Erka Koivunen

An engineer by training, hacker by heart. Conditioned to think like a CISO. Public speaker and a private drummer.

Erka Koivunen boosted:
2025-08-15

Colt have finally confirmed an ongoing cyber incident, after several days of pretending it was a technical issue to customers.

Erka Koivunen boosted:
2025-07-22

I think this thread exposes something about the cybersecurity industry and org posture btw - it almost all runs on Windows and EDR telemetry, hence why there’s little info on this from vendors (Netscaler is closed box appliance - they’re flying blind) and why orgs aren’t seeing anything, they don’t know how without vendors.

I keep contacting orgs and they have no idea they are compromised or how to investigate.

#CitrixBleed2

2025-06-14

@kevinrothrock are we there yet?

Erka Koivunen boosted:

Also, I'm pretty sure I've said this before, but I'll say it again:

Part of your job as a senior is to tell your juniors about your fuckups. The embarrassing cringe reckless and lazy bullshit that you did when you were new, and the various times you brought down Prod. We ALL did it sometime. And then tell them: the moment you realized you fucked up, I know, the impulse is to try and cover it up, but don't do it. Come to the seniors you trust, and they'll help you unfuck it, and fight management tooth and claw like mamma and pappa bears to defend you from any shitheads in management. Because that's what our seniors did to us.

2025-06-04

@kevinrothrock Let’s see when the advancing stops.

2025-06-04

@kevinrothrock Their ability to supply and support the frontline is diminishing.

I will not accept criticism of my ”righteousness” when the context is my opposition to criticism of Ukraine’s successful operations that directly hurt Russia’s ability to conduct long-range operations, supply their forces, fund their war and portray their leadership as competent.

All they have left is zombie meat grinder. They are world’s premier suicide force and unrivalled in cruelty. That’s all, and they will be defeated.

2025-06-04

@kevinrothrock Putin was always intent on committing genocide in Ukraine. No amount of appeasement will change that. The objective needs to be to diminish Putin. That seems to be working.

Erka Koivunen boosted:
2025-05-24

Another protest at Microsoft Build about their involvement in targeting Palestinians caused the head of AI security to accidentally share customer Teams chats theverge.com/news/671373/micro

Erka Koivunen boosted:
2025-05-24

Microsoft has used its security controls to block messages which contain the words Palestine and Gaza.

theverge.com/tech/672312/micro

2025-05-24

@GossiTheDog

FWIW, I see no indication that the Teams chats accidentally exposed at the Build event would’ve been labeled as containing customer confidential information.

I wish Microsoft with their ’security first’ mindset and infinite resources could develop and take into use technological means to label sensitive content and protect them.

Instead they use .. checks notes .. yes, Purview DLP to prevent people from expressing their displeasure at a genocide.

Erka Koivunen boosted:
2025-05-24

My take on this one, specifically limiting terms like Palestine by MS is lame.

Erka Koivunen boosted:
2025-05-24

After hiring a real auditor, the auditor found builder.ai faked three quarters of its sales. ft.com/content/926f4969-fda7-4

Erka Koivunen boosted:
2025-05-22

Holy fucking shit Broadcom:

As no new order(s) for subscription licenses and support services has been executed between the parties, Support
Services are no longer available for the perpetual Software listed in the Order(s) and such Software licenses deployed
in your environment are running unsupported.

VMware, therefore, immediately demands that all use of Support Services associated with VMware Software, including
Maintenance Releases/Updates, Minor Releases, Major Releases/Upgrades extensions, enhancements, patches, bug
fixes or security patches (with the exception of zero-day security patches for vSphere 7.x and 8.x, CVSS score greater
than or equal to 9.0, so long as those are generally provided by VMware at no cost) be ceased.

The implementation of any of the aforementioned (excluding select zero-day patches as defined above) past the
Expiration Date must be immediately removed/deinstalled. Any such use of Support past the Expiration Date constitutes
a material breach of the Agreement with VMware and an infringement of VMware’s intellectual property rights,
potentially resulting in claims for enhanced damages and attorneys’ fees.

