@da_667 Federal agencies and state governments legitimize Twitter by continuing to post important information to the platform. This includes cybersecurity companies like Microsoft Threat Intelligence who sometimes post exclusive CTI to their accounts. It's shameful and is a step back for society.
WIRED: Hackers Likely Stole FBI Call Logs From AT&T That Could Compromise Informants U.S. telecommunication company AT&T disclosed a data breach in July (presumably 2024) that exposed call and text messaging logs from six months in 2022... of almost all 100,000,000+ customers. This includes FBI special agents' interactions with sources connected to investigations (confidential informants, etc.) and has far reaching impacts.
WIRED reported in July that after the hackers attempted to extort AT&T, the company paid $370,000 in an attempt to have the data trove deleted. In December, US investigators charged and arrested a suspect who reportedly was behind the entity that threatened to leak the stolen data.
Trend Micro: Investigating A Web Shell Intrusion With Trend Micro™ Managed XDR Trend Micro provides a case study of a security incident in which an attacker's web shell, delivered to an unrestricted IIS worker process, led to the compromise of the customer's server, the deployment of multiple payloads, and the exfiltration of payment information. Indicators of compromise are provided.
@cR0w@catsalad@reverseics I found it in my notifications within the past 1 day. I was worried that I'd have to scroll back to the 31 December 2024 timeframe of notifications.
U.S. Department of State: Joint Statement on Cryptocurrency Thefts by the Democratic People’s Republic of Korea and Public-Private Collaboration A joint statement released by the United States of America, Japan, and the Republic of Korea blamed the Democratic People’s Republic of Korea (DPRK) for at least $659.13 million (USD) in cryptocurrency thefts. DPRK-affiliated APTs like the Lazarus group continue to conduct numerous cybercrime campaigns to steal cryptocurrency, targeting exchanges, digital asset custodians, and individual users.
Happy #ZeroDay from your friends at Fortinet: Authentication bypass in Node.js websocket module CVE-2024-55591 (CVSSv3.1: 9.8 critical) An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.
Please note that reports show this is being exploited in the wild.
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Merry Christmas from the goat: Vendor Verbiage is a list of common example messages used by software vendors to note that a vulnerability is publicly disclosed or exploited in the wild. This should come in handy when quickly scanning through security advisories on Patch Tuesday. Enjoy!
CVE-2024-12727 (9.8 critical) pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall
CVE-2024-12728 (9.8 critical) weak credentials vulnerability potentially allows privileged system access via SSH to Sophos Firewall
CVE-2024-12729 (8.8 high) post-auth code injection vulnerability in the User Portal allows authenticated users to execute code remotely in Sophos Firewall
Sophos has not observed these vulnerabilities to be exploited at this time.