@GossiTheDog 38.154.237.100 is a definite yes (I looked at past 24h)
Security research at Nokia Deepfield (he/they).
EN/FR posts | Fan of Crocker’s Rules, art, and the Oxford comma.
@GossiTheDog I had a look at network traffic from today and some of them are proxy exit nodes; some do broad IoT scanning.
Two of them really stick out as they seem to exclusively target Citrix endpoints: 78.128.113.30 and 38.54.59.96
The attempts by law enforcement & governments to subvert end-to-end encryption are ongoing. The European Commission is going to spend a year thinking about their new "Roadmap for law enforcement access to data", and they are (genuinely) asking for people to join their expert group to help. Here I urge you to join that group (also because I can't): https://berthub.eu/articles/posts/possible-end-to-end-to-end-come-help/
Oh, goodie. Another botnet. This one is exploiting CVE-2024-3721 and CVE-2024-12856 in DVRs and routers to launch DDoS attacks.
https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
IOCs
Hosts
45[.]135[.]194[.]34
83[.]150[.]218[.]93
14[.]103[.]145[.]202
14[.]103[.]145[.]211
154[.]91[.]254[.]95
78[.]153[.]149[.]90
Files
Downloader
@Dio9sys @da_667 since this seems like the kind of thing you might want to sig / tag.
A notable effect of BIND’s long-standing v6-bias (default since 9.11, and previously discussed in https://blog.apnic.net/2020/06/03/overcoming-the-challenges-of-ipv6-support-in-bind/) is that it helps broaden DNS water-torture attacks.
Even if the spoofed queries are IPv4-only (which they almost always are), BIND’s upstream resolution may span both IPv4 and IPv6, effectively making the attack dual-stack.
(IPv6 adoption is good, but operators should account for this when defending name servers. We just don't see this as much for other DNS server implementations.)
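As an added illustration of the water-torture pattern mentioned above (this is example code written for this page, not the author's tooling or anything from BIND), the script below parses BIND-style query-log lines and flags zones whose queries are almost all for distinct, never-repeated names, which is the signature of a random-subdomain flood. The log lines are constructed for the example and use documentation address ranges; the thresholds `min_queries` and `unique_ratio` are assumptions to tune against real traffic volume. Note that the client addresses seen here are the (spoofed) IPv4 sources; the dual-stack effect the post describes happens on the resolver's upstream side and is not visible in these lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND's query-log format (not real traffic).
# example.net receives five distinct random labels; example.org receives
# ordinary repeated names. Addresses are from documentation ranges.
SAMPLE_LOG = """\
01-Jul-2025 06:25:01.001 queries: info: client @0x1 198.51.100.7#41234 (k3j9x2.example.net): query: k3j9x2.example.net IN A + (203.0.113.5)
01-Jul-2025 06:25:01.002 queries: info: client @0x1 198.51.100.8#5123 (q8r1mz.example.net): query: q8r1mz.example.net IN A + (203.0.113.5)
01-Jul-2025 06:25:01.003 queries: info: client @0x1 198.51.100.9#6011 (v0t4hd.example.net): query: v0t4hd.example.net IN A + (203.0.113.5)
01-Jul-2025 06:25:01.004 queries: info: client @0x1 198.51.100.10#8821 (p2wl7c.example.net): query: p2wl7c.example.net IN A + (203.0.113.5)
01-Jul-2025 06:25:01.005 queries: info: client @0x1 198.51.100.11#2234 (z6ny3e.example.net): query: z6ny3e.example.net IN A + (203.0.113.5)
01-Jul-2025 06:25:01.006 queries: info: client @0x1 192.0.2.20#53211 (www.example.org): query: www.example.org IN A + (203.0.113.5)
01-Jul-2025 06:25:01.007 queries: info: client @0x1 192.0.2.21#53212 (www.example.org): query: www.example.org IN AAAA + (203.0.113.5)
01-Jul-2025 06:25:01.008 queries: info: client @0x1 192.0.2.22#53213 (mail.example.org): query: mail.example.org IN MX + (203.0.113.5)
01-Jul-2025 06:25:01.009 queries: info: client @0x1 192.0.2.23#53214 (www.example.org): query: www.example.org IN A + (203.0.113.5)
01-Jul-2025 06:25:01.010 queries: info: client @0x1 192.0.2.24#53215 (www.example.org): query: www.example.org IN A + (203.0.113.5)
"""

# Matches the "client <addr>#<port> (<name>): query: <qname> IN <qtype>" part
# of a BIND query-log line; the "@0x..." client handle is optional.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (source_ip, qname, qtype) for every parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def zone_of(qname, depth=2):
    """Crude zone cut: keep the last `depth` labels (assumption: 2-label zones)."""
    labels = qname.split(".")
    return ".".join(labels[-depth:]) if len(labels) >= depth else qname


def score_zones(queries):
    """Per zone: total queries, distinct qnames, distinct client sources."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "sources": set()})
    for src, qname, _ in queries:
        z = zone_of(qname)
        stats[z]["total"] += 1
        stats[z]["names"].add(qname)
        stats[z]["sources"].add(src)
    return stats


def flag_water_torture(stats, min_queries=5, unique_ratio=0.9):
    """Flag zones where nearly every query is for a never-before-seen name.

    Legitimate zones repeat the same handful of names; a random-subdomain
    flood yields a unique name per query. Thresholds are tuning assumptions.
    """
    flagged = {}
    for zone, s in stats.items():
        if s["total"] < min_queries:
            continue
        ratio = len(s["names"]) / s["total"]
        if ratio >= unique_ratio:
            flagged[zone] = {
                "queries": s["total"],
                "unique_ratio": ratio,
                "sources": len(s["sources"]),
            }
    return flagged


def analyse(log_text=SAMPLE_LOG):
    return flag_water_torture(score_zones(parse_queries(log_text)))


if __name__ == "__main__":
    for zone, info in analyse().items():
        print(f"{zone}: {info['queries']} queries, "
              f"{info['unique_ratio']:.2f} unique, {info['sources']} sources")
```

On the constructed input only `example.net` is flagged: five queries, five distinct names, five distinct (spoofed) sources. Running this against a real query log, the same zone will typically show a large spread of IPv4 sources, while the resolver's own outbound queries to the target's authoritatives may go out over both address families, which is the point made in the post.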
The usual DDoS "noisy influencer" group I will not name started attacking French local/regional government websites this morning (~2025-07-01T06:25Z).
Most of them are unaffected.
@GossiTheDog Done — and truly sorry to hear. Sending you strength and support.
@paul This looks very similar to https://www.intego.com/mac-security-blog/did-the-nightowl-app-really-join-macs-to-a-botnet-army/ (I had a look and it calls back to the same squidyproxy[.]com domain)
@da_667 Perhaps you've seen from this recent write-up: https://www.trendmicro.com/en_us/research/25/f/langflow-vulnerability-flodric-botnet.html
It downloads shell script from
80.66.75[.]121:25565/docker
One of the samples: https://www.virustotal.com/gui/file/a6cf8124e9b4558aacc7ddfa24b440454b904b937929be203ed088b1040d1b36
@resingm FWIW I tested both filtered and unfiltered today from home and both were below 30ms
If you have an iPhone, make sure you always have the latest security update.
If you are concerned that you might be targeted by government spyware, enable Lockdown Mode.
https://techcrunch.com/2025/06/12/apple-fixes-new-iphone-zero-day-bug-used-in-paragon-spyware-hacks/
Digging a bit more into the infrastructure of DNS4EU, dns0.eu, and Quad9, there isn’t much documentation or design detail available about how things actually work including how filtering is implemented. I couldn’t find any Git repositories with their tooling or information about the software they use.
Does anyone have good resources? Transparency about how these services work would help build trust.
@richh @tdp_org Sure, there are some easy rules that most operators do implement to prevent the obvious (BCP38 to prevent spoofing, rate-limiting outbound DNS/NTP, etc.). For volumetric HTTPS though things tend to get a lot harder.
To be clear, I’m also advocating for more awareness of outbound DDoS and more action — it’s just not as simple as installing a rule on a peering router, especially for modern DDoS.
@tdp_org To be fair, ISPs only have so much control over what security cameras / DVRs / cheap Android TV boxes their subscribers end up installing 🙃
Wrapping up 3.5 days of #Botconf2025 where I learned a lot on botnets and malware.
Definitely a bit out of my comfort zone as I hardly knew anyone at first, but met some nice people throughout the week — including some whose research blog posts I’ve been reading for many years.
The event is relatively human-scale (400 participants), with impeccable organization and, this year, in the beautiful city of Angers.
Looking forward to next year’s event!
@tdp_org From my iPhone:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Well, well, well, look who just got sanctioned in the EU: Stark Industries Solutions! It's about freaking time.
I spent about six months last year researching and writing a deep dive into Stark, its origins, owners and ties to Russian disinformation campaigns and DDoS.
Here's the EU announcement: https://www.consilium.europa.eu/en/press/press-releases/2025/05/20/russia-s-war-of-aggression-against-ukraine-eu-agrees-17th-package-of-sanctions/
Here's my story from last year: https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/
"France Becomes First Government to Endorse UN Open Source Principles, Joined by 19 Organizations"
The 8 UN #OpenSource principles:
1. Open by default
2. Contribute back
3. Secure by design
4. Foster inclusive participation and community building
5. Design for reusability
6. Provide documentation
7. RISE (recognize, incentivize, support and empower)
8. Sustain and scale