A step by step guide on how to feed the ACARS Drama Engine with the latest version of the adsb.im image!
https://mike-sheward.medium.com/feed-acars-drama-with-adsb-im-a-step-by-step-guide-a78983f6ed18
CVE-2025-5777 (Citrix Netscaler vuln) has been under active exploitation since mid June, with people dumping memory and using this to try to access sessions.
TTPs to hunt for:
- In Netscaler logs, repeated POST requests to *doAuthentication* - each one yields 126 bytes of RAM
- In Netscaler logs, requests to doAuthentication.do with "Content-Length: 5"
- In Netscaler user logs, lines with *LOGOFF* and user = "*#*" (i.e. # symbol in the username). RAM is played into the wrong field.
Horizon3 have a good write-up here; I don't think they were aware this has already been exploited for almost a month: https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
Worth noting I was only able to find exploitation activity due to the WatchTowr and Horizon3 write-ups - Citrix support wouldn't disclose any IOCs and incorrectly claimed (again - happened with CitrixBleed) that there was no exploitation in the wild. Citrix have gotta get better at this, they're harming customers.
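As an added example that is not part of the post or of any NetScaler tooling, a small Python hunt over constructed log lines for the three indicators listed above (repeated short POSTs to doAuthentication.do, and LOGOFF lines with a # in the username). The log line layout is an assumption; the regexes would need adapting to a real NetScaler export.

```python
import re
from collections import Counter

# Constructed sample lines for illustration only. The field layout is an
# assumption, not real NetScaler syslog; adapt the regexes to your export.
ACCESS_LOG = """\
2025-07-01T10:00:01Z src=203.0.113.5 POST /p/u/doAuthentication.do Content-Length: 5
2025-07-01T10:00:02Z src=203.0.113.5 POST /p/u/doAuthentication.do Content-Length: 5
2025-07-01T10:00:03Z src=203.0.113.5 POST /p/u/doAuthentication.do Content-Length: 5
2025-07-01T10:00:04Z src=198.51.100.7 POST /p/u/doAuthentication.do Content-Length: 187
2025-07-01T10:00:05Z src=198.51.100.7 GET /vpn/index.html Content-Length: 0
"""

USER_LOG = """\
2025-07-01T10:00:06Z SSLVPN LOGIN user = "alice" src=198.51.100.7
2025-07-01T10:00:07Z SSLVPN LOGOFF user = "#q\\x00\\x7f" src=203.0.113.5
2025-07-01T10:00:08Z SSLVPN LOGOFF user = "alice" src=198.51.100.7
"""

DOAUTH_RE = re.compile(
    r'src=(?P<src>\S+) POST \S*doAuthentication\.do Content-Length: (?P<len>\d+)')
LOGOFF_RE = re.compile(r'LOGOFF user = "(?P<user>[^"]*)"')


def repeated_short_doauth_posts(log: str, min_hits: int = 2) -> dict:
    """Return {source: count} for sources sending >= min_hits POSTs to
    doAuthentication.do with Content-Length: 5. Each such request yields
    ~126 bytes of memory per the post, so a source repeating it is the
    signal; a lone request is more likely noise."""
    hits = Counter()
    for line in log.splitlines():
        m = DOAUTH_RE.search(line)
        if m and m.group("len") == "5":
            hits[m.group("src")] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


def logoff_with_hash_user(log: str) -> list:
    """Return LOGOFF lines whose username contains '#': leaked memory
    landing in the user field, as described in the post."""
    return [line for line in log.splitlines()
            if (m := LOGOFF_RE.search(line)) and "#" in m.group("user")]


if __name__ == "__main__":
    print(repeated_short_doauth_posts(ACCESS_LOG))
    print(logoff_with_hash_user(USER_LOG))
```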
Fortinet has a write-up on a Windows infostealer called NordDragonScan. IOCs in the post.
https://www.fortinet.com/blog/threat-research/norddragonscan-quiet-data-harvester-on-windows
Would you like to see something astonishing?
Recently, a friend gave me a gift that she had been working on for almost a year. It was initially a gift for my 40th, but it took longer to make than she anticipated (BIG UNDERSTATEMENT).
It is - I cannot stress this enough - the coolest and most incredible thing I have ever owned, and I am moved beyond words that someone would put the time in to create something this awesome. For me (!!!).
Here is the London Underground Map... in cross stitch.
I've published my scan in progress of CVE-2025-5777 patching status, listing IPs, hostnames, Citrix Netscaler build numbers and if they're vulnerable to CitrixBleed2.
The scan isn't finished yet so these are only about a quarter of the results - unfortunately my coding skills are shite and it's really slow - should be finished over weekend or early next week.
Also, the SSL certificate hostnames are separated by comma which throws out CSV - sorry, I'll fix that later.
Just saw a software developer coding in a cafe
-NO Cursor
-NO Windsurf
-NO DeepSeek
-NO ChatGPT
-NO Google
He just sat there typing code manually in vim on his rusty Thinkpad and reading man pages on Arch Linux
What a psychopath 🫣
"How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets"
GitHub Archive logs every public commit, even the ones developers try to delete. Force pushes often cover up mistakes like leaked credentials by rewriting Git history. GitHub keeps these dangling commits, from what we can tell, forever. In the archive, they show up as “zero-commit” PushEvents.
Scattered Spider hackers shift focus to aviation, transportation firms
If you work in aviation or transportation, LISTEN
ACTION ITEMS:
NOTE: Chisel is encrypted, so you need to be doing full SSL inspection (TLSI) to effectively detect and block the app.
Additional Resources:
Please don't let this fuck up your 4th.
#ScatteredSpider #UNC3944 #Chisel #ChiselMalware #ThreatIntel #CyberSecurity
If you see this GitHub PoC for CVE-2025-5777 doing the rounds:
https://github.com/mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-
It’s not for CVE-2025-5777. It’s AI-generated. The links in the README still have ChatGPT UTM sources.
The PoC itself is for a vuln addressed in 2023 - ChatGPT has hallucinated (made up) the cause of the vuln using an old BishopFox write-up of the other vuln.