Helvede

21 posts18 participants1 post today

Taggart :donor:FWIW, 100% of <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ClickFix</a> attacks I've seen have added some kind of inline comment at the end of the command string like <code>I am not a robot</code> to sell the ruse. Definitely worth a threat hunt on command line history.<a href="https://infosec.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatHunting</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntelligence</a>

Tim (Wadhwa-)Brown :donor:That SAP NetWeaver bug is pretty ouchy:<a href="https://x.com/gothburz/status/1915755189019017411" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://x.com/gothburz/status/1915755189019017411</a><a href="https://infosec.exchange/tags/sap" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sap</a>, <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>

Brian Greenberg :verified:⚠️ Mobile security risk: New Android malware "SuperCard X" enables contactless payment fraud via NFC relay attacks 📱💳Here’s how it works: 🔹 Victims are socially engineered through fake bank alerts (smishing + calls) 🔹 Tricked into installing a rogue app posing as “security software” 🔹 NFC data is intercepted from real debit/credit cards 🔹 Attackers relay stolen credentials to PoS terminals and ATMs for fraudulent cashoutsWhy it matters: • Attackers no longer need stolen physical cards — just proximity + deception • Banking customers, payment providers, and card issuers are all at risk • Google is working on Android protections — but vigilance is key now🛡️ Tip: Always scrutinize app installs, verify messages before acting, and keep Google Play Protect enabled.<a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/MobileSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MobileSecurity</a> <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://infosec.exchange/tags/NFC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NFC</a> <a href="https://infosec.exchange/tags/FinancialFraud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FinancialFraud</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a> <a href="https://infosec.exchange/tags/privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#privacy</a> <a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cloud</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://thehackernews.com/2025/04/supercard-x-android-malware-enables.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://thehackernews.com/2025/04/supercard-x-android-malware-enables.html</a>

Ian CampbellSo you like domain intel.What if we presented 2024 findings and went deep into the analytical methods?What if we provided some awesome scatterplots showing intel-relevant convergences?What if I said....Shannon Entropy?And if we gave you topic-based heatmaps?Well, get in here, then. Our first annual Domain Intelligence Report is out. <a href="https://masto.deoan.org/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://masto.deoan.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://masto.deoan.org/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://www.domaintools.com/dti-inaugural-domain-intelligence-report/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Domain-Intel-Report" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.domaintools.com/dti-inaugural-domain-intelligence-report/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Domain-Intel-Report</a>

Tim (Wadhwa-)Brown :donor:Another header bypass, this time a Citrix NetScaler nasty:<a href="https://attackerkb.com/topics/7zebEgmGLs/cve-2024-6235" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://attackerkb.com/topics/7zebEgmGLs/cve-2024-6235</a><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>, <a href="https://infosec.exchange/tags/netscaler" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#netscaler</a>

Tim (Wadhwa-)Brown :donor:The mean time between me pointing out a potential abuse case and us finding malware using it is shortening. This is either good news or bad.<a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>, <a href="https://infosec.exchange/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#linux</a>

Taylor ParizoRelated: <a href="https://arxiv.org/pdf/2503.23175" rel="nofollow noopener noreferrer" target="_blank">Large Language Models are Unreliable to Cyber Threat Intelligence</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>

Ian CampbellDid that thing again where I shared some of the stuff we're reading internally at <a href="https://infosec.exchange/@DomainTools" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@DomainTools</a> Investigations.Not a roundup, just what caught our attention. Got something you think we should add? Link me, I always need more to read and more reasons to avoid cleaning the fridge.<a href="https://masto.deoan.org/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://masto.deoan.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://masto.deoan.org/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> https:// dti.domaintools.com/cybersecur ity-reading-list-week-of-2025-04-21/?utm_source=Mastodon&utm_medium=Social&utm_campaign=reading-list-april

Christoffer S.<a href="https://infosec.exchange/@fabian_marquardt" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@fabian_marquardt</a> Welcome, it's a pretty decent place, and with <a href="https://infosec.exchange/@jerry" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@jerry</a> at the helm you've chosen your instance well ;-)Enjoy!(Make sure to follow a couple of Tags such as <a href="https://swecyb.com/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Cybersecurity</a> and <a href="https://swecyb.com/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> as it will somewhat get you going with a good timeline!)

