Friendly reminder that you should be blocking all newly registered domains for your end users. Free lists like the NRD (https://github.com/xRuffKez/NRD) exist. Microsoft Defender for Endpoint also has a built in list you can enable via policy.

IMO everyone should do 365 days but even 30 or 90 will save you so much headache.
#DNS #ThreatIntel #FastFlux

I'm a sucker for behavior-based investigations, especially for stuff off the beaten path, so I love the insights we were able to come up with on this one. @DomainTools Investigations researchers found exposed criminal infrastructure and went down a rabbit hole.

#threatintel #infosec #cybersecurity

https://dti.domaintools.com/proton66-where-to-find-aspiring-hackers/

Quite a big dump of UK PII via RoyalMail via Spectos
https://www.infostealers.com/article/royal-mail-group-loses-144gb-to-infostealers-same-samsung-hacker-same-2021-infostealer-log/

Malware Is Evolving — And So Are the Languages It’s Written In — A new study highlights a growing tactic among malware developers: coding in uncommon languages to evade detection.

Key takeaways:
Obscure languages like Lisp, Rust, Haskell, Delphi, and Phix are harder for static analysis tools to parse.
These languages often produce fragmented memory layouts and more indirect execution paths, complicating reverse engineering.
Even the choice of compiler — like Tiny C or Embarcadero Delphi — impacts how easily malware can be flagged.
APTs (Advanced Persistent Threats) are increasingly adopting these strategies to fly under the radar.

Security teams must broaden their detection capabilities and adapt tooling for these underrepresented programming environments.

#CyberSecurity #ThreatIntel #MalwareAnalysis #Infosec #Programming #ReverseEngineering #security #privacy #cloud #infosec

https://www.theregister.com/2025/03/29/malware_obscure_languages/

Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.

Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.

One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.

Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.

Block these:

user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa

Last week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed him to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. It's legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens.

Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies.

Here are a few samples of the domains:

- reag-br[.]com Lookalike for Reag Capital Holdings, Brazil.
- creo--ia[.]com Lookalike for an industrial fabrication firm in WA State.
- admiralsmetal[.]com Lookalike for US based metals provider.
- ustructuressinc[.]com Lookalike Colorado based Heavy Civil Contractor.
- elisontechnologies[.]com Typosquat for Ellison Technologies machine fabrication.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #phishing #malware #scam #dod

(sophos.com) Evilginx: How Attackers Bypass MFA Through Adversary-in-the-Middle Attacks https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/

A short descriptive article about Evilginx and how stealing credentials work, a few suggested ways of detecting etc.

Summary:
This article examines Evilginx, a tool that leverages the legitimate nginx web server to conduct Adversary-in-the-Middle (AitM) attacks that can bypass multifactor authentication (MFA). The tool works by proxying web traffic through malicious sites that mimic legitimate services like Microsoft 365, capturing not only usernames and passwords but also session tokens. The article demonstrates how Evilginx operates, showing how attackers can gain full access to a user's account even when protected by MFA. It provides detection methods through Azure/Microsoft 365 logs and suggests both preemptive and reactive mitigations, emphasizing the need to move toward phishing-resistant FIDO2-based authentication methods.

So this is what I was dancing about last night - DomainTools Investigations researchers uncovered nearly 900 connected domains spoofing defense and aerospace firms involved in the Ukraine conflict.

#infosec #cybersecurity #threatintel

https://dti.domaintools.com/phishing-campaign-targets-defense-and-aerospace-firms-linked-to-ukraine-conflict/?utm_source=Mastodon&utm_medium=Social&utm_campaign=PhishingInfra-UAConflict

Somebody is claiming to have exfiltrated 6 million lines of data with Oracle Cloud’s SSO and LDAP that includes JKS files, encrypted SSO passwords, key files and enterprise manager JPS keys from servers on login.*.oraclecloud.com

The poster has no prior reputation, it is unclear if they're LARPing. Some of the sample data does align with prior infostealer logs, I'm told. https://breachforums.st/Thread-SELLING-Oracle-cloud-traditional-hacked-login-X-oraclecloud-com

Last week, we discussed the riskiest TLDs of March. Our reputation algorithm is generic, meaning it can be applied to virtually *any* type of data (read more here: https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/). This time, we'll take a look at the riskiest mail servers we've identified this month. Top of the list? all-harmless[.]domains -- the irony isn't lost on anyone.

These mail servers attract phishing actors like honey does flies -- serving such lovely domains as bbva-web-soporte[.]com and kutxabank-movil-app[.]com. Additionally, we've identified one FunNull / Polyfill domain (69558[.]vip) using both baidu[.]com and shifen[.]com mail servers.

