🚨 patch your Cisco AnyConnect boxes 🚨

For a 2020 vulnerability. Really.

Lots of ransomware cases coming in for Cisco AnyConnect/ASA recently and finally we know how - CVE-2020-3259

It was a vuln which allowed a CitrixBleed-style memory dump, found by a Russian research org now under US sanctions. Ransomware operators have an exploit.

Sadly it looks like many orgs never patched.

https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco-anyconnect-vulnerability-cve-2020-3259

National Presto Industries has filed an 8-K with the SEC for probably ransomware. Apparently they didn’t like including their company name in the text. https://www.sec.gov/ix?doc=/Archives/edgar/data/80172/000143774925006475/npk20250306_8k.htm

In case you missed it - update VMware ESX

There's an in-the-wild exploit chain being used which does VM -> Hypervisor escape, across all versions of ESXi. Allows full cluster access (not just VMs on that host).

Impacts ESX 5.5 (no patch), 6.5, 6.7, 7, 8 - i.e. every version released over the past 15 years.

https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exploitation-of-esxicape-0091ccc5bdfc

I wrote up everything I know about #ESXicape https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exploitation-of-esxicape-0091ccc5bdfc

Handala have been fully kicked off Telegram, including their backup channel.

Achievement unlocked as I can't remember a group ever getting fully booted.

Not sure if anybody else caught this, but CISA added CVE-2024-49035 to KEV a week ago - that vuln is about partner.microsoft.com being owned.

Partner.microsoft.com is a portal which allows orgs to grant access to Microsoft 365 tenants, ie read data of downstream customers.

3 different VMware zero days, under active exploitation by a ransomware group:

CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion
VMware Cloud Foundation
VMware Telco Cloud Platform

(Exploitation actually ESXi)

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

https://x.com/i/grok/share/* URLs, you’ll want to block

MOD Police’s website is back online today, almost 3 months after NoName DDoS’d it. https://www.mod.police.uk/

I’ve been seeing an increase in the number of malicious emails using infogram[.]com in the lure url.

Apparently infogram[.]com is trusted by over 10M+ users worldwide. I wonder if they include malicious threat actors in that count?

Infogram[.]com says you can use their service for charts, maps, Infographics, Reports, and More. I guess phishing is “more”. Since the service has a free tier that lets you publish online, you can see why it’s perfect for your budding threat actor.

Recently I’ve seen a number of good looking malicious emails pretending to be from various orgs, all with included company logos.

Looking over the HTML of the emails I noticed an image URL common to all of them, logo.clearbit[.]com. It was in the image tag for the logo.

It’s a company logo API that uses logo.clearbit[.]com/“domain.whatever” for logo creation.

Might be a domain you want to start filtering for, as the API is clearly being abused thanks to it being absolutely free.

For some reason people are sharing LLM garbage instead of the real chat logs for Black Basta. Here are the real logs and the Telegram channel they're being shared in: https://t[.]me/shopotbasta/21

CTI is a team sport. Not a secret boys club. Sharing is caring.

@GossiTheDog The MEGA site is down, but the Telegram channel where this is being discussed provides a direct download of the chat contents via a ~50MB JSON file. Grepping for ZoomInfo URLs and using cut/sort/uniq can get folks a quick and dirty list of potentially targeted companies. Some of the company names I saw are listed on their ransom site, but some are attributed to other ransomware gangs. Some of the messages also have Forti/Cisco/Citrix as well as the $$$ amount after the ZoomInfo link for the company. Gonna guess this is likely the pwned appliance vendor and ransom amount for the company. One can likely walk back the vendor name to a critical RCE vulnerability which they exploited.

Grepping for CVEs, there's tons of chatter about various RCE vulnerabilities, mitigations, and PoC exploits. Same as Conti Leaks. I'm sure we'll see a bunch of vendor write-ups in the coming days with Black Basta CTI analysis of the data.
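A scripted version of the quick-and-dirty triage the commenter describes above (ZoomInfo link, then vendor keyword and ransom figure after it), added here as an example; it is not the commenter's own grep pipeline. The JSON shape (a list of objects with a "text" field) and the sample messages are constructed assumptions, not content from the real dump.

```python
import json
import re

# Constructed sample standing in for an exported chat dump. Company names,
# vendors and amounts are made up for illustration only.
SAMPLE_DUMP = json.dumps([
    {"id": 1, "text": "https://www.zoominfo.com/c/example-plastics-inc/12345 citrix 2.5m"},
    {"id": 2, "text": "look https://www.zoominfo.com/c/acme-logistics-llc/67890 forti $800k"},
    {"id": 3, "text": "again https://www.zoominfo.com/c/example-plastics-inc/12345"},
    {"id": 4, "text": "unrelated chatter, no link"},
])

# ZoomInfo company pages carry a slug followed by a numeric id.
ZOOMINFO_RE = re.compile(r"https?://(?:www\.)?zoominfo\.com/c/([a-z0-9-]+)/\d+", re.I)
# Appliance vendors the commenter saw named after the link.
VENDOR_RE = re.compile(r"\b(forti\w*|cisco|citrix)\b", re.I)
# Ransom figure: "2.5m", "$800k" or a plain "$1,200,000".
AMOUNT_RE = re.compile(r"\$?\d+(?:\.\d+)?\s?[km]\b|\$\d[\d,]*", re.I)


def extract_targets(dump_json):
    """Map each ZoomInfo company slug to mention count, vendors and amounts.

    Only text *after* the link is searched for vendor and amount, mirroring
    the pattern described in the post (link, then vendor, then $$$)."""
    targets = {}
    for msg in json.loads(dump_json):
        text = msg.get("text") or ""
        for m in ZOOMINFO_RE.finditer(text):
            slug = m.group(1).lower()
            entry = targets.setdefault(
                slug, {"mentions": 0, "vendors": set(), "amounts": set()})
            entry["mentions"] += 1
            tail = text[m.end():]
            vendor = VENDOR_RE.search(tail)
            if vendor:
                entry["vendors"].add(vendor.group(1).lower())
            amount = AMOUNT_RE.search(tail)
            if amount:
                entry["amounts"].add(amount.group(0))
    return targets


def company_list(dump_json):
    """The sort | uniq equivalent: sorted unique company slugs."""
    return sorted(extract_targets(dump_json))


if __name__ == "__main__":
    for slug, info in extract_targets(SAMPLE_DUMP).items():
        print(slug, info["mentions"], sorted(info["vendors"]), sorted(info["amounts"]))
```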

Netskope https://www.netskope.com/blog/telegram-abused-as-c2-channel-for-new-golang-backdoor

Backdoor written in Golang using Telegram for C2-communication. Perhaps most interestingly the referenced Github repository with IoCs is not there anymore? Or will be published soon perhaps?

Over the past few days, I’ve noticed a variety of malicious emails with different styles. All of these emails use the lure URL link.shoppermeet[.]net.

Link attempts to redirect users to a Microsoft 365 phishing page for credential harvesting. The threat actor even tries to include company images and logos to make the email appear more legitimate.

Law enforcement confirm they did a takedown of 8base ransomware group. You heard it here on Mastodon first thanks to @cR0w

https://techcrunch.com/2025/02/10/global-police-operation-seizes-8base-ransomware-gang-leak-site/

8base ransomware group has apparently been seized or done an exit scam.

Two of its Tor portals say "This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg"

They had been hitting some high profile targets in recent times.

HT @cR0w

The US Treasury Department has put out a cyber threat intelligence briefing saying "Continued access to any payment systems by DOGE members, even 'read only,' likely poses the single greatest insider threat risk the Bureau of the Fiscal Service has ever faced." https://www.wired.com/story/treasury-bfs-doge-insider-threat/

Handala claim to have done a hack and wipe of Tosaf, a plastics manufacturer.

Screenshots show apparent Windows domain admin access, and they attach CCTV videos of themselves playing songs into a factory and an office, with workers looking confused.

This is what they're trying to sell, they're also trying to sell the original dump for some reason.

They don't appear to have a way to actually sell the data as the links don't point anywhere, which is a slight flaw.

Belsen Group are back and can spell their own group name now.

Mastodon communities, be vigilant! Bad actors are creating accounts within the Fediverse and then using them to distribute malware. We identified one such case in which the threat actor had gone undetected since 2022. That Mastodon instance was one with a climate change focus. The threat actor was distributing an information stealer through their account.

We are happy to have helped the instance owner figure out why they have been on blocklists intermittently for the last few years, but also get that particular threat out of their Mastodon instance and safe for users.

There are undoubtedly many more of these across the Fediverse. Hopefully more awareness can get them detected and shut down faster.

For our fellow security nerds... this was #vidar malware with sha256 975932eeda7cc3feea07bc1f8576e1e73e4e001c6fe477c8df7272ee2e0ba20d and a C2 IP 78[.]47[.]227[.]68 from the instance.

There is still at least one more Mastodon instance impacted that we are trying to reach.

Not sure if you’ve heard of Pixpa[.]com. They label themselves as “an easy, all-in-one portfolio website builder for photographers & creators…”

I’ve recently seen threat actors use Pixpa as a trusted domain within links in malicious email campaigns. Watch out as the service isn’t always photography.

Ever seen a single QR code that can lead you to two different URLs? 🤯

Christian Walther just demoed that. He merged two QR codes in such a way that each “pixel” can be interpreted as black or white, depending on angle, focus settings, or even plain luck. Same device, same scanner - yet sometimes you get https://mstdn.social/@isziaui, other times it’s https://github.com/cwalther.

While this is currently just a wicked proof-of-concept, it's a red flag for possible future scams.

Check the full thread: https://mstdn.social/@isziaui/113874436953157913

@gvy_dvpont Got me thinking… can it be done without the lens? This one seems to work!

ENGlobal Corporation has filed an updated 8-K with the SEC to say they have evicted the ransomware actor from their network and restored service, two months later.

https://www.sec.gov/ix?doc=/Archives/edgar/data/933738/000165495425000798/eng_8ka.htm