpen Source Threat Intelligence. Formats include STIX, JSON, CSV and MISP. Provided by @viql.bsky.social . And now also available as a default @mispproject.bsky.social feed. Check out rosti.bin.re
February 1, 2025 at 9:40 AM
"Tear Down The Castle", great writeups by @malmoeb.bsky.social on common configuration issues in Active Directory. #pingcastle #lowhangingfruit dfir.ch/posts/tear_d... dfir.ch/posts/tear_d...
January 31, 2025 at 7:49 PM
Reposted by Koen Van Impe
Well done to all at @europol-eu.bsky.social and other law enforcement agencies involved in this operation. Two online forums allegedly providing a range of cybercriminal services were taken offline resulting in 2 suspects arrested so far.

www.europol.europa.eu/media-press/...

#cybercrime
January 30, 2025 at 1:35 PM
Ransomware actors are further embracing alternative distribution mechanisms, including botnets. In this case LockBit3 uses the Phorpiex botnet. By Cybereason www.cybereason.com/blog/threat-... ; IOCs also available via the @mispproject.bsky.social botvrij feed www.botvrij.eu/data/feed-os... #Ransomware #cti
January 29, 2025 at 6:59 AM
PlushDaemon compromises supply chain of Korean VPN service (IPany) by @esetresearch.bsky.social www.welivesecurity.com/en/eset-rese... #CTI
January 27, 2025 at 6:55 AM
Reposted by Koen Van Impe
We are sharing backdoored Ivanti Connect Secure devices that *may* have been compromised as part of a CVE-2025-0282 exploitation campaign (but also we believe may include older or other activity).

379 new backdoored instances found on 2025-01-22:
dashboard.shadowserver.org/statistics/c...
January 23, 2025 at 8:07 PM
Need to analyse Windows DNS server logs? Extract hostnames & domains from the DNS server analytical logs, save them to CSVs, and check against @mispproject.bsky.social , all without centralised DNS logging. A quick win for investigations! github.com/cudeso/tools... #cti #automation #itsalwaysdns
January 23, 2025 at 11:21 AM
A quick parser to extract whois and country data from the darkweb forum post listing #Fortinet devices victim (?) to CVE-2022-40684.
Parser at github.com/cudeso/tools/blob/master/CVE-2022-40684/README.md
Affected (?) IPs at github.com/arsolutioner...
January 16, 2025 at 3:54 PM
Spot-on article by @theregister.com El Reg: “After China’s Salt Typhoon, the reconstruction starts now.” www.theregister.com/2025/01/06/o...
January 6, 2025 at 4:22 PM
Reposted by Koen Van Impe
MISP has introduced a new Threat Actor Naming Standard

www.misp-standard.org/blog/Naming-...
January 2, 2025 at 3:18 PM
Interesting talk by @pylos.co at @firstdotorg.bsky.social CTI "The Disclosure Dilemma and Ensuring Defense" www.youtube.com/watch?v=Cuhs... A nuanced topic with no one-size-fits-all answer. Requires rethinking per case, considering context, nuances and conditions of available options #CTI #sharing
January 2, 2025 at 2:00 PM
Watched the @datadoghq.bsky.social talk at @firstdotorg.bsky.social CTI on "Automating Cyber Threat Intelligence" www.youtube.com/watch?v=t8M3... Great tips on streamlining vulnerability classification, gathering abuse data, and reporting it to customers. Also check HASH github.com/datadog/HASH #cti
Link preview: "Automating Cyber Threat Intelligence: A Practical Approach to Managing Emerging Vulnerabilities" (YouTube video by FIRST, www.youtube.com)
January 2, 2025 at 11:30 AM
Presentation by ENISA on "Vulnerability Coordination in the EU" during the @firstdotorg.bsky.social VulnCon www.youtube.com/watch?v=MY0W... #CVD #CVE #responsibledisclosure #vulnerability
Link preview: "Vulnerability Coordination in the EU" (YouTube video by FIRST, www.youtube.com)
January 2, 2025 at 10:29 AM
Reporting from Forescout indicates engineering workstations are not immune to malware www.forescout.com/blog/ics-thr... Ramnit on Mitsubishi and an experimental strain targets Siemens TIA. The latter was uploaded from BE, with Flemish strings. @mispproject.bsky.social indicators via: www.botvrij.eu/data/feed-os...
December 31, 2024 at 2:02 PM
It’s been a while since I posted a new @mispproject.bsky.social tip, but in the meantime you can now also enjoy the tips via a simple HTML page at cudeso.github.io/misp-tip-of-...
Link preview: "MISP Tip of the Week" - A collection of tips for using MISP. (cudeso.github.io)
December 11, 2024 at 6:25 PM
Report from RecordedFuture : BlueAlpha leverages Cloudflare Tunneling as staging infrastructure for GammaDrop. Monitor activity tied to trycloudflare[.]com. go.recordedfuture.com/hubfs/report... Indicators also shared via www.botvrij.eu/data/feed-os...
December 8, 2024 at 1:29 PM
The NCA reports on ‘Operation Destabilise’, exposing and disrupting a Russian money laundering network. The MO consists of, a.o., collecting funds in one country and making the equivalent value available in another, often by swapping cryptocurrency for cash.
www.nationalcrimeagency.gov.uk/news/operati...
December 6, 2024 at 9:42 PM