@SwiftOnSecurity

Even ic3.gov recommend this. Go for the eZ win!

#infosec #ublock #malvertising

I recently found out that my department at work is being shut down, so I'm looking for a new position!

I spent the last 6 years building advanced security assessment capabilities around hardware/IoT, industrial, marine OT, and x86 platforms. Before that I spent 5 years as a pentester. I excel at weird and novel stuff where there's no template.

I'm based in the UK and I'm looking for a remote full-time role.

CV: https://poly.nomial.co.uk/graham_sutherland.pdf

Thanks!

If there’s really a #TalentShortage in #infosec, why aren’t all current infosec professionals being swarmed all the time by recruiters? Why aren’t there bidding wars for, say, SOC staff at every level?

There isn’t a talent shortage. There are just bad job requirements.

So it "may" be happening. Infosec.Exchange "may be leading the cybersecurity conversation days before it explodes." There's a place for discussing things far from Twitter.

Good shortread by Goodin on the clandestine tracking platform Location X. Sold to government agencies, it supposedly exploits the unique 'advertising ID' accessible to the app layer on all Android phones, and (with optional user input) on iOS. The article has a brief mitigation walkthrough for phone owners.

https://arstechnica.com/information-technology/2024/10/phone-tracking-tool-lets-government-agencies-follow-your-every-move/

Thanks to @Christina for the share

Fortinet exploited zero-day: FG-IR-24-423 Missing authentication in fgfmsd
CVE-2024-47575 (9.8 critical, disclosed 23 October by Fortinet, noted earlier on 13 October by @GossiTheDog on Mastodon) Fortinet FortiManager Missing Authentication Vulnerability.

  • Reports have shown this vulnerability to be exploited in the wild.
  • The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.

CISA added CVE-2024-47575 to the KEV Catalog about 3 hours afterward.

Just in case you didn't read closely, there are indicators of compromise (IoC) in the advisory. At least one of the IP addresses was reportedly used as a Cobalt Strike server 2 years ago.

cc: @cR0w @nopatience I require at least 25 favorites to unlock my next toot!

#fortinet #fortimanager #cve #zeroday #CVE_2024_47575 #vulnerability #eitw #activeexploitation #kev #cisakev #KnownExploitedVulnerabilitiesCatalog

Do we have people in UK able to raise a stink?

A friend ( @bucketchallenge ) stumbled over a bucket with hundreds of thousands of surveillance photos from London lying around openly.

Main purpose of the bucket seems to be OCRing the car plates. You could build nice profiles with that data.

You can even do some live surveillance since they add a photo every 12 seconds.

Locations include places like Tillermans Court in Greenford.

Anyone?

@GossiTheDog or someone from #infosec perhaps?

AWS is playing coy and tells him they don't want to act upon his report.

Patch your FortiManager now. Limit access to it to only from dedicated jump-servers.

There is no such thing as a backdoor for good guys. Once you place a backdoor, you compromise the safety and privacy of all your users. A third party or bad guys will get access to it and abuse it further. The concept of a "backdoor for good guys" is fundamentally flawed and dangerous. It sets a dangerous precedent. Security and privacy should be absolute. There's no safe way to create a backdoor that can't be exploited by malicious actors.

Proofpoint: Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware
Proofpoint reported on a Prince ransomware campaign impersonating British postal carrier Royal Mail that occurred in mid-September and targeted people in the UK and the U.S. The activity was low-volume and impacted a small number of organizations. Notably, in most cases the messages appear to originate via contact forms posted on the target organizations’ websites, indicating the actor does not exclusively target organizations via email directly, but also from public contact forms. Proofpoint notes that there are no decryption mechanisms or data exfiltration, so the end result is destructive rather than typical ransomware. They describe the campaign details (from infection to ransom note) and include a bit about the ransomware creator SecDbg having a paid infostealer version called ThunderKitty. Proofpoint does not attribute this activity to a tracked threat actor. Indicators of compromise are provided.

Shoutout to @selenalarson for the awesome post

Recon: What's everyone else doing? (That's why I'm here on Mastodon and #Infosec.) Are others taking the threat seriously? Is the environment changing? Is there more clear intel being shared?

I had several people I know tell me they weren't doing anything about #EvilSocket's potential disclosure because it was inactionable.

I wish I were at a keyboard right now. But of course it's actionable! In the military we often received warning orders and we always followed our troop leading procedures. Here's a breakdown of those and how they apply to your role in #InfoSec. A 🧵.

Who is paying attention to #EvilSocket on X and where's the conversation happening? I'd like to follow whoever's Mastodon is talking about it.

If no one is, then there is a #Linux unauth #RCE being disclosed to openwall on the 30th.

