James Atack
jamesatack.com
@jamesatack.com
Cyber defender with an offensive name.
Deputy CTO at @onyphe.io | http://onyphe.io
Managing your attack surface... from Europe 👀

Opinions : all mine
Special skill : machine empathy
October 20, 2025 at 9:25 AM
JLR has been ransomwared.

www.bbc.com/news/article...

A propos de nothing, I'll just leave this here...
September 2, 2025 at 2:22 PM
Yeah gee Fortinet - wonder what that reality would look like? 🙄

<goes back to day job>
May 28, 2025 at 7:19 AM
A well-used family charging shelf

- get phones out of bedrooms
- ensure teens go out with charged devices
- never have to look for a charger
May 18, 2025 at 9:01 PM
Good luck with that Microsoft.

Thanks iPhone for the ALT text
May 14, 2025 at 12:48 PM
This is what he means 👇

😨 that's a national telecom network dying of thirst for power
April 28, 2025 at 6:53 PM
Dear @microsoft.com,

I just tried *new* Outlook on Windows. What have you done?

+ve : multithreading

-ve : significantly slower
-ve : uses +5x the amount of RAM
-ve : WebView2? seriously? I wanted a serious desktop app not a browser plugin for a website.

never mind ... I'll just use OWA on Linux
April 14, 2025 at 9:56 AM
Or your toilet. Definitely not your toilet.

Should we also add Ivanti ConnectSecure to this list?
February 14, 2025 at 8:53 AM
A glimmer of honesty squeaks through with "Vendors are working to try and resolve some of these weaknesses, but it also is paramount for defenders to take note."

We get it. You're trying.

Yet the number of open IOS XE WebUI interfaces just keeps going up. The message isn't getting through.
February 12, 2025 at 9:21 AM
$659m in 12 months prompts me to repost the visionary insights of the IMF on how cryptocurrency innovation is a public good

www.imf.org/en/Blogs/Art...
January 15, 2025 at 9:01 AM
ii) Go Oracle

This is unique IPs by hosting organization.
January 6, 2025 at 12:54 PM
i) nice that people are happy to share their interest in C2 panels github.com/orgs/trojanp...

I especially like "open source enthusiast" with commit permissions on an apache project. Also a "dubious C2 enthusiast" on the side, yet doesn't mention cyber as an interest. Odd.
January 6, 2025 at 12:54 PM
Couple of additional datapoints about the "Trojan Panel" C2 that @shanholo had already found in April

i) the github followers list is an eye-opener

ii) Oracle the leading public cloud for once

details below 👇
January 6, 2025 at 12:54 PM
And the next ...

IP 101[.]99.93.144 exposing DCE/RPC protocol on 8th Oct 2024

for the record it also exposed winrm and smb around and before that date
January 3, 2025 at 10:30 AM
The incident dates back to October, so I'm using our historical data functionality (Cyber Time-Travel if you're a CISO reading this). I'll discard all results after October.

first ip I'm looking at : 101[.]99.93.108

B-I-N-G-O

+1000 points in my rigorous CTI methodology
January 3, 2025 at 10:27 AM
2nd IOC is 185[.]158.248.104

a Windows box with RPC exposed - well that and everything else. Behind a Mikrotik router by the looks of it

RPC hypothesis rigorous CTI methodology analysis ^^ :
-1 on first IP
+1 on 2nd IP
January 3, 2025 at 10:12 AM
we tag it as a risky protocol

there are 2.2M results for Windows RPC boxes
January 3, 2025 at 9:56 AM
so the other C2 65[.]21.245.7 is marginally more interesting

it's another Windows box with SMB 🤦‍♂️ exposed and based on the IIS version it's an out-of-support Windows Server 2012 R2.

It's still up.

The interesting data point is that it also has dcerpc exposed hmm.
January 3, 2025 at 9:40 AM
Looking at the first C2 IP 111[.]90.140.76 with @onyphe.bsky.social (yeah well...)

nothing currently up but looking back in historical data we've got an RDP box with dcerpc also exposed going back to Sep 24
January 3, 2025 at 9:27 AM
If you're looking for a 21st-century school in Paris 👇
December 4, 2024 at 9:39 PM
My monthly reminder that two thirds of Cisco IOS XE devices are compromised.

The threat actor gets knocked down, but they get up again ...

#ciscoiosxe
March 21, 2024 at 5:21 PM
Cisco encouraging customers to explore IOS XE automation =>
blogs.cisco.com/developer/io...

Meanwhile ... someone else has automated over half of them

This chart is unique IPs.
January 25, 2024 at 9:13 AM
More malspam making it into my mailbox than usual this week. Where's it coming from?

• A MikroTik router in Venezuela
• A hosted linux box in Canada with SSH exposed

The usual suspects
December 8, 2023 at 9:16 AM
- Over the past month we've seen 113,147 unique IPs (IPv4) exposing SSH versions described as having vulnerable implementations 🔥
November 17, 2023 at 5:05 PM
The number is going up. ONYPHE this morning identified 53K unique IPs based on the same check. This threat actor :

- compromises router/gateway devices
- not doing ransomware
- doesn't run away quietly when discovered
- doubles down and tries to leverage as much as possible

sounds familiar
October 18, 2023 at 9:22 AM