Daniel Schwalbe :verified: :donor:

Security Geek. CISO & Head of Investigations @DomainTools. Bee Whisperer. Former USA 12B20 | HigherEd security | Farsight Security (DNSDB). Occasional @BreakingBadness cohost. Jack of all Trades, Master of Some.

Daniel Schwalbe :verified: :donor: boosted:
hrbrmstr 🇺🇦 🇬🇱 🇨🇦 (hrbrmstr)
2025-04-17
Daniel Schwalbe :verified: :donor: (danonsecurity@infosec.exchange)
2025-04-10

Fresh research from my team at DomainTools Investigations just dropped! We look into newly registered domains that mimic the Google Play Store and try to trick visitors into downloading the SpyNote Android RAT:

dti.domaintools.com/newly-regi

Daniel Schwalbe :verified: :donor: boosted:
2025-03-26

Protip: if someone posts a technical or legal analysis of something the administration is doing or proposing and your response is that legalities are irrelevant and a waste of time, the problem is YOU.

You know who wants you to think laws don’t matter anymore and that pushback is hopeless? Fascists.

Don’t act like a fascist.

Daniel Schwalbe :verified: :donor: (danonsecurity@infosec.exchange)
2025-03-26

Another installment of my occasional series "Where in the world is Daniel Schwalbe" - today with details about our upcoming @DomainTools Investigations Closed Door Sessions in #austintx and #boston next week. There is still time to apply to attend at dti.domaintools.com , but space is limited - act now! 😎

Daniel Schwalbe :verified: :donor: boosted:
2025-03-25

There are signs that Russia is ramping up its technical infrastructure and dispersing more disinformation campaigns in 2025.

"We see a tendency — a trend of domains getting registered — that ... seems to be focused on disinformation, whether they're trying to mimic a real world, big news outlet, or in some cases, are very regionally targeted, giving the appearance of a local-ish news outlet," says @danonsecurity, CISO and head of investigations at DomainTools.

Read more from @roblemos at @darkreading here: darkreading.com/threat-intelli

Daniel Schwalbe :verified: :donor: (danonsecurity@infosec.exchange)
2025-02-27

@jtk Totally fair point. That's why we also post it on dti.domaintools.com 🤓

LI gets it first (cuz metrics), then a day later email, and at the end of the week it gets posted on our site. I just REALLY want people to read it 😆

Daniel Schwalbe :verified: :donor: (danonsecurity@infosec.exchange)
2025-02-27

The latest installment of my monthly newsletter is out: linkedin.com/pulse/guess-whos-

If LI isn't your thing, you can get it via email: domaintools.com/investigations

I'm sharing an update to last month’s research on Chinese malware and an additional look into our findings by our friends at CSIRT Gadgets. We’re also covering the Manipulaters [sic] takedown, upcoming webinars, plus all the spring events where you can come meet us in person.

Daniel Schwalbe :verified: :donor: boosted:
2025-02-26

Sarah Sabotka (@proofpoint) will join us on March 19 for our Foundations of DFIR panel!

That's a while away though. Where can you find Sarah before then? Check out this episode of the DISCARDED podcast (Stealth, Scale, and Strategy: Exploring China's Covert Network Tactics - APT41) hosted with Selena Larson and guest Mark Kelly.

By studying APT41's operations, digital forensics and incident response teams can better prepare for and mitigate the impacts of both cybercrime and state-sponsored espionage, ultimately enhancing overall cybersecurity resilience.

Listen here: proofpoint.com/us/podcasts/dis

Want to hear more of Sarah's insights, along with conversation with @danonsecurity, @hacks4pancakes, and David Bianco? Join us on March 19 - save your spot here: domaintools.com/webinar-gettin

Sarah Sabotka joins DomainTools for a panel discussion on the Foundations of DFIR on March 19
Daniel Schwalbe :verified: :donor: boosted:
2025-02-26

@hacks4pancakes (@dragosinc) will join us on March 19 for our Foundations of DFIR panel!

