smthdfirent
@smthdfirent.bsky.social
Reposted by smthdfirent
Using our #honeypots, we uncovered an unreported #botnet that has been operational since at least the end of November 2023. This #PolarEdge botnet has been focusing on #edge devices, particularly those made by #Cisco, #Asus, #QNAP, and #Synology.

https://buff.ly/4ibOEo8
February 25, 2025 at 1:22 PM
Reposted by smthdfirent
Good overview from @talosintelligence.com on what is happening with Volt Typhoon in the Telco Infrastructure.
Weathering the storm: In the midst of a Typhoon
Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights ou...
blog.talosintelligence.com
February 20, 2025 at 3:54 PM
Reposted by smthdfirent
We released a report on an updated version of #Shadowpad including anti-debugging features and new configuration structure, that in some cases deploy a custom ransomware family. We have mainly seen the manufacturing industry being targeted in Europe and Asia www.trendmicro.com/fr_fr/resear...
#APT
February 20, 2025 at 9:39 AM
Reposted by smthdfirent
Today, Google Threat Intelligence is alerting the community to increasing efforts from several Russia state-aligned threat actors (GRU, FSB, etc.) to compromise Signal Messenger accounts.

cloud.google.com/blog/topics/...
Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog
Russia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.
cloud.google.com
February 19, 2025 at 11:05 AM
Reposted by smthdfirent
@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...

#dfir #threatintel #m365security
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack cam...
www.volexity.com
February 13, 2025 at 10:39 PM
Reposted by smthdfirent
Harfanglab researchers describe exploitation of Ivanti CSA vulnerabilities, which started in Q4 2024 & led to webshell deployments, and detail malicious activities conducted by a threat actor within an organization following Ivanti CSA device compromise. harfanglab.io/insidethelab...
February 11, 2025 at 11:45 AM
Reposted by smthdfirent
#botconf2025 ticket sales will open this weekend.
January 31, 2025 at 11:09 PM
Reposted by smthdfirent
#ESETresearch discovered + named 🇨🇳 China-aligned #APT group #PlushDaemon who did a supply-chain compromise of a 🇰🇷 South Korean #VPN provider, trojanizing its legitimate software installer with a Windows backdoor we named #SlowStepper www.welivesecurity.com/en/eset-rese...
🧵1/6
January 22, 2025 at 8:50 AM
Reposted by smthdfirent
🇷🇺 #DoubleTap Campaign: #Russia-nexus APT possibly related to #APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations

https://buff.ly/3WEwPG7
January 13, 2025 at 10:53 AM
Reposted by smthdfirent
🔥 new blog detailing 0day exploitation of Ivanti appliances as well as some newly observed malware families tracked as PHASEJAM and DRYHOOK. We also detail activity related to the previously observed SPAWN* malware ecosystem tied to China-nexus cluster UNC5337.

cloud.google.com/blog/topics/...
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.
cloud.google.com
January 9, 2025 at 12:42 AM
Reposted by smthdfirent
On December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.

🧵⤵️
Interesting susp targeted phish targeting an Italian telecom.
1) spoofing swisscom (note 'S', domain just reg'd)
2) leveraging encrypted rar + lnk + self signed pdf reader
3) BGP lure (fits with theme of email; BGP is the third leg in the outage triumvirate)
December 12, 2024 at 9:18 PM
Reposted by smthdfirent
Be sure to check out part 2!

Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine

www.microsoft.com/en-us/securi...
Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine | Microsoft Security Blog
Since January 2024, Microsoft has observed Secret Blizzard using the tools or infrastructure of other threat groups to attack targets in Ukraine and download its custom backdoors Tavdig and KazuarV2.
www.microsoft.com
December 11, 2024 at 9:54 PM
Reposted by smthdfirent
Mark was literally on my team for two seconds before solidly attributing the Voldemort activity me and @ffforward.bsky.social worked to TA415 (APT41)

Then me and Tommy went back to ecrime 😂

www.proofpoint.com/us/blog/thre...
The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort” | Proofpoint US
Research update (October 22nd, 2024) Proofpoint analysts now attribute this campaign to the China-aligned threat group TA415 (also known as APT41 and Brass Typhoon). This attribution is based on m...
www.proofpoint.com
December 4, 2024 at 12:41 AM
Reposted by smthdfirent
Second time we've seen Turla sit on top of someone else's operation. blog.lumen.com/snowblind-th...
Snowblind: The Invisible Hand of Secret Blizzard
blog.lumen.com
December 4, 2024 at 5:31 PM
Reposted by smthdfirent
This blog is wild. “Secret Blizzard (Turla) has used the tools and infrastructure of at least 6 other threat actors during the past 7 years.”

www.microsoft.com/en-us/securi...
Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage | Microsoft Security Blog
Microsoft has observed Secret Blizzard compromising the infrastructure and backdoors of the Pakistan-based threat actor we track as Storm-0156 for espionage against the Afghanistan government and Indi...
www.microsoft.com
December 4, 2024 at 7:20 PM
Reposted by smthdfirent
Live now on YouTube, the #VB2024 playlist featuring more than 40 presentations from VB2024 in Dublin. Thank you to all the speakers! www.youtube.com/playlist?lis...
December 3, 2024 at 10:41 AM
Reposted by smthdfirent
Three Buddy Problem: Volexity's Steven Adair joins the show 🔥 @stevenadair.bsky.social @craiu.bsky.social @jags.bsky.social

Enjoy securityconversations.com/episode/vole...
November 30, 2024 at 6:35 PM
Reposted by smthdfirent
#ESETresearch reveals the first Linux UEFI bootkit, Bootkitty. It disables kernel signature verification and preloads two ELFs unknown during our analysis. Also discovered, a possibly related unsigned LKM – both were uploaded to VT early this month. www.welivesecurity.com/en/eset-rese... 🧵
Bootkitty: Analyzing the first UEFI bootkit for Linux
ESET's discovery of the first UEFI bootkit designed for Linux sends an important message: UEFI bootkits are no longer confined to Windows systems alone.
www.welivesecurity.com
November 27, 2024 at 8:34 AM
Reposted by smthdfirent
@volexity.com’s latest blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.

Read more here: www.volexity.com/blog/2024/11...
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...
www.volexity.com
November 22, 2024 at 2:58 PM
Reposted by smthdfirent
#ESET research has identified #Linux malware samples, one of which we named #WolfsBane and attribute with high confidence to #Gelsemium. This 🇨🇳 China-aligned APT group, active since 2014, has not previously been publicly reported to use Linux malware. www.welivesecurity.com/en/eset-rese... 🧵(1/6)
Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine
ESET researchers analyzed previously unknown Linux backdoors that are connected to known Windows malware used by the China-aligned Gelsemium group, as well as to Project Wood.
www.welivesecurity.com
November 21, 2024 at 10:30 AM
Reposted by smthdfirent
@volexity.bsky.social has published a blog post detailing variants of LIGHTSPY & DEEPDATA malware discovered in the summer of 2024, including exploitation of a vulnerability in FortiClient to extract credentials from memory. Read more here: www.volexity.com/blog/2024/11...
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s ...
www.volexity.com
November 15, 2024 at 8:02 PM
Reposted by smthdfirent
We're excited to announce the release of ProcDump 1.0 for Mac.
ProcDump functionality is now available on Windows, Linux, and macOS.

Get the tools at sysinternals.com.

See what's new on the Sysinternals Blog:
Sysinternals - Sysinternals
Library, learning resources, downloads, support, and community. Evaluate and find out how to install, deploy, and maintain Windows with Sysinternals utilities.
sysinternals.com
November 13, 2024 at 4:50 PM