Hamzah 'Lateef

4.1K posts


@password_ng

Cyber | Security Operations & Engineering. coordinating @ngwhitehat, building @cyberplural. CISO of Nigeria 🇳🇬

🌍 Joined April 2011
111 Following · 1.2K Followers
Pinned Tweet
Hamzah 'Lateef@password_ng·
Every little piece of #information or #data you dropped somewhere on the Internet is a piece of the puzzle named YOU. When the time is right, they can always be brought together. Don't forget: You are your data! #CyberAware
Abuja, Nigeria 🇳🇬
Hamzah 'Lateef@password_ng·
100/365. April 10th, 2026.
Black Jaguar@A_Feranmi·
Regulators are treating this hack in a funny way. If it was a fintech, particularly a crypto one, all hell would have been let loose.
Gerald Okolie Esq. (KSM)
@A_Feranmi Okay. I read about it. I was thinking it's Afrinvest. So many hacks in the last couple of weeks. We are observing the regulators.
Hamzah 'Lateef@password_ng·
Alright, based on what was published, the internal recon section captured all the subnets on which the Kubernetes sit, the naming convention in use, and at the same time some specific service names, which I am aware were extracted from the images the attacker posted. Just as it is not that easy to change infrastructure details for an attacker, so it is not for victims; some of this information will still continue to be in use internally even after the recovery from the incident. And anyone can come back to your website to look it up for whatever they are planning next. On the amplification issue, permit me to ask you a simple question at this point. Can you point out a single customer record from the data you analyzed as released by the attacker? The attacker claimed 900K without a single sample being presented! Samples were given for the employees because he truly had them. Samples were given for the CEO's financial record, and others. Records targeted were those of the bank leadership at Sterling with their financials and PII; no single piece of evidence in file or screenshot indicates records of other customers (the attacker having these remains a hypothesis). And in addition, 3010 employees' data was exfiltrated with evidence provided. Note that an attacker's claim most times is to add pressure, and I can show you evidence right here on X where the attacker asserted this hypothesis. Record count is good but not great, but let us put it like this: an attacker shows us you have 40 servers on a subnet during an internal scan of your network. Can you tell from that alone that all 40 servers were accessed and compromised by merely looking at a screenshot? For the S3 bucket 🪣, a 588.25GB file size of KYC service with 657,242 items was shown to us in a screenshot; the question of how much data the attacker accessed and took from the bucket can only be validated from an internal log which is only available to the affected organization.
Hence from here the amount of accessible data and exfiltrated data from the bucket remains a hypothesis that needs to be validated. And to put this in a story now depends on how we want people to see it. On the VM program coverage, if we are out to judge, that can fly, but if we are out to analyze the data based on available information provided by the attacker, no evidence supports this; experience also suggests that successful exploitation doesn't mean the program doesn't exist. The bank may also have additional information that we don't about this environment and its governance program. In cyber we say things only when we are sure, to ensure we don't put ourselves and people in trouble. And when we are not sure, we report it as such, especially when we have less evidence corroborating those statements. On the aspect of peer review, we have a similar session tomorrow and I invite you to join by 3PM WAT.
David Odes@chiefdavidsays·
Three weeks ago, a threat actor called ByteToBreach walked through Nigeria’s financial infrastructure using a single unpatched vulnerability at Sterling Bank as the door. What followed was nine days of undetected access with core banking data, sensitive customer information and employee records exfiltrated before the actor pivoted into Remita, Nigeria’s government payment backbone. From Remita they took everything. 3TB of data. Including sensitive and personal information of over a million Nigerians (across both breaches). I spent the last week reconstructing the full attack chain from the artefacts the actor published. I have now produced a narrative investigation on my new substack and a technical analysis on @WebSecurityLab covering the complete breach from the first CVE exploit to the published HSM key directory. This was published in the hope that the lessons from these events prove more durable than the events themselves. Security failures of this scale are painful. They are also, when documented carefully and honestly, among the most valuable contributions one can make to an ecosystem that is still maturing. Nigeria’s banking story is one of the most compelling in the world. It deserves a security culture to match. Read the full investigation here: securityintelligence.substack.com/p/sterling-ban…
Hamzah 'Lateef@password_ng·
@Xymbiz You know when they say "don't try this at home"? This is it. If not, the body of knowledge (BoK) of the certification body will betray you.
Dr Iretioluwa Akerele
What is that thing you can teach for 30 minutes effortlessly?
Hamzah 'Lateef@password_ng·
David, you are doing great work and I recommend you keep it up professionally. You may have given out too much information about the victims in your analysis that can make them become victims again; remember those extra details used in your analysis were lifted from the dark web post and you have now brought them up to the surface web. Enough redaction on the assets list may be better. I saw those disclaimers, but to be very honest it doesn't work like that: there are so many claims in your write-up, and from the evidence released by the attacker, you may not be able to prove them all. For example, there is no evidence he took everything in the case of Remita, but you said so; no evidence of the bank not having a VM program covering non-prod environments; no evidence that over 1 million personal records of Nigerians may have been impacted across both breaches, unless you are looking at data other than what the attacker published himself. This is just to point out a few, and to note that in our course to educate and create awareness, we don't let sensationalism take over and misinformation become the order of the day. This can further damage the digital trust left within the ecosystem and create fear 😨. Thank you.
Hamzah 'Lateef@password_ng·
In one of the recent cyber breaches, where the org's code repo got stolen and the threat actor open-sourced it, it appears the practice of writing hardcoded secrets to file is still common, despite the great harm that could cause in the case of unauthorized access to them. In this scenario, this gives the threat actor opportunity and further access to create more damage for shared infrastructure and to laterally move from one victim's environment to the other.
Mari@Tech_girlll

Devs, how do you store secrets in your apps?
• .env files
• Secret manager
• Hardcoded
• Other

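As an added example (not code from this thread or from any of the people in it), here is a small Python scanner of the kind a defender runs over a repository before it is pushed, applied to a constructed config file containing literal secrets, beside the runtime-lookup pattern that replaces them. The detection regexes, the sample config contents and the `get_secret` helper are assumptions for this illustration; the AWS key value is the placeholder AWS uses in its own documentation, not a real credential.

```python
import os
import re
from typing import List, Mapping, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    snippet: str  # the offending line with the secret value masked


# Detection rules. These regexes are assumptions written for this example, not the
# rule set of any real scanner; each one captures the sensitive value as "secret".
RULES = {
    "credential_assignment": re.compile(
        r'(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*[\'"](?P<secret>[^\'"]{8,})[\'"]'
    ),
    "aws_access_key_id": re.compile(r"(?P<secret>\bAKIA[0-9A-Z]{16}\b)"),
    "private_key_block": re.compile(r"(?P<secret>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "url_with_password": re.compile(r"\b[a-z]+://[^/\s:@]+:(?P<secret>[^@\s]+)@"),
}


def mask(value: str) -> str:
    """Keep a short prefix so a finding is triageable without reproducing the secret."""
    return value[:3] + "*" * max(len(value) - 3, 4)


def scan_source(text: str) -> List[Finding]:
    """Scan one file's contents; return one masked finding per matching rule per line."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if m:
                secret = m.group("secret")
                findings.append(Finding(no, rule, line.replace(secret, mask(secret))))
    return findings


def get_secret(name: str, env: Mapping[str, str] = os.environ) -> str:
    """The alternative to a literal in the repo: resolve the secret at runtime from the
    environment (or whatever the secret manager injects there) and fail loudly if absent."""
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(f"secret {name} is not set in the environment") from None


# Constructed sample of the anti-pattern: a config file committed with literal secrets.
# Every value is made up; the AWS key is the placeholder from AWS's own documentation.
LEAKY_CONFIG = """\
# config.py
DB_HOST = "db.internal"
DB_PASSWORD = "Sup3rS3cretPassw0rd"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key: "sk_live_0123456789abcdef"
DATABASE_URL = "postgres://app:hunter2hunter2@db.internal/app"
DEBUG = True
"""

# Constructed hardened version: same config, secrets resolved at runtime instead.
HARDENED_CONFIG = """\
# config.py
import os
DB_HOST = "db.internal"
DB_PASSWORD = os.environ["DB_PASSWORD"]
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
DEBUG = True
"""


if __name__ == "__main__":
    for f in scan_source(LEAKY_CONFIG):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
    print("hardened config findings:", len(scan_source(HARDENED_CONFIG)))
```

Run on the leaky sample this reports four findings (lines 3 to 6), each with the value masked so the scanner's own output does not become a second copy of the secret; the hardened sample reports none. A pre-commit or CI hook that fails the build on any finding is the usual place to wire this in.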
Hamzah 'Lateef@password_ng·
Phishing is a means to deliver a social engineering attack. Other means could be smishing, vishing, device code, etc. One can also say phishing is a type of social engineering, but phishing is not all that you can have for social engineering; it is, however, the primary and most common vehicle. Social engineering can be physical; it can be psychological manipulation to compromise the CIA of a target or information; it can be virtual manipulation to attain chaos in a system by destroying the trust that exists therein, which is classified under virtual societal warfare. It is all about what you want to deliver and how you choose to do it. But the main goal is to get the target to act in your interest, and deliver an environment where you attain control.
kelvinlina𖤍💜✨@cybergirl_io

What's the difference between phishing and social engineering?

BIG FELA🏅@iamfelabadan·
@password_ng Exactly, me doing device timeline analysis is part of Digital forensics too
Hamzah 'Lateef@password_ng·
Digital forensics is not isolated; maybe that is why you think many people are not into it. Within the context of incident response, fraud investigation, bringing justice to cyber crime victims and putting criminals behind bars, you will see digital forensics at play. And I know many people transition into it by starting with roles that set the foundation for success: SOC analyst, incident responder, law enforcement operatives, lawyers, journalists and co.
Code@thebellaacode

Digital Forensics is another interesting area in Cybersecurity. I don’t see many people doing it, dunno why.

Hamzah 'Lateef retweeted
Ozioma@Xymbiz·
There are communities of specialist software engineers and all they do is write/create malware. Here's the thing: they are either writing malware for the criminal market or the intelligence agencies🤔
SecInterviewHub@sec_hub93028·
What are the must read books for anyone serious about cybersecurity?
Hamzah 'Lateef retweeted
NDPC Nigeria@ndpcngr·
Press Release! NDPC Investigates Remita and Sterling Bank for Alleged Data Breach.
Hamzah 'Lateef@password_ng·
Why can't Google allow us to set the file sizes we want to back up to our Google Drive? Imagine helping me to do a backup of a 4GB video from Google Photos. Ahha, who sent you people?