Blacklock ransomware group aka El Dorado aka Dragon Force appear to have been hacked. Or should I say free pentest. #threatintel

New On Location Coverage with Sean & Marco on ITSPmagazine

Cybersecurity in #Italy : A Niche Topic No More...

Not too long ago, if you mentioned #cybersecurity in Italy, you’d get a lot of blank stares. Today, it’s everywhere—boardrooms, government agencies, and, of course, #ITASEC, Italy’s official cybersecurity conference.

This year, #ITASEC2025 took over Bologna, bringing together researchers, policymakers, and industry leaders to discuss what’s next for digital security. AI security, regulatory shifts, #cybereducation — yes, even the Digital Operational Resilience Act (#DORA) that’s reshaping financial sector security—were all on the table.

Unfortunately I wasn’t in Italy at the time of the event, but that didn’t stop me from having a fascinating conversation with Professor Alessandro Armando, one of the key organizers and a leading voice in cybersecurity research. In this latest On Location episode. Of course, Sean Martin joined me and we spoke about:

How cybersecurity went from an afterthought to a national priority in Italy

Why companies are (finally) realizing that #security is an #investment, not just a cost

The rise of Cyber Challenge IT—Italy’s initiative to build the next generation of cybersecurity experts

And, of course, the big reveal… ITASEC 2026 is heading to Sardinia!

Watch the Full Video: https://youtu.be/NsdkYAYZANc

Listen to the Full Podcast: https://eventcoveragepodcast.com/episodes/cybersecurity-in-italy-itasec-2025-recap-future-outlook-with-professor-alessandro-armando-on-location-coverage-with-sean-martin-and-marco-ciappelli

Subscribe to On Location Podcast: https://eventcoveragepodcast.com

Cybersecurity isn’t just about stopping threats—it’s about shaping the future of how we live, work, and trust #technology.

What’s your take? Are we heading in the right direction, or are we still playing catch-up?

#InfoSec, #CyberRisk, #AIsecurity, #CyberThreats, #CyberEducation, #CyberWorkforce, #ThreatIntel, #EthicalHacking, #PenTesting, #RiskManagement, #CyberResilience, #DataProtection, #DigitalSecurity, #CyberLaw, #TechnologyNews, #OnLocationPodcast

Sekoia: https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/

A few days ago Brian Krebs wrote about ClickFix, and now Sekoia has written a technical deep dive of said malicious framework.

In the Sekoia report they analyze the evolution of ClearFake, a malicious JavaScript framework that compromises legitimate websites to deliver malware through drive-by downloads. Since its emergence in July 2023, ClearFake has evolved from displaying fake browser updates to using sophisticated social engineering tactics called 'ClickFix' that trick users into executing malicious PowerShell code. The latest variant (December 2024-February 2025) uses fake reCAPTCHA or Cloudflare Turnstile verifications alongside technical issues to deceive users. ClearFake leverages the Binance Smart Chain through a technique called 'EtherHiding' to store malicious code, making it impossible to remove. The framework has infected thousands of websites and is actively distributing Lumma Stealer and Vidar Stealer malware.

https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/

@briankrebs
@sekoia_io

I just published the source code for my very naive #Python implementation for generating a node network based on MITRE Intrusion Sets and Techniques. It will output linked #Markdown files linking intrusion sets to their used techniques.

Perhaps someone finds it useful or interesting to experiment with.

Source code: https://github.com/cstromblad/markdown_node

I hinted at this in a thread started by @Viss where he asked for input on a few very likely malicious domains. Me @Viss @cR0w @neurovagrant and others did some OSINT fun work with a couple of the original domains.

It was this thread: https://mastodon.social/@Viss/114145122623079635

Now I posted a picture of a node network rendered in Obsidian and I hinted that perhaps Obsidian could be used as a poor mans version of performing threat intelligence work.

The free service from portmap.io is being abused to support malware C2 communications. If you don’t use it, I suggest blocking *.portmap.io via DNS, NGFW and/or web proxy.

#cybersecurity #threatintel

From: @ScumBots
https://infosec.exchange/@ScumBots/114167879065509347

Threat actors often have their favorite TLDs. This month we've found the following TLDs to have the highest risk. The top 5 retain their spot from last month, with the TLD .bond topping the chart with a risk score of 10. This is rare and only happens when the percentage of risky domains is at least 4.5 standard deviations above the mean. Congratulations, I guess?

An explanation and minimum-working-example of our reputation algorithm can be found here: https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/

These have all been shut down. #noname #threatintel https://cyberplace.social/@GossiTheDog/113596971515491145