Hachyderm.io

65 posts27 participants5 posts today

Opalsec :verified:👋 Ready for a fresh day of Cyber horrors? Me neither! Oh well, here you go: <a href="https://opalsec.ghost.io/daily-news-update-wednesday-april-2-2025-australia-melbourne/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://opalsec.ghost.io/daily-news-update-wednesday-april-2-2025-australia-melbourne/</a>Here's a few of the key items to be aware of:🚨 Palo Alto GlobalProtect Scans: Observed a significant spike in scans targeting Palo Alto Network GlobalProtect login portals, possibly prior to new exploit releases. Time to audit those logs! 🧐🇨🇳 China as Top Cyber Threat: Gen. Paul Nakasone (former NSA/Cyber Command Head) highlights China's unprecedented cyber activities, including malicious code in critical infrastructure and rapid exploitation of vulnerabilities. It's time to rethink our defense strategies! 🛡️🇰🇵 North Korean IT Worker Expansion: North Korean "IT warriors" are infiltrating European companies, using fake identities to secure remote work and fund their regime. Stay vigilant and double-check those remote hires! 🕵️🔑 Identity Flaws in Breaches: A new report indicates 60% of incidents involved an identity attack, with compromised valid accounts being a top initial access vector. Focus on robust MFA, least privilege, and AD security! 🔒Read the full post for all the details and more actionable insights, and if you want all this straight to your inbox, you're in luck! 👉 <a href="https://opalsec.ghost.io/daily-news-update-wednesday-april-2-2025-australia-melbourne/#/portal/signup" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://opalsec.ghost.io/daily-news-update-wednesday-april-2-2025-australia-melbourne/#/portal/signup</a><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Cybersecurity</a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/DataBreach" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DataBreach</a> <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Vulnerability</a> <a href="https://infosec.exchange/tags/PatchManagement" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PatchManagement</a> <a href="https://infosec.exchange/tags/ZeroDay" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ZeroDay</a> <a href="https://infosec.exchange/tags/Ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ransomware</a> <a href="https://infosec.exchange/tags/China" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#China</a> <a href="https://infosec.exchange/tags/NorthKorea" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NorthKorea</a> <a href="https://infosec.exchange/tags/EU" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EU</a> <a href="https://infosec.exchange/tags/UK" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#UK</a> <a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CISA</a> <a href="https://infosec.exchange/tags/Apple" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Apple</a> <a href="https://infosec.exchange/tags/Oracle" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Oracle</a> <a href="https://infosec.exchange/tags/Ivanti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ivanti</a> <a href="https://infosec.exchange/tags/CrushFTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CrushFTP</a> <a href="https://infosec.exchange/tags/CyberAttack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberAttack</a> <a href="https://infosec.exchange/tags/CyberThreat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberThreat</a> <a href="https://infosec.exchange/tags/SecurityNews" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SecurityNews</a>

A bot witha.nameNew configuration detected for DDosia. Hosts: * online.beobank.be * www.tec.be * www.allweb.be * connect.alimakgroup.com * asa.be * www.hansa-flex.be * alimak.com * stad.gent * www.provincedeliege.be * www.automatic-systems.com * www.const-court.be * www.agfa.com * www.elsene.be * www.cpbourg.com * www.beobank.be * www.cnp.be * www.bpost.be <a href="https://social.circl.lu/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://social.circl.lu/tags/Ddosia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ddosia</a> <a href="https://social.circl.lu/tags/NoName" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NoName</a> * <a href="https://witha.name/data/2025-04-02_08-20-03_DDoSia-target-list-full.json" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://witha.name/data/2025-04-02_08-20-03_DDoSia-target-list-full.json</a> * <a href="https://witha.name/data/2025-04-02_08-20-03_DDoSia-" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://witha.name/data/2025-04-02_08-20-03_DDoSia-</a>

A bot witha.nameNew IP set detected for DDosia.<a href="https://social.circl.lu/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://social.circl.lu/tags/Ddosia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ddosia</a> <a href="https://social.circl.lu/tags/NoName" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NoName</a>

