norden.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#threatintel

15 posts, 14 participants, 0 posts today
Kevin Beaumont<p>Several months after this thread, Conduent have finally filed an 8-K for a cyber incident. </p><p>They don’t say it, but it was ransomware. Ransomware group was Safepay. This is their second big ransomware incident. </p><p>The Fediverse had the thread first. </p><p> <a href="https://www.sec.gov/ix?doc=/Archives/edgar/data/1677703/000167770325000067/cndt-20250409.htm" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">sec.gov/ix?doc=/Archives/edgar</span><span class="invisible">/data/1677703/000167770325000067/cndt-20250409.htm</span></a></p><p><a href="https://cyberplace.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://cyberplace.social/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ransomware</span></a></p>
cR0w :cascadia:<p>Do you run F5 BIG-IP? If so, here's a list of a little over 7000 IPs that I've recently seen performing brute force and low-and-slow password sprays. The only intel I can share is that among the noise, it appears to be at least four distinct campaigns, two of which were tailored to the target orgs. Many of the IPs are already on block lists and known bad ASNs, but not all.</p><p><a href="https://cascadiacrow.com/f5passwordAttacks.txt" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">cascadiacrow.com/f5passwordAtt</span><span class="invisible">acks.txt</span></a></p><p><a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatIntel</span></a> <a href="https://infosec.exchange/tags/VIBINT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VIBINT</span></a> <a href="https://infosec.exchange/tags/GAYINT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GAYINT</span></a> <a href="https://infosec.exchange/tags/FURINT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FURINT</span></a></p>
Kevin Beaumont<p>Healthcare provider DaVita Inc have filed an 8-K with the SEC for an ongoing ransomware incident. </p><p><a href="https://www.sec.gov/Archives/edgar/data/927066/000119312525079593/d948299d8k.htm" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">sec.gov/Archives/edgar/data/92</span><span class="invisible">7066/000119312525079593/d948299d8k.htm</span></a></p><p><a href="https://cyberplace.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://cyberplace.social/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ransomware</span></a></p>
A bot witha.name<p>New configuration detected for DDosia. Hosts: <a href="https://social.circl.lu/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://social.circl.lu/tags/Ddosia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ddosia</span></a> <a href="https://social.circl.lu/tags/NoName" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NoName</span></a><br>* <a href="https://witha.name/data/2025-04-12_08-25-06_DDoSia-target-list-full.json" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">witha.name/data/2025-04-12_08-</span><span class="invisible">25-06_DDoSia-target-list-full.json</span></a></p>
G0rb<p><span class="h-card" translate="no"><a href="https://chaos.social/@brahms" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>brahms</span></a></span> <span class="h-card" translate="no"><a href="https://social.bund.de/@certbund" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>certbund</span></a></span> already gave notice 7 hours ago. 😜</p><p>The Easter weekend is going to be really fun :ablobcatrainbow:</p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/easter2025" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>easter2025</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/bruteforce" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bruteforce</span></a> <a href="https://infosec.exchange/tags/Yeet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yeet</span></a></p>
Ian Campbell<p>Good MORNING, folks!</p><p>I am caffeinated, and I also have brand new shiny things for you.</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@DomainTools" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>DomainTools</span></a></span> Investigations published a report this morning detailing a campaign of newly-registered domains impersonating the Google Play store and leading to deployment of the SpyNote Android RAT. No attribution available, but significant Chinese-language connections.</p><p><a href="https://masto.deoan.org/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://masto.deoan.org/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://masto.deoan.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> </p><p><a href="https://dti.domaintools.com/newly-registered-domains-distributing-spynote-malware/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dti.domaintools.com/newly-regi</span><span class="invisible">stered-domains-distributing-spynote-malware/</span></a></p>
A bot witha.name<p>New configuration detected for DDosia. Hosts: <a href="https://social.circl.lu/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://social.circl.lu/tags/Ddosia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ddosia</span></a> <a href="https://social.circl.lu/tags/NoName" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NoName</span></a><br>* <a href="https://witha.name/data/2025-04-10_11-50-02_DDoSia-target-list-full.json" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">witha.name/data/2025-04-10_11-</span><span class="invisible">50-02_DDoSia-target-list-full.json</span></a><br>* <a href="https://witha.name/data/2025-04-10_11-50-02_DDoSia-target-list.csv" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">witha.name/data/2025-04-10_11-</span><span class="invisible">50-02_DDoSia-target-list.csv</span></a></p>
Tim (Wadhwa-)Brown :donor:<p>sapuid(0); // <a href="https://www.anvilsecure.com/blog/one-bug-wasnt-enough-escalating-twice-through-saps-setuid-landscape.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">anvilsecure.com/blog/one-bug-w</span><span class="invisible">asnt-enough-escalating-twice-through-saps-setuid-landscape.html</span></a></p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a>, <a href="https://infosec.exchange/tags/sap" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sap</span></a></p>
