Colin Cowie

Curating news on Malware Research & Information Security 🧬🏹

Threat Intelligence Analyst @ Sophos MDR

(Posts are my own and do not necessarily reflect the views of my employer)

Colin Cowie boosted:
Randahl Fink (randahl)
2025-06-12

Imagine if in 1944, President Roosevelt had sat down at his desk to write and congratulate Hitler and express his commitment to the success of Nazi Germany.

This US administration is killing the American brand faster than a forest fire consumes dried-out pine trees in August.

Dear Americans, get rid of your turncoat government.

Source: state.gov/releases/2025/06/rus

Colin Cowie boosted:
2025-05-20

New investigation out from our @DomainTools investigations team - our researchers identified over a hundred domains and Chrome browser extensions mimicking legitimate services, but also enabling malicious backend connections and code execution.

dti.domaintools.com/dual-funct

#infosec #cybersecurity #threatintel

edit: ARGH WRONG LINK. coffee.

Colin Cowie boosted:
Zack Whittaker (zackwhittaker)
2025-05-14

New: Senior White House official Russell Vought, who's also the acting head of the Consumer Financial Protection Bureau, has scrapped a plan that would have blocked data brokers from selling Americans' personal and financial information, including Social Security numbers.

techcrunch.com/2025/05/14/whit

Colin Cowie boosted:
2025-04-23

Infoblox Threat Intel had the opportunity to collaborate with the United Nations Office on Drugs and Crime (#UNODC) for their latest report on South East Asian Crime. The report is titled "Inflection Point". It is a great in-depth analysis of the triads and how they fuel the current scam epidemic.

Organized crime is booming - as you can see with the picture below which shows the growth in the physical footprint of the compounds they operate.

Our part of the collaboration (pages 37-42 of the 90+ page report) was around a single actor that we can track in #dns -- naturally!

We analysed a number of illegal Chinese-operated gambling websites and soon found out they were operated by the same 'gambling provider' we named Vault Viper. Vault Viper develops its very own "secure gambling browser". Of course it's #malware.

Through DNS, we discovered the companies behind Vault Viper were in fact controlled by Suncity - a criminal junket whose founder has been convicted of laundering billions of dollars.

unodc.org/roseap/en/2025/04/cy

Illegal gambling is not harmless fun. It fuels some of the largest criminal networks in the world.

The entire report is worth reading to get the latest view from experts on the world of organized crime in Asia that is running #scam, #pigbutchering, #humantrafficking, #cybercrime, #malware, #illegalgambling, illegal porn and who knows what else. The image below shows just how much it has grown in a few years from physical footprints.

We'll be releasing a detailed report on Vault Viper in the coming months.

#infobloxthreatintel #infoblox
#organizedcrime #china

satellite imagery showing the growth of crime compounds in south east asia over a few year period
Colin Cowie boosted:
Volexity (volexity@infosec.exchange)
2025-04-22

New on the @volexity Blog: Multiple Russian threat actors are leveraging Signal, WhatsApp, and a compromised Ukrainian government email address to impersonate EU officials. This latest round of phishing attacks abuses first-party Microsoft Entra apps and OAuth to compromise targets.

volexity.com/blog/2025/04/22/p

#dfir #threatintel

Colin Cowie boosted:
mattjay (mattjay)
2025-04-18

🧵 THREAD: A federal whistleblower just dropped one of the most disturbing cybersecurity disclosures I’ve ever read.

He's saying DOGE came in, data went out, and Russians started attempting logins with new valid DOGE passwords

Media's coverage wasn't detailed enough so I dug into his testimony:

Colin Cowie boosted:
2025-04-17

On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability.

bleepingcomputer.com/news/secu

Colin Cowie boosted:
Osma A 🇫🇮🇺🇦 (osma@mas.to)
2025-04-16

Bluesky didn't reach a federated stage where you could choose a service provider in a free country before they started to censor people based on authoritarian demands.

Email screenshot:

From: noreply@bsky.so...

Recipients: me

Translate to Turkish

Hi there,

We are writing to inform you that we have received a formal request from a legal authority in Turkey regarding the removal of your account associated with the following handle (@carekavga.bsky.social) on Bluesky.

The legal authority has claimed that this content violates local laws in Turkey. As a result, we are required to review the request in accordance with local regulations and Bluesky's policies.

Following a thorough review, we have determined that the content in question violates local laws in Turkey, as outlined in the legal request. In compliance with these legal provisions, we have restricted access to your account for users.
Colin Cowie boosted:
2025-04-16

Finally put together a proper story on this funding debacle for MITRE's CVE program.

