Crocodyli

@crocodylii

Followers
1,679
Following
1,101
Media
114
Statuses
645

Threat Intelligence Specialist, Digital Forensics and Incident Response. I'm a speaker, teacher and a few other things... In a constant learning loop.

127.0.0.1
Joined July 2022
Pinned Tweet
@crocodylii
Crocodyli
6 months
I updated the repository of TTPs and threat actors, now we will not only have evidence or ttps of ransomware groups, but also of other types of groups and actors. I'm trying to keep up to date.
2
13
49
@crocodylii
Crocodyli
6 months
Returning to work after a period of rest. Ransomware Hunters International group server host identified. Your .onion website is hosted at 193.106.175[.]48 (Russia)
Tweet media one
5
38
290
@crocodylii
Crocodyli
10 months
The reverse IP address of the Meow server used for the data leak (onion: http://meow6xanhzfci2gbkn3lmbqq7xjjufskkdfocqdngt3ltvzgqpsg5mid[.]onion/) is the IP address: 62.122.184[.]83
Tweet media one
4
7
46
@crocodylii
Crocodyli
1 year
Lockbit is hiring a tester to test the software (products) they develop. The focus is on fixing possible bugs. Payment of 1k dollars. @malwrhunterteam @vxunderground @Gi7w0rm @D4RKR4BB1T47
Tweet media one
10
10
37
@crocodylii
Crocodyli
1 year
New Stealer being marketed in the dark. Interesting that for marketing they put a "free trial". The subscription price is 150$ monthly, cheaper than Eternity's Stealer, which costs 300$. #stealer #malware #mysticstealer #stealer #infosteal
Tweet media one
6
6
32
@crocodylii
Crocodyli
11 months
New activity from IP addresses exploiting the Atlassian vulnerability (CVE-2023-22518) according to @GreyNoiseIO Address list: 87.249.138[.]203 45.94.211[.]81 45.135.232[.]69 103.73.67[.]95 193.176.179[.]41 193.43.72[.]11
Tweet media one
1
4
30
@crocodylii
Crocodyli
1 year
@vxunderground Using HMAC-Sha 128 and AES 128. Via @FalconFeedsio
Tweet media one
1
1
29
@crocodylii
Crocodyli
5 months
A new group emerged known as "Apos" and reportedly claimed 4 companies. 2 Brazilians, 1 French and 1 Indian. The curious fact is that they are using Notion for the blog.
Tweet media one
2
3
24
@crocodylii
Crocodyli
11 months
I'm going to post a series that may help (or not) CTI researchers to track down possible servers for Ransomware operations, it's for educational purposes ok? The focus is on the Ransomware INC group. #1
1
2
20
@crocodylii
Crocodyli
1 year
The initial access broker "Br0k3r" announced the sale of access to a Hospital with revenue of $3B with approximately 2,600 users and 1,600 computers. This broker came about mid-July 17, 2023 and advertised other companies. @noexceptcpp @BruteBee @Iam4ndr3y
Tweet media one
3
7
20
@crocodylii
Crocodyli
9 months
Don't Believe Your Eyes - A WhatsApp Clickjacking Vulnerability - Security Is Broken
0
8
18
@crocodylii
Crocodyli
1 year
Some two commands used by ransomware to interrupt services and operation of operating systems. I would like to contribute... Exclude all shadow copies stored in the VSS service vssadmin.exe delete shadows /all /quiet
10
5
20
@crocodylii
Crocodyli
6 months
The server in question is probably using SSH-2.0-OpenSSH_7.9p1 and RDP. Including vulnerabilities.
Tweet media one
Tweet media two
1
0
19
@crocodylii
Crocodyli
6 months
Hosting a cpanel, webmail... and so on. Vulnerable server? I don't know. I didn't perform the tests. Just sharing.
Tweet media one
2
0
19
@crocodylii
Crocodyli
7 months
The “backup” server infrastructure using the backup server favicon is no longer online at IP: 5[.]182.5.126. Are you rebuilding your infrastructure? @fofabot FOFA= icon_hash="-1776106944"
Tweet media one
3
8
17
@crocodylii
Crocodyli
4 months
I know it's not much, but I added two more groups to the repository, APT73 and DoNex. There are still a few more to go up, in my free time I'm uploading everything and keeping it organized. Anyone who wants to contribute, talk to me.