A bot witha.nameid.coruna.gal * www.ferrol.gal * 1535.omr.gov.ua * www.kcci.kharkov.ua * data.gov.be * gasolina-online.com * ooek.od.ua * employment.belgium.be * odgaz.odessa.ua * venta.renfe.com * www.casareal.es * www.lamoncloa.gob.es * orcci.odessa.ua * www.citydev.brussels * www.coruna.gal * www.hetacv.be * www.conselleriadefacenda.gal * www.provincieantwerpen.be <a href="https://social.circl.lu/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://social.circl.lu/tags/Ddosia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ddosia</a> <a href="https://social.circl.lu/tags/NoName" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NoName</a> * <a href="https://witha.name/data/2025-04-02_07-20-02_DDoSia-target-list-full.json" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://witha.name/data/2025-04-02_07-20-02_DDoSia-target-list-full.json</a> *

RedPacket SecurityCVE Alert: CVE-2025-30006 - <a href="https://www.redpacketsecurity.com/cve_alert_cve-2025-30006/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.redpacketsecurity.com/cve_alert_cve-2025-30006/</a><a href="https://mastodon.social/tags/OSINT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OSINT</a> <a href="https://mastodon.social/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://mastodon.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://mastodon.social/tags/cve_2025_30006" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cve_2025_30006</a>

RedPacket SecurityCVE Alert: CVE-2025-31125 - <a href="https://www.redpacketsecurity.com/cve_alert_cve-2025-31125/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.redpacketsecurity.com/cve_alert_cve-2025-31125/</a><a href="https://mastodon.social/tags/OSINT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OSINT</a> <a href="https://mastodon.social/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://mastodon.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://mastodon.social/tags/cve_2025_31125" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cve_2025_31125</a>

Tim (Wadhwa-)Brown :donor:Looking at <a href="https://www.qualys.com/2025/three-bypasses-of-Ubuntu-unprivileged-user-namespace-restrictions.txt" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.qualys.com/2025/three-bypasses-of-Ubuntu-unprivileged-user-namespace-restrictions.txt</a>:$ aa-exec -p trinity -- unshare -U -r -m /bin/bash # id uid=0(root) gid=0(root) groups=0(root),65534(nogroup)(It's time to learn about namespaces =))<a href="https://infosec.exchange/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#linux</a>, <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>

Xavier «X» Santolaria :verified_paw: :donor:<blockquote>Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies</blockquote>-- <a href="https://mastodon.social/@hrbrmstr" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@hrbrmstr</a> <blockquote>These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.</blockquote><a href="https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity</a><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>

A bot witha.name1535.omr.gov.ua * www.provincieantwerpen.be * employment.belgium.be * www.citydev.brussels * www.ciriec.uliege.be * www.xunta.gal * www.federation-wallonie-bruxelles.be * www.contratosdegalicia.gal * ooek.od.ua * cci.sumy.ua * www.lamoncloa.gob.es * odgaz.odessa.ua * training.orcci.odessa.ua * venta.renfe.com * www.ferrol.gal * id.coruna.gal * www.transportepublico.es * ibsa.brussels * www.granada.org * www.politie.be * www.kcci.kharkov.ua * www.tribunalconstitucional.es <a href="https://social.circl.lu/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://social.circl.lu/tags/Ddosia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ddosia</a>

A bot witha.name* employment.belgium.be * statbel.fgov.be * courrier.parlement-wallon.be * www.lamoncloa.gob.es * www.conselleriadefacenda.gal * www.casareal.es * www.hetacv.be * www.provincieantwerpen.be * www.ciriec.uliege.be * ibsa.brussels * sede.coruna.gal * acceso.navantia.es * www.rsz.be <a href="https://social.circl.lu/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://social.circl.lu/tags/Ddosia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ddosia</a> <a href="https://social.circl.lu/tags/NoName" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NoName</a> * <a href="https://witha.name/data/2025-04-01_11-10-03_DDoSia-target-list-full.json" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://witha.name/data/2025-04-01_11-10-03_DDoSia-target-list-full.json</a> * <a href="https://witha.name/data/2025-04-01_11-10-03_DDoSia-target-list.csv" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://witha.name/data/2025-04-01_11-10-03_DDoSia-target-list.csv</a>