While that's a few weeks away, you can check out Lesley's blog post on The Shifting Landscape of OT Incident Response which illustrates the importance of specialized incident response and digital forensics in maintaining the security and integrity of OT systems.

Find it here: dragos.com/blog/the-shifting-l

If you want to catch Lesley along with panelists @danonsecurity, David Bianco, and Sarah Sabotka for unique insights on bolstering your DFIR foundations, save your spot here: domaintools.com/webinar-gettin

#DFIR #DigitalForensics #IncidentResponse #Cybersecurity

Lesley Carhart joins DomainTools for a panel on getting back to the Foundations of DFIR on March 19
Daniel Schwalbe :verified: :donor: boosted:
2025-02-26

We'll be hosting a customer-exclusive webinar on Thursday, March 20 with @danonsecurity, Austin Northcutt, and Steven Behm demonstrating how our domain and DNS intelligence platform can help stay ahead of business email compromise (BEC) using the example of TA4903, a financially motivated threat actor.

In this closed event, the audience will walk away with the following:

🔹 Investigate IOCs for increased context and find connected domains
🔹 Understand how to create a fingerprint within Iris Investigate’s Advanced Search
🔹 Leverage passive DNS to uncover connected subdomains
🔹 Discuss automating discovery within a Splunk SIEM environment for continued domain discovery

Save your spot here: domaintools.com/webinar-ta4903

Webinar: Using Domain and DNS Intel Against Business Email Compromise
Daniel Schwalbe :verified: :donor: boosted:
2025-02-26

@danonsecurity's latest DomainTools Investigations (DTI) newsletter is out on LinkedIn! He shares an update to last month’s research on Chinese malware and CSIRT Gadgets, LLC additional look into our findings. He also covers the Manipulaters [sic] takedown, upcoming webinars, plus all the spring events where you can come meet the DTI team in person.

Find it here: linkedin.com/pulse/guess-whos-

Don't use LinkedIn? Sign up for an email copy here: domaintools.com/investigations

The February 2025 edition of the DomainTools Investigations Newsletter is now available
Daniel Schwalbe :verified: :donor: boosted:
2025-02-12

A group of 20-somethings with names like "Big Balls" gain unauthorized access to your servers, delete data, take your website down, and now you can't serve your customers and your organization goes belly up unless you pay money to a mafia boss.

Sounds a lot like ransomware, doesn't it? When your government starts imitating ransomware playbooks, it's a four-alarm fire. At least in theory one can negotiate with ransomware actors.

Daniel Schwalbe :verified: :donor: boosted:
2025-02-12

In our upcoming presentation, our panel of experts will take us back to basics. We all know that "the threat landscape is changing rapidly," but have we paused to ensure our security practices are built on a solid foundation? If you're unsure, the answer is likely no. The good news is, we can change that.

Join us as we delve into the PICERL Model (Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned) to review the essential foundations of Digital Forensics and Incident Response (DFIR). These fundamentals are crucial for effectively managing and mitigating cybersecurity incidents, yet they are often forgotten or overlooked.

Our panel includes:
🔹 @danonsecurity, CISO and Head of Investigations (DomainTools)
🔹 @hacks4pancakes, Technical Director of Incident Response (@dragosinc)
🔹 @DavidJBianco, Staff Security Strategist (@Splunk)
🔹 Sarah Sabotka, Senior Threat Researcher (Proofpoint)

📅 Date: March 19
🕒 Time: 10AM PT | 1PM ET
📍 Location: Online

✅ Register here: domaintools.com/webinar-gettin

DomainTools will provide a document confirming your participation; however, CPE credit approval is not guaranteed. Credentialing organizations, such as ISACA or ISC2, may grant CPE credits for security educational courses if you provide proof of participation.