Kevin Beaumont<p>Sensata Technologies Holding plc filed an 8-K with the SEC for a ransomware attack which is remarkably honest, and pretty much the textbook example of how to do it well. <a href="https://www.sec.gov/ix?doc=/Archives/edgar/data/1477294/000147729425000047/st-20250406.htm" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">sec.gov/ix?doc=/Archives/edgar</span><span class="invisible">/data/1477294/000147729425000047/st-20250406.htm</span></a></p><p><a href="https://cyberplace.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://cyberplace.social/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ransomware</span></a></p>
Infoblox Threat Intel<p>Going to RSA? We’re giving a 2-hour hands-on learning lab on traffic distribution systems (TDS). Malicious actors use these to hide their activity from security teams and deliver tailored content to victims.<br> <br>Not going to RSA? We’ve written a number of articles on this topic (some included below) and we’re happy to answer questions about TDSs here on Mastodon.<br> <br><a href="https://blogs.infoblox.com/threat-intelligence/from-click-to-chaos-bouncing-around-in-malicious-traffic-distribution-systems/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/from-click-to-chaos-bouncing-around-in-malicious-traffic-distribution-systems/</span></a><br><a href="https://www.infoblox.com/resources/webinars/dns-threat-briefing-q1-2025/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">infoblox.com/resources/webinar</span><span class="invisible">s/dns-threat-briefing-q1-2025/</span></a><br><a href="https://www.infoblox.com/resources/webinars/traffic-distribution-systems-at-the-heart-of-cybercrime/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">infoblox.com/resources/webinar</span><span class="invisible">s/traffic-distribution-systems-at-the-heart-of-cybercrime/</span></a><br><a href="https://www.infoblox.com/resources/webinars/the-big-ruse/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">infoblox.com/resources/webinar</span><span class="invisible">s/the-big-ruse/</span></a><br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/RSAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RSAC</span></a> <a href="https://infosec.exchange/tags/RSAC25" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RSAC25</span></a></p>
Michael :donor:<p><span class="h-card" translate="no"><a href="https://cyberplace.social/@CyberSECIntelligence2" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>CyberSECIntelligence2</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.green/@fthy" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>fthy</span></a></span> <br>yes, advisories are published now</p><p><a href="https://www.fortiguard.com/psirt/FG-IR-24-111" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">fortiguard.com/psirt/FG-IR-24-</span><span class="invisible">111</span></a><br><a href="https://www.fortiguard.com/psirt/FG-IR-24-453" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">fortiguard.com/psirt/FG-IR-24-</span><span class="invisible">453</span></a><br><a href="https://www.fortiguard.com/psirt/FG-IR-24-046" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">fortiguard.com/psirt/FG-IR-24-</span><span class="invisible">046</span></a><br><a href="https://www.fortiguard.com/psirt/FG-IR-24-435" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">fortiguard.com/psirt/FG-IR-24-</span><span class="invisible">435</span></a></p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/fortigate" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>fortigate</span></a></p>
Alexandre Dulaunoy<p>First cool and impressive outcome of hackathon.lu 2025, MISP fleet commander. An open source project which supports organisations in managing large fleets of MISP instances, testing synchronisation and many other features.</p><p>🔗 <a href="https://github.com/MISP/MISP-Fleet-Commander" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/MISP/MISP-Fleet-Com</span><span class="invisible">mander</span></a></p><p><span class="h-card" translate="no"><a href="https://misp-community.org/@misp" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>misp</span></a></span></p><p><span class="h-card" translate="no"><a href="https://social.circl.lu/@circl" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>circl</span></a></span> </p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/opensource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>opensource</span></a> <a href="https://infosec.exchange/tags/misp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>misp</span></a></p>
Quad9DNS<p>We recently sat down with our Director of <a href="https://mastodon.social/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> to talk about her role at Quad9 and what she enjoys about her work.</p><p><a href="https://www.quad9.net/news/blog/staff-highlight-emilia-cebrat-maslowski" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">quad9.net/news/blog/staff-high</span><span class="invisible">light-emilia-cebrat-maslowski</span></a></p><p><a href="https://mastodon.social/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNS</span></a> <a href="https://mastodon.social/tags/privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>privacy</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a></p>
Taggart :donor:<p>Oh is it time for another Fortinet crit again? Unauthenticated admin password change in FortiSwitch.</p><p>CVE-2024-48887, CVSSv3 9.3</p><p><a href="https://fortiguard.fortinet.com/psirt/FG-IR-24-435" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">fortiguard.fortinet.com/psirt/</span><span class="invisible">FG-IR-24-435</span></a></p><p><a href="https://infosec.exchange/tags/CVE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CVE</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a></p>
Bill<p>Looks like the DOGE bullshittery is taking its toll across the pond. Half of UK businesses are delaying tech initiatives because of the high cyberattack risk.</p><p><a href="https://hachyderm.io/@molly0xfff/114304378581690097" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hachyderm.io/@molly0xfff/11430</span><span class="invisible">4378581690097</span></a></p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/poll" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>poll</span></a></p>