Additionally, Customer must comply with any post-expiration reporting requirements related to the Order(s) and
governing license agreement. Failure to comply with such requirements may result in a breach of the Agreement by
Customer and VMware may exercise its right to audit Customer as well as any other available contractual or legal
remedy.

Erka Koivunen boosted:
2025-05-07

Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage
wired.com/story/cbp-confirms-t


Erka Koivunen boosted:
Pen Test Partners (PTP@infosec.exchange)
2025-05-07

Microsoft Copilot for SharePoint just made recon a whole lot easier. 🚨
 
One of our Red Teamers came across a massive SharePoint, too much to explore manually. So, with some careful prompting, they asked Copilot to do the heavy lifting...
 
It opened the door to credentials, internal docs, and more.
 
All without triggering access logs or alerts.
 
Copilot is being rolled out across Microsoft 365 environments, often without teams realising Default Agents are already active.
 
That’s a problem.
 
Jack, our Head of Red Team, breaks it down in our latest blog post, including what you can do to prevent it from happening in your environment.
 
📌Read it here: pentestpartners.com/security-b

#RedTeam #OffSec #AIsecurity #Microsoft365 #SharePoint #MicrosoftCopilot #InfoSec #CloudSecurity

Erka Koivunen boosted:
2025-05-02

Today's scoop: xAI Dev Leaks API Key for Private SpaceX, Tesla LLMs

An employee at Elon Musk's artificial intelligence company xAI leaked a private key on GitHub that for the past two months could have allowed anyone to query private xAI large language models (LLMs) which appear to have been custom made for working with internal data from Musk's companies, including SpaceX, Tesla and Twitter/X, KrebsOnSecurity has learned.

GitGuardian's Eric Fourrier told KrebsOnSecurity the exposed API key had access to several unreleased models of Grok, the AI chatbot developed by xAI. In total, GitGuardian found the key had access to at least 60 distinct data sets.

"The credentials can be used to access the X.ai API with the identity of the user," GitGuardian wrote in an email explaining their findings to xAI. "The associated account not only has access to public Grok models (grok-2-1212, etc) but also to what appears to be unreleased (grok-2.5V), development (research-grok-2p5v-1018), and private models (tweet-rejector, grok-spacex-2024-11-04)."

Fourrier found GitGuardian had alerted the xAI employee about the exposed API key nearly two months ago -- on March 2. But as of April 30, when GitGuardian directly alerted xAI's security team to the exposure, the key was still valid and usable. xAI told GitGuardian to report the matter through its bug bounty program at HackerOne, but just a few hours later the repository containing the API key was removed from GitHub.

Read more: krebsonsecurity.com/2025/05/xa

Erka Koivunen boosted:
2025-05-02

CIA's latest recruitment videos aimed at the Chinese are plain ridiculous. Here's a CNN article with links to them on Twitter:

edition.cnn.com/2025/05/02/chi

To begin with, they seem made with the same template as the ones aimed at the Russians after the start of the Russia-Ukraine war.

In one of them the CIA is trying to play on the fear a Chinese functionary might feel about the fate of his family if he's replaced. Is the CIA not familiar with what authoritarian regimes like the one in China do with traitors and their families - or do they hope that the Chinese are not familiar with that?

On the second one, they play on the disillusionment of a young Chinese man who "returns to a small apartment where he lives with his parents". I guess the CIA is unaware how a large number of US youths live - or hopes that the Chinese aren't?

Erka Koivunen boosted:
Merill Fernando (merill@infosec.exchange)
2025-05-02

PSA: Every open source project you work on should have GitHub's

🛡️ Secret Protection and
🛡️ Push Protection

Set to Enabled ✅

Why do this? 👇

Erka Koivunen boosted:
CatSalad🐈🥗 (D.Burch) (catsalad@infosec.exchange)
2025-04-17

So I know of 3 pretty reliable web archive sites. Are there any other sites you know about?

🌐 web.archive.org
🗃️ archive.today (+ Tor onion)
👻 ghostarchive.org

Erka Koivunen boosted:
Tony “Abolish ICE” Arcieri🌹🦀 (bascule@mas.to)
2025-04-17

Someone else did a writeup on this phishing email / attack:

Google Spoofed Via DKIM Replay Attack: A Technical Breakdown

easydmarc.com/blog/google-spoo
