ian
@adversarialy
threat research @BlackLotusLabs
personal views
Joined September 2025
62 Following, 30 Followers
9 posts
ian @adversarialy
We found multiple Cisco Catalyst SD-WAN devices beaconing to a C2 server at 194.163.175[.]135. If anybody has intel about "𝐬𝐡𝐚𝐝𝐨𝐰𝐜𝐨𝐫𝐞" C2, please let me know! linkedin.com/pulse/increase…
ian @adversarialy
Since Thursday, my Fortinet honeypot has been targeted by a distributed and sustained password spraying attack. The login attempts are all coming from GTT Communications (AS 3257) IP space. But it's not just a few devices -- more than 2,000 unique IP addresses are involved in this attack. I believe it includes all of 154.206.240[.]0/20. According to @censysio, most of these IPs have a proxy service running on port 30 (see screenshot). This proxy service, combined with the large number of IP addresses from the same provider, suggests the attacker is using a datacenter proxy. Datacenter proxies enable users to rotate IP addresses, which is useful for attackers seeking to evade IP-based account lockout policies. And since all of these datacenter IPs are based in the United States, they would bypass any GeoIP-based blocking as well. I took the list of passwords the attacker attempted and turned them into a word cloud; the most common were basic variations of "password" (e.g. Pa$$w0rd). Nothing groundbreaking. I suppose the lesson from all this is: use MFA. Don't rely solely on IP-based or GeoIP-based blocking. And even better, use CTI resources to proactively track proxy networks like this one.
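The pattern in the post above (thousands of source IPs from one /20, each making only a handful of attempts so per-IP lockout never triggers) is easier to spot by grouping failed logins per network prefix than per address. The following is an added example, not code from the post's author; the log lines are constructed to resemble that pattern and the field names are assumptions, not a real Fortinet log format.

```python
# Added example (not from the original post): detect a distributed password
# spray by grouping failed logins per source prefix rather than per source IP.
# SAMPLE_LOG is constructed to mimic the pattern described in the post (many
# IPs in one /20, very few attempts each); the field layout is an assumption.
import ipaddress
from collections import defaultdict

SAMPLE_LOG = """\
2025-10-20T10:00:01Z src=154.206.240.17 user=admin status=failed
2025-10-20T10:00:03Z src=154.206.241.88 user=admin status=failed
2025-10-20T10:00:05Z src=154.206.243.9 user=admin status=failed
2025-10-20T10:00:07Z src=154.206.250.201 user=admin status=failed
2025-10-20T10:00:09Z src=154.206.255.3 user=jsmith status=failed
2025-10-20T10:00:11Z src=203.0.113.5 user=jsmith status=failed
2025-10-20T10:00:13Z src=203.0.113.5 user=jsmith status=success
"""

def parse(line):
    """Split one 'key=value' log line into (source IP, username, status)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return ipaddress.ip_address(fields["src"]), fields["user"], fields["status"]

def spray_candidates(log_text, prefix_len=20, min_sources=4, max_per_ip=2):
    """Return prefixes whose failed logins come from many distinct IPs that
    each contribute only a few attempts: the IP-rotation signature that keeps
    every single address below a per-IP lockout threshold."""
    per_prefix = defaultdict(lambda: defaultdict(int))  # prefix -> ip -> fails
    users = defaultdict(set)                             # prefix -> usernames
    for line in log_text.splitlines():
        ip, user, status = parse(line)
        if status != "failed":
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_prefix[net][ip] += 1
        users[net].add(user)
    hits = {}
    for net, ips in per_prefix.items():
        if len(ips) >= min_sources and max(ips.values()) <= max_per_ip:
            hits[str(net)] = {"sources": len(ips),
                              "attempts": sum(ips.values()),
                              "users": sorted(users[net])}
    return hits

if __name__ == "__main__":
    for net, info in spray_candidates(SAMPLE_LOG).items():
        print(net, info)
```

The single address at 203.0.113.5 is not flagged even though it fails twice; only the /20 with many low-volume sources is, which is the case a per-IP rule misses.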
ian reposted
Kim Zetter @KimZetter
US medical device maker Stryker hit with cyberattack from Iranian hacktivists who remotely wiped employee devices. "many employees have had their device data wiped and cannot access their accounts" Stryker makes surgical/imaging equipment, defibrillators corkbeo.ie/news/local-new…