0
1
16
@crocodylii
Crocodyli
5 months
Basically with the vast majority in Russia and one in the United States.
Tweet media one
1
1
15
@crocodylii
Crocodyli
1 year
Analyzing the builder of version 4 of Brata Rat, I realized that version 5 is already in sales announcements... promises that in this new version there are functions for iOS, in addition to Android... #rat #malware #trojan #android #bratarat
Tweet media one
2
2
13
@crocodylii
Crocodyli
5 months
Other domains were identified hosted on that server using "younglving[.]co[.]uk" but with the aim of SSH connections with SSH-2.0-OpenSSH_8.2p1 in operation.
Tweet media one
1
0
15
@crocodylii
Crocodyli
7 months
Interestingly, the number of times that the user (affiliate) possibly used to compile the types of LockBit variants. Interestingly, specific affiliates still use LB Red (2.0). #lockbit
Tweet media one
1
2
13
@crocodylii
Crocodyli
11 months
Ransomware INC operators use free React admin template provider Horizon UI. If we perform a search on Shodan with this favicon it returns some addresses. If you scan directories on these IPs, some match the INC directories in use... interesting...
0
2
14
@crocodylii
Crocodyli
5 months
In addition, @RakeshKrish12 published a post in January about Hunters referencing more details about the domain used, including some details about email addresses collected during his research.
@RakeshKrish12
RAKESH KRISHNAN
8 months
#HuntersInternational #Ransomware Group identity exposed! huntersinternational[.]org IP: 193.106.175.48 Location:🇷🇺 Hosting: IQ HOST AS50465 Reg: NICENIC Threat Actor Mail: oyewolelawrence @gmail .com #OSINT #security #infosec #malware #darkweb #TOR
Tweet media one
1
12
38
2
0
13
@crocodylii
Crocodyli
1 year
Remote code execution on more than 3 million assets... If we filter further, 32 thousand in Brazil alone... However, the USA and Russia won... Ref: CVE-2023-42115
Tweet media one
0
4
13
@crocodylii
Crocodyli
9 months
IP addresses of Meduza Stealer dashboard infrastructures: 92.246.136[.]222, 185.225.200[.]120, 94.228.168[.]159, 45.141.215[.]173 and 141.98.83[.]242
Tweet media one
1
2
11
@crocodylii
Crocodyli
5 months
LockBitSupp's identity revealed... what are the consequences of this now? - Confirmation of acting for the Russian Federation? - Condition for launching new attacks in favor of the Kremlin x extradition? - Affiliates afraid of having "leaked" information. - More paranoia?
3
1
11
@crocodylii
Crocodyli
1 year
Blackout in Brazil, suspected hacker attacks, sabotage, misconfiguration... what other options do we have?
7
3
11
@crocodylii
Crocodyli
5 months
Other IP addresses were identified as using Hunters International pages, with server addresses: 193.106.175[.]48 185.185.68[.]40 193.106.174[.]58 109.172.85[.]126 185.185.69[.]129 185.12.127[.]116
1
0
9
@crocodylii
Crocodyli
5 months
Well that's it, I would just like to add that @karol_paciorek identified in March the use of the main DLS IP address (192.106.175[.]48) to host a phishing website. Further information obtained will possibly be on github.
@karol_paciorek
Karol Paciorek
7 months
🔍 While researching #FletchenStealer , I found two phishing sites: ledgercheck[.]live - 193.106.175[.]48 test.brosecure360[.]com - 162.241.85[.]73 Both crafted by #fletchen . Watch out for the first site's IP. 🕵️‍♂️ #stealer
Tweet media one
Tweet media two
Tweet media three
Tweet media four
5
9
28
1
1
9
@crocodylii
Crocodyli
1 year
Lockbit stating that the payment would not be exactly 1k dollars, but something continuous... Also stating that there were more than 30 calls in Tox... #lockbit @vxunderground @Gi7w0rm @malwrhunterteam
Tweet media one
1
0
10
@crocodylii
Crocodyli
5 months
So