#Cybersecurity #DFIR #PICERLModel #BackToBasics #CyberResilience

Webinar on March 19 hosted by DomainTools - Getting Back to the Foundations of DFIR
Daniel Schwalbe :verified: :donor: (danonsecurity@infosec.exchange)
2025-01-31

Yesterday, we sent out an email version of my LinkedIn Newsletter - DT Investigations News. We did this to give people the option to get the information without requiring them to be on LI.

I have said from the start that we will not gate DTI content, so offering an alternative that doesn't require an account is in line with DTI's "community-first" mission.

Today I noticed that we did not include an unsubscribe option in the email. That was an oversight, but it doesn't make it acceptable, and I take full responsibility for it.

If you received the newsletter, but would like to be removed, please email me and I'll take care of it. Future editions will include an unsubscribe option.

#infosec #threatintel #cybersecurity #accountability

A sign that says "we can do better" in white block letters superimposed on a stylized world map on blue background
Daniel Schwalbe :verified: :donor: boosted:
2024-12-20

It's back (back again!)

That's right - Breaking Badness is covering our 2025 cybersecurity predictions for the third year in a row!

But we have something special cooked up for how we approached it this year. Join @NotTheLinux, @seanmcnee, @ColonelPanic, and @danonsecurity as they look back at how our 2024 predictions fared and what may occur in the new year.

Listen on Apple Podcasts: podcasts.apple.com/us/podcast/

Spotify: open.spotify.com/episode/0EfIx

Watch on YouTube: youtube.com/watch?v=GNaR15LoPZ

Daniel Schwalbe :verified: :donor: (danonsecurity@infosec.exchange)
2024-11-21

Come find me at @CYBERWARCON if you’re in the neighborhood!

Daniel Schwalbe :verified: :donor: boosted:
2024-11-21

Much of our research team will be at @CYBERWARCON tomorrow including:

🔹 @danonsecurity
🔹 @seanmcnee
🔹 Aaron Gee-Clough
🔹 Malachi Walker
🔹 Austin Northcutt

Stop by to say hi and learn about our latest research, including retail-targeted campaigns, new developments in USPS smishing attacks, using domains to better understand Evil Corp's infrastructure, and more!

Meet DomainTools Research team at CYBERWARCON
Daniel Schwalbe :verified: :donor: (danonsecurity@infosec.exchange)
2024-11-13

@BreakingBadness @Jhaddix @NotTheLinux this was a super fun episode to record. Take a listen!

Daniel Schwalbe :verified: :donor: boosted:
2024-11-13

In this episode of the Breaking Badness Cybersecurity Podcast, Arcanum Information Security's @Jhaddix joins @NotTheLinux and @danonsecurity to dive into his unique journey from red teaming and pentesting to leading security teams as a CISO in high-profile organizations, including a top gaming company.

Jason unpacks the distinct challenges of securing a gaming company, where risks come not only from state actors but also from clout-seeking young hackers. He shares valuable insights on building scalable security programs, secrets management, and the importance of radical transparency in corporate security cultures.

Tune in to hear why, in Jason's words, "gaming saved me from a misspent youth," and learn about his latest ventures into offensive security training and AI-driven security solutions.

Listen on:

Apple Podcasts: podcasts.apple.com/us/podcast/

Spotify: open.spotify.com/episode/7oTuB

Watch on YouTube: youtube.com/watch?v=PtDSVbu08M

Daniel Schwalbe :verified: :donor: boosted:
2024-10-01

🚨 The National Crime Agency (NCA) revealed a new face who has participated with the threat group known as Evil Corp 🚨

Aleksandr Ryzhenkov has been identified as Maksim Yakubets’ right-hand man and has been tied to numerous LockBit attacks.

It is our goal to help make the Internet a safer place. Sharing information regarding groups like Evil Corp including activities and TTPs is important in the collective effort to defend against them.

On our blog and GitHub, we’ve included a timeline of Evil Corp events within the last five years, information regarding today’s events, and a list of domains associated with Evil Corp with the intention of providing an illustration of the scale at which many of these groups operate and the use of domains in their C2 infrastructure.

domaintools.com/resources/blog