"A critical resource that cybersecurity professionals worldwide rely on to identify, mitigate and fix security vulnerabilities in software and hardware is in danger of breaking down. The federally funded, non-profit research and development organization MITRE warned today that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program -- which is traditionally funded each year by the Department of Homeland Security -- expires on April 16."

krebsonsecurity.com/2025/04/fu

Colin Cowie boosted:
2025-04-15

Today's story looks at how the POTUS's revenge tour is targeting cybersecurity leaders and election security efforts.

"President Trump last week revoked security clearances for Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA) who was fired by Trump after declaring the 2020 election the most secure in U.S. history. The White House memo, which also suspended clearances for other security professionals at Krebs's employer SentinelOne, comes as CISA is facing huge funding and staffing cuts."

krebsonsecurity.com/2025/04/tr

A Getty Images photo of Chris Krebs from 2020, seen seated in front of a microphone testifying to Congress.
Gen. Timothy Howell, until recently the director of the National Security Agency and the U.S. Cyber Command. Howell is seated in his military uniform, answering questions at the Billington Cybersecurity conference.
Colin Cowie boosted:
2025-04-10

Full analysis of Ivanti Connect Secure CVE-2025-22457 via @stephenfewer — full RCE, exploitation non-trivial (at least as it stands now).

We should all be assuming that for any popular or high-profile technology, particularly network edge devices, adversaries have piles of software they're actively reverse engineering and developing complex exploit chains for, regardless of whether vulnerabilities are disclosed publicly as security issues or not. TAs are putting time, resources, and focus into learning the internals of *many* of these systems. If the technology industry broadly — and we ALL live in glass houses here — can't match that investment with expertise and evolution, I'm not sure we can expect the current attack landscape to improve.

attackerkb.com/topics/0ybGQIkH

Colin Cowie boosted:
Lorenzo Franceschi-Bicchierai (lorenzofb@infosec.exchange)
2025-04-09

NEW: A recently published court document shows the locations of WhatsApp victims targeted with NSO Group's spyware.

The document lists 1,223 victims in 51 countries, including Mexico, India, Morocco, United Kingdom, United States, Spain, Hungary, Netherlands, etc.

This targeting was over a span of around two months in 2019, according to WhatsApp's lawsuit against NSO Group.

techcrunch.com/2025/04/09/cour

Colin Cowie boosted:

2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.

The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.

A #pcap from an infection, the associated #malware samples, and #IOCs are available at malware-traffic-analysis.net/2

Compromised website showing SmartApeSG page for fake browser update.
Traffic from an infection filtered in Wireshark.
NetSupport RAT persistent on an infected Windows host.
Zip archive and extracted files for follow-up StealC malware.
Colin Cowie boosted:
2025-03-24

Tycoon 2FA (a prominent AitM phishing kit), targeting Microsoft and Google accounts, uses a new CAPTCHA page instead of the custom Cloudflare Turnstile page

e.g.
hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/
hxxps://xau.kolivax.]ru/ckYHFJN/
hxxps://ffqt.lzirleg.]es/VajlR/

Current decoy pages used since 18 March, changing every 3/4 weeks since the beginning of 2025:

urlscan.io/search/#page.title%

Colin Cowie boosted:
Lorenzo Franceschi-Bicchierai (lorenzofb@infosec.exchange)
2025-03-24

NEW: Ukrzaliznytsia, Ukraine’s state-owned railway operator, said it has been hit by a large-scale cyberattack that disrupted online ticket sales, but trains continue to run.

techcrunch.com/2025/03/24/cybe

Colin Cowie boosted:
Lorenzo Franceschi-Bicchierai (lorenzofb@infosec.exchange)
2025-03-21

NEW: Valve removed a video game from Steam after users reported that its free demo was actually an infostealer malware.

Very similar thing happened last month with another video game laced with malware.

techcrunch.com/2025/03/21/valv

Colin Cowie boosted:
Ars Technica (arstechnica)
2025-03-21

CEO of AI ad-tech firm pledging “world free of fraud” sentenced for fraud
Prosecutors: Firm offering "300% more" fraud detection oversold revenue by 700%.
arstechnica.com/gadgets/2025/0

Colin Cowie boosted:
2025-03-20

My latest blog post is live. We must stop using knowledge-based "multifactor" authentication. It isn't multiple factors; it is one with a small ephemeral bit. Tools like evilginx2 make MFA bypass trivial, so it is high time we make serious plans to migrate to passkeys.

news.sophos.com/en-us/2025/03/

#InfoSec @SophosXOps

2025-03-19

@dnsprincess personally I don't like Vegas enough to justify the costs of a ticket, hotel and food during the trip

I'm gonna try to spend my money and energy at events that are local to me (Seattle) :blobcatgooglyshrug:
