Fox-IT (@foxit) 's Twitter Profile
Fox-IT

@foxit

IT-Security company creating special security, intelligence and forensics solutions. Fox-IT is part of NCC Group.

ID: 16738794

Website: http://www.fox-it.com | Joined: 14-10-2008 14:42:28

1,1K Tweets

14,14K Followers

302 Following

Fox-IT (@foxit) 's Twitter Profile Photo

🌟 Dissect Task Board Now Live! 🌟 Dive into Dissect projects, select tasks, suggest features, and code with a global community. Let's innovate together! 🔗 Look under issues in each Dissect project, or use this filter (log in needed) github.com/issues?q=is%3A…


Check out our latest blog where we pluck the feathers off Android Malware Vultur's latest variants, revealing its most recent developments in masquerading malicious activity and how it maximises remote control over infected devices. blog.fox-it.com/2024/03/28/and…


🚀 Our open-source Dissect project now supports reading Fortinet firmware files! 🛡️ Easily mount, browse or dump FortiGate firmware files hassle-free with Dissect. No extra steps needed! #Dissect #Fortinet #FortiGate #Firmware github.com/fox-it/dissect…


This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. blog.fox-it.com/2024/04/25/sif…


Say hello to Dissect summer release V.3.15!
- Major rewrite of dissect core engine – cstruct v.4.0 is now released!
- Target tools usability improvements
- MPLog parser added to Windows Defender plugin
- Identification of Windows 11 improved
Release 3.15 · fox-it/dissect · GitHub


Check out our latest blog from our Red Team about EDR evasion through malware virtualisation: blog.fox-it.com/2024/09/25/red…


Hey cyber sleuths! Dissect open source just turned two, and we're not done celebrating. Surprise! Our Dissect add-on for Splunk is now also open sourced, making your Dissect records ingestion a breeze. Prepare to enhance your Splunk powers! 🥳 lnkd.in/g38ii8Et


Our SOC detected suspicious activity from 158.247.199[.]37 directed at FortiManager ports as early as May 2024. #threatintel #fortianalyzer #fortijump fortiguard.com/psirt/FG-IR-24…


Pivoting on the SimpleHTTP server on port 443 (but not TLS) and ASN 20473 we found servers that are likely related to the #FortiJump #FortiManager CVE-2024-47575 exploitation campaign that are not yet publicly mentioned. IOCs:

* 107.191.63[.]169
* 139.180.138[.]190
*


Some of these servers show similarities with known attacker infra, like hosting *.js files. We observed compromised FortiManager devices use cURL to retrieve such files, e.g. dom.js. Another server had a file named exp-7.2.6.py, which is also a valid FortiManager


Dissect release v3.17 - what's new?
🔹 Support for BitLocker and LUKS encrypted disks
🔹 Support for BSD Vinum volumes
🔹 A new MSSQL log parser
🔹 Retrieve installed Ubuntu Snap & Windows applications
🔹 Now possible to create aliases in target-shell
github.com/fox-it/dissect…


🔒 Great news for #DFIR folks! Dissect now supports both BitLocker & LUKS encrypted disks, making forensic analysis smoother and more comprehensive. Another step forward for digital forensics capabilities! Read more in this blog: blog.fox-it.com/2024/12/11/dec… #InfoSec #DigitalForensics


🧀 New blog: "Three Lazarus RATs Coming for Your Cheese" Read about PondRAT, ThemeForestRAT and RemotePE - three RATs we encountered during incident response involving the Lazarus group. Check the indicators and don't let them steal


๐—ก๐—ฒ๐˜„ ๐——๐—ถ๐˜€๐˜€๐—ฒ๐—ฐ๐˜ ๐—ฟ๐—ฒ๐—น๐—ฒ๐—ฎ๐˜€๐—ฒ ๐˜ƒ.๐Ÿฏ.๐Ÿฎ๐Ÿฌ.๐Ÿญ ๐—ถ๐˜€ ๐—ผ๐˜‚๐˜! Important: deprecation notice for Python 3.9, next Dissect version will support Python 3.10 and up - VMFS implementation rewritten from scratch - Mounting btrfs subvolumes with target-mount enabled - Performance

๐—ก๐—ฒ๐˜„ ๐——๐—ถ๐˜€๐˜€๐—ฒ๐—ฐ๐˜ ๐—ฟ๐—ฒ๐—น๐—ฒ๐—ฎ๐˜€๐—ฒ ๐˜ƒ.๐Ÿฏ.๐Ÿฎ๐Ÿฌ.๐Ÿญ ๐—ถ๐˜€ ๐—ผ๐˜‚๐˜!

Important: deprecation notice for Python 3.9, next Dissect version will support Python 3.10 and up

 - VMFS implementation rewritten from scratch
 - Mounting btrfs subvolumes with target-mount enabled
- Performance
Fox-IT (@foxit) 's Twitter Profile Photo

Sharing is caring! We've uploaded malware samples from our latest Lazarus research to VirusTotal (d86c51db1a0f3c6b71b1b62a766d6daa). This includes macOS, Linux and Windows samples used by this actor, such as custom screenshotters and keyloggers. See our blogpost for the hashes: