Julian (@x64_julian)'s Twitter Profile
Julian

@x64_julian

ID: 16938137

Joined: 23-10-2008 23:02:14

306 Tweets

245 Followers

607 Following

Chris Sanders 🔎 🧠 (@chrissanders88)

I don't know who needs to hear this today but cyber security work is really hard. Even at the entry level, it's difficult work. People around you too easily forget that because of the curse of knowledge -- we can't remember what it was like to not know something we know.

vx-underground (@vxunderground)

One of the developers for Babuk ransomware group, a 17 year old person from Russia, has been diagnosed with Stage-4 Lung Cancer. He has decided to leak the ENTIRE Babuk source code for Windows, ESXI, NAS. You can download the Babuk source here: vx-underground[.]org/tmp/

Ami Luttwak (@amiluttwak)

gossi This is even more severe. The RCE is the simplest RCE you can ever imagine. Simply remove the auth header and you are root. remotely. on all machines. Is this really 2021?

Filescan.io (@filescan_itsec)

[UPDATE] Here's a new #maldoc trick that we haven't seen before. The base64 commandline of the powershell invoke (WMI) is stored as RTF in an "INKEDLib.InkEdit" control. The file ends up dropping #emotet. All network IOCs are extracted successfully: filescan.io/uploads/619e61…

vx-underground (@vxunderground)

LAPSUS$ isn't a ransomware group, so stop calling them a ransomware group. Ransomware groups use ransomware, hence the term "ransomware group". LAPSUS$ doesn't use ransomware. Stop calling LAPSUS$ a ransomware group.

Christopher Glyer (@cglyer)

The LAPSUS$ Group/DEV-0537 was not on my 2022 bingo card - given the impact of their activities Microsoft Threat Intelligence wanted to detail the unique blend of tradecraft. I've personally given dozens of threat briefings in the last few weeks. Here's a 🧵 with my highlights microsoft.com/security/blog/…

Tyler Hudak (@secshoggoth)

Everyone has their hot take on Okta and what is going on. I usually don't comment on these things, but why not. Here is my take on it based on similar IRs I have worked. THIS IS ALL CONJECTURE AND I HAVE NO INTERNAL KNOWLEDGE!

@1njection@infosec.exchange (@1njection)

Hot take: Lapsus didn’t get much at all from the Okta incident, so instead they spun it into a PR smear campaign by leaking a bunch of lame screencaps and infosec twitter played right into it with all this twitter outrage 🤷‍♂️

Stephen McNally (@smoothsec4u)

On a ransomware case, just found a service installed by the hacker with the name of "Who are you? However, it doesn’t matter. Nobody ever cares about you." Thanks. Right in the feels on a Friday morning.

Paul Melson (@pmelson)

One thing about cybersecurity that people new to the field should know going in is that there's no joy to be had in saying, "I told you so," in cases where you actually got to tell them so beforehand.

sysadafterdark (@sysadafterdark)

What do you mean "Hey you want to get out of here and install my root certificate authority on your laptop" isn't a good pickup line?

Steve Thomas - I'm at @stevethomas.bsky.social (@madvirtualizer)

Starting today, when a device that is not enrolled in Microsoft Defender for Endpoint is suspected of being compromised, as a SOC analyst, you will be able to “Contain” it. techcommunity.microsoft.com/t5/microsoft-d…

Florian Roth ⚡️ (@cyb3rops)

Cyber Trends 1/2022 📈

BUY
- Phishing with ISO/IMG attachments
- Rust malware
- eBPF rootkits
- Sliver agents
- abused legitimate RA software
- LotL LSASS dumps (eg via WerFault)

HOLD
- CobaltStrike

SELL
- VBA Macros
- Off-the-shelf process dumper

Stephan Berger (@malmoeb)

1/ In one ransomware case, the attackers started an EXE file that dropped the vulnerable GIGABYTE driver to C:\Windows\System\gdrv.sys. The TA used the vulnerable driver to load a malicious driver as a kernel driver, which hunted and killed Symantec processes. 🧵 #CyberSecurity

Ayush Anand (@securityinbits)

Quick dynamic analysis of latest #Qakbot infection chain:
- Uses html smuggling to drop pwd protected zip file with zip pwd mentioned in html file (e.g. 764).
- After extracting zip with pwd, it contains img file that auto-mounts when clicked

jameshoneycutt.net (@p0w3rchi3f)

Mick Douglas 🇺🇦🌻 I am teaching log parsing this week and have some techniques you can steal. github.com/P0w3rChi3f/Def… github.com/P0w3rChi3f/Get… github.com/P0w3rChi3f/Def… I don't know how quick they will be for you, but they can be modified. I hope it helps.

SpecterOps (@specterops)

Digging a bit into Windows performance and diagnostics, Steven was able to identify more WMI classes that could be used for lateral movement or persistence. Read more in his blog post. ghst.ly/43nQFG1

Bobby Cooke (@0xboku)

Discovered an execution lolbin a while ago and just submitted it to the lolbas-project! Using this tweet for the entry's reference section :)

GCHQ (@gchq)

CyberChef v10 is here! Explore the latest features of the cyber Swiss Army knife, developed by our very own software engineers ⬇️ github.com/gchq
