Andrew Pease

523 posts

Andrew Pease banner
Andrew Pease

Andrew Pease

@andythevariable

Elastic Security Labs Technical Lead. Lawful Neutral. Threat Hunting with the Elastic Stack author. Retired CW4.

Katılım Mayıs 2019
290 Takip Edilen1.1K Takipçiler
Sabitlenmiş Tweet
Andrew Pease
Andrew Pease@andythevariable·
I think the really big takeaway from this is the abuse of a legitimate tool's plugin capability to execute💀scripts. Many hours of work over the weekend by @soolidsnakee @DanielStepanic and @SBousseaden.
Andrew Pease tweet media
Elastic Security Labs@elasticseclabs

We have identified a novel social engineering campaign abusing Obsidian, the popular note taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and it’s loader #PHANTOMPULL targeting individuals in finance and crypto. The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault. Full analysis: go.es.io/4cld0dB

English
0
3
12
1.5K
Andrew Pease retweetledi
Andrew Pease retweetledi
Elastic Security Labs
Elastic Security Labs@elasticseclabs·
We tracked a new activity cluster targeting Mexican banking customers. Elastic Security Labs discovered REF6045, an operator-assisted banking fraud campaign targeting customers of Mexican banks, fintechs, and cryptocurrency platforms through ClickFix fake-CAPTCHA lures. The operation exhibits a reliance on AI-generated code and suffers from significant operational security (OPSEC) failures that exposed their infrastructure and their toolkit. The toolkit gives operators a full fraud workflow from: •Vishing overlay: lock the screen behind a fake bank warning •Browser redirect: paste a phishing URL via automated keystrokes •Clipboard swap: replace CLABE or card numbers mid-transfer •Remote access: install Remote Utilities for hands-on takeover Research by @k33b0i and @soolidsnakee. Full analysis from Elastic Security Labs: go.es.io/4eP6VZF
Elastic Security Labs tweet media
English
3
25
70
5.9K
Andrew Pease retweetledi
International Cyber Digest
International Cyber Digest@IntCyberDigest·
❗️ BREAKING: Over 2 million hijacked consumer devices, including smart TVs and streaming boxes, were quietly acting as residential proxy exit nodes. All of them, per Google, were part of the NetNut residential proxy network. Google, working with the FBI and Lumen, has moved to dismantle the NetNut network. In a single week, Google tracked 316 distinct threat clusters, including espionage groups, routing attacks and password sprays through suspected NetNut exit nodes.
International Cyber Digest tweet mediaInternational Cyber Digest tweet media
English
60
637
2.7K
1.3M
Andrew Pease retweetledi
RussianPanda 🐼 🇺🇦
RussianPanda 🐼 🇺🇦@RussianPanda9xx·
Imagine the perfect world where you've got 100 things to do and you have to lean on AI for a quick malware triage. It took 12 minutes to identify the obfuscated C2 and the malware capabilities for this sample. Model used: Sonnet 4.6 I'm working on the AI Reverser skill, built on a bunch of malware samples I threw into an LLM meat grinder for analysis. It won't be published publicly, it will be shared only with a trusted circle. Stay tuned 🤖
RussianPanda 🐼 🇺🇦 tweet mediaRussianPanda 🐼 🇺🇦 tweet media
English
12
13
191
12.9K
Andrew Pease
Andrew Pease@andythevariable·
@JFrogSecurity Thanks for getting this info out. Can you share how you detected it? Sorry if I overlooked that.
English
0
0
0
306
JFrog Security
JFrog Security@JFrogSecurity·
🚨 SECURITY ALERT: A widespread supply chain attack dubbed "easy-day-js" has been identified, targeting the mastra npm packages. Attackers have compromised and published malicious versions of these packages. 144 packages are currently confirmed to be affected. Please check your dependencies immediately. We will share the full list of affected packages in this thread and further analysis in: research.jfrog.com/post/easy-day-… (will be live in a few hours)
English
12
30
157
556.3K
Andrew Pease retweetledi
Samir
Samir@SBousseaden·
very cool research! it triggers an existing Elastic Defend behavior detection
Samir tweet media
Two Seven One Three@TwoSevenOneT

New #redteam tool for blocking EDRs: EDRChoker Instead of fully blocking the EDR agents' connections to their server, we can throttle their bandwidth so they consistently time out when sending data, which is effectively the same as blocking but avoids triggering "block" or "drop" packet events #pentest #cybersecurity Github: TwoSevenOneT/EDRChoker

English
2
23
158
22.2K
Andrew Pease retweetledi
🄱
🄱@lvc1ferrr·
Elastic Security Labs warned that attackers are targeting crypto users through Obsidian community plugins that silently install PHANTOMPULSE malware. They lure victims into opening a shared cloud vault in the note-taking app.
🄱 tweet media
English
6
1
6
281
Andrew Pease retweetledi
Samir
Samir@SBousseaden·
New blog post - prioritizing alerts triage with higher-order detection rules elastic.co/security-labs/…
English
0
17
65
5.9K