Rob Gasior

4.9K posts

@RobGasior

Husband, Dad, geek, IT Security Researcher, Ethical Hacker, DFIR / Blue Team, Runner, Pessimistic Villa supporter. Trying to do the right thing

Oxfordshire. Joined April 2010
4.2K Following, 825 Followers
Rob Gasior reposted
Fox_threatintel @banthisguy9349
If you have any evidence against hosting companies purposely allowing cybercriminals on their network, please shoot me a DM.
Rob Gasior reposted
CyberSudo @Cyber_Sudo
Most investigators stop their research when they see a Cloudflare IP. That’s a mistake! Cloudflare hides the origin server’s real IP address, but it doesn’t always make it impossible to find. With the right techniques, you can often uncover the actual hosting infrastructure behind a protected website.

Here are 3 methods I regularly use:

🧠 Criminal IP Search Engine: One of the fastest ways to investigate infrastructure behind a domain.

🔎 Reverse Favicon Search: Some websites reuse the same favicon across multiple services or subdomains. Searching by favicon hash can reveal infrastructure that isn’t behind Cloudflare.

📜 WHOIS History: Older WHOIS records sometimes expose previous hosting providers or IP addresses used before Cloudflare protection was enabled.

Using Criminal IP, you can pivot from a domain and uncover:
✅ Possible origin server IPs
✅ Passive DNS history
✅ Abuse records
✅ Malware associations
✅ Scanner activity
✅ Related infrastructure

Example: I searched a Cloudflare-protected domain inside Criminal IP and it immediately revealed the underlying server IP where the website was actually hosted.

Most people never go this far, but this step often unlocks the biggest findings in a website investigation.

Try out the search engine: shorturl.at/yHwuJ
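The reverse favicon search in the post above turns on a hash that the search engines index, so it is worth knowing exactly what gets hashed. As an added example (not code from the post or from any of the tools it names), here is a pure-Python version of the recipe Shodan uses for `http.favicon.hash`: base64-encode the favicon bytes the way `codecs.encode(data, "base64")` does (76-character lines, trailing newline) and run MurmurHash3 x86_32 over that text, returning a signed 32-bit value as `mmh3.hash()` does. MurmurHash3 is implemented inline so the block runs offline; `SAMPLE_ICON` is constructed sample data, and it is an assumption that other engines, Criminal IP included, index the same recipe.

```python
"""Shodan-style favicon hash: MurmurHash3 x86_32 over the base64 favicon.

Added example, not from the original post. MurmurHash3 is written out so
this runs without the mmh3 package; the usual one-liner is
mmh3.hash(codecs.encode(icon_bytes, "base64")). SAMPLE_ICON is made up.
"""
import base64

C1 = 0xCC9E2D51
C2 = 0x1B873593
MASK = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32, returned as a signed 32-bit int like mmh3.hash()."""
    h1 = seed & MASK
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * C1) & MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * C2) & MASK
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK
    tail = data[4 * nblocks:]                     # 0 to 3 trailing bytes
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * C1) & MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * C2) & MASK
        h1 ^= k1
    h1 ^= len(data)
    # finalisation mix (fmix32)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def favicon_hash(icon: bytes) -> int:
    """Hash the way Shodan's http.favicon.hash filter expects it.

    The icon is base64-encoded with a newline every 76 characters and a
    trailing newline (base64.encodebytes, identical to the "base64" codec),
    and that text, not the raw bytes, is what gets hashed.
    """
    return murmur3_32(base64.encodebytes(icon))


# Constructed sample: an ICO header plus zero filler standing in for a real favicon.
SAMPLE_ICON = (b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00"
               + b"\x00" * 64)

if __name__ == "__main__":
    print(f"http.favicon.hash:{favicon_hash(SAMPLE_ICON)}")   # the pivot query
```

Hash the icon served by the Cloudflare-fronted site, search for that value, and treat hosts outside Cloudflare's ranges that serve the same icon as candidates only. The hash proves the icon is the same, not that the host is the origin: confirm a candidate by requesting it directly with the `Host` header set to the protected domain and comparing the response.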
Rob Gasior reposted
IntelOps @IntelOpsV3
PwnForums has just released, run by John Insane Loki Tanaka Pine and Paw. They have imported the previous threads and users up until 28 March. Ranks should carry over.
Rob Gasior reposted
Rami McCarthy @ramimacisabird
📰 Today in TeamPCP updates
- @LloydLabs finds more infra on 43.228.157[.]123
- TeamPCP/Cipherforce redirect their onion site to @vectrw's … which looks down (launch coming?)
- @pcpcats get their analyses of the msbuild.exe payload - from @TheEnergyStory @HackingLZ & @N3mes1s
Rob Gasior reposted
Rami McCarthy @ramimacisabird
🐈‍⬛ Meet nsa[.]cat. Kudelski's IR writeup is flying under the radar, and it's the first with TeamPCP post-exploit IOCs you can hunt. TruffleHog scans led back to an attacker VPS hosting not just this file share, but target lists & MinIO storage. This is one to read 🧵
Rob Gasior reposted
Peter Girnus 🦅 @gothburz
We're restarting Three Mile Island to power Copilot. Let me tell you why we're qualified.

In 2020, Russian intelligence hacked SolarWinds and rode the supply chain into 18,000 organizations. We were one of them. They used our systems to breach the Department of Defense, the Department of Homeland Security, and the Pentagon. I found out in a meeting about font choices for the new Outlook redesign. Someone pinged the #incidents channel. I checked. 18,000 compromised organizations. I went back to the font meeting. We chose Aptos. That took four months. The Russians had been inside for nine. We called it "a sophisticated nation-state attack." Sophisticated means we didn't notice. Nation-state means it's not our fault.

In 2021, Chinese hackers exploited four zero-day vulnerabilities in Exchange and breached 30,000 American organizations. Schools. Hospitals. Police departments. The entire email infrastructure of small towns in Ohio. We called it "limited and targeted." 30,000 is a limit. Technically. That same quarter we won a Cybersecurity Excellence Award. The trophy is in the lobby of Building 34 in Redmond. It's in a glass case next to a framed quote from Bill Gates about "Trustworthy Computing." The glass case has a keycard lock. The keycard system runs on Exchange.

In 2022, a group of teenagers breached our Azure DevOps environment and accessed the source code for Bing and Cortana. They did this from their bedrooms. They posted the screenshots on Telegram. One of them was seventeen. Teenagers. On Telegram. From a bedroom in England. We called it "a contained incident." We have an internal award for this kind of thing. "Security Resilience Recognition." It comes with a $500 gift card to the Microsoft Store and a LinkedIn badge. Twelve people got it that quarter. One of them wrote the code the teenagers stole.

In 2023, Chinese hackers stole one of our cryptographic signing keys — one of the actual skeleton keys to the kingdom — and used it to read the emails of the Secretary of Commerce, the U.S. Ambassador to China, and officials across multiple federal agencies. 60,000 State Department emails. They were inside for six weeks. We didn't detect it. A customer noticed. They called us. We checked. They were right. We sent them a thank-you email. From Exchange. The U.S. Cyber Safety Review Board investigated. Thirty-four pages. "Cascade of avoidable errors." "Security culture inadequate and requires an overhaul." "Preventable and should never have occurred." I printed the report. I highlighted the word "preventable." I put it in the same drawer as my Q3 performance review, which said I "exceeded expectations." Same quarter. Same company.

In January 2024, Russian intelligence hacked the personal email accounts of our senior leadership. The method was password spraying. The entry point was a legacy test account. Without multi-factor authentication. A test account. Without MFA. At the company that sells MFA. To the government. That it told to enable MFA. In a security advisory. That we wrote. Someone asked how this happened. I said it was "a legacy configuration artifact from a prior authentication framework." That's nineteen words for "nobody turned it on." He asked who was responsible. I said the account "predated current ownership structures." That's five words for "we don't know." He looked like he had more questions. I scheduled him for a "career trajectory alignment session." He works in compliance now. Compliance is where we put the people who ask questions we don't want answered. It has a very high headcount. It shares a floor with Legal, which is where we put the people who answer questions we wish nobody asked.

Meanwhile, federal reviewers examining our government cloud described our internal architecture as "spaghetti pies." They flagged that we were missing basic encryption documentation for Exchange Online. Exchange. The product we've shipped for thirty years. We didn't have the diagram that shows how it encrypts your email. Nobody asked for it until someone asked for it. Then we couldn't find it. Then we looked in SharePoint. SharePoint said the file existed. SharePoint was wrong. This surprised nobody. The reviewers called our government cloud "a pile of shit." Direct quote. In writing. To each other. They approved it for the nation's most sensitive data anyway. The Justice Department helped push it through. Then two of the people who helped approve it came to work for us. Our former DOJ liaison is now on our government strategy team. The ex-Deputy Attorney General is our president. That's not a revolving door. That's a recruitment pipeline. We hired the people who grade our homework. Now nobody grades our homework. FedRAMP's budget just got slashed to $10 million. That's less than what we spent on the catering contract for Build 2025. Fewer reviewers. Fewer questions.

So. Here is what I know about the company that's going to operate nuclear reactors. Twenty-year deal. $16 billion. The site of the worst nuclear accident in American history. We can't secure email. We can't detect our own cryptographic keys being stolen. We can't stop teenagers in a bedroom in England from downloading our source code on Telegram. We can't remember to enable the security feature we sell to everyone else. Our internal architecture is spaghetti pies. Our government cloud is a pile of shit. Our security culture requires an overhaul. And now we're restarting Three Mile Island. To power Copilot. Which costs $30 per seat per month. Usage rates at most companies are in the single digits. But the servers still run. The GPUs still spin. The meter doesn't care if anyone's prompting. So we need more power. Not a little more. Not solar-panel more. Not wind-farm more. Nuclear reactor more.

A junior engineer asked if we'd considered making the software more efficient instead of building a nuclear plant. I said that was "a pre-scale optimization mindset." She asked what that meant. She's in documentation now. Documentation is next to Compliance.

Satya will present this at the next earnings call. The slide will say "Responsible AI" in the Aptos font we spent four months choosing while the Russians were inside. The analysts will nod. The stock will move. Nobody will ask about the spaghetti pies. Because we've rebranded all of it. "Cascade of avoidable errors" is now "security journey." "Pile of shit" is now "FedRAMP High authorized." A teenager on Telegram is now "external security researcher." A nuclear meltdown site is now "clean energy campus."

The keycard still runs on Exchange. The padlock emoji in #incidents is still on fire. I don't know how our encryption works. I've been here nine years. Nobody's seen the diagram. I don't know how a nuclear reactor works. But I know the graph goes up and to the right.
Rob Gasior @RobGasior
@UK_Daniel_Card Tired - wish threat actors would sometimes work UK-friendly hours
mRr3b00t @UK_Daniel_Card
How's everyone doing?
Rob Gasior reposted
Tuki @TukiFromKL
🚨 Andrej Karpathy just explained the scariest thing happening in software right now.. someone poisoned a Python package that gets 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine.. SSH keys.. AWS credentials.. crypto wallets.. database passwords.. git credentials.. shell history.. SSL private keys.. everything.. and here's the part that should terrify every developer alive.. the attack was only discovered because the attacker wrote sloppy code.. the malware used so much RAM that it crashed someone's computer.. if the attacker had been better at coding.. nobody would have noticed for weeks.. one developer.. using Cursor with an MCP plugin.. had litellm pulled in as a dependency they didn't even know about.. their machine crashed.. and that crash saved thousands of companies from getting their entire infrastructure stolen.. Karpathy's take is the real wake up call.. every time you install any package you're trusting every single dependency in its tree.. and any one of them could be poisoned.. vibe coding saved us this time.. the attacker vibe coded the attack and it was too sloppy to work quietly.. next time they won't make that mistake.
Andrej Karpathy @karpathy

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for less than ~1 hour.

The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.

Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

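The point of the two posts above is that `pip install` installs whatever the whole dependency tree says, which is how an editor MCP plugin ended up installing litellm on a machine whose owner never asked for it. As an added example (not code from the posts or from the litellm project), the block below walks a package's transitive `Requires-Dist` metadata and reports the path from the package you asked for to one you want to know about. The resolver is pluggable: `installed_requires` reads real installed metadata through `importlib.metadata`, while `SAMPLE_GRAPH` is a constructed graph; its `editor-mcp-plugin` name and everything except the litellm and dspy edge are made up for the example, and the version in `BAD_VERSIONS` is the one named in the post, not an authoritative indicator list.

```python
"""Find whether, and through which chain, a package pulls in another one.

Added example, not part of the post. Works on real installed metadata by
default; SAMPLE_GRAPH is a constructed stand-in for the post's chain.
"""
import re
from importlib import metadata
from typing import Callable, Dict, List, Optional, Tuple

# Version named in the post as the poisoned release; illustrative, not an IOC feed.
BAD_VERSIONS = {"litellm": {"1.82.8"}}

# Requires-Dist entries look like "litellm>=1.64.0", "pydantic (>=2.0)" or
# "rich; extra == 'pretty'". We only need the project name at the front.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_name(spec: str) -> Optional[str]:
    """Normalised project name from a Requires-Dist entry, or None when the
    entry is gated behind an optional extra (a plain install skips it)."""
    if ";" in spec and "extra" in spec.split(";", 1)[1]:
        return None
    m = _NAME_RE.match(spec)
    return m.group(1).lower().replace("_", "-").replace(".", "-") if m else None


def installed_requires(name: str) -> List[str]:
    """Requires-Dist entries of an installed distribution (the real resolver)."""
    try:
        return metadata.requires(name) or []
    except metadata.PackageNotFoundError:
        return []


def walk(root: str, requires: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Map every package reachable from `root` (without extras) to the chain
    of packages that led to it; the root maps to an empty chain."""
    seen: Dict[str, List[str]] = {}
    stack: List[Tuple[str, List[str]]] = [(root.lower(), [])]
    while stack:
        pkg, path = stack.pop()
        if pkg in seen:
            continue
        seen[pkg] = path
        for spec in requires(pkg):
            dep = requirement_name(spec)
            if dep and dep not in seen:
                stack.append((dep, path + [pkg]))
    return seen


def find_package(root: str, target: str,
                 requires: Callable[[str], List[str]] = installed_requires) -> Optional[List[str]]:
    """Chain root -> ... -> target if target sits in root's tree, else None."""
    tree = walk(root, requires)
    t = target.lower()
    return tree[t] + [t] if t in tree else None


def installed_is_flagged(name: str) -> bool:
    """True if the installed version of `name` is in BAD_VERSIONS."""
    try:
        return metadata.version(name) in BAD_VERSIONS.get(name.lower(), set())
    except metadata.PackageNotFoundError:
        return False


# Constructed graph: editor plugin -> dspy -> litellm, mirroring the post's chain.
SAMPLE_GRAPH = {
    "editor-mcp-plugin": ["dspy>=2.0", "rich; extra == 'pretty'"],
    "dspy": ["litellm>=1.64.0", "pydantic (>=2.0)"],
    "litellm": ["requests", "tiktoken"],
    "requests": [], "tiktoken": [], "pydantic": [], "rich": [],
}


def sample_requires(name: str) -> List[str]:
    return SAMPLE_GRAPH.get(name, [])


if __name__ == "__main__":
    chain = find_package("editor-mcp-plugin", "litellm", sample_requires)
    print(" -> ".join(chain) if chain else "not a dependency")
```

Against a real environment, `find_package("your-package", "litellm")` tells you whether and through what you depend on it, and `installed_is_flagged("litellm")` checks the installed version. Both only see what is already installed, so the control that actually helps is to lock before installing: pin every transitive dependency with hashes and install with `pip install --require-hashes -r requirements.txt`, so a freshly uploaded release cannot silently replace the one you reviewed.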
mRr3b00t @UK_Daniel_Card
@JohnHultquist This applies to theme park, hospital and sim city as well right? Right? 🤣
mRr3b00t @UK_Daniel_Card
Anyone think there’s a lot of grifters in the cyber / privacy spaces? Like for real there’s tons of awesome people (or I would not be chatting to you lovely h00mans) but like… LinkedIn and Instagram etc. are full of absolute fucking nonsense
Rob Gasior reposted
Bryan Onel @BryanOnel86
Said a guy who got caught bribing people in an attempt to take over a Reddit sub but failed at it. You’ve been building compliance platforms for years and keep rebooting with different names and entities. I’m sure this is the one that will work! Rooting for you. Once again, good luck with your series A.
Lewis ⚡ soc2/acc @lewiscarhart

This guy is such a fucking dweeb Brother you’ve been building OneLeet for 5 years and it sucks Focus on your incredibly high churn, not our dumb Reddit marketing ❤️

Rob Gasior @RobGasior
@vxdb Great find - What’s frustrating is Arion is like 6 miles away from me, shame they have him locked up, but I understand why, but I’d love to know more about what they were up to - and it’s not like NCA is gonna share
Rob Gasior reposted
vxdb @vxdb
In June 2021, Lapsus$ breached Electronic Arts and stole an estimated 780 GB of data, including source code and development tools.

I was messing around on OSINT Industries searching emails owned by Arion Kurtaj, and found this email: admin@leaks.direct. Arion tried making a website called leaks[.]direct in early 2021, a potential database/leak sharing site that never released to the public, to my knowledge. Yet an email was still created, admin@leaks[.]direct.

After putting that into OSINT Industries, we see a very interesting entry: a GitHub profile pretending to be an Electronic Arts Supplier Relationship Management account, created just a month before the alleged breach on EA’s network.

On June 7th, the GitHub account in question opened an issue in the ownCloud repo: https://github[.]com/owncloud/core/issues/38814

Months before the EA breach goes public, a Lapsus$ member creates an issue on the ownCloud repo asking for help on exporting data out of a deleted LDAP account. In their post, they also claim to see another storage cluster on the network with roughly 13 PB of data. They even promote a reward to anyone who can help them with this task.

Very interesting find on @OSINTindustries
Rob Gasior reposted
Tim Brown @timb_machine
Pro-tip: You can still be supportive of women and girls tomorrow, next month, next year etc. Don't limit yourself to just treating them decently for one day!