Security Firm @SophosXOps published another report, this one on incidents at small and medium-sized businesses by @thepacketrat and Anna Szalay. One of the things I always look for in these reports are easy #cybersecurity wins -- and this report has a bunch of them.

First off - take a look at this chart: Top 15 dual-use tools. Imagine the pain you can cause threat actors by blocking the use of these tools and disrupting their playbooks!

Solid write-up on Scattered Spider by Silent Push, but trademarking a stupid new cybersecurity term is gross and not helpful to the industry at large.

https://www.silentpush.com/blog/scattered-spider-2025/

@GossiTheDog

The solution to this problem is not MFA.

When you have a problem with passwords getting compromised/phished/bruteforced, and you solve it with #MFA, now you have two problems.

The solution to this problem is smart cards.

#cybersecurity, if you could be less anti-#adhd / #neurophobic[1] that'd be great.

In this particular instance, I'm referring to continually rebooting/restarting processes

AND LOSING ALL MY STATE !!!!!!

I keep my brain on here. Please stop throwing it in the trash.

And don't tell me to "keep notes". I already have a full-time job, I don't need to also manually repeat work the computer could be doing.

I'm a professional #software #engineer. I know you have the power to save and restore my state exactly. You are choosing not to because it makes life easier FOR YOU. But this tool is for ME.

[1]Did I just invent a term?

(sophos.com) Evilginx: How Attackers Bypass MFA Through Adversary-in-the-Middle Attacks https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/

A short descriptive article about Evilginx and how stealing credentials work, a few suggested ways of detecting etc.

Summary:
This article examines Evilginx, a tool that leverages the legitimate nginx web server to conduct Adversary-in-the-Middle (AitM) attacks that can bypass multifactor authentication (MFA). The tool works by proxying web traffic through malicious sites that mimic legitimate services like Microsoft 365, capturing not only usernames and passwords but also session tokens. The article demonstrates how Evilginx operates, showing how attackers can gain full access to a user's account even when protected by MFA. It provides detection methods through Azure/Microsoft 365 logs and suggests both preemptive and reactive mitigations, emphasizing the need to move toward phishing-resistant FIDO2-based authentication methods.

All-in-One platform leaks millions of attachments from their clients.

This server contained a bit of everything, from sensitive piercing selfies next to identity docs, to passports, CVs, insurance docs and more.

Read about it here: https://jltee.substack.com/p/all-in-one-platform-gohighlevel-exposed-attachments-from-clients

@GossiTheDog @kchr @kimzetter

And again, I challenge you to show me ANYWHERE that #Signal is permitted for the processing or storage of non-public government information. The NSA memo (link below) explicitly calls out that it shall not be used even for *unclassified* (protected, FOUO, CUI) data. And that would apply to everybody in the national security apparatus.

Anybody stating anything to the contrary is a liar, a shill or both.

https://www.scribd.com/document/843124910/NSA-full

Dealing with something ridiculous at the moment that is a great example of just how 'easy' it really is to close down exposed data:

Found a server recently with no access controls at all that was hit by ransomware in May 2024 and most of the data is encrypted. (It got hit by an automated script; it wasn't targeted by a ransom group.)

Found a non-encrypted directory:

The company is STILL uploading, monthly, hundreds of millions of records of logs with their clients data.

Tried to reach out to the company, nothing. Company is from AUS so I tried ASD, nothing.

I sent an email to AUSCERT, they validated with me the issue and forwarded the information and my contact to ASD, they also tried to reach out to the company themselves.

Not a word from anyone and the server is still exposed a month after my initial alerts.

Logs are still being uploaded to the server so it's obvious no one did anything.

So what am I supposed to do here?

It would appear as if Wiz may have discovered another supply-chain compromise:

https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup

The attack involved compromising the v1 tag of reviewdog/action-setup between March 11th 18:42 and 20:31 UTC. Unlike the tj-actions attack that used curl to retrieve a payload, this attack directly inserted a base64-encoded malicious payload into the install.sh file. When executed, the code dumped CI runner memory containing workflow secrets, which were then visible in logs as double-encoded base64 strings. The attack chain appears to have started with the compromise of reviewdog/action-setup, which was then used to compromise the tj-actions-bot Personal Access Token (PAT), ultimately leading to the compromise of tj-actions/changed-files. Organizations are advised to check for affected repositories using GitHub queries, examine workflow logs for evidence of compromise, rotate any leaked secrets, and implement preventive measures like pinning actions to specific commit hashes rather than version tags.
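The preventive measure at the end of the post, pinning actions to a full commit SHA instead of a version tag, is easy to check mechanically. The following is an added example, not code from Wiz or from the reviewdog or tj-actions projects: it scans a workflow file for `uses:` references and reports every one that points at a mutable tag or branch (or an abbreviated SHA). The sample workflow, its action names and the SHA in it are constructed placeholders.

```python
"""Flag GitHub Actions `uses:` references that are pinned to a mutable tag or
branch instead of an immutable full-length commit SHA.

Added example; the sample workflow below is constructed and the action names
and SHA in it are placeholders.
"""
import re
from typing import List, NamedTuple

# A full-length commit SHA is 40 hex characters (SHA-1); 64 is accepted for
# repositories that use SHA-256 object names.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$|^[0-9a-f]{64}$")

# `uses:` lines: optional list dash, the key, then owner/repo[/path]@ref,
# optionally quoted. Trailing comments are cut off by the character class.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")


class Finding(NamedTuple):
    line_no: int
    reference: str
    reason: str


def check_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` reference that is not SHA-pinned."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue                       # local or container action: no git ref to pin
        if "@" not in ref:
            findings.append(Finding(line_no, ref, "no ref at all"))
            continue
        _, version = ref.rsplit("@", 1)
        if FULL_SHA.match(version):
            continue                       # immutable: moving a tag cannot change its contents
        if re.fullmatch(r"[0-9a-f]{7,39}", version):
            reason = "abbreviated SHA (can become ambiguous; use the full length)"
        else:
            reason = f"mutable tag or branch '{version}'"
        findings.append(Finding(line_no, ref, reason))
    return findings


# Constructed sample workflow. The 40-hex value is a made-up placeholder SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
      - uses: "some-org/other-action@abc1234"
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.reference}: {f.reason}")
```

Pinning to a SHA only closes the "tag moved" path the post describes; a compromised action can still be merged into the pinned commit's successor, so the pin has to be reviewed on every bump rather than blindly updated.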

So, Cloudflare analyzed passwords people are using to log in to sites they protect and discovered lots of re-use.

Let me put the important words in uppercase.

So, CLOUDFLARE ANALYZED PASSWORDS PEOPLE ARE USING to LOG IN to sites THEY PROTECT and DISCOVERED lots of re-use.

[Edit with H/T: https://benjojo.co.uk/u/benjojo/h/cR4dJWj3KZltPv3rqX]

https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/

It feels quite uncomfortable that Cloudflare is somewhat openly admitting to analysing login credentials that are going through the reverse proxy, and providing aggregated stats on it (without explicit consent of the user, it appears?)

Based on Cloudflare's observed traffic between September - November 2024, 41% of successful logins across websites protected by Cloudflare involve compromised passwords.

Don't get me wrong, the results are actually pretty interesting, but I just cannot think of an ethical way of doing this, and it feels kind of jarring that they just "did that".

https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/

The free service from portmap.io is being abused to support malware C2 communications. If you don’t use it, I suggest blocking *.portmap.io via DNS, NGFW and/or web proxy.

#cybersecurity #threatintel

From: @ScumBots

#StagedC2 config observed at Sat Mar 15 18:09:04 2025 UTC, located at hXXps://pastebin[.]com/raw/a0epCKQK C2: xdeadlylez-30616[.]portmap[.]io:30616 (IP: 193.161.193.99)

I’ve never heard of the MSP-focused bluetrait.io but add it to the list of legitimate services that get abused. If you don’t use this RMM service, I suggest blocking it via DNS, NGFW or Web security proxy. #cybersecurity

From: @threatinsight

New cyber threat research from Proofpoint highlights how attackers are adapting to law enforcement disruptions, leveraging trusted software to evade detection and compromise systems.

This blog details our team's findings: https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice?campaign=2025&utm_medium=social_organic.

#malware #ransomware #financialtheft #dataloss

🚨 March 12 UPDATE: Grafana Exploitation May Signal Multi-Phase SSRF Attacks. Update + original analysis:

We are excited to announce that CIRCL has three open positions available.

As a team strongly oriented towards open-source development, we value contributions that drive innovation and strengthen the cybersecurity community. These roles are open to EU citizens, with the workplace based in Luxembourg. If you’re passionate about cybersecurity and open-source collaboration, we encourage you to apply and make a meaningful impact.

  • CIRCL - Software Engineer and Intelligence Analyst (software-engineering-analyst)

🔗 https://www.circl.lu/projects/position/software-engineering-analyst/

  • CIRCL - Security Analyst and Researcher (Security-Analyst-and-Researcher)

🔗 https://www.circl.lu/projects/position/security-analyst-researcher/

  • CIRCL - Incident and Vulnerability Disclosure Coordinator/Analyst (nis2-incident-analyst)

🔗 https://www.circl.lu/projects/position/nis2-incident-analyst/

@circl

❌ No safe message scanning technology exists.

⚠️ These powers would force a cybersecurity weakness onto apps like WhatsApp and Signal.

‼️ Hackers, predators and spies could crowbar their way into everything you send.

✍️ Tell Ofcom: End-to-end Encryption Means Online Safety ➡️ https://action.openrightsgroup.org/48-hours-tell-ofcom-practice-safe-text

⏰ CLOSES Monday 10 March at 5pm.

#PracticeSafeText 💬

🚨 Time is Running Out to Save Encryption 🔐

Ofcom is consulting on implementing message scanning powers in the UK Online Safety Act.

This would break end-to-end encryption on the messaging apps we all use!

⏰ CLOSES Monday 10 March, 5pm.

Use our tool to tell Ofcom #PracticeSafeText 💬

ACT NOW ⬇️

https://action.openrightsgroup.org/48-hours-tell-ofcom-practice-safe-text

I asked for help here some months ago about one of the servers on this post that was hosted by Microsoft.

You can read about how that and other servers with infostealer logs ended up closed.

Hint: MSRC Portal is basically useless.

https://jltee.substack.com/p/billions-of-infostealer-logs-exposed

Well, that was quick!

I wrote about my disappointment with @mozillaofficial changes:

https://mastodon.social/@BjornW/114032743031437841

Seems they were just starting 🙄

Read
https://blog.mozilla.org/en/products/firefox/firefox-terms-of-use/

Check
- https://www.mozilla.org/en-US/about/legal/terms/firefox/

- https://www.mozilla.org/en-US/privacy/firefox/#notice

Consider other Open Source apps you may use: aren't you sad that these lack ToS & Privacy legalese?

My advice: move away from Mozilla.

They have lost my trust.

1/N

Read this:

https://blog.mozilla.org/en/mozilla/mozilla-leadership-growth-planning-updates

👀 at this:

https://www.mozilla.org/en-US/about/leadership

I'm baffled about the myriad of @mozillaofficial structures, amount of directors / C-level people & how to rhyme 'investing in privacy-respecting advertising' with 'draw a bigger circle of supporters over the long run.'

As a long time Mozilla supporter, I was already unhappy about the direction of the last years & this does certainly not bode well for the future. 😞 😩

#Firefox #Mozilla #Thunderbird #Tech #OpenSource

The NSA does not deny hacking into China's university. Great write-up and analysis by @inversecos

#infosec #cybersecurity

🇳🇿 I've had quite a few outrageous responses to my alerts; this is another one of those, sent by teammateapp.com CEO.

After my initial alert and follow up email, I get a reply lying about the severity of the exposure and telling me to stop harassing the company.

This CEO also didn't know what Proton is and thought I work for them and threatened to report me to them in case I didn't stop. :blobshrug:

Read about it here: https://jltee.substack.com/p/new-zealand-companys-impossible-to-hack-security

Netskope https://www.netskope.com/blog/telegram-abused-as-c2-channel-for-new-golang-backdoor

Backdoor written in Golang using Telegram for C2 communication. Perhaps most interestingly, the referenced GitHub repository with IoCs is not there anymore? Or will be published soon perhaps?

If you help maintain #cybersecurity on a business network you should absolutely block Telegram—there’s nothing good there. If you have a web security proxy like Netskope or Zscaler, or an NGFW, block it there. You can also block it via DNS. Blocking these domains should do the job:

telegram.me
telegram.org
t.me
cdn-telegram.org
telegram-cdn.org

From: @nopatience

Netskope https://www.netskope.com/blog/telegram-abused-as-c2-channel-for-new-golang-backdoor

Backdoor written in Golang using Telegram for C2 communication. Perhaps most interestingly, the referenced GitHub repository with IoCs is not there anymore? Or will be published soon perhaps?

#ThreatIntel #CyberSecurity
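Three of the posts above recommend the same control: block a short list of abused domains at DNS, the NGFW or the web proxy (`*.portmap.io`, bluetrait.io, and the five Telegram domains). The matching has to respect label boundaries, otherwise `t.me` would also hit `dt.me` or `t.me.example.com`, and a `*.x` entry should cover subdomains but not `x` itself. The following is an added example, not code from any of the posts: a label-aware blocklist matcher run over constructed DNS query log lines. The log line format and the hostnames in the sample are assumptions; the blocklist entries themselves are the ones the posts name.

```python
"""Label-aware domain blocklist matcher over constructed DNS query log lines.

Added example. Blocklist entries are taken from the posts above; the log
format ("<timestamp> <client-ip> <qname>") and the queried hostnames are
constructed for illustration.
"""
from typing import Iterable, List, Optional, Tuple

BLOCKLIST = [
    # Telegram domains listed in the post
    "telegram.me", "telegram.org", "t.me", "cdn-telegram.org", "telegram-cdn.org",
    # free port-forwarding service seen carrying C2 traffic (wildcard: subdomains only)
    "*.portmap.io",
    # RMM service reported as abused
    "bluetrait.io",
]


def _labels(name: str) -> List[str]:
    """Normalise a hostname into lowercase labels, dropping a trailing dot."""
    return name.rstrip(".").lower().split(".")


def match_blocklist(hostname: str, blocklist: Iterable[str] = BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry that covers `hostname`, or None.

    A plain entry matches itself and every subdomain, on label boundaries
    ("t.me" covers "api.t.me" but not "dt.me" or "t.me.example.com").
    A "*.x" entry matches subdomains of x only, not x itself.
    """
    host = _labels(hostname)
    for entry in blocklist:
        wildcard = entry.startswith("*.")
        pattern = _labels(entry[2:] if wildcard else entry)
        if len(host) < len(pattern) or host[-len(pattern):] != pattern:
            continue                                  # suffix differs at a label boundary
        if wildcard and len(host) == len(pattern):
            continue                                  # exact apex is not covered by "*."
        return entry
    return None


def flag_queries(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse "<ts> <client> <qname>" lines; return (client, qname, entry) for hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                  # malformed line, skip it
        _, client, qname = parts
        entry = match_blocklist(qname)
        if entry is not None:
            hits.append((client, qname, entry))
    return hits


# Constructed sample log; "client-12345" is a placeholder subdomain.
SAMPLE_LOG = """\
2025-03-15T18:09:04Z 10.0.0.12 api.telegram.org
2025-03-15T18:09:05Z 10.0.0.12 www.example.com
2025-03-15T18:09:06Z 10.0.0.7 client-12345.portmap.io
2025-03-15T18:09:07Z 10.0.0.7 portmap.io
2025-03-15T18:09:08Z 10.0.0.9 t.me
2025-03-15T18:09:09Z 10.0.0.9 dt.me
2025-03-15T18:09:10Z 10.0.0.9 t.me.example.com
2025-03-15T18:09:11Z 10.0.0.4 agent.bluetrait.io.
""".splitlines()

if __name__ == "__main__":
    for client, qname, entry in flag_queries(SAMPLE_LOG):
        print(f"{client} -> {qname}  (blocked by {entry})")
```

The same suffix logic is what a DNS response policy zone or proxy category rule implements for you; the value of running it over your own query logs first is that it tells you whether anything legitimate in the estate talks to these domains before the block goes in.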

If you can completely disable device code flows using Conditional Access, you should do so. If you cannot, at least limit which user IDs can use them. If you allow any users to use device code flows, use the #KQL provided to hunt for abuse.

#cybersecurity #microsoft

From: @fabian_bader

It couldn't be clearer: Encryption is online safety.

It keeps our data secure from hackers. Our systems secure from global bad actors. Our rights secure from State oppression in a digitalised society.

Sign and share our petition to save Apple encrypted data ⬇️

#encryption #surveillance #e2ee #cybersecurity #ukpolitics #ukpol #Apple

🚨 BREAKING 🚨

The UK is rogue in trying to order a backdoor to Apple encryption.

US lawmakers slam the UK's secretive order, calling it what it is:

🔥 'Dangerous' for global cybersecurity
🔥 'Effectively a foreign cyberattack'

The Home Office must back off ✋

#encryption #surveillance #e2ee #cybersecurity #ukpolitics #ukpol #Apple #privacy