Infoblox Threat Intel<p>Online gambling operators are sponsoring charities?? If only :(</p><p>We've identified a malicious gambling affiliate whose specialty is to buy expired domain names which used to belong to charities or reputable organisations. </p><p>Once they own a domain, they host a website impersonating its previous owner, where they claim to "deeply appreciate the support from [their] sponsors", which, surprise surprise, all turn out to be dubious online gambling companies.</p><p>Because the domain they are taking over is often abandoned or managed by non-technical people, its previous owner often doesn't notify anyone that they've lost control of their website, so it continues being referenced in genuine content, and it continues getting traffic from old links scattered throughout the internet.</p><p>teampiersma[.]org (screenshots below)<br>americankayak[.]org<br>getelevateapp[.]com<br>hotshotsarena[.]com<br>nehilp[.]org<br>questionner-le-numerique[.]org<br>sip-events[.]co[.]uk<br>studentlendinganalytics[.]com<br>thegallatincountynews[.]com</p><p>Comparison content: <br>2018: <a href="https://web.archive.org/web/20180119043432/https://teampiersma.org/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">web.archive.org/web/2018011904</span><span class="invisible">3432/https://teampiersma.org/</span></a><br>2025: <a href="https://web.archive.org/web/20250401092253/https://teampiersma.org/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">web.archive.org/web/2025040109</span><span class="invisible">2253/https://teampiersma.org/</span></a></p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/dropcatch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dropcatch</span></a> <a href="https://infosec.exchange/tags/charity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>charity</span></a></p>
Christopher Bauer :debian: :i3wm: :blobcatthinkingglare:<p>Okay, a couple of folks I follow have written about the 2025 Sophos Active Adversary Report but I want to underscore their thoughts and draw attention to a few other items.</p><p>- Regarding the "lede" about median dwell times falling to two days: it's difficult to assess, when Sophos only offers a single simple statistical measure, how significant that figure is. Simple statistics should always be reported together to give the reader a more accurate sense of where the median falls in the distribution. With the median alone, I can't tell if it's tightly coupled with the average or whether odd outliers are skewing things.</p><p>- Others have commented, with good reason, on the prevalence of uncomplicated root causes such as credential compromise and exploits. Sophos repeatedly and rightly bangs the MFA drum as well. The majority of these cases seem like bread and butter stuff for blue teams.</p><p>- Speaking of MFA, 63% of victims did not have MFA configured in 2024 :blobcatangery: </p><p>- "logs were missing in 47% of cases" !?!?! :blobcatshocked: That is really striking to me, though the breakdown is not all down to attackers deleting their trails.</p><p>- business processes and change management vs security: I feel as though I hear quite a lot about how security is a cost center. I think this report comes squarely down on the side of "if there isn't adequate security, there won't be a business process to carry out."</p><p>All in all an interesting report.</p><p><a href="https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.sophos.com/en-us/2025/04/</span><span class="invisible">02/2025-sophos-active-adversary-report/</span></a></p><p><a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>blueteam</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a></p>
GreyNoise<p>Spike in Exploitation Attempts Targeting TVT NVMS9000 DVRs — reportedly used in security and surveillance systems. Full analysis: <a href="https://www.greynoise.io/blog/surge-exploitation-attempts-tvt-dvrs" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">greynoise.io/blog/surge-exploi</span><span class="invisible">tation-attempts-tvt-dvrs</span></a> <a href="https://infosec.exchange/tags/GreyNoise" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GreyNoise</span></a> <a href="https://infosec.exchange/tags/Exploitation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Exploitation</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a></p>
GreyNoise<p>New Threat Update from GreyNoise — Significant spike in exploitation attempts targeting Linksys E-Series routers, likely Mirai. Full analysis ⬇️ <br><a href="https://www.greynoise.io/blog/heightened-in-the-wild-activity-key-technologies" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">greynoise.io/blog/heightened-i</span><span class="invisible">n-the-wild-activity-key-technologies</span></a></p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/GreyNoise" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GreyNoise</span></a> <a href="https://infosec.exchange/tags/Mirai" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mirai</span></a> <a href="https://infosec.exchange/tags/Linksys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linksys</span></a></p>
Infoblox Threat Intel<p>Is the sky fluxxing?! Last week a CISA advisory on DNS Fast Flux created a lot of buzz. We have an insider's take.<br> <br>Fast Flux is a nearly 20-year-old technique and is essentially the malicious use of dynamic DNS. It is critical that protective DNS services understand this -- and all other DNS techniques -- on that we agree. </p><p>What we also know as experts in DNS is that there are many ways to skin a cat, as they say. </p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cisa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cisa</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> </p><p><a href="https://blogs.infoblox.com/threat-intelligence/disrupting-fast-flux-and-much-more-with-protective-dns/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/disrupting-fast-flux-and-much-more-with-protective-dns/</span></a></p>