DomainTools DNSDB sensors recorded a massive, sustained spike in deduplicated and validated DNS observables early Christmas morning. Data analysis is forthcoming. But for the moment I'll just remind you that, like CSI Miami, we never close.

Merry Christmas from the goat: Vendor Verbiage is a list of common example messages used by software vendors to note that a vulnerability is publicly disclosed or exploited in the wild. This should come in handy when quickly scanning through security advisories on Patch Tuesday. Enjoy!

Hey #infosec people, what are you using to detect leaked #discord API keys and tokens, and detect programs trying to steal those? (Also, if there's a way to generate #canary #discord #tokens please share).

INTERPOL: INTERPOL urges end to 'Pig Butchering' term, cites harm to online victims
INTERPOL is calling for a shift in language to combat online relationship and investment frauds, advocating for the term 'romance baiting' to replace the widely used but stigmatizing 'pig butchering.' INTERPOL argues that the term 'pig butchering' dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities. See related WIRED reporting (paywall).

🇲🇽 Cargamos.com, a package delivery company was exposing over 6 million files for over a year.

I've always opted to keep trying some other way to get a server closed instead of going public about the issue until earlier this week.
I've contacted multiple GOV/CERT emails in Mexico over multiple issues and I never got a meaningful reply.
The company ignored my contact, so I either let it go and see it posted eventually by some "ransomware" group or I make enough noise publicly that the company will get alerted about it.

Today, 2 days after an article came out on a Mexican news website, the exposure was closed down.

Read the article, in Spanish, that made the company close the server down:

https://www.publimetro.com.mx/noticias/2024/12/16/start-up-mexicana-deja-a-merced-de-hackers-6-millones-de-archivos-de-clientes-y-repartidores/

OK, a huge thumbs up to Byte Federal for their breach notification letter. They frankly admit where they screwed up and what happened. I wish more notifications were as clear and straightforward as this one.

https://databreaches.net/2024/12/17/a-positive-example-of-forthright-breach-disclosure/

Periodic reminder to reboot your routers. 📶🛜✅

SAME STATS, DIFFERENT IMPROVEMENTS...

@programming

After 12 months of managing bugs developers A, B, and C changed their approach.

Whose change is an improvement❓ What's your answer❓

Boosts appreciated! :boost_no: 🙂

More generally, the problem is domain independent.

Trend Micro: Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion
Trend Micro provides a case study in which the attacker used social engineering via a Microsoft Teams call to impersonate a user's client and gain remote access to their system. The attacker failed to install a Microsoft Remote Support application but successfully instructed the victim to download AnyDesk 😂. DarkGate malware was deployed to their machine and persistence was created, but the attack was stopped. Trend Micro is sharing infection chain and post-infection actions for security awareness. Indicators of compromise provided.

Sharing this post from earlier this week about NTLM: https://msrc.microsoft.com/blog/2024/12/mitigating-ntlm-relay-attacks-by-default/. You should NOT wait until you start moving to Server 2025 to start on this. The LDAP Channel Binding audit alert was backported all the way to Server 2019. Enable this, see what WILL break and start fixing!
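One way to act on that advice, as an added example that is not part of the post and not Microsoft's own tooling: on a domain controller, turn up LDAP interface diagnostic logging and summarise the resulting Directory Service events so you can see which clients and identities would break once signing and channel binding are enforced. The registry path and event IDs 2889 (unsigned or simple LDAP bind) and 3039 (channel binding token missing) are the ones Microsoft's guidance references; the order of the EventData fields is an assumption and should be checked against a sample event on your own DC.

```powershell
# Added example (not from the post or from Microsoft). Run elevated on each DC.
# Step 1: raise "16 LDAP Interface Events" to 2 so the audit events are emitted.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2

# Helper: EventData <Data> elements in these events are unnamed, so they come
# back as plain strings; handle the named (#text) form too, just in case.
function Get-DataField {
    param($Data, [int]$Index)
    $item = $Data[$Index]
    if ($item -is [string]) { return $item }
    return $item.'#text'
}

# Step 2: collect the audit events. 2889 = unsigned/simple bind,
# 3039 = client did not supply a channel binding token.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889, 3039 } `
                       -ErrorAction SilentlyContinue

# Step 3: one row per event. ASSUMPTION: field 0 is "client IP:port" and
# field 1 is the identity the client bound as; verify on a real event first.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = $xml.Event.EventData.Data
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Client   = Get-DataField -Data $data -Index 0
        Identity = Get-DataField -Data $data -Index 1
    }
}

# Step 4: rank by (event, client) so the noisiest legacy hosts surface first.
$rows | Group-Object Id, Client |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Leave the diagnostic level raised for at least a full business cycle (including any monthly jobs) before you flip LDAP signing or channel binding to enforced, and re-run the summary after each fix so the list shrinks to zero rather than to "probably fine".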

U.S. Department of Defense: Cyber Command Chief Discusses Challenges of Getting Intel to Users
A generic-looking press release revealed additional information about the Salt Typhoon hack:

  • "the Chinese government led hack aimed at North America and Southeast Asian targets."
  • "The hack — discovered by Microsoft"
  • "is just one part of China's global cyber program"
  • The agency did send out cyber security advisories in 2022 "that laid out this exact series of things that we had observed overseas,"

I don't know about you, but this is my first time hearing confirmation of Southeast Asian victims from a government official, that it was discovered by Microsoft (obvious in hindsight), and that there were early indicators and warnings (I&W) since 2022. cc: @nattothoughts

Scattered Spider Hacking Gang Arrests Mount With Teen:

Remington Ogletree (aka "Remi") arrested and charged with wire fraud and aggravated identity theft.

This teen had jaw-droppingly bad opsec, and to add to it, he used a crypto laundering service on TG that was actually an undercover FBI operation.

https://databreaches.net/2024/12/05/scattered-spider-hacking-gang-arrests-mount-with-teen/

Rapid7: Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware
Rapid7 reports a resurgence of activity from Black Basta ransomware operators in early October 2024 with new malware payloads, improved delivery, and increased defense evasion. They provide a technical analysis of the attack lifecycle. Indicators of compromise provided at their GitHub repo, and TTPs are mapped to MITRE ATT&CK.

lol
lmao

Sauce: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a

So, apparently Thames Water is still using IT systems from the 1980s, which doesn't seem very ideal or secure for a critical infrastructure operator in 2024.

"“The software we use is older than me, and some of the hardware is older than my dad,” says Siddharth*. He is one of a team fighting a daily battle to sustain ancient IT infrastructure at Thames Water."

Then later...

"The use of Lotus Notes is a signal of how starved of investment technology at the company has been since it was privatised in the late 1980s. Other examples of obsolete or near obsolete technology include wide reliance on 2G technologies, arrays of meters that remain analogue and require manual checks, and hardware that is often more than 30 years old." #infosec

A tip to all of you out there struggling to keep your company's service availability at 100%: if you delete the logs that show the downtime, your uptime will always be 100% :ablobcool:

Idaho man who hacked medical entities and made vile threats sentenced to 10 years in prison:

https://databreaches.net/2024/11/13/idaho-man-who-hacked-medical-entities-and-made-vile-threats-sentenced-to-10-years-in-prison/

This is a case that started because the threat actor, "Lifelock," contacted DataBreaches to try to get DataBreaches.net to report on victims who hadn't paid his ransom demands.

Some of his court filings tried to blame me for the FBI raiding him and seizing his devices. The FBI did their own investigation but yes, it was my reporting that initially made the FBI aware of Robert Purbeck.

#databreach #healthsec #cybersecurity #infosec #extortion

@euroinfosec @campuscodi @gcluley @zackwhittaker

Last night I made a fake nuclear reactor control system and put it on the Internet for hackers to find.

It's a script implementing the absolute minimum of the VNC protocol to very slowly send a screenshot of a SCADA interface.

I'm logging any keys they try to type and mouse movements they make, and the next stage of the project is to use that data to drive a display in my living room, that'll look like an electronic cloud chamber (using e-paper)

ASN: AS4837
Location: Zhengzhou, CN
Added: 2024-11-07T19:38

Wild ass day in the Tor node operator world. Got an email from my VPS, forwarding a complaint from WatchDog CyberSecurity saying that my box was scanning SSH ports!

> Oh no, oh no, I knew I should have set up fail2ban, oh god why was I so lackadaisical!

So I remote in to the machine: no unusual network activity, no unusual processes, users, logins, command history, no sign that anything is doing anything I didn't tell it to do.

So what's up? Turns out there's been a widespread campaign where some actor is spoofing IPs to make it look like systems running Tor are scanning port 22: https://forum.torproject.org/t/tor-relays-tor-relays-source-ips-spoofed-to-mass-scan-port-22/15498/14

Operators from all over are saying they're getting nastygrams from their VPS providers because WatchDog is fingering their source IPs (which are being spoofed and NOT part of a global portscanning botnet).

@delroth did an amazing writeup of the whole thing here: https://delroth.net/posts/spoofed-mass-scan-abuse/

I am an #infosec professional. You sell #infosec "solutions".

If your spam email to me starts with “RE:” and consists of a conversation with yourself suggesting days for a meeting, I have to ask:

Do you seriously think I would ever consider buying your products after you implied that I was an idiot that you could somehow social engineer into a meeting?

All Qtriots in control #QAnon #Conspiracy #photography #dogs #nature #camping #anime #music #BSD #cycling #DOS #fedi22 #fitness #FOSS #GNU #infosec #Lego #linux #MOC #MSDOS #OpenSource #OpSec #OSINT #pinball #privacy #RightToRepair #security #StarTrek #Unix #believeinfilm #fedi22 #photography #filmphotography #35mm #filmisnotdead #Politics #Fediblock #Trump #Caturday #Dutch #English #LGBTQIA #Minecraft #Programming

🇺🇸 Professional Probation Services ( www.ppsfamily.com ) exposes almost 500,000 US probationers' private data publicly, SSNs included, and when I ask them for their intentions regarding disclosure, they go into hiding mode, removing their management and Our companies contact page.

Read more about the exposed data from the company who, according to them, has "A corporate culture of knowing right from wrong, and doing right- every time."

https://jltee.substack.com/p/ppsfamilycom-professional-probation-services-data-leak

ASN: AS13036
Location: Ostrava, CZ
Added: 2024-10-20T12:38

ASN: AS4713
Location: Takamatsu, JP
Added: 2024-10-29T20:39