toot.wales is one of the many independent Mastodon servers you can use to participate in the fediverse.
We are the Open Social network for Wales and the Welsh, at home and abroad! The independent social network for Wales, powered by Mastodon!


#threatintel


Alright, I'm really bloody excited about this. I have just published the likely final iteration of the first version of my cybersecurity weekly summary, affectionately referred to as the Cyber Sunday.

This, I dare say, is pretty fucking awesome. I really am super proud of this. There is a TON of work behind the scenes to produce it, and it gives me enormous satisfaction to see the results of my efforts come together like this.

Yeah, I'm likely very biased ;-)

This is what will soon be provided to all current Cyber Espresso users on a regular basis.

I've published it on my personal blog to allow some easy referencing and show-casing of "what it is".

cstromblad.com/posts/cyber-esp

STRÖMBLAD · BETA - Cyber Espresso Sunday - Week 27: This is the first, fully automated production of a cybersecurity weekly summary which I affectionately refer to as the Cyber Sunday. This production is meant to summarize, categorize and reference articles from the last 7 days, intended to be published on, you guessed it, Sundays. Curious?

Unit42 has a good write-up on some ITW Tomcat and Camel shenanigans exploiting CVE-2025-24813, CVE-2025-27636, and CVE-2025-29891. IOCs in the post.

But does anyone know if this is a typo in the article or if there are actual files with the .sesson extension? Seems like a good indicator to search on if it's not a typo.

As noted in our earlier analysis, exploits for CVE-2025-24813 use a name appended by .sesson in the initial HTTP request. This .session file contains the code the vulnerable host will run if an exploit is successful.

Edit: Confirmed typo per this response: infosec.exchange/@0xThiebaut/1

unit42.paloaltonetworks.com/ap

Infosec Exchange · Maxime Thiebaut (@0xThiebaut@infosec.exchange): @cR0w That's a confirmed typo
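The indicator discussed above (the attacker's first request names a resource ending in ".session", once the typo is corrected) is easy to hunt for in Tomcat access logs. The script below is an added example, not code from the Unit42 write-up or from anyone in the thread. It assumes Tomcat's default "common" access-log format; the ten-minute follow-on window and the severity labels are assumptions of the example, and the sample log lines are constructed. The `.sesson` line is included on purpose to show that the typo variant is not matched.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The indicator from the write-up, with the typo corrected: the resource
# named in the attacker's first request ends in ".session".
SESSION_SUFFIX = re.compile(r'\.session$', re.IGNORECASE)

# How long after the .session request we look for a trigger request
# from the same source (assumption of this example).
FOLLOW_ON_WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].split("?", 1)[0]          # drop query string
    rec["basename"] = rec["path"].rsplit("/", 1)[-1]       # last path segment
    return rec


def hunt(lines: List[str]) -> List[Dict]:
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])
    findings = []
    for i, rec in enumerate(records):
        if not SESSION_SUFFIX.search(rec["basename"]):
            continue
        # Later requests from the same source inside the window: a write
        # followed by another request is the "plant it, then trigger it" shape.
        follow_on = [
            r for r in records[i + 1:]
            if r["src"] == rec["src"] and r["ts"] - rec["ts"] <= FOLLOW_ON_WINDOW
        ]
        findings.append({
            "src": rec["src"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            # A PUT is the write that plants the file; anything else is at
            # most recon and gets a lower severity.
            "severity": "high" if rec["method"] == "PUT" else "medium",
            "follow_on_requests": len(follow_on),
        })
    return findings


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2025:03:14:07 +0000] "PUT /x.session HTTP/1.1" 201 -',
    '10.0.0.5 - - [02/Jul/2025:03:14:09 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '192.0.2.10 - - [02/Jul/2025:03:20:00 +0000] "GET /docs/session-howto.html HTTP/1.1" 200 8192',
    '172.16.0.2 - - [02/Jul/2025:03:30:00 +0000] "PUT /y.sesson HTTP/1.1" 201 -',
    '198.51.100.7 - - [02/Jul/2025:04:00:00 +0000] "PUT /upload/report.pdf HTTP/1.1" 201 -',
    '203.0.113.9 - - [02/Jul/2025:05:00:00 +0000] "GET /foo.session HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Matching on the last path segment only avoids false hits on directories or documents that merely contain the word "session"; the second finding (a GET of a `.session` name from another source) is kept at medium because it is consistent with someone probing, not writing.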

So y'all remember that Treasury OFAC sanction against Aeza Group like a month ago yesterday? If you want to block some IP ranges, I got you. ASNs should be enough but firewall vendors still suck and generally don't allow blocking by ASNs.

AS216246 - Aeza Group, LLC

AS210644 - Aeza International Ltd

IPv4 network list: cascadiacrow.com/aeza4.txt

IPv6 network list: cascadiacrow.com/aeza6.txt

Of course it's a good idea to verify the addresses instead of trusting a random crow on the Internet. You never know when all of Cloudflare or Google might slip into a block list. Or I completely fat finger things. Again.
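Since most firewalls only take prefixes rather than ASNs, the practical workflow is: pull the prefix list, sanity-check it, aggregate it, and render it into the firewall's own format. The script below is an added example of that check and is not cR0w's tooling or the contents of aeza4.txt / aeza6.txt. It assumes one CIDR per line with optional `#` comments; the "too broad" thresholds and the protected ranges are assumptions of the example, and the sample list is constructed from documentation prefixes.

```python
import ipaddress
from typing import Dict, List

# Widest prefix accepted from a third-party list without a human looking
# at it (thresholds are assumptions of this example).
MAX_SPAN = {4: 16, 6: 32}

# Constructed stand-ins for ranges you must never block: your own
# infrastructure, CDNs and SaaS you depend on. Replace with real ones.
PROTECTED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]


def check_prefix_list(text: str) -> Dict[str, list]:
    """Parse one-CIDR-per-line text; return accepted (aggregated) and rejected entries."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()      # allow trailing comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            rejected.append((lineno, entry, f"unparsable: {exc}"))
            continue
        if net.prefixlen < MAX_SPAN[net.version]:
            rejected.append((lineno, entry, f"too broad: /{net.prefixlen}"))
            continue
        clash = next((p for p in PROTECTED
                      if p.version == net.version and net.overlaps(p)), None)
        if clash is not None:
            rejected.append((lineno, entry, f"overlaps protected {clash}"))
            continue
        accepted.append(net)
    # Merge duplicates, covered prefixes and adjacent halves.
    v4 = ipaddress.collapse_addresses(n for n in accepted if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in accepted if n.version == 6)
    return {"ok": list(v4) + list(v6), "rejected": rejected}


def to_nft_sets(nets: List, name: str = "aeza") -> str:
    """Render nftables interval sets; reference them with 'ip saddr @aeza_v4 drop'."""
    out = []
    for version, typ in ((4, "ipv4_addr"), (6, "ipv6_addr")):
        elems = ", ".join(str(n) for n in nets if n.version == version)
        if elems:
            out.append(f"set {name}_v{version} {{ type {typ}; flags interval; elements = {{ {elems} }} }}")
    return "\n".join(out)


# Constructed sample list; not the contents of aeza4.txt / aeza6.txt.
SAMPLE_LIST = """\
# constructed example input
192.0.2.0/24
192.0.2.0/25         # covered by the /24 above
198.51.100.0/25
198.51.100.128/25    # adjacent to the previous /25, merges to a /24
203.0.113.0/24       # overlaps a protected range
10.0.0.0/8           # far too broad to take on trust
not-a-prefix
2001:db8:2::/48
2001:db8:1::/48      # overlaps the protected v6 range
"""

if __name__ == "__main__":
    result = check_prefix_list(SAMPLE_LIST)
    for item in result["rejected"]:
        print("REJECT", item)
    print(to_nft_sets(result["ok"]))
```

Anything rejected goes to a human rather than silently into the set; a whole /8, or a prefix that overlaps your CDN, is exactly the "all of Cloudflare slips into a block list" case the post warns about. Whether a prefix really belongs to the named ASN still needs an online check against routing data, which this offline script does not do.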

Some invaders like to operate silently, using anti-analysis techniques to remain undetected. Understanding these methods is crucial for defenders who want to identify and stop those stealthy activities.

Kyle Cucci offers that understanding, providing practical knowledge for those in the field.

World UFO Day Flash Sale today – Get Evasive Malware 35% off with code LITTLEGREYMEN - Ends Midnight PT

a russian hosting service that takes payment in crypto, Aeza Group, was just hit with #OFAC sanctions.

they've sent funds to a bunch of the shadiest crypto exchanges - #Cryptomus, #MEXC, #Binance, and (of course) #HTX, the crypto exchange run by the business partner of the president of the united states.

also looks like they took payment in #Tether, the #stablecoin whose money is managed by america's secretary of commerce howard lutnick.

* OFAC press release: ofac.treasury.gov/recent-actio
* Wallet: intel.arkm.com/explorer/addres


Okay, I spent some time going through some of my MOVEit logs and I think I see at least part of what's going on with the increase in MOVEit scans noted by @greynoise.

One thing I have noticed is a group of GCP hosts performing high volume scans against the MOVEit servers every seven days, but not against adjacent servers or other servers for the same orgs. This kind of makes it look targeted but the scans are generic kitchen sink vuln scans.

I did notice that some of these and other scanners I've seen over the past few months now have a couple of requests that appear to be testing for CVE-2023-34362 mixed into their other requests. It's like they loaded their automated scanners with updated payload lists.

There are a lot of Cloudflare and AWS IPs in the logs, as indicated by GreyNoise in their blog post. There are not a lot of unique Google IPs but I'm seeing a ton of noise from the ones I do see. But only every seven days. The servers I have logs for all block Tencent so I can't confirm the activity from their infrastructure.

I have also put my juicy eyes on every single GET and POST sent to these MOVEit Transfer servers for the past 60 days and I do not see any payloads that appear to be new or novel. That's not to say there isn't anything new going on, but I'm now comfortable with treating MOVEit servers with the same concern as before the GreyNoise blog post as I don't see any indication of impending action. There may be some WAF or rate limit or geolocation filter testing going on that's disguised as generic scans, but I have no evidence to suggest that's the case.

Caveat: I have relatively low visibility into what's going on at scale like GreyNoise does so take this with a grain of salt and if it's of interest, go confirm it yourself. This is intended to be informational, not actionable.
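The "same hosts, high volume, every seven days" pattern described above is something you can pull out of your own logs mechanically: group hits by source and day, keep the days with real volume, and look for a constant gap between them. The script below is an added example and is not the poster's tooling or data. It assumes IIS W3C logs reduced to `date time c-ip cs-method cs-uri-stem`; the volume threshold, and the two watch paths (taken from public reporting on CVE-2023-34362, not from the post), are assumptions of the example, and the log is constructed.

```python
from collections import defaultdict
from datetime import date
from typing import Dict, Iterator, List, Tuple

# Paths that public write-ups tie to CVE-2023-34362 exploitation attempts.
# Taken from public reporting, not from the post above; treat as an
# assumption of this example and extend from your own sources.
WATCH_PATHS = ("/moveitisapi/moveitisapi.dll", "/human2.aspx")


def parse(lines: List[str]) -> Iterator[Tuple[date, str, str, str]]:
    """Reduced IIS W3C fields: date time c-ip cs-method cs-uri-stem."""
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        day, _time, ip, method, uri = line.split()[:5]
        yield date.fromisoformat(day), ip, method, uri


def cadence_report(lines: List[str], min_days: int = 3, min_hits_per_day: int = 50) -> List[Dict]:
    """Sources that hit hard on at least min_days days, all spaced the same number of days apart."""
    hits_per_day = defaultdict(lambda: defaultdict(int))
    watch_hits = defaultdict(int)
    for day, ip, _method, uri in parse(lines):
        hits_per_day[ip][day] += 1
        if uri.lower().startswith(WATCH_PATHS):
            watch_hits[ip] += 1
    report = []
    for ip, days in hits_per_day.items():
        busy = sorted(d for d, n in days.items() if n >= min_hits_per_day)
        if len(busy) < min_days:
            continue
        gaps = {(b - a).days for a, b in zip(busy, busy[1:])}
        if len(gaps) != 1:
            continue                      # irregular; not a scheduled job
        report.append({
            "src": ip,
            "period_days": gaps.pop(),
            "active_days": len(busy),
            "hits": sum(days[d] for d in busy),
            "watch_hits": watch_hits[ip],
        })
    return sorted(report, key=lambda r: -r["period_days"])


def build_sample() -> List[str]:
    """Constructed log, not the poster's data."""
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem"]
    # A scanner that comes back every Sunday with a kitchen-sink probe list.
    for day in ("2025-05-04", "2025-05-11", "2025-05-18", "2025-05-25"):
        for i in range(80):
            lines.append(f"{day} 02:{i // 60:02d}:{i % 60:02d} 203.0.113.50 GET /probe/{i}")
    # One CVE-2023-34362-shaped request mixed into the second visit.
    lines.append("2025-05-11 02:05:00 203.0.113.50 POST /moveitisapi/moveitisapi.dll")
    # A daily crawler: regular too, but with a one-day period.
    for day in ("2025-05-10", "2025-05-11", "2025-05-12"):
        for i in range(60):
            lines.append(f"{day} 09:{i // 60:02d}:{i % 60:02d} 192.0.2.7 GET /")
    # Low-volume background noise on irregular days.
    for day in ("2025-05-05", "2025-05-06", "2025-05-20"):
        lines.append(f"{day} 10:00:00 198.51.100.9 GET /")
    return lines


if __name__ == "__main__":
    for row in cadence_report(build_sample()):
        print(row)
```

The period is reported rather than hard-coded to seven so the same pass also surfaces daily or fortnightly jobs; `watch_hits` is the "updated payload list" signal, a count of exploit-shaped requests riding along with the generic scan. As the post says, this tells you a scanner is scheduled, not that it is targeted at you.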

Scattered Spider hackers shift focus to aviation, transportation firms

If you work in aviation or transportation, LISTEN

  • Scattered Spider is actively targeting your industry.
  • They are using trycloudflare.com to deliver Chisel, a FOSS encrypted reverse proxy.

ACTION ITEMS:

  • block trycloudflare.com by FQDN.
  • make sure you are using IPS or app signatures on your firewalls to detect the chisel traffic.

NOTE: Chisel is encrypted, so you need to be doing full SSL inspection (TLSI) to effectively detect and block the app.

Additional Resources:

Please don't let this fuck up your 4th.
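One caveat worth checking on the "block trycloudflare.com by FQDN" action item: a Cloudflare quick tunnel lives at a hostname under that domain (random words dot trycloudflare.com), so a rule that matches only the exact name never fires. The script below is an added example, not from the post, showing the weak exact match beside the label-wise suffix match, and the matching RPZ records for a resolver. The sample resolver queries are constructed.

```python
from typing import Iterable, List, Set, Tuple

# Domains to block. A quick tunnel hostname is <random-words>.trycloudflare.com,
# so the apex alone is useless unless the match covers every label below it.
BLOCKED: Set[str] = {"trycloudflare.com"}


def normalize(qname: str) -> str:
    return qname.strip().rstrip(".").lower()


def exact_match(qname: str, blocked: Set[str] = BLOCKED) -> bool:
    """The weak form: fires only on the apex itself."""
    return normalize(qname) in blocked


def suffix_match(qname: str, blocked: Set[str] = BLOCKED) -> bool:
    """Label-wise suffix match: blocks the apex and everything under it,
    without the str.endswith() mistake of also catching 'nottrycloudflare.com'."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def scan(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (client, qname) pairs that hit the block list."""
    return [(client, qname) for client, qname in records if suffix_match(qname)]


def rpz_records(blocked: Set[str] = BLOCKED) -> str:
    """Response Policy Zone records (BIND/Unbound): apex plus wildcard."""
    lines = []
    for domain in sorted(blocked):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines)


# Constructed resolver log: (client, queried name), not real traffic.
SAMPLE_QUERIES = [
    ("10.1.1.5", "quiet-lamp-fuzzy-cat.trycloudflare.com."),
    ("10.1.1.5", "TRYCLOUDFLARE.COM"),
    ("10.1.1.7", "nottrycloudflare.com"),
    ("10.1.1.9", "example.com"),
]

if __name__ == "__main__":
    for client, qname in scan(SAMPLE_QUERIES):
        print(f"{client} -> {qname}")
    print(rpz_records())
```

Run this over your resolver logs to find hosts that already resolved a tunnel name, and load the RPZ records (or the equivalent wildcard entry in your firewall's FQDN object) to block the domain going forward. This does nothing for the Chisel traffic itself, which is why the post pairs the DNS block with IPS signatures and TLS inspection.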
