Merry Christmas from the goat: Vendor Verbiage is a list of common example messages used by software vendors to note that a vulnerability is publicly disclosed or exploited in the wild. This should come in handy when quickly scanning through security advisories on Patch Tuesday. Enjoy!
Huntress: https://www.huntress.com/blog/analyzing-initial-access-across-todays-business-environment
Thorough analysis of initial access and the distribution of various techniques. Exploitation of 0days, contrary to reporting, is not an especially common technique; using stolen creds and logging in, however, is.
Good read for sure and certainly helps with prioritization of defensive countermeasures.
tags: #cybercrime #cybersecurity #infosec #interpol #pigbutchering #scam
INTERPOL: INTERPOL urges end to 'Pig Butchering' term, cites harm to online victims
INTERPOL is calling for a shift in language to combat online relationship and investment frauds, advocating for the term 'romance baiting' to replace the widely used but stigmatizing 'pig butchering.' INTERPOL argues that the term 'pig butchering' dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities. See related WIRED reporting (paywall).
tags: #cybersecurity #dataleak #infosec #leak #mexico
🇲🇽 Cargamos.com, a package delivery company, was exposing over 6 million files for over a year.
I've always opted to keep trying some other way to get a server closed instead of going public about the issue until earlier this week.
I've contacted multiple GOV/CERT emails in Mexico over multiple issues and I never got a meaningful reply.
The company ignored my contact, so I either let it go and see it posted eventually by some "ransomware" group or I make enough noise publicly that the company will get alerted about it.
Today, 2 days after an article came out on a Mexican news website, the exposure was closed down.
Read the article, in Spanish, that made the company close the server down:
Trend Micro: Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion
Trend Micro provides a case study in which the attacker used social engineering via a Microsoft Teams call to impersonate a user's client and gain remote access to their system. The attacker failed to install a Microsoft Remote Support application but successfully instructed the victim to download AnyDesk 😂. DarkGate malware was deployed to their machine and persistence was created, but the attack was stopped. Trend Micro is sharing infection chain and post-infection actions for security awareness. Indicators of compromise provided.
tags: #china #cisa #cti #cybercom #cyberespionage #cybersecurity #cyberthreatintelligence #dod #infosec #nsa #salttyphoon #threatintel
U.S. Department of Defense: Cyber Command Chief Discusses Challenges of Getting Intel to Users
A generic-looking press release revealed additional information about the Salt Typhoon hack:
- "the Chinese government led hack aimed at North America and Southeast Asian targets."
- "The hack — discovered by Microsoft"
- "is just one part of China's global cyber program"
- The agency did send out cyber security advisories in 2022 "that laid out this exact series of things that we had observed overseas,"
I don't know about you, but this is my first time hearing confirmation of Southeast Asian victims from a government official, that it was discovered by Microsoft (obvious in hindsight), and that there were early indicators and warnings (I&W) since 2022. cc: @nattothoughts
Rapid7: Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware
Rapid7 reports a resurgence of activity from Black Basta ransomware operators in early October 2024 with new malware payloads, improved delivery, and increased defense evasion. They provide a technical analysis of the attack lifecycle. Indicators of compromise provided at their GitHub repo, and TTPs are mapped to MITRE ATT&CK.
tags: #cisa #cybersecurity #infosec #redteam
lol
lmao
Sauce: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a
A tip to all of you out there struggling to keep your company's services' accessibility at 100%: if you delete the logs that show the downtime, your uptime will always be 100% :ablobcool:
tags: #cybersecurity #databreach #extortion #healthsec #infosec
Idaho man who hacked medical entities and made vile threats sentenced to 10 years in prison:
This is a case that started because the threat actor, "Lifelock," contacted DataBreaches to try to get DataBreaches.net to report on victims who hadn't paid his ransom demands.
Some of his court filings tried to blame me for the FBI raiding him and seizing his devices. The FBI did their own investigation but yes, it was my reporting that initially made the FBI aware of Robert Purbeck.
tags: #cybersecurity #infosec #privacy #threatintel #tor
Wild ass day in the Tor node operator world. Got an email from my VPS, forwarding a complaint from WatchDog CyberSecurity saying that my box was scanning SSH ports!
> Oh no, oh no, I knew I should have set up fail2ban, oh god why was I so lackadaisical!
So I remote into the machine: no unusual network activity, no unusual processes, users, logins, command history, no sign that anything is doing anything I didn't tell it to do.
So what's up? Turns out there's been a widespread campaign where some actor is spoofing IPs to make it look like systems running Tor are scanning port 22: https://forum.torproject.org/t/tor-relays-tor-relays-source-ips-spoofed-to-mass-scan-port-22/15498/14
Operators from all over are saying they're getting nastygrams from their VPS providers because WatchDog is fingering their source IPs (which are being spoofed and NOT part of a global portscanning botnet).
@delroth did an amazing writeup of the whole thing here: https://delroth.net/posts/spoofed-mass-scan-abuse/
One for UK cyber folk!
I'm hiring two Cyber Security Operations Engineers to join my team at the National Energy System Operator (NESO).
This would ideally suit folk who are well-versed in infrastructure, CI/CD pipelines, SIEM/security tooling, and who have a good awareness of what a modern SOC needs to function.
This is the first time I've tried reaching out on Mastodon for this kind of thing but there's plenty of skilled folk on here doing all sorts of interesting things so I'm giving it a go!
As I put in the ad, if you're the kind of person who likes building and experimenting, and telling people about your over-engineered homelab setup, you'd probably fit in extremely well.
The role is listed as hybrid, but the on-site component is really only about 1-2 days a month, when interesting things may be happening.
More than willing to chat to anyone at all who might be interested so do feel free to reach out if this appeals to you in any way!
Boosts very appreciated if you have UK-based followers who might also be interested. Thanks! :blobsmile:
tags: #cybersecurity #dataleak #infosec #usa
🇺🇸 Professional Probation Services (www.ppsfamily.com) exposes almost 500,000 US probationers' private data publicly, SSNs included, and when I ask them for their intentions regarding disclosure, they go into hiding mode, removing their management and "Our Companies" contact page.
Read more about the exposed data from the company who, according to them, has "A corporate culture of knowing right from wrong, and doing right- every time."
https://jltee.substack.com/p/ppsfamilycom-professional-probation-services-data-leak
Rapid7: Investigating a SharePoint Compromise: IR Tales from the Field
Rapid7 provides a case study of a compromised Microsoft Exchange service account with domain administrator privileges. They assessed that the initial infection vector was CVE-2024-38094 (7.2 high) Microsoft SharePoint Remote Code Execution Vulnerability. Seeing how this CVE was added to CISA's KEV Catalog only 8 days ago, it is very likely that Rapid7 fed CISA the KEV information via backchannels. They describe the attacker's tactics, techniques, and procedures (TTPs). Indicators of compromise are provided.
tags: #activeexploitation #cisakev #cti #cve #cve_2024_47575 #cybersecurity #cyberthreat #eitw #fortimanager #fortinet #infosec #ioc #kev #threatintel #vulnerability #zeroday
Fortinet exploited zero-day: FG-IR-24-423 Missing authentication in fgfmsd
CVE-2024-47575 (9.8 critical, disclosed 23 October by Fortinet, noted earlier on 13 October by @GossiTheDog on Mastodon) Fortinet FortiManager Missing Authentication Vulnerability.
- Reports have shown this vulnerability to be exploited in the wild.
- The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.
CISA added CVE-2024-47575 to the KEV Catalog about 3 hours afterward.
Just in case you didn't read closely, there are indicators of compromise (IoC) in the advisory. At least one of the IP addresses was reportedly used as a Cobalt Strike server 2 years ago.
cc: @cR0w @nopatience I require at least 25 favorites to unlock my next toot!
#fortinet #fortimanager #cve #zeroday #CVE_2024_47575 #vulnerability #eitw #activeexploitation #kev #cisakev #KnownExploitedVulnerabilitiesCatalog
tags: #cybersecurity #dns #internet #lawfedi
New regulations set out circumstances in which the Secretary of State can intervene in the running of internet domain registries for UK-related domains
This somewhat lengthy blogpost about The Internet Domain Registry (Prescribed Practices and Prescribed Requirements) Regulations 2024 is probably of most interest to people running domain registries, and domain registrars, for .uk, .scot, .wales, .cymru, and .london.
To be honest, until yesterday, I had no idea that the Secretary of State had these kind of powers...
tags: #cybersecurity #edusec #ncsc #ransomware
British intelligence services to protect all UK schools from ransomware attacks:
https://therecord.media/uk-pdns-schools-cyberdefense-intelligence-services
Direct link to #NCSC announcement: https://www.ncsc.gov.uk/blog-post/pdns-for-schools-provide-cyber-resilience-for-more-institutions
tags: #CyberSecurity #cyberpunk #hacking #robotics #technology
For several days, robot vacuums in several U.S. cities were hacked, with perpetrators physically controlling them and shouting obscenities through their built-in speakers.
The cyberpunk world we live in.
tags: #cti #cybersecurity #cyberthreatintelligence #infosec #ioc #princeransomware #ransomware #royalmail #secdbg #threatintel #thunderkitty
Proofpoint: Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware
Proofpoint reported on a Prince ransomware campaign impersonating British postal carrier Royal Mail that occurred in mid-September and targeted people in the UK and the U.S. The activity was low-volume and impacted a small number of organizations. Notably, in most cases the messages appear to originate via contact forms posted on the target organizations' websites, indicating the actor does not exclusively target organizations via email directly, but also from public contact forms. Proofpoint notes that there are no decryption mechanisms or data exfiltration, so the end result is destructive rather than typical ransomware. They describe the campaign details (from infection to ransom note) and include a bit about the ransomware creator SecDbg having a paid infostealer version called ThunderKitty. Proofpoint does not attribute this activity to a tracked threat actor. Indicators of compromise are provided.
Shoutout to @selenalarson for the awesome post
One thing that really sucks about me leaving Twitter/X and losing so much of my audience and reach is that I can watch in real time the people who my generation and older in infosec all knew were abusers, harassers, and generally really dangerous people being forgotten as such, and our warnings not being passed on to the younger generation.
Those same bad dudes are absolutely noticing they're in the clear, and coming right back into the conference, X, and education spaces where they can victimize young people, especially young women. They have the age, the money, and the power to do it. It really blows.
I'm sure it's exactly what Elon wanted.
Here is a traffic distribution system (TDS) in action. Fairly often when talking about TDS, I get the rebuttal: when I visited that domain, I only saw parking. Exactly. That's the point. :) A malicious TDS is like a router for malware -- the goal is to bring the best victims to the best malicious offering. And to play dead when it looks like they might be caught, aka look like parking or search ads.
What these images show is the difference between visiting the site tokclix[.]live from a scanner (urlscan) versus from a real Android phone. The former leads you to (sketchy) search arbitrage and the latter is classic scareware. This is what a TDS does.
Found this particular one while researching search arbitrage so it is fairly random. It started with an old post on BlackHat World but the domains were all still live. On the screen capture you can see the redirects through the TDS.
The imgur video shows the original click to scareware -- watch the redirects.
#InfobloxThreatIntel #tds #dns #malware #threatintel #cybercrime #cybersecurity #infosec #scam #phishing
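The scanner-versus-phone difference described in the post above is the kind of thing you can check for yourself by fetching the same URL under several client profiles and diffing where each redirect chain ends. The script below is an added example, not code from the Infoblox post or from any tool it mentions. The client profiles, the hostnames (tds.example, parking.example, scareware.example) and the `fake_tds_fetch` router that stands in for a live TDS are all constructed for illustration; only the User-Agent header is modelled as a cloaking signal here, whereas a real TDS also keys on source IP, ASN, referer and language. Pass a URL on the command line to run the same comparison against a live site with urllib.

```python
"""cloak-diff: follow one URL under several client profiles and compare
the redirect chains. Added example; all names and sample data constructed."""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Constructed client profiles. A headless/desktop UA is what many URL
# scanners present; the Android UA is what a real phone victim presents.
PROFILES: Dict[str, Dict[str, str]] = {
    "headless": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) HeadlessChrome/120.0.0.0 Safari/537.36",
        "Accept-Language": "en-US,en;q=0.9",
    },
    "curl": {"User-Agent": "curl/8.5.0"},
    "android": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36",
        "Accept-Language": "en-US,en;q=0.9",
    },
}

REDIRECT_CODES = (301, 302, 303, 307, 308)

# A fetcher takes (url, headers) and returns (status, Location header or None).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Optional[str]]]


@dataclass
class Hop:
    url: str
    status: int


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Real fetcher: one request, redirects NOT followed so we see every hop."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn the 3xx into an HTTPError we catch below

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def follow(url: str, headers: Dict[str, str], fetch: Fetcher,
           max_hops: int = 10) -> List[Hop]:
    """Walk the redirect chain hop by hop, resolving relative Locations."""
    chain: List[Hop] = []
    current = url
    for _ in range(max_hops):
        status, location = fetch(current, headers)
        chain.append(Hop(current, status))
        if status not in REDIRECT_CODES or location is None:
            break
        current = urljoin(current, location)
    return chain


def final_host(chain: List[Hop]) -> str:
    return urlparse(chain[-1].url).netloc


def compare(url: str, fetch: Fetcher = urllib_fetch,
            profiles: Dict[str, Dict[str, str]] = PROFILES):
    """Return (chains per profile, final host per profile, cloaked?).
    'cloaked' means different profiles were routed to different final hosts."""
    chains = {name: follow(url, hdrs, fetch) for name, hdrs in profiles.items()}
    hosts = {name: final_host(c) for name, c in chains.items()}
    return chains, hosts, len(set(hosts.values())) > 1


# --- constructed stand-in for a live TDS, so the example runs offline -------
SIMULATED_SITE = "https://tds.example/"  # constructed, not the domain in the post


def fake_tds_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Routes real-looking Android clients to scareware, everything else to parking."""
    ua = headers.get("User-Agent", "")
    if url == SIMULATED_SITE:
        mobile_victim = "Android" in ua and "Headless" not in ua
        return 302, "/go?o=mobile" if mobile_victim else "/go?o=default"
    if url.endswith("o=mobile"):
        return 302, "https://scareware.example/alert.html"
    if url.endswith("o=default"):
        return 302, "https://parking.example/search?q=deals"
    return 200, None


def demo():
    return compare(SIMULATED_SITE, fetch=fake_tds_fetch)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    chains, hosts, cloaked = compare(target) if target else demo()
    for name, chain in chains.items():
        print(name, " -> ".join(f"{h.url} [{h.status}]" for h in chain))
    print("cloaking detected:", cloaked)
```

The useful signal is not any single landing page but the disagreement between profiles: if a scanner and a phone end up on different hosts for the same start URL, something in between is making a routing decision, which is exactly the TDS behaviour the post describes.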
Really looking forward to explaining to my kid that his PII has been compromised for basically his entire life because he had the audacity to be born at a time when the positive incentives for computer security were nearly nonexistent and the regulatory penalties favored doing the bare minimum you can get away with.
Can confirm localsend.org works perfectly between Desktop Linux, Apple iOS & Android (LineageOS).
The cute & funny generated device names help a lot in acceptance of this tech by non-tech people.
Have not looked at the code yet, so no info on security as of now. Maybe some #Dart & #CyberSecurity gurus want to have a look & gift localsend & the #OpenSource community with a free audit? 😄
Anyone tried https://localsend.org already as a replacement for Apple's airdrop?
I'm especially interested in cross-platform usage experience. E.g. Apple <--> Linux & Android <--> Apple/iOS. Target group is teens & schools.
Also, how secure is this solution?
Feel free to boost this :)
Thanks in advance!
NEW: Details of people's therapy sessions—including reports, video and audio recordings—have been exposed by a healthcare company.
These included people mentioning sexual abuse and highly sensitive subjects. The exposed database has now been closed down.