34 Followers
46 Following
24 Posts
Senior Intern at Shadowserver Foundation | Threat intel | Malware | Pentesting | Malpedia Contributor | VXUnderground Volunteer

“Sometime in 2012, various media outlets and research groups began referring to TA 402 as a Palestinian-sponsored threat actor. Some researchers have pointed to the fact that the C2 infrastructure involved in some of the earliest attacks executed by TA 402 resides on servers based in the West Bank. However, the nature of the region’s geopolitics prohibits Palestine from exercising sovereignty over any internet infrastructure within its territory. The servers in question don’t belong to any Palestinian entities.”

https://d33pdiv3r.com/2023/04/24/cutting-through-the-fog-of-cyberwar-a-deep-dive-into-ta-402/

Cutting Through the Fog of Cyberwar: A Deep Dive Into TA402

DEEP DIVER - Cybersecurity Blog
Exposing TrickBot's Bitzlato Cryptocurrency Exchange - An OSINT Analysis

Just came across this and I've decided to elaborate and offer actionable intelligence on the whereabouts of TrickBot's Bitzlato cryptocurrency exchange.

Company name: Bitzlato Limited
Company owner: Anatoly Legkodymov

Company URLs:
hxxp://bitzlato.com - 103.41.71.252
hxxp://bitzlato.net - 103.41.71.252; 104.21.64.203; 104.24.117.5; 172.67.136.54; 104.24.116.5; 154.92.19.56; 107.161.23.204; 192.161.187.200; 209.141.38.71
hxxp://bitzla.to
hxxp://bitzlato.bz
hxxp://changebot.info

Sample company social media account presence:
hxxp://t.me/bitzlato
hxxp://www.reddit.com/r/Bitzlato/
hxxp://facebook.com/bitzlato
hxxp://instagram.com/bitzlato
hxxp://t.me/s/bitzlato_ru

Sample personally identifiable email address accounts known to have been involved in the campaign: (the addresses appear only as "[email protected]" in this copy and cannot be recovered)

Related domains known to have been registered by the same individuals:
hxxp://fineeps.com
hxxp://btcbanker.info - (registrant email obfuscated in this copy)
hxxp://btcbanker.org - (registrant emails obfuscated in this copy)
hxxp://changebot.org
hxxp://changebot.info
hxxp://maccounter.com

Sample Maltego graphs related to the company: (images not included in this copy)

Sample responding IPs known to have been involved in the campaign: (the list is run together without separators in this copy and cannot be reliably recovered)

Sample photos of the individuals behind the campaign: (images not included in this copy)

Sample related MD5s known to have phoned back to these domains:
7a6f2d84c3eb8db4d91ce07ea3ac9772
bd5fea06fe2c762f0077cba876ed4b13
994ecf65c45d64965191445dcd5408ea
b1cd5b8a99a7073968da5cd14036ea4b
7c074a18640479cc1073f56dedd3b779
4ffd7d3c1605f3660cd2d5c480b55dcc
d14461d2642994a3ef194c6f1c4d542d
48bc8d6ccbf16f18a3e4ef0d61739ca5
fd5541baaabab71fa71762c8490205db
c16af038a5243923593845f922b501ee
411cfd693f38f0b39d5689e48b5b7ec4
d660ba95a1ec6d842d8fcc1b116994a7
2e12c3bf63facebb6e4fac6e2b0ee715
de2127d4ace510b1a188158d3588fabc
d29544e4e66e74468d38f667603a55da
657cd10b5ec999e615b9a7b920f32441
3305706d89aa2ef1e0a03f381f94c78c
00b11b2bd5b400d73ee010c876bd77cc
68130f4b25cfa991c20f73b508a795a7
a81b54d04fb7b39d3fb663aae43dee4a
c64edf4e3c7fa154fe85eb3dd69e99a5
61dcfae16e24a4f5360527b2137f8925
75a2a61d9822fcf3b41b43a2a9b2bfa2
bc7b723aa57180b404e6bc9b36d18337
2164f91e3aad0cc69015d0ba9e33d6cd
cf7595c48161c2858566e64008ef9ae9
a9c93131325212be8fc88c6b8cb9b83a
32c7c39875b2861d79fec1851a067f6a
78e72c1ca6d4c2c0e4bb9be957d6a830
2ddd0c24d3c51f28482c5211f9c90074
ad01f17ebf40b4d66598fb30be1a84a5
f3fdda301b8bed285b6b2c966d68c463

The domains are currently seized and sinkholed by the ShadowServer Foundation. Stay tuned!

Security Boulevard

Over the weekend we picked up exploitation attempts for CVE-2022-47986 (unauthenticated RCE) in IBM Aspera Faspex, a file exchange application. IBM issued a patch on Feb 2 addressing this & other vulnerabilities: https://ibm.com/support/pages/node/6952319

Exploit code is public, make sure to update!

We will be sharing out IP data on exposed IBM Aspera Faspex interfaces starting tomorrow in our Device Identification report: https://shadowserver.org/what-we-do/network-reporting/device-identification-report/

EDIT: Looking back at our sensor dataset, attempts started Feb 3rd, shortly after exploit code was published. Some continued into Feb 4th before restarting on Feb 11th.

Security Bulletin: IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068)

This Security Bulletin addresses security vulnerabilities that have been remediated in IBM Aspera Faspex 4.4.2 PL2.

I’ve just overwritten data that took me months to generate on an Ubuntu VM. I’ve found a resource that walks through file recovery by unmounting the directory and using “debugfs” and “lsdel” commands to recover the last overwritten files and dumping the desired files from the allocated memory blocks because they likely haven’t been overwritten with data. However, I’m unsure if this works with a VM. Here goes nothing…
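The recovery flow sketched in the post above (unmount, debugfs, lsdel, dump the inode's blocks) as an added shell example; it is not from the post or from any tool the post refers to, and the device path, output directory and the lsdel output it parses are constructed for illustration. The script wraps `debugfs -R` so the steps run non-interactively: it lists deleted inodes, keeps only those whose freed blocks are all still unallocated (the free/total column), and dumps each one by inode number. Two caveats a practitioner should know before relying on it: lsdel only sees inodes that were deleted, not files whose contents were overwritten in place, and on ext4 (the Ubuntu default) the kernel clears the inode's extent information on unlink, so lsdel usually reports nothing and block-level carving (photorec, for instance) is the fallback. Inside a VM the virtual disk is an ordinary block device to the guest, so the procedure is the same, but the filesystem must be unmounted (boot a live ISO or attach the disk to a second VM) and the output directory must sit on a different filesystem, or the dump itself overwrites the blocks you are trying to save.

```shell
#!/bin/sh
# Added example: non-interactive ext2/3/4 deleted-file recovery with debugfs.
# Not from the original post; the device path, output dir and sample data
# below are constructed for illustration.

# Constructed sample of `debugfs -R lsdel <device>` output (not real data),
# in the column layout e2fsprogs' lsdel prints: inode, owner, mode, size,
# free/total blocks, deletion time.
SAMPLE_LSDEL=' Inode  Owner  Mode    Size      Blocks   Time deleted
 13107   1000 100644 5242880   1280/  1280 Mon Apr 24 10:15:02 2023
 13108   1000 100644    4096      0/     1 Mon Apr 24 10:15:02 2023
 13109   1000 100644  819200    200/   200 Sun Apr 23 22:01:40 2023
3 deleted inodes found.'

# lsdel_candidates MIN_BYTES
# Reads lsdel output on stdin and prints "inode size blocks" for entries
# whose freed blocks are all still unallocated (free == total) and whose
# size is at least MIN_BYTES. Partially reallocated inodes are skipped:
# their dump would mix old data with whatever has since reused the blocks.
lsdel_candidates() {
  awk -v min="${1:-0}" '
    { gsub(/\/ +/, "/") }                          # "1280/  1280" -> "1280/1280"
    /^ *Inode +Owner/ || /deleted inodes found/ { next }
    NF >= 5 {
      split($5, blk, "/")
      if (blk[1] == blk[2] && $4 + 0 >= min)
        printf "%s %s %s\n", $1, $4, blk[2]
    }'
}

# dump_commands DEVICE OUTDIR
# Reads candidate lines on stdin and prints the debugfs command that dumps
# each inode by number ("<ino>" is debugfs syntax for an inode, not a path).
dump_commands() {
  while read -r ino size blocks; do
    printf "debugfs -R 'dump <%s> %s/inode_%s' %s\n" "$ino" "$2" "$ino" "$1"
  done
}

# recover DEVICE OUTDIR [MIN_BYTES]
# DEVICE must be unmounted and OUTDIR must live on a different filesystem;
# otherwise writing the dumps can overwrite the very blocks being recovered.
recover() {
  dev="$1"; out="$2"; min="${3:-0}"
  mkdir -p "$out"
  debugfs -R lsdel "$dev" 2>/dev/null | lsdel_candidates "$min" |
  while read -r ino size blocks; do
    echo "inode $ino: $size bytes, $blocks blocks still free -> $out/inode_$ino"
    debugfs -R "dump <$ino> $out/inode_$ino" "$dev"
  done
}

# Usage (as root): sh recover.sh /dev/vdb1 /mnt/usb/recovered 1000000
# Only acts when a device path is given, so sourcing the file is harmless.
case "${1:-}" in
  /dev/*) recover "$@" ;;
esac
```

The minimum-size filter is there because lsdel on a busy filesystem returns hundreds of small transient files; raising it to roughly the size of the lost dataset narrows the candidates to the inodes worth dumping and inspecting with `file` or `head`.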
2nd term of Russian language is like 2nd year Spanish without the vocabulary… if that doesn’t make any sense then welcome to the клубе.
Stealing passwords from infosec Mastodon - without bypassing CSP

The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose

PortSwigger Research

The #BigotedBillionaire suspended the account that tracks his private jet ~3 hours ago; that account has moved to Mastodon

#TwitterMigration FTW

https://mastodon.social/@elonjet