Brian R

OpenAI’s GPT-5.5 is the second model to complete one of our multi-step cyber-attack simulations end-to-end 🧵

Howdy folks! Taking a break from my twitter break to let yall know that we released a new @GreyNoiseIO product yesterday. It's called Project Swarm. We've been quietly not-so-quietly working on it for a few years. You can buy it now. It costs $1. There are lots of vulnerabilities on edge-facing apps. To catch in-the-wild exploitation of them, we @ GreyNoise run sensors on the internet. New AI models means more vulnerabilities being identified and exploited, and FASTER. Long term, software and hardware will probably get better, but in the meantime we're gonna have to deal with A LOT of vulnerabilities. At GreyNoise, the sensors we run are basically honeypots- we bait attackers to scan and exploit them which enables us to learn where the attackers are, which vulnerabilities they are exploiting, what it drops, and what it looks like on the wire. From ~2020-now it took us years to build up our fleet. Now anyone can use our new product to deploy their own sensors on their own networks, or an entire fleet of any size, in a day. You can rip back the data and do whatever you want with it. You can resell it, put it into your product, or just stare at it- whatever you want! On our side, we aggregate the data and pour it into a community dataset that everyone shares. As more people join, the data gets bigger and better. Couple neat features: - Sensor deployment is a single bash command on any modern linux distro that supports iptables and wireguard. - Sensors and vulnerable software (profiles) are abstracted into different logical concepts, which means the "what" and "where" are different things, and the sensor is not constrained by the compute required to run the vulnerable software. Also, no matter how hacked the profile (honeypot) gets, it can't touch your host sensor or the rest of your network. - Sensors can run fake honeypots, real software, or even real hardware (bridged with a raspberry pi) like old crappy routers and modems (or expensive firewalls and VPN gateways 👀) - You can create dynamic blocklists that block IPs sourced from your own sensors in real time, so if a remote IP address *looks at your network* the wrong way, you block them instantly. - All the PCAP data is available to you in a gorgeous and intuitive interface at near real time and fully enriched against all of our (thousands of) rules. We're working on the host metadata (malware, syscalls, host behaviors) as well, but this will come later. - If we don't tag a CVE that's interesting to you, you can write a Suricata rule to tag it yourself once and your data gets tagged with it in real time forever. - You can instantly download PCAPs of any exploits that hit your sensors. - If you don't want your data shared with the community dataset, you can talk to our team and we'll work out rights to make it private. Check it out! There's a lot of moving pieces to make this work and we expect bugs, but it's available right now. Join the fight! greynoise.io/project-swarm

Everyone who is not a hacker is now suddenly learning that the level of security they had was more like paper mache and less like plate armor.

We didn't know how an actor was using EV Certificates issued to Lenovo and others. We now do. From DigiCert's incident report: "the threat actor used a compromised analyst endpoint to access DigiCert's internal support portal. The threat actor used a limited function within the customer-support portal which allows authenticated DigiCert support analysts to access customer accounts from the customer's perspective to facilitate support tasks. The threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for EV Code Signing certificate orders across a finite set of customer accounts." "Possession of the initialization code, combined with an approved order, is functionally sufficient to generate and retrieve the corresponding certificate." The full report can be found here and explains the incident in great detail: bugzilla.mozilla.org/show_bug.cgi?i… The report mentions "Where we got lucky: A community member involved in security research reported the evolving pattern of misused certificates and engaged in dialogue with our support team. Without that report, the undetected compromise of ENDPOINT2 and the associated mis-issuance might have remained undiscovered for a longer period." Special thanks goes to the regular contributors to the Cert Graveyard; @g0njxa , @malwrhunterteam , and others. Also special thanks to DigiCert: this report has a high level of transparency, which is warranted, and also well executed.

Important free resource that teaches you how to rotate secrets on lots of different platforms. Seems we're in the everyone leaking secrets phase of supply chain attacks lately. Keep this handy. Thanks @trufflesec! howtorotate.com

@mattjay Good write up of practices, tools, and actual configs from astral astral.sh/blog/open-sour…

Whats the GitHub footgun everyone seems to be tripping over that makes their GitHub Actions vulnerable to these attacks going wild the last few weeks? How are we telling people to avoid this stuff?

We identified an exposed server that provided unusual visibility into a large-scale, multi-victim exploitation and collection operation. Artifacts on the host showed that Claude Code and OpenClaw were embedded in the operator's day-to-day workflow, supporting troubleshooting, orchestration, and refinement of the collection pipeline. Logs indicated more than 900 confirmed compromises, with tens of thousands of harvested .env files spanning AI, cloud, payments, databases, messaging and more. Read the full report: thedfirreport.com/2026/04/22/bis…

Every vendor writeup names a new ClickFix variant. The problem IMO is we are looking at ClickFix as a technique, but It's a pattern of behavior. Your detections have to cover the patterns, not the surface level IoCs. This writeup by Microsoft examining the CrashFix variant is a great breakdown of the patterns. And who said #PowerShell as an attack vector was dead?? It employs some new evasion techniques, a denial of service attack, and more trusty #LOLBAS behaviors.(The use of Finger is something interesting I haven't seen in a bit.) microsoft.com/en-us/security…

@Ozzburne @TalkinBaseball_ No interference for a bona fide slide

@TalkinBaseball_ He was baiting the interference call, obviously

This was Konnor Griffin’s fault

If you allow employees to authorize third party apps without admin approval then your entire vendor security review process is meaningless and you're going to get pwned. If this is true then Vercel was extremely negligent here.

The Vercel security breach is a reminder that each and every SaaS tool your team uses IS a security risk of its own - especially if they need broad data access to eg email, internet docs etc (many AI tools do just this) Security teams onboarding new vendors happens for a reason.

AnchorWallet[.]org is fake. The real place to download the wallet is Greymass[.]com. If you download the Windows app from the fake, you get a 680MB remote access tool signed by PIXEL PLAY PRIVATE LIMITED. Not an app signed by Greymass. h/t @malwrhunterteam 1/2

@signulll openai.com/index/testing-…

wtf, can someone confirm if this is accurate? i have been waiting for a 1b user announcement from openai for a while but did growth completely stall?! this is precisely what happened to snap when facebook implemented stories in instagram.

@MarinerMuse I haven’t been this excited for a Dane to make a comeback since Hamlet

Dane Dunning bump day tomorrow

@paulieknep EBSCOHost has a collection from 1954-2000 of Sports Illustrated. about.ebsco.com/products/magaz…

It's sad what's happened to Sports Illustrated. They don't even keep up the vault of old articles online anymore. There's too much wonderful writing and valuable information in there for it to go to waste. Does anybody know a way to access old SI articles?

@IceSolst Game cheat dev clears the top 5 combined too

Cybersecurity roles from most to least technical: - 0day researcher - exploit dev - reverse engineer - malware dev - appsec & devsecops - red teamer - DFIR - SOC analyst - compliance - third party risk management - web app pentester - Amish farmer - CISO - newborn baby - any cybersecurity Twitter account with over 5k followers

@IceSolst Can’t help but picture the first sentence as an alternate intro text for Blade Runner

During the spicy chicken sandwich war of 2019-2021, multiple people got stabbed to death waiting in line, and outrage ensured when they ran out of chicken. Calling for a KFC boycott is putting your life in danger, and in itself an attack on our culture

@BaseballHstrn Does Ranger Suarez count?

Besides Mason Miller, are there any other players whose first and last name are both jobs?

@ISaidItsALion @RyanDivish All he ever did was try his hardest and never gave up 😭

@RyanDivish He’s doing his best okay

Humpy needs to be turned into chum