A bot witha.nameNew configuration detected for DDosia. Hosts: * employment.belgium.be * statbel.fgov.be * www.politie.be * ibsa.brussels * courrier.parlement-wallon.be * www.hetacv.be * data.gov.be * www.ceps.eu * www.rsz.be * www.federation-wallonie-bruxelles.be * www.ciriec.uliege.be * www.provincieantwerpen.be * www.plan.be * www.citydev.brussels * www.parlement-wallonie.be <a href="https://social.circl.lu/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://social.circl.lu/tags/Ddosia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ddosia</a> <a href="https://social.circl.lu/tags/NoName" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NoName</a> * <a href="https://witha.name/data/2025-04-01_08-10-03_DDoSia-target-list-full.json" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://witha.name/data/2025-04-01_08-10-03_DDoSia-target-list-full.json</a> *

Brian Clarktl;dr Block the malicious domains lawliner[.]com skhm[.]org<a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/iocs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iocs</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> From: <a href="https://infosec.exchange/@threatinsight" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@threatinsight</a> <a href="https://infosec.exchange/@threatinsight/114258140244901381" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@threatinsight/114258140244901381</a>

B'ad Samurai 🐐Bingo! Lots of modern techniques were tapped in this Unit 42 Timely threat intel repo:<ul><li>Adware affiliates on South African TLD .za, routing to a CrimeFlare TDS with short-lived URL params</li><li>After expiration, they appear as benign "blogs"</li><li>MSI files are different for each download</li><li>MSI files do not work outside the infection chain</li><li>MSI download pages are all <code>.com</code> and while odd they are readable word combinations.</li><li><code>Win+R</code> ClickFix technique, but in this case they are loading <code>curl</code> which in PS5 is an alias of <code>Invoke-WebRequest</code>. This can be seen with <code>gal -Definition Invoke-WebRequest</code> <code>wget</code> is also an alias and were removed in v7.</li></ul><a href="https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/ef284c86b45e329415e45bb2c38cc5c628bbbd49/2025-03-31-IOCs-for-evasive-campaign-pushing-Legion-Loader.txt" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/ef284c86b45e329415e45bb2c38cc5c628bbbd49/2025-03-31-IOCs-for-evasive-campaign-pushing-Legion-Loader.txt</a><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/blockthis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#blockthis</a> <a href="https://infosec.exchange/tags/clickfix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#clickfix</a> <a href="https://infosec.exchange/tags/powershell" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#powershell</a>

RF WaveSecurity researchers reveal hackers abusing <a href="https://mstdn.ca/tags/WordPress" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WordPress</a> MU-plugins to hide malicious codeMU-plugins run on every page, which is a good target for attackers. Researchers discovered three types of code used by attackers: redirect to malicious site, backdoor, and hijack content and links.Administrators are advised to remove unused plugins, update plugins as they are released, and protect high-privilege accounts with strong passwords and MFA<a href="https://mstdn.ca/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://mstdn.ca/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a><a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-wordpress-mu-plugins-to-hide-malicious-code/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/hackers-abuse-wordpress-mu-plugins-to-hide-malicious-code/</a>

cR0w :cascadia:Following up on the scanning and password spraying that <a href="https://mastodon.social/@hrbrmstr" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@hrbrmstr</a> and <a href="https://infosec.exchange/@greynoise" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@greynoise</a> have posted about today, I combined a list of IPs I'm seeing going after Palo Alto GlobalProtect with the Greynoise lists:<a href="https://cascadiacrow.com/globalprotectips.txt" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://cascadiacrow.com/globalprotectips.txt</a>I also have a list of usernames attempted by those various IP addresses:<a href="https://cascadiacrow.com/globalprotectusernames.txt" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://cascadiacrow.com/globalprotectusernames.txt</a><a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatIntel</a> <a href="https://infosec.exchange/tags/gayInt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#gayInt</a>

cR0w :cascadia:I have no idea if it's related at all to what <a href="https://mastodon.social/@hrbrmstr" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@hrbrmstr</a> has been seeing and talking about, but now that he has me <del>looking</del> Vibe Thrunting, I'm seeing a new-to-me wordlist being thrown at various PAN devices on the Internet from AS262287 and AS212238 the past few days.<a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatIntel</a> <a href="https://infosec.exchange/tags/gayInt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#gayInt</a>

Recent searches

Search options

Administered by:

Server stats:

#ThreatIntel