I'm 19, still in engineering school, and I just made $5,879 in February from bug bounties.
I used AI to speed up my recon and workflow. No certs. No bootcamp. No CS degree.
Here's the breakdown 🧵👇
Hey 👋, Bug Bounty Hunters (Cyber Security Researchers),
I am planning to create a Pvt Group where we monitor the data breaches of log files, company leaked source codes (for example, Uber, TikTok, etc.), and also share my findings, research, etc., for learning purposes.
Last night APT10, APT28, APT29, APT41, and FIN7 DMed me here on Twitter and said that my tweets revealed their poor opsec practices, so now they will make a few changes:
Changes:
APT28 is not going to use Cobalt Strike anymore and they will use Koadic C3 from today.
APT29 Cobalt Strike watermark is going to be changed from 1359593325 to 1337.
APT10 infra is going to be hosted on Digital Ocean only.
APT41 is changing all default C2 certifications from Major Cobalt Strike to Minor Cobalt Strike.
FIN7 will not use RDP for lateral movement anymore and will use only SSH.
So you have to track them now all from the beginning!
Sorry about that 🤷‍♂️
Pivoting from VirusTotal to Shodan and uncovering all threat actor infra (BRc4) 🎯
Let's grab this hash/badger implant (BRc4)
086d6f54b51a368d0a836ad8e24df659
Looks like the badger implant is connecting to this IP address -> 51.77.112.254
Now let's check the IP with Shodan and create a hunting rule to find other Brute Ratel C4 👀
We need to grab HTTP Response/Hash (from HTTP Response) and JARM from this C2 and combine them all together🤘
Our combined Shodan BRC4 Hunting rule 🎯
http.html_hash:182674321 ssl.jarm:3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e
Our hunting rule uncovered 31 Brute Ratel C4 🔥
shodan.io/search?query=h…
This is an example of how to pivot from one C2 and find the rest
Happy Hunting! 🎯
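The pivot above, as an added example that is not part of the thread: given banner-style host records, it builds the combined query from the seed C2, finds the hosts matching both signals, and separately lists the hosts a one-field rule would have swept in. The record layout is a constructed approximation of Shodan banner fields; the seed IP, html_hash and JARM are the thread's values, every other address and fingerprint is made up.

```python
"""Pivot from one C2 to others by matching Shodan's http.html_hash and ssl.jarm.
Added example, not the thread's tooling; records are constructed approximations of
Shodan banner fields. Seed IP, html_hash and JARM are from the thread, the rest made up."""

SEED_IP = "51.77.112.254"
SEED_JARM = "3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e"

SAMPLE_HOSTS = [  # constructed
    {"ip_str": SEED_IP, "http": {"html_hash": 182674321}, "ssl": {"jarm": SEED_JARM}},
    # Same response body and same TLS fingerprint: a genuine pivot hit.
    {"ip_str": "203.0.113.10", "http": {"html_hash": 182674321}, "ssl": {"jarm": SEED_JARM}},
    # Same body hash but a different TLS stack: a single-signal false positive.
    {"ip_str": "203.0.113.20", "http": {"html_hash": 182674321},
     "ssl": {"jarm": "00000000000000000000000000000000000000000000000000000000000000"}},
    # Same JARM but a different body: the other single-signal false positive.
    {"ip_str": "198.51.100.7", "http": {"html_hash": -1329921653}, "ssl": {"jarm": SEED_JARM}},
    # Plain HTTP with no TLS: this rule cannot fingerprint it at all.
    {"ip_str": "198.51.100.9", "http": {"html_hash": 0}},
]

def fingerprint(host):
    """Return (html_hash, jarm) for a banner, or None if either field is missing."""
    html_hash = host.get("http", {}).get("html_hash")
    jarm = host.get("ssl", {}).get("jarm")
    return None if html_hash is None or not jarm else (html_hash, jarm)

def build_query(seed):
    """Compose the Shodan search string the thread built from the seed C2."""
    fp = fingerprint(seed)
    if fp is None:
        raise ValueError("seed host lacks an HTML hash or JARM")
    return f"http.html_hash:{fp[0]} ssl.jarm:{fp[1]}"

def _seed_fp(hosts, seed_ip):
    return fingerprint(next(h for h in hosts if h["ip_str"] == seed_ip))

def hunt(hosts, seed_ip):
    """IPs other than the seed whose banner matches BOTH signals of the seed."""
    target = _seed_fp(hosts, seed_ip)
    return sorted({h["ip_str"] for h in hosts
                   if h["ip_str"] != seed_ip and fingerprint(h) == target})

def single_signal_hits(hosts, seed_ip):
    """IPs sharing exactly one signal with the seed: the noise a one-field rule adds."""
    t_hash, t_jarm = _seed_fp(hosts, seed_ip)
    hits = set()
    for h in hosts:
        fp = fingerprint(h)
        if h["ip_str"] != seed_ip and fp and (fp[0] == t_hash) != (fp[1] == t_jarm):
            hits.add(h["ip_str"])
    return sorted(hits)
```

Against real Shodan output the same functions apply once the JSON banners are loaded into a list; the constructed records only stand in for that input.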
Cobalt Strike redirector technique used recently by Russian APT29/Nobellium ⚡️
This is a Red Team technique (T1090.002 External Proxy) attack.mitre.org/techniques/T10… to hide C2 behind a legit website.
This could be very useful for Threat Hunters/Intel to set up a hypothesis/monitor network traffic for malicious activity.
From 🤖 #Truebot to #CL0P via #GoAnywhere:
In my last thread, I went on a journey and found 14 #CobaltStrike/#Meterpreter #C2s based off an HTTP header for an IP that shared an SSH fingerprint with a Truebot C2.
Let's look at these a bit further…🧐
🔒ThreatLabz has identified the U-Bomb #ransomware group operating a victim portal that strongly resembles the former #Hive group. Screenshots for comparison are shown below:
Critical #0day in #Outlook fixed.
CVE-2023-23397 exploited by #FancyBear to breach government, military, energy, and transportation orgs.
Reported by CERT-UA so probably used in Russia's war against Ukraine.
The flaw can be used to steal NTLM Hashes of victims.
To cite:
Threat actors can exploit it by sending messages with extended MAPI properties containing UNC paths to an SMB share (TCP 445) under their control.
"The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane," Microsoft says in a security advisory published today.
"The connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication," Redmond explained in a separate blog post.
CVE-2023-23397 impacts all supported versions of Microsoft Outlook for Windows but doesn't affect Outlook for Android, iOS, or macOS versions.
Additionally, since online services like Outlook on the web and Microsoft 365 do not support NTLM authentication, they are not vulnerable to attacks exploiting this NTLM relay vulnerability.
Patches are out so #Patch now!
#infosec #vulnerability #news
🚨 We released an ESXiArgs ransomware recovery script on GitHub to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks: github.com/cisagov/ESXiAr… #StopRansomware
Sebastien Raoult, an alleged member of ShinyHunters group, has been extradited from Morocco following a request from the United States government. He is currently in Seattle, Washington.
He is facing 116 years in prison. He has pleaded not guilty.
justice.gov/usao-wdwa/pr/a…
Interesting APT28 maldoc which uses no macro: the document is a PowerPoint file that exploits a code execution technique in a hyperlink, which is designed to be triggered when the user starts the presentation mode and moves the mouse.
Recently, a new version of #Hive #Ransomware v6 has been released. ty @happyhubbybear
Hive's developer abandoned the keystream and XOR encryption.
This version has a new crazy crypto scheme...
ChaCha20 (some keys per file) and RSA-5120 (2 public keys)