Appears to affect Linux and #BSD with a 9.9 CVSS score.

From reading the X thread, it seems to be not kernel or user space. Assuming protocol implementation?

https://x.com/evilsocket/status/1838169889330135132

One thing that really sucks about me leaving Twitter/X and losing so much of my audience and reach is that I can watch in real time the people who my generation and older in infosec all knew were abusers, harassers, and generally really dangerous people being forgotten as such, and our warnings not being passed on to the younger generation.

Those same bad dudes are absolutely noticing they're in the clear, and coming right back into the conference, X, and education spaces where they can victimize young people, especially young women. They have the age, the money, and the power to do it. It really blows.

I'm sure it's exactly what Elon wanted.

Here is a traffic distribution system (TDS) in action. Fairly often when talking about TDS, I get the rebuttal: when I visited that domain, I only saw parking. Exactly. That's the point. :) A malicious TDS is like a router for malware -- the goal is to bring the best victims to the best malicious offering. And to play dead when it looks like they might be caught, aka look like parking or search ads.

What these images show is the difference between visiting the site tokclix[.]live from a scanner (urlscan) versus from a real Android phone. The former leads you to (sketchy) search arbitrage and the latter is classic scareware. This is what a TDS does.

Found this particular one while researching search arbitrage, so it is fairly random. Started with an old post on BlackHat World, but the domains were all still live. On the screen capture you can see the redirects through the TDS.

The imgur video shows the original click to scareware -- watch the redirects.

#InfobloxThreatIntel #tds #dns #malware #threatintel #cybercrime #cybersecurity #infosec #scam #phishing

"Unfortunately we have fallen prey to the myth of techno exceptionalism," Easterly opined. "We don't have a cyber security problem – we have a software quality problem. We don't need more security products – we need more secure products."

A funny phishing campaign targeting GitHub users with an email notification about a security issue on an existing repository.

Then the captcha verification on a malicious website tries to trick the user into running a shell command on Windows.

🔗 PowerShell to be executed by the user
https://gist.github.com/adulau/6cf6f3e9c5bbd9106af8814d0a22f473

🔗 File downloaded https://pandora.circl.lu/analysis/21e8f693-361b-4a04-853c-276f9dd841e4/seed-1XqUr4mADaFYlLAyrBH8oQUBgOoEbceZ586b8h05YyA - Lumma Stealer

🔗 Malicious domain analysis. https://lookyloo.circl.lu/tree/91106035-dfec-4acc-af06-c9fc36c62774

Microsoft introducing Python support in Excel

PINs

@GossiTheDog @mattburgess I like how the whole #infosec world largely ignores the fact that teenagers can completely stomp these large companies, let alone organized crime, let alone a nation state.

I don't know if anyone ever gets hired from these sorts of posts, but please boost as I am motivated by enjoying such things as "eating food to stay alive" and "being able to pay my bills to have a roof over my head."

I've been a Sr. Infrastructure Engineer for roughly 4 years now, at the same MSP (THAT I LOVE, but may not be able to move upward/get paid enough to support myself and my family any longer. :\ ) We focus almost entirely in the Biotech/Life Sciences space, so I have special knowledge of laboratory networking, compatibility, patching, software integrations (on-prem, hybrid, and cloud) etc. It's a very small world, but useful knowledge.

I am looking for a full-time security position whether it's in ops, ops-adjacent, outside of ops entirely, whatever it may be. I just want to make a difference, use my talents, and more importantly, grow. I know that my experience in all things ops can be very useful.

I can do almost everything in the Microsoft stack from M365/Office 365 administration, Intune, to spinning up entire Azure environments with IAM, Conditional Access policies, App Protection, etc. from scratch. If I haven't done it already, I have probably administrated it after it was spun up by a member of my team.

I have experience in Defender (and its myriad products across the Endpoint/Office/Cloud/Azure/Entra space), SentinelOne, Sophos, Cylance(vomit emoji), you name it.

I have basically been running incident response as best I can solo for years, and I've written a rudimentary Vulnerability Management process for my org for SOC2 certification. (We're being audited right now and my processes were accepted, so good? lol)

Open to requests for my resume, links to job postings, etc. (I will redact my address and number of course because...safety reasons.)

I am currently in Boston, MA. Looking for remote roles, as transit into Boston is a no-go entirely.

In a very strange turn of events, I've randomly stumbled across a misconfigured #S3 Bucket. I have no idea who owns it, or how sensitive the contents might be. Does anyone have any suggestions on how to go about the responsible disclosure process here? Do I contact Amazon Web Services perhaps? Boosts for reach would be greatly appreciated.