Alexandre DulaunoyI had the pleasure of presenting at <a href="https://infosec.exchange/tags/FIRSTCTI25" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FIRSTCTI25</a> in Berlin:"The Art of Pivoting – How You Can Discover More from Adversaries with Existing Information."The talk explored how unconventional indicators, like cookie names, QR codes, HTTP headers (HHHash), DOM structures, and reused Google Analytics IDs, can reveal surprising links across threat actor infrastructure and behavior.We also shared real-world insights from our crawling and analysis with AIL, including:<ul><li>How “weak” indicators can gain strength through composite correlation</li><li>Unexpected metadata reuse across Tor services and social platforms</li><li>How AIL enables more creative and effective pivoting workflows</li></ul>🔗 Slides <a href="https://www.ail-project.org/assets/img/slides/the-art-of-pivoting.pdf" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.ail-project.org/assets/img/slides/the-art-of-pivoting.pdf</a><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cti</a> <a href="https://infosec.exchange/tags/opensource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#opensource</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/darkweb" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#darkweb</a> <a href="https://misp-community.org/@misp" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@misp</a> <a href="https://infosec.exchange/@ail_project" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@ail_project</a> <a href="https://social.circl.lu/@circl" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@circl</a> Thanks to <a href="https://infosec.exchange/@terrtia" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@terrtia</a> for the crazy discussions around correlations!

Christoffer S.Data Breach Investigation Report (DBIR) for 2025 has been published, and as always readable without registration which these days is to be celebrated because it's becoming increasingly rare to find non-walled content.And DBIR has been historically awesome with a very, very personable writing style again something I consider increasingly rare in these days of LLM-generated content.All in all, many reasons to celebrate:<a href="https://www.verizon.com/business/resources/reports/dbir/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.verizon.com/business/resources/reports/dbir/</a><a href="https://swecyb.com/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Cybersecurity</a> <a href="https://swecyb.com/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://swecyb.com/tags/DBIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DBIR</a>

cR0w :cascadia:For those that track IABs:<a href="https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/</a>IoCs, which include Metasploit shells:<blockquote>fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be38260a367cc7e7e297248fad57e27f83316b7606788db9468f59031fed811cfe48670bcfea4983cfc2a55a8ac339384ecd0988a470af444ea8f3b597d5fe5f6067fb5831b09c93f305e7d0a49d4936478fac3890b97e065141f82cda9a0d75b1066d691cc4a12fbada29d093e57bd02ca372bc10968b706c95370daeee43054f06e370077fde6c5fc5e4d607c75ff5312cc2fdf61ea08cae75f162d30fa7475880dea95930ff02a0d13e4dbe603a33175dc73c0286cd53ae4a141baf99ae664f4132c1bd624e83382668939535d47082c0a6de1981ef2194bb4272b62ecc7be1ff6b209[.]141[.]43[.]37194[.]156[.]98[.]155158[.]247[.]211[.]5139[.]106[.]141[.]6847[.]117[.]165[.]166195[.]123[.]240[.]275[.]127[.]0[.]235149[.]102[.]243[.]100206[.]188[.]196[.]2051[.]81[.]42[.]234178[.]175[.]134[.]52162[.]33[.]177[.]5664[.]52[.]80[.]252162[.]33[.]178[.]196103[.]199[.]16[.]92</blockquote><a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatIntel</a>

Brian ClarkSekoia has another excellent write-up on an attack they are seeing. The fact that this attack is successful in some places boggles my mind. It has a smorgasbord of known attacker TTPs that everyone should be monitoring, controlling and/blocking. Example TTPs include: - Use of trycloudflare.com - Use of dynamic DNS (duckdns!) - Use of Wscript.exe - Use of Mshta.exeYou know what to do folks!<a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> From: <a href="https://infosec.exchange/@sekoia_io" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@sekoia_io</a> <a href="https://infosec.exchange/@sekoia_io/114386351495475519" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@sekoia_io/114386351495475519</a>

Tim (Wadhwa-)Brown :donor:Not got my name on it but there are two new techniques that I lobbied for (bind mounts and process argument overwrites). Kudos to the team for finding suitable source material to cite.<a href="https://infosec.exchange/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#linux</a>, <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>, <a href="https://infosec.exchange/tags/att" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#att</a>&ck

