okla.social is one of the many independent Mastodon servers you can use to participate in the fediverse.

#threatintel

21 posts · 20 participants · 0 posts today

I just published the source code for my very naive #Python implementation for generating a node network based on MITRE Intrusion Sets and Techniques. It will output linked #Markdown files linking intrusion sets to their used techniques.

Perhaps someone finds it useful or interesting to experiment with.

Source code: github.com/cstromblad/markdown

I hinted at this in a thread started by @Viss where he asked for input on a few very likely malicious domains. @Viss, @cR0w, @neurovagrant, others and I did some fun OSINT work with a couple of the original domains.

It was this thread: mastodon.social/@Viss/11414512

Now I posted a picture of a node network rendered in Obsidian and I hinted that perhaps Obsidian could be used as a poor man's version of performing threat intelligence work.
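The post describes generating linked Markdown notes from MITRE intrusion sets and their techniques so that Obsidian draws the network. The following is an added example of that idea, not the author's published code: it takes a constructed ATT&CK-like STIX bundle (two placeholder groups; the technique IDs T1566 and T1219 are real ATT&CK IDs) and emits one note per group and per technique, linked in both directions with wiki-links. The assumption that the input follows the object and relationship shapes of the ATT&CK STIX 2.x export is the example's, not the post's.

```python
"""
Added example: build an Obsidian-style network of Markdown notes from
ATT&CK-like STIX objects, linking each intrusion set to the techniques it uses.
The bundle below is constructed and mirrors the object/relationship shapes of
the ATT&CK STIX 2.x export (an assumption of this example).
"""
import re
from pathlib import Path

SAMPLE_BUNDLE = {
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--0001", "name": "Example Group A"},
        {"type": "intrusion-set", "id": "intrusion-set--0002", "name": "Example Group B"},
        {"type": "attack-pattern", "id": "attack-pattern--1001", "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "attack-pattern", "id": "attack-pattern--1002", "name": "Remote Access Software",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1219"}]},
        {"type": "relationship", "id": "relationship--0001", "relationship_type": "uses",
         "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--1001"},
        {"type": "relationship", "id": "relationship--0002", "relationship_type": "uses",
         "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--1002"},
        {"type": "relationship", "id": "relationship--0003", "relationship_type": "uses",
         "source_ref": "intrusion-set--0002", "target_ref": "attack-pattern--1002"},
        # Revoked relationships stay in the export and must be skipped.
        {"type": "relationship", "id": "relationship--0004", "relationship_type": "uses",
         "revoked": True, "source_ref": "intrusion-set--0002", "target_ref": "attack-pattern--1001"},
    ]
}


def technique_id(attack_pattern):
    """Pull the Txxxx identifier out of the object's mitre-attack reference."""
    for ref in attack_pattern.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_graph(bundle):
    """Map each intrusion-set name to the sorted labels of the techniques it uses."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    graph = {o["name"]: set() for o in bundle["objects"]
             if o["type"] == "intrusion-set" and not o.get("revoked")}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses" or rel.get("revoked"):
            continue
        src, dst = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if not src or not dst or src["type"] != "intrusion-set" or dst["type"] != "attack-pattern":
            continue  # ignore malware->technique and other edge kinds
        graph.setdefault(src["name"], set()).add(f"{technique_id(dst)} {dst['name']}")
    return {group: sorted(techs) for group, techs in graph.items()}


def safe_name(label):
    """Replace characters Obsidian does not accept in note names."""
    return re.sub(r'[\\/:*?"<>|#^\[\]]', "-", label).strip()


def render_notes(graph):
    """Return {filename: markdown}; wiki-links in both directions feed the graph view."""
    notes, used_by = {}, {}
    for group, techs in graph.items():
        lines = [f"# {group}", "", "#intrusion-set", "", "## Techniques used", ""]
        for t in techs:
            lines.append(f"- [[{safe_name(t)}]]")
            used_by.setdefault(t, []).append(group)
        notes[f"{safe_name(group)}.md"] = "\n".join(lines) + "\n"
    for t, groups in used_by.items():
        lines = [f"# {t}", "", "#technique", "", "## Used by", ""]
        lines += [f"- [[{safe_name(g)}]]" for g in sorted(groups)]
        notes[f"{safe_name(t)}.md"] = "\n".join(lines) + "\n"
    return notes


def write_vault(notes, out_dir):
    """Write the notes into a folder that can be opened as an Obsidian vault."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for fname, body in notes.items():
        (out / fname).write_text(body, encoding="utf-8")
    return len(notes)


if __name__ == "__main__":
    count = write_vault(render_notes(build_graph(SAMPLE_BUNDLE)), "attack-vault")
    print("notes written:", count)
```

Pointing the same functions at a real `enterprise-attack.json` bundle is a matter of loading it with `json.load` and passing it to `build_graph`; the revoked check matters there because the export keeps deprecated relationships.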

Threat actors often have their favorite TLDs. This month we've found the following TLDs to have the highest risk. The top 5 retain their spot from last month, with the TLD .bond topping the chart with a risk score of 10. This is rare and only happens when the percentage of risky domains is at least 4.5 standard deviations above the mean. Congratulations, I guess?

An explanation and minimum-working-example of our reputation algorithm can be found here: blogs.infoblox.com/threat-inte
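The post states one concrete property of the scoring: a TLD only reaches a score of 10 when its share of risky domains is at least 4.5 standard deviations above the mean across TLDs. The block below is an added illustration of that rule using a population z-score; it is not Infoblox's algorithm, the observation counts are constructed, and the linear mapping from z-score to a 0..10 score is an assumption made for the example.

```python
"""
Added example: z-score based TLD risk scoring, illustrating the stated rule
that the maximum score of 10 needs a risky-domain share >= 4.5 standard
deviations above the mean. Data is constructed; the score mapping is assumed.
"""
from statistics import mean, pstdev

MAX_SCORE = 10
MAX_SCORE_Z = 4.5  # threshold quoted in the post

# Constructed observations: tld -> (domains observed, domains flagged risky).
# 39 ordinary TLDs with 0.5% to 1.5% risky domains, plus one outlier at 20%.
OBSERVATIONS = {f"tld{i:02d}": (2000, 10 + 5 * (i % 5)) for i in range(39)}
OBSERVATIONS["outlier-tld"] = (2000, 400)


def risky_share(observations):
    """Percentage of observed domains flagged risky, per TLD."""
    return {tld: 100.0 * risky / total
            for tld, (total, risky) in observations.items() if total > 0}


def z_scores(shares):
    """Population z-score of each TLD's risky share against all TLDs."""
    values = list(shares.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:  # every TLD identical: nothing stands out
        return {tld: 0.0 for tld in shares}
    return {tld: (v - mu) / sigma for tld, v in shares.items()}


def risk_score(z):
    """Assumed linear mapping: 0 at or below the mean, 10 once z >= 4.5."""
    return max(0, min(MAX_SCORE, round(MAX_SCORE * z / MAX_SCORE_Z)))


def score_tlds(observations):
    """tld -> (z-score rounded to two decimals, integer risk score)."""
    return {tld: (round(z, 2), risk_score(z))
            for tld, z in z_scores(risky_share(observations)).items()}


def top_n(observations, n=5):
    """The n highest-risk TLDs, most risky first."""
    ranked = sorted(score_tlds(observations).items(), key=lambda kv: kv[1][0], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    for tld, (z, score) in top_n(OBSERVATIONS):
        print(f"{tld:12s} z={z:5.2f} score={score}")
```

With a single outlier the z-score is bounded by the square root of the number of TLDs minus one, so a small sample can never reach 4.5 no matter how extreme the outlier; the threshold only makes sense over many TLDs, which is why the constructed set has forty.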

Looks like there is some good human manipulation, er, "social engineering" lately using a pretext of looking for security work and sending links through weird domains that redirect to calendly links for what I assume is an opportunity to continue the con. For now, I would BOLO URIs with ?redirectTo=https://calendly.com/* in the parameters. I can't say they're necessarily malicious, but I would certainly scrutinize them and the domain you see them redirected from, especially if the original subdomain is t or trk.
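The pattern above (a `redirectTo` parameter pointing at calendly.com, often from a `t` or `trk` subdomain) is concrete enough to turn into a log check. The block below is an added example, not the poster's tooling: it parses URLs out of constructed proxy-style log lines, decodes the query string so percent-encoded targets are caught too, and reports which hits also come from one of the named subdomain labels. The sample lines and the `.test` hostnames are constructed.

```python
"""
Added example: flag URLs whose query redirects to calendly.com and note whether
the redirecting host sits under a 't' or 'trk' subdomain, as described in the
post. Log lines and hostnames below are constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

REDIRECT_PARAM = "redirectTo"            # parameter named in the post
REDIRECT_TARGET = "calendly.com"         # target named in the post
SUSPECT_SUBDOMAIN_LABELS = {"t", "trk"}  # subdomain labels named in the post

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed log lines in a generic key=value format.
SAMPLE_LOG = [
    '2025-03-11T09:12:03Z user=alice url="https://trk.example-tracker.test/c?redirectTo=https%3A%2F%2Fcalendly.com%2Frecruiter-handle%2F30min"',
    '2025-03-11T09:15:44Z user=bob url="https://t.example-tracker.test/l?redirectTo=https://calendly.com/some-handle/intro"',
    '2025-03-11T09:20:10Z user=carol url="https://www.example.test/docs?redirectTo=https://www.example.test/home"',
    '2025-03-11T09:22:51Z user=dave url="https://calendly.com/legit-direct-link"',
]


def _is_target(value):
    """True if the value is a URL whose host is calendly.com or a subdomain of it."""
    host = (urlparse(value).hostname or "").lower()
    return host == REDIRECT_TARGET or host.endswith("." + REDIRECT_TARGET)


def inspect_url(url):
    """Return a finding dict when the URL matches the pattern, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # parse_qs percent-decodes values, so encoded and plain targets are handled alike.
    query = parse_qs(parsed.query, keep_blank_values=True)
    targets = [v for key, values in query.items()
               if key.lower() == REDIRECT_PARAM.lower()
               for v in values if _is_target(v)]
    if not targets:
        return None
    first_label = host.split(".")[0] if host else ""
    return {
        "url": url,
        "redirect_host": host,
        "redirect_targets": targets,
        "suspect_subdomain": first_label in SUSPECT_SUBDOMAIN_LABELS,
    }


def scan_lines(lines):
    """Scan log lines for URLs matching the pattern; returns the findings in order."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            finding = inspect_url(url)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        flag = "SUSPECT-SUBDOMAIN" if f["suspect_subdomain"] else "review"
        print(f"[{flag}] {f['redirect_host']} -> {f['redirect_targets'][0]}")
```

A direct calendly.com link with no redirect (the last sample line) is deliberately not flagged; the point is the redirector in front of it, as the post says.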

Replied to Brian Clark

@deepthoughts10 @threatinsight Bluetrait doesn’t appear to be on LOLRMM yet, I’ll try to submit it for addition.

Further to Brian’s excellent recommendation, I strongly recommend taking all the LOLRMM domains and file installation paths and running a baseline search against your environment, identify/allowlist authorized RMM solutions used, and hard blocking the rest. Since most TAs use the legitimate stock binaries, security teams can score quick wins with this method.

Work with your IT helpdesk teams to identify which RMM tool they use when you inevitably start seeing RMM usage in your logs. RMM usage is unfortunately more prevalent than one would guess, malicious or not. Think third party vendor troubleshooting calls, rogue employee installs, and random driveby RMM connections when users search for help via their favorite search engine.

Finally, don’t count out remote session takeovers using MS Teams, Zoom, and other collaboration tools. DPRK remote IT workers will use this functionality to remotely control devices they aren’t sitting in front of. Recommend checking your org’s official collab tool of choice for remote control functionality and turning it off at the org level, if possible. Otherwise, detection engineering for use and abuse of a legitimate application feature used by thousands in your org is like searching for needles in the proverbial haystack.

lolrmm.io/
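The baseline search recommended above (match RMM domains and install paths against your logs, allowlist the tools the helpdesk actually uses, surface the rest) looks like this in code. This is an added example, not LOLRMM's own data or tooling: the indicator set uses placeholder tool names and `.test` domains rather than the catalogue's real entries, the event records are constructed, and the catalogue's file format is not reproduced.

```python
"""
Added example: baseline search of RMM indicators (domains, install paths)
against DNS and process-creation events, split into authorized and
unauthorized tools. Indicators and events are constructed placeholders.
"""
from collections import defaultdict

# Constructed indicator set; tool names and domains are placeholders, not LOLRMM entries.
RMM_INDICATORS = {
    "ExampleRMM-A": {"domains": ["example-rmm-a.test"],
                     "paths": ["\\ExampleRMM-A\\agent.exe"]},
    "ExampleRMM-B": {"domains": ["example-rmm-b.test"],
                     "paths": ["\\ExampleRMM-B\\service.exe"]},
    "ExampleRMM-C": {"domains": ["example-rmm-c.test"],
                     "paths": ["\\ExampleRMM-C\\agent.exe"]},
}

# Constructed events as a SIEM might hand them over: DNS queries and process starts.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-012", "image": r"C:\Program Files\ExampleRMM-A\agent.exe"},
    {"type": "dns", "host": "WS-012", "query": "relay.example-rmm-a.test"},
    {"type": "process", "host": "WS-044", "image": r"C:\ProgramData\ExampleRMM-B\service.exe"},
    {"type": "dns", "host": "WS-044", "query": "relay.example-rmm-b.test."},
    {"type": "dns", "host": "SRV-03", "query": "update.example-rmm-c.test"},
    {"type": "process", "host": "WS-101", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "dns", "host": "WS-101", "query": "notexample-rmm-a.test"},  # must not match on suffix alone
]


def normalize_path(path):
    """Case-insensitive, backslash-only form so indicators and images compare alike."""
    return path.replace("/", "\\").lower()


def match_tool(event):
    """Name of the RMM tool an event points at, or None."""
    if event["type"] == "dns":
        query = event["query"].lower().rstrip(".")  # drop trailing dot of FQDNs
        for tool, ind in RMM_INDICATORS.items():
            for domain in ind["domains"]:
                domain = domain.lower()
                if query == domain or query.endswith("." + domain):
                    return tool
    elif event["type"] == "process":
        image = normalize_path(event["image"])
        for tool, ind in RMM_INDICATORS.items():
            if any(normalize_path(p) in image for p in ind["paths"]):
                return tool
    return None


def baseline(events, allowlist):
    """Hosts seen per tool, split by whether the tool is on the allowlist."""
    seen = defaultdict(set)
    for event in events:
        tool = match_tool(event)
        if tool:
            seen[tool].add(event["host"])
    report = {"authorized": {}, "unauthorized": {}}
    for tool, hosts in seen.items():
        bucket = "authorized" if tool in allowlist else "unauthorized"
        report[bucket][tool] = sorted(hosts)
    return report


if __name__ == "__main__":
    result = baseline(SAMPLE_EVENTS, allowlist={"ExampleRMM-A"})
    for tool, hosts in result["unauthorized"].items():
        print(f"UNAUTHORIZED {tool}: {', '.join(hosts)}")
    for tool, hosts in result["authorized"].items():
        print(f"authorized   {tool}: {', '.join(hosts)}")
```

Domain matching requires an exact label boundary (`query == domain` or a `.domain` suffix) so that a lookalike such as `notexample-rmm-a.test` does not count as a hit; the same care applies when the indicator list is loaded from a real catalogue.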

After seeing this recent @TrendMicro investigation, I have found many other GitHub repositories actively delivering SmartLoader.

trendmicro.com/en_us/research/

For more context, SmartLoader is a Lua-written loader distributed since early 2024. In recent campaigns, threat actors have been creating new GitHub repositories populated with an AI generated README and filled with fake backdated commits. I have also observed the same payloads being distributed via inactive repositories. These repositories are typically forked, with a new release containing SmartLoader ultimately added.

See on GitHub an additional list of IoCs that complements the initial report.

github.com/cert-orangecyberdef

Trend Micro · AI Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
In this blog entry, we uncovered a campaign that uses fake GitHub repositories to distribute SmartLoader, which is then used to deliver Lumma Stealer and other malicious payloads. The campaign leverages GitHub’s trusted reputation to evade detection, using AI-generated content to make fake repositories appear legitimate.
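Two of the repository traits described above (commits backdated to before the repository existed, and forks of long-inactive projects that suddenly gain a release) can be checked from repository metadata alone. The block below is an added example of such a triage, not the reporter's or Trend Micro's method: the repository records are constructed, their field names only loosely follow GitHub's REST API, and the one-year inactivity threshold is an assumption.

```python
"""
Added example: metadata heuristics for the repository patterns described in
the post (backdated commits; forks of inactive upstreams that gain a release).
Records are constructed; field names loosely follow GitHub's REST API;
thresholds are assumptions.
"""
from datetime import datetime


def parse_ts(value):
    """ISO-8601 with a Z suffix, as GitHub returns it, to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed repository records.
SAMPLE_REPOS = [
    {   # brand-new repo whose history claims to be years old
        "full_name": "constructed-user/fresh-tool",
        "created_at": "2025-02-20T10:00:00Z",
        "fork": False,
        "commits": [
            {"sha": "c1", "author_date": "2023-06-01T12:00:00Z"},
            {"sha": "c2", "author_date": "2024-01-15T08:00:00Z"},
            {"sha": "c3", "author_date": "2025-02-20T10:05:00Z"},
        ],
        "releases": [{"tag": "v1.0", "published_at": "2025-02-21T09:00:00Z", "assets": ["Tool-Setup.zip"]}],
    },
    {   # fork of an upstream untouched since 2021, with a fresh release bolted on
        "full_name": "constructed-user/old-library",
        "created_at": "2025-03-01T14:00:00Z",
        "fork": True,
        "parent_pushed_at": "2021-11-03T00:00:00Z",
        "commits": [],  # nothing committed on top of upstream
        "releases": [{"tag": "v2.1", "published_at": "2025-03-02T11:00:00Z", "assets": ["Release.zip"]}],
    },
    {   # ordinary project: history starts after creation, release months later
        "full_name": "constructed-user/honest-project",
        "created_at": "2022-05-10T00:00:00Z",
        "fork": False,
        "commits": [{"sha": "h1", "author_date": "2022-05-10T01:00:00Z"}],
        "releases": [{"tag": "v0.1", "published_at": "2022-06-01T00:00:00Z", "assets": ["project-0.1.tar.gz"]}],
    },
]


def backdated_commits(repo):
    """SHAs whose author date precedes repository creation.
    A signal, not proof: imports and mirrors legitimately carry old dates."""
    created = parse_ts(repo["created_at"])
    return [c["sha"] for c in repo["commits"] if parse_ts(c["author_date"]) < created]


def release_only_fork(repo):
    """Fork with no commits of its own that nevertheless publishes a release with assets."""
    has_assets = any(r["assets"] for r in repo.get("releases", []))
    return bool(repo.get("fork")) and not repo["commits"] and has_assets


def stale_upstream(repo, max_idle_days=365):
    """Fork whose upstream had been idle for more than max_idle_days when the fork was made."""
    if not repo.get("fork") or "parent_pushed_at" not in repo:
        return False
    idle = parse_ts(repo["created_at"]) - parse_ts(repo["parent_pushed_at"])
    return idle.days > max_idle_days


def triage(repo):
    """Human-readable signals for one repository; an empty list means nothing stood out."""
    signals = []
    backdated = backdated_commits(repo)
    if backdated:
        signals.append(f"{len(backdated)} of {len(repo['commits'])} commits authored before repo creation")
    if release_only_fork(repo):
        signals.append("fork with no own commits but a release carrying assets")
    if stale_upstream(repo):
        signals.append("upstream inactive for more than 365 days before the fork")
    return signals


def triage_all(repos):
    """full_name -> signals, only for repositories that raised at least one."""
    return {r["full_name"]: triage(r) for r in repos if triage(r)}


if __name__ == "__main__":
    for name, signals in triage_all(SAMPLE_REPOS).items():
        print(name)
        for s in signals:
            print("  -", s)
```

These checks rank repositories for a human to look at; a match on either heuristic is a reason to inspect the release assets before anyone in the organisation runs them, not a verdict on its own.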
Continued thread

About this X DDoS campaign: I've seen reports of attribution to Ukraine, and at least based on attack data at network level — I just don't see it. (And I should note: attribution is hard, so I am generally skeptical.)

Top contributors are 🇺🇸🇲🇽🇪🇸🇮🇹🇧🇷, and as with most botnets: very geographically distributed.

Most of the source IPs intersect with #Eleven11bot as we started seeing them on 26 February.

OK, now back to regularly scheduled skiing.