Notices by Christoffer S. (nopatience@swecyb.com)

@argv_minus_one @GossiTheDog

I genuinely think that #Passkeys may be the first and only real solution in decades to have a chance at replacing the password/MFA issues.

It will work for individuals as well as organizations and their employees.

Until then we'll have to accept reality which is compromised private computers leaking credentials, and having enforced MFA will help in some instances.

Smart cards has never, imho, been a realistic solution to almost any organisations; ever.

@argv_minus_one
Impractical, expensive, not especially user friendly. Sure they are secure, but there are so many other things (again, imho) that makes them not ideal to use for carrying user identities.
@GossiTheDog

(sophos.com) Evilginx: How Attackers Bypass MFA Through Adversary-in-the-Middle Attacks https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/

A short descriptive article about Evilginx and how stealing credentials work, a few suggested ways of detecting etc.

Summary:
This article examines Evilginx, a tool that leverages the legitimate nginx web server to conduct Adversary-in-the-Middle (AitM) attacks that can bypass multifactor authentication (MFA). The tool works by proxying web traffic through malicious sites that mimic legitimate services like Microsoft 365, capturing not only usernames and passwords but also session tokens. The article demonstrates how Evilginx operates, showing how attackers can gain full access to a user's account even when protected by MFA. It provides detection methods through Azure/Microsoft 365 logs and suggests both preemptive and reactive mitigations, emphasizing the need to move toward phishing-resistant FIDO2-based authentication methods.

#Cybersecurity #ThreatIntel #Evilginx #Phishing #Credentials #MFA #Azure #Sophos

@troed Feel free to explain, and interpret "the latest" as fitting for your particular context.

I'm genuinely interested to hear what people, of different roles, do to keep up. Consider it part of a research project if that helps ;-)

Can I pick the collective brain a bit about "keeping up" with #Cybersecurity ?

How do you do it? What's your primary way of ensuring you stay up-to-date with... the latest?

It would appear as if Wiz may have discovered another supply-chain compromise:

https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup

The attack involved compromising the v1 tag of reviewdog/action-setup between March 11th 18:42 and 20:31 UTC. Unlike the tj-actions attack that used curl to retrieve a payload, this attack directly inserted a base64-encoded malicious payload into the install.sh file. When executed, the code dumped CI runner memory containing workflow secrets, which were then visible in logs as double-encoded base64 strings. The attack chain appears to have started with the compromise of reviewdog/action-setup, which was then used to compromise the tj-actions-bot Personal Access Token (PAT), ultimately leading to the compromise of tj-actions/changed-files. Organizations are advised to check for affected repositories using GitHub queries, examine workflow logs for evidence of compromise, rotate any leaked secrets, and implement preventive measures like pinning actions to specific commit hashes rather than version tags.

#CyberSecurity #SupplyChain

@anderseknert
For wherever it's worth, I'm a swede and this did indeed happen.

I would like to see the fact checking process of the mods to reach the stated conclusion.

I appreciate that many do this on a volunteer basis, but then we need to be even more considerate and ensure we work together.

Of course it will be reported by some as fake news, or course. But... No.

@GossiTheDog @dangoodin

If you perhaps remember the attack against TietoEvry in Sweden... there has been speculation that it was executed because of exactly this.

Attacker escaped from VM into the entire VMware cluster... which led to pretty much a full compromise of the entire datacenter.

Now it's NOT KNOWN whether this was the actual flaw that led to the successful attack, but it certainly is a very plausible (and viable) vector.

@aral ... and I just realized that before switching to nvim as my main editor, I used Sublime Text AND Merge.

I probably have a license around here somewhere... that's a good idea, I could use Sublime Merge for git management, and continue my nvim usage.

Thanks for reminding me about Merge 🙂

@aral Yeah, sorry... I should have made that clear.

I do have some basic "skills" in using git for local versioning, but because I also split my work between two computers I wanted to a reasonably simple way of getting the source code synced between devices using git. I have used syncthing previously but found myself more times than I'd like with some incomplete syncs between devices.

So the PRs is when i push to git, probably (very likely) incorrectly.

I'm a complete noob when it comes to source code management through git (one developer only).

Are there any good "for dummies" resources with clear and systematic workflows for how a single developer can work?

I'm trying to wrap my head around "branching/committing" often, tags and what not.

Right now I'm doing something wrong because I'm getting PRs on my own repo, I don't get it.

Need to learn.

#Git #SourceCode #Single #Developer #Python

Volexity: https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/

Multiple Russian threat actors have been identified targeting Microsoft 365 accounts through Device Code Authentication phishing campaigns, according to Volexity. These attacks, which began in mid-January 2025, involve social engineering and spear-phishing tactics, often masquerading as communications from reputable organizations like the U.S. Department of State and the Ukrainian Ministry of Defence.

#ThreatIntel #CyberSecurity #Russia

@dansup There is one thing I really liked from the G+ days - Circles.

It made sense. You have a circle of friends, coworkers, or hobby friends. Organizing in terms of circles made sense.

Even if Circles is more or less equivalent to Lists... it has a psychological effect or calling them Circles, more human.

And then having the option to decide access rights depending on Circles etc.

TL;DR - Circles from G+ was a neat idea, I miss it.

@Viss @cR0w @chillybot @jerry @lerg

haha... I feel I need to contribute.

I have seen Airwolf and ultimately feel qualified to assert that helicopters and airplanes should in fact attempt to avoid colliding.

I enjoy reading articles written by humans, because most often ... they read like as if a human had written it.

Tell me what you think of this one from Fortinet:

https://www.fortinet.com/blog/threat-research/analyzing-malicious-intent-in-python-code

To me this reads like an LLM has generated the output based on some technical indicators.

What's your take? I really, really dislike it. Please dont write like this if you are a human.

#CybeeSecurity

Huntress: https://www.huntress.com/blog/analyzing-initial-access-across-todays-business-environment

Thorough analysis of initial access and the distribution of various techniques. Exploitation of 0days, contrary to reporting is not an especially common technique but using stolen creds and logging in, however, is.

Good read for sure and certainly helps with prioritization of defensive countermeasures.

#CyberSecurity #ThreatIntel

Pay for it Friday! Use this toot as an excuse to support your #Fediverse instance home. Perhaps that's #Mastodon, #Pixelfed or any of the other wonderful software projects enabling us all to communicate across platforms.

Setup a recurring donation, anything and everything really counts. I'm personally supporting Mastodon with a $20/monthly donation (and have done so since 2023!). In addition to running a Swedish cybersecurity instance.

Boost if you believe in the fediverse ideal. 🙂

Another thought regarding #OpenSource software. There is a pervasive mentality that such software cannot be associated with money. It appears hard to reconcile paying for something that is free.

This mentality must change. We must foster and support the idea that great software is costly to develop. How can we ensure that more people financially contribute to OSS if it supports them?

I believe that we should highlight those paying and supporting OSS. 1/x

How about a website/portal/system where we could aggregate and display how people could contribute and support various software packages. Where we encourage support, provide tools and guides to how one can support projects.

Perhaps (as a starting point) it could be a simple collection of popular projects where you can contribute financially, orgs enabling such support and how to connect with those?

I so fucking wish there were more hours available during each day...

I have been perhaps somewhat knowingly ignorant of Amazon practices as it relates to price blackmailing regarding books and the authors producing them.

Giving up Kindle is not easy, the comfort and ease with which to buy... license books, is well smooth.

How do people read digitally without Kindle? What are the alternatives?

I credit my enlightenment to @mwl when he in passing explained the reason for not selling through Amazon.

#Books #Kindle #Alternative