Tim (Wadhwa-)Brown :donor:We welcome ATT&CK v17:<a href="https://attack.mitre.org/resources/updates/updates-april-2025/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://attack.mitre.org/resources/updates/updates-april-2025/</a>Time to update your mappings :).<a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#redteam</a>, <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#blueteam</a>, <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>, <a href="https://infosec.exchange/tags/att" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#att</a>&ck

Brian Greenberg :verified:⚠️ Cyber threat: “Cookie Bite” attack hijacks Microsoft 365 — no malware required. Researchers uncovered a new attack that abuses Azure Entra ID auth cookies (ESTSAUTH + ESTSAUTHPERSISTENT) to: 🍪 Hijack sessions in Outlook, Teams, and more 🚫 Bypass MFA 📥 Avoid traditional endpoint detection 🧩 Spread via malicious browser extensions🛡️ Organizations must: 🔐 Audit browser extension permissions 📊 Monitor for persistent cloud session abuse 🧠 Train users to avoid risky browser behaviorsInvisible. Persistent. And just one stolen cookie away.<a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/Microsoft365" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Microsoft365</a> <a href="https://infosec.exchange/tags/MFABypass" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MFABypass</a> <a href="https://infosec.exchange/tags/EntraID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EntraID</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a> <a href="https://infosec.exchange/tags/privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#privacy</a> <a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cloud</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://www.darkreading.com/remote-workforce/cookie-bite-entra-id-attack-exposes-microsoft-365" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.darkreading.com/remote-workforce/cookie-bite-entra-id-attack-exposes-microsoft-365</a>

Taggart :donor:This is still ongoing, but I might do a looksee in your DNS records for <code>static-pcs-sdk-server.alibaba[.]com</code><a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntelligence</a>

Volexity :verified:New on the <a href="https://infosec.exchange/@volexity" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@volexity</a> Blog: Multiple Russian threat actors are leveraging Signal, WhatsApp, and a compromised Ukrainian government email address to impersonate EU officials. This latest round of phishing attacks abuses first-party Microsoft Entra apps and OAuth to compromise targets.<a href="https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows</a><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>

k3ym𖺀🚨 New Threat Alert: Rustobot Botnet 🚨 A new Rust-based botnet is making waves — and it's hijacking routers to do it. <a href="https://infosec.exchange/@FortiGuardLabs" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@FortiGuardLabs</a> latest research dives into Rustobot, a stealthy, modular botnet that’s fast, evasive, and ready to wreak havoc.🔍 Learn how it works, what makes it different, and how to protect your network: 👉 <a href="https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers</a>IOCsURLshxxp://66[.]63[.]187[.]69/w.sh hxxp://66[.]63[.]187[.]69/wget.sh hxxp://66[.]63[.]187[.]69/t hxxp://66[.]63[.]187[.]69/tftp.sh hxxp://66[.]63[.]187[.]69/arm5 hxxp://66[.]63[.]187[.]69/arm6 hxxp://66[.]63[.]187[.]69/arm7 hxxp://66[.]63[.]187[.]69/mips hxxp://66[.]63[.]187[.]69/mpsl hxxp://66[.]63[.]187[.]69/x86Hostsdvrhelper[.]anondns[.]net techsupport[.]anondns[.]net rustbot[.]anondns[.]net miraisucks[.]anondns[.]net 5[.]255[.]125[.]150<a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/Botnet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Botnet</a> <a href="https://infosec.exchange/tags/RustLang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RustLang</a> <a href="https://infosec.exchange/tags/Fortinet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fortinet</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/IoTSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IoTSecurity</a> <a href="https://infosec.exchange/tags/NetworkSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NetworkSecurity</a>

Brian Greenberg :verified:⚠️ Cyber threat: Russian bulletproof host Proton66 fuels global attacks 🌐💣Since January 8, IPs associated with Proton66 have been linked to: 🔍 Mass scanning and credential brute-forcing 💥 Exploitation of critical vulnerabilities (e.g., CVE-2025-0108, CVE-2024-41713) 🛡️ Hosting malware families like GootLoader and SpyNote 📱 Redirecting Android users to malicious APKs via compromised WordPress sitesOrganizations must enhance their threat intelligence and monitoring to detect and mitigate such activities.<a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/Proton66" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Proton66</a> <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://infosec.exchange/tags/NetworkSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NetworkSecurity</a> <a href="https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html</a>

Recent searches

Search options

Administered by:

Server stats:

#threatintel