security_dumpster
@securitydumpstr
72 posts

303: @ https://t.co/I4aYuNOKKY Lifelong snowboarder and opportunist threat hunter | my views are my own

Joined July 2023
337 Following, 143 Followers
security_dumpster reposted
Sophos X-Ops (@SophosXOps):
Sophos analysts are investigating a new infection chain for the GOLD BLADE cybercriminal group’s custom RedLoader malware, which initiates command and control (C2) communications.
security_dumpster reposted
Sophos X-Ops (@SophosXOps):
Sophos MDR has observed 2 distinct social engineering campaigns using a technique referred to as ClickFix spiking during March. Both of these campaigns—one surging on 2 March & the other 12 March—attempted to deploy SecTopRAT malware. We are tracking this activity as STAC6380./1
security_dumpster reposted
Sophos X-Ops (@SophosXOps):
In November, Sophos MDR noted a rapid decline in detections for the Rockstar2FA phishing as a service platform. Its rise was documented in a report by Trustwave on November 26. /1 trustwave.com/en-us/resource…
security_dumpster (@securitydumpstr):
Just put out this research on MiTM PaaS kits Rockstar/FlowerStorm. While my name is on this, the primary researchers Josh Rawles (@ig3thack3d4u) and Jordon Olness deserve the lion's share of credit. They're both brilliant to work with and hats off to them news.sophos.com/en-us/2024/12/…
vx-underground (@vxunderground):
Hi, we're on giveaway. Our friends at @cyberwarfarelab hooked us up with 5 vouchers for the Certified Multi-Cloud Red Team Analyst. If you wanna big brain science and get more stuff for the Holidays, leave a comment below.
- Winners will be selected randomly in the next 24 hours.
- We will DM winners.
- If you do not confirm your win in 24 hours a new winner will be selected.
- If your DMs are closed, you automatically forfeit your prize.
Have a nice day
Greg Lesnewich (@greglesnewich):
Friendly reminder that we have a #100DaysofYARA discord (thanks to @_John_Doyle !) where a lot of folks will be chilling and more responsive than on socials - check it out! And yes red team friends are welcome alongside us blues! 🫶❤️💙💜 discord.gg/z2qFJKez
security_dumpster (@securitydumpstr):
Me when I saw the theatre showing The Fifth Element on a random Sunday night
security_dumpster reposted
Elbridge Colby (@ElbridgeColby):
"China’s ‘mind-boggling’ space capabilities worry US, says Space Force chief Beijing’s tech is more concerning than reports of Russian space nukes, said General B. Chance Saltzman." 1/ politico.eu/article/china-…
security_dumpster reposted
Diego Capriotti (@naksyn):
This has been one of my favorites for a while, but now it's time to let it go. Here's my preferred way of getting the KeePass db that we often hunt for: downgrade the executable to version 2.53, use CVE-2023-24055 and wait for the busy admin to trigger the dump of the database. The target can remain clean and you can simply check for the dump creation. KeePass version 2.53 can still open kdbx created with the version 2.57 and if using a proper xml the user will likely notice nothing. Update alerts can also be disabled within the xml. gist.github.com/naksyn/6d5660d…
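The trigger abuse described in the post above has a defensive counterpart the page does not spell out: inspect KeePass.config.xml for a trigger whose action writes or sends the database somewhere, and for the silenced update notice that hides the downgrade. The scanner below is an added example written for this page; it is not code from the post's author or from the KeePass project. It assumes the KeePass 2.x config layout (Configuration/Application/TriggerSystem/Triggers/Trigger, with Events and Actions carrying Parameters, and Configuration/Application/Start/CheckForUpdate for the update flag); the two sample configs are constructed, their GUID values are placeholders rather than real KeePass type identifiers, and 2.54 is taken as the first fixed build only because the post names 2.53 as the downgrade target.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Constructed KeePass.config.xml carrying an export trigger of the kind the
# post describes. Assumption: element layout as in KeePass 2.x; the GUID
# values below are placeholders, not real KeePass trigger/event/action types.
EXPORT_TRIGGER_CONFIG = r"""<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Application>
    <Start>
      <CheckForUpdate>false</CheckForUpdate>
    </Start>
    <TriggerSystem>
      <Triggers>
        <Trigger>
          <Guid>AAAAAAAAAAAAAAAAAAAAAA==</Guid>
          <Name>Sync</Name>
          <Events>
            <Event>
              <TypeGuid>BBBBBBBBBBBBBBBBBBBBBB==</TypeGuid>
              <Parameters><Parameter>0</Parameter><Parameter /></Parameters>
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>CCCCCCCCCCCCCCCCCCCCCC==</TypeGuid>
              <Parameters>
                <Parameter>KeePass XML (2.x)</Parameter>
                <Parameter>C:\Users\Public\export.xml</Parameter>
                <Parameter />
                <Parameter />
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>"""

# Constructed clean config: no triggers, update check left on.
CLEAN_CONFIG = """<Configuration>
  <Application>
    <Start><CheckForUpdate>true</CheckForUpdate></Start>
    <TriggerSystem><Triggers /></TriggerSystem>
  </Application>
</Configuration>"""

PATH_RE = re.compile(r"[A-Za-z]:\\|\\\\[^\\\s]+\\|%[A-Za-z_]+%")  # C:\..., \\share\..., %TEMP%
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
CMD_RE = re.compile(r"powershell|cmd\.exe|certutil|bitsadmin|curl", re.IGNORECASE)


@dataclass
class Finding:
    trigger: str
    reason: str
    parameters: List[str] = field(default_factory=list)


def _parameters(node: ET.Element) -> List[str]:
    """Non-empty <Parameter> strings under an <Event> or <Action>."""
    return [p.text.strip() for p in node.iterfind("Parameters/Parameter")
            if p.text and p.text.strip()]


def scan_triggers(config_xml: str) -> List[Finding]:
    """Flag every trigger action whose parameters name a file path, a URL or a
    command interpreter. Trigger types are opaque base64 GUIDs in the XML, but
    a database dump has to be written or sent somewhere, so keying on the
    parameters catches the export trigger without knowing the TypeGuid."""
    root = ET.fromstring(config_xml)
    findings: List[Finding] = []
    for trigger in root.iterfind("Application/TriggerSystem/Triggers/Trigger"):
        name = (trigger.findtext("Name") or "<unnamed>").strip()
        for action in trigger.iterfind("Actions/Action"):
            params = _parameters(action)
            joined = " ".join(params)
            if PATH_RE.search(joined):
                reason = "action parameters name a file path"
            elif URL_RE.search(joined):
                reason = "action parameters name a URL"
            elif CMD_RE.search(joined):
                reason = "action parameters invoke a shell or download tool"
            else:
                continue
            findings.append(Finding(name, reason, params))
    return findings


def update_check_disabled(config_xml: str) -> bool:
    """True when the config silences the update notice, which the post notes
    an attacker does so the downgraded build goes unnoticed."""
    value = ET.fromstring(config_xml).findtext("Application/Start/CheckForUpdate")
    return value is not None and value.strip().lower() == "false"


def is_downgraded(file_version: str, first_fixed=(2, 54)) -> bool:
    """Compare KeePass.exe's file version (e.g. the PE VersionInfo string)
    against the first build assumed to close CVE-2023-24055. Assumption: the
    post targets 2.53, so 2.54 is taken as the boundary."""
    parts = tuple(int(x) for x in file_version.split(".")[:2])
    return parts < first_fixed


if __name__ == "__main__":
    for cfg in (EXPORT_TRIGGER_CONFIG, CLEAN_CONFIG):
        print("findings:", scan_triggers(cfg), "| update check off:", update_check_disabled(cfg))
    print("2.53.0.0 is downgraded:", is_downgraded("2.53.0.0"))
```

On a real host you would feed scan_triggers the config next to KeePass.exe (and the enforced config, if one is deployed) and take the version string from the executable's VersionInfo. A clean install has no triggers at all, so any finding, and any trigger, deserves a look; the post's own tell, the dump file appearing, is what the path check is looking for before the admin ever opens the database.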
security_dumpster reposted
Andy Greenberg (@agreenberg at the other places)
Sophos detailed to me its 5-year cat-and-mouse game with Chinese hackers repeatedly exploiting its firewalls. The company resorted to installing spy "implants" on devices the hackers were testing on—tracing them to a university and contractor in Chengdu. wired.com/story/sophos-c…
security_dumpster reposted
Andrea P (@decoder_it):
OK, I promise to stop spamming about relays with NTLM/Kerberos 😅. But if you're a member of the Distributed COM or Performance Log group, these juicy CLSIDs let you trigger remotely machine authentication of any computer, including DCs, and relay DCOM -> HTTP, SMB… 👇
security_dumpster reposted
𝓙𝓪𝓬𝓴2 (@2RunJack2):
🚨 ITW Zero-Day Vulnerability Discovery: #APT37 (#Scarcruft) 🚨
For Responsible Disclosure, we disclose relevant details at this time: Unmasking CVE-2024-38178, The Silent Threat of Windows Scripting Engine 🔗 medium.com/s2wblog/unmask…
🔍 Key findings:
- The attack used a freeware advertising module to exploit the vulnerability, marking a shift from previous methods.
- The shellcode execution bore striking similarities to tactics from three years ago, underscoring the importance of studying an attacker's Tactics, Techniques, and Procedures (#TTPs).
A few months ago, this issue was shared exclusively with companies in the Joint Analysis Council led by the NCSC, and yesterday, the security advisory was released to the public. Stay informed and vigilant!
#APT37 #ThreatHunting #ITW #ZeroDay #TTPs #ThreatIntel #ResponsibleDisclosure