π™½π™΄πšƒπšπ™΄πš‚π™΄π™²

@netresec@infosec.exchange
1,097 Followers
534 Following
295 Posts
@malware_traffic Nice, more #rsockstun 🤘 Thanks for sharing!
@malware_traffic Oh là là, this looks like #rsockstun. That's something you don't see being used in the wild every day!

As part of the investigation, I have looked closely at Telegram's protocol and analyzed packet captures provided by IStories.

I have also done some packet captures of my own.

I dive into the nitty-gritty technical details of what I found and how I found it on my blog:

Telegram is indistinguishable from an FSB honeypot
https://rys.io/en/179.html

Yes, my packet captures and a small Python library I wrote in the process are all published along.

#Telegram #InfoSec #Privacy #Surveillance #Russia

Telegram is indistinguishable from an FSB honeypot

Many people who focus on information security, including myself, have long considered Telegram suspicious and untrustworthy. Now, based on findings published by the investigative journalism outlet ISt

Songs on the Security of Networks
Signed malicious ConnectWise ScreenConnect installers hosted on Cloudflare R2 storage (by @lawrenceabrams)
https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-into-malware-using-authenticode-stuffing/
Hackers turn ScreenConnect into malware using Authenticode stuffing

Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature.

BleepingComputer
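The "Authenticode stuffing" trick in the linked article works because the Authenticode hash of a PE file deliberately excludes the certificate table (IMAGE_DIRECTORY_ENTRY_SECURITY), so bytes placed inside that table, for example as an unauthenticated PKCS#7 attribute, leave the signature valid. The script below is an added example (not code from the page, from ConnectWise or from BleepingComputer) that carves the certificate table out of a PE with only the standard library and lists readable URL or key=value strings found inside it. The minimal PE it builds and the config string it hides are constructed for the demo; real ScreenConnect installers are not parsed here, and the exact field names ScreenConnect uses are not assumed.

```python
"""Carve the Authenticode certificate table out of a PE file and look for
readable configuration strings hidden inside it.

Added example, not code from the page or from ConnectWise/BleepingComputer.
The sample PE and the hidden config string are constructed below for the demo.
"""
import re
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def carve_certificate_table(pe: bytes) -> bytes:
    """Return the raw certificate table of a PE image, or b'' if it has none."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt_hdr = e_lfanew + 4 + 20                      # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    # Data directories start 96 bytes (PE32) or 112 bytes (PE32+) into the optional header
    dirs = opt_hdr + (96 if magic == 0x10B else 112)
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", pe, entry)  # for this entry the VA field is a raw file offset
    if size == 0:
        return b""
    return pe[offset:offset + size]


def iter_win_certificates(table: bytes):
    """Yield (revision, cert_type, payload) for each WIN_CERTIFICATE entry (entries are 8-byte aligned)."""
    pos = 0
    while pos + 8 <= len(table):
        length, revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            break
        yield revision, cert_type, table[pos + 8:pos + length]
        pos += (length + 7) & ~7


ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")          # printable ASCII runs
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")  # printable UTF-16LE runs
MARKERS = ("://", "&", "=")                           # hallmarks of a URL or key=value config blob


def find_stuffed_config(pe: bytes) -> list:
    """Return readable URL/config-like strings found inside the PKCS#7 signature blob(s)."""
    hits = []
    for _revision, cert_type, payload in iter_win_certificates(carve_certificate_table(pe)):
        if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            continue
        for m in ASCII_RUN.finditer(payload):
            s = m.group().decode("ascii")
            if any(k in s for k in MARKERS):
                hits.append(s)
        for m in UTF16_RUN.finditer(payload):
            s = m.group().decode("utf-16-le")
            if any(k in s for k in MARKERS):
                hits.append(s)
    return hits


def build_sample_pe(stuffed: bytes) -> bytes:
    """Construct a minimal, non-executable PE32 image whose certificate table carries `stuffed`.

    Constructed sample: the PKCS#7 payload is a fake container, not real DER."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96 + 16 * 8, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94        # PE32 magic, remaining fields zeroed
    table_offset = e_lfanew + 4 + 20 + 96 + 16 * 8
    fake_pkcs7 = b"\x30\x82\x01\x00" + b"\0" * 40 + stuffed + b"\0" * 8
    win_cert = struct.pack("<IHH", 8 + len(fake_pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_pkcs7
    win_cert += b"\0" * (-len(win_cert) % 8)           # pad entry to 8-byte alignment
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, table_offset, len(win_cert))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + win_cert


if __name__ == "__main__":
    # Constructed config string; ScreenConnect's real parameter names are not assumed here
    sample = build_sample_pe(b"url=https://c2.example.invalid/relay&port=8041")
    for hit in find_stuffed_config(sample):
        print("config-like string inside signature:", hit)
```

Caveat when running this on real binaries: the embedded X.509 certificates legitimately contain CRL and AIA URLs, so expect a few hits from the CA chain on every signed file. Compare the output against a known-clean copy of the same installer, or filter the CA's own URLs, and treat anything that looks like a host, port or key=value pair as the interesting part.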
@kolya The main issue isn't about liability, but rather about unwillingness to take action against malicious actors using their services for illegal activities. Also, Cloudflare is much more than just a transit provider. They also run nameservers for entire botnets and C2 infrastructures.
https://infosec.exchange/@netresec/114743583440776224
π™½π™΄πšƒπšπ™΄πš‚π™΄π™² (@netresec@infosec.exchange)

@daniel@federation.network But Cloudflare do run the nameservers for many malware/botnet domains. They also forward TCP traffic to command-and-control servers from infected computers. So it's not so much about the hosted content, but rather the service they provide.

Infosec Exchange
@kolya Then let's keep the debate going! Giving up just because nothing has changed doesn't help.
@0xabad1dea @catsalad That's terrible, but in line with how Cloudflare handled the Kiwi Farms incident as well. Good that they took action and punished Cloudflare where it hurts (in the wallet).
@daniel But Cloudflare do run the nameservers for many malware/botnet domains. They also forward TCP traffic to command-and-control servers from infected computers. So it's not so much about the hosted content, but rather the service they provide.
@kolya Yes, email would be much better. The problem is knowing WHERE to email an abuse complaint to CloudFlare unless you actually know someone who works at Cloudflare's security team.