lime-light.bsky.social
@lime-light.bsky.social
Reposted
AWS security bulletin: aws.amazon.com/security/sec...

"This issue did not affect any production services or end-users."

Weird how customer logs show the wiper prompt executing.

Anyone else see "clean a system to a near-factory state" in your logs?
July 24, 2025 at 2:01 AM
Reposted
There's a new ClickFix variation called FileFix

This one works by tricking users into copying a file path in Windows Explorer.

Attackers modify the clipboard, so you're actually pasting and running PowerShell ahead of the file path

mrd0x.com/filefix-clic...
June 24, 2025 at 8:28 AM
Reposted
I'm starting a new series on Detection Engineering called the Detection Field Manual. I wanted to publish < 10 minute reads on threat detection topics I've built in the field, at conferences and our interviews for candidates at Datadog.
Here's issue 1!
www.detectionengineering.net/p/detection-...
Detection Engineering Field Manual #1 - What is a Detection Engineer?
Why does Detection Engineering matter to a security org?
www.detectionengineering.net
June 22, 2025 at 6:44 PM
Reposted
2025-06-18 (Wed): #SmartApeSG --> #ClickFix lure --> #NetSupportRAT --> #StealCv2

A #pcap of the traffic, the malware/artifacts, and some IOCs are available at www.malware-traffic-analysis.net/2025/06/18/i....

Today's the 12th anniversary of my blog, so I made this post a bit more old school.
June 19, 2025 at 4:23 AM
Reposted
North Koreans reportedly host fake Zoom meeting featuring multiple deepfake colleagues. Target’s microphone doesn’t work so the colleagues talk them through installing malicious fix. www.huntress.com/blog/inside-...
Inside the BlueNoroff Web3 macOS Intrusion Analysis | Huntress
Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.
www.huntress.com
June 19, 2025 at 10:41 AM
Reposted
🥷 Detect & defend vs Entra ID persistence! From my RSAC Cloud Summit talk, I've shared how attackers persist through Entra ID roles, applications, and authentication... and how you can stop them: kknowl.es/posts/defend...
Persisting Unseen: Defending against Entra ID persistence
I recently presented “Persisting Unseen: Attacker Methods of Infesting Entra ID” at RSAC’s virtual Cloud Security seminar. This session introduced some methods attackers may use now or in the near fut...
kknowl.es
June 5, 2025 at 6:54 PM
Reposted
For those that have strong opinions on whether AWS should include more info in error messages, this update is relevant. You'll now know what type of policy prevented the access when the principal and S3 bucket are in the same org. aws.amazon.com/about-aws/wh...
Amazon S3 extends additional context for HTTP 403 Access Denied error messages to AWS Organizations - AWS
Discover more about what's new at AWS with Amazon S3 extends additional context for HTTP 403 Access Denied error messages to AWS Organizations
aws.amazon.com
June 16, 2025 at 8:16 PM
Reposted
I wrote about how to turn in-person meetings into Signal groups, how to manage large semi-public Signal groups while vetting new members, and how to use announcement-only Signal groups, perfect for rapidly responding to ICE raids micahflee.com/using-signal...
Using Signal groups for activism
Things are heating up. Millions of people are taking to the streets against Trump's rising authoritarianism. Communities around the US are organizing to defend against ICE raids, to protest Israeli ge...
micahflee.com
June 16, 2025 at 6:26 PM
Reposted
Oracle has a serious, customer impacting security incident playing out in Oracle Classic, a cloud SaaS service they manage. They're attempting to deny it by saying there's no problem in "Oracle Cloud", which is wordplay. doublepulsar.com/oracle-attem...
Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
Being a provider of cloud SaaS (Software-as-a-service) solutions requires certain cybersecurity responsibilities — including being…
doublepulsar.com
March 31, 2025 at 2:31 PM
Reposted
CyberHaven malicious extension (24.10.4) details 🧵

A new content script was added to the extension manifest which runs at the start of every webpage
December 26, 2024 at 8:37 PM
Reposted
New research: We've been monitoring a threat actor publishing dozens of trojanized GitHub repositories targeting threat actors, leaking hundreds of thousands of credentials along the way

securitylabs.datadoghq.com/articles/mut...
December 16, 2024 at 1:09 PM
Reposted
My colleague Devin Coldewey (who, good for him, is not on social) and I put together an updating list of free, open-source and/or self-hosted alternatives to popular apps — like Adobe, Dropbox, Google Docs, Pocket — that can help you reclaim your data from Big Tech.

techcrunch.com/2024/11/24/t...
These alternatives to popular apps can help reclaim your online life from billionaires and surveillance | TechCrunch
Not every app or service is trying to monetize your personal data. Here are some of our favorite alternatives to popular apps.
techcrunch.com
November 25, 2024 at 1:33 PM
Reposted
Daniel Grzelak has released Awseye, a so-called Shodan for AWS, an OSINT and reconnaissance service that tracks and analyzes publicly accessible AWS data

awseye.com
November 26, 2024 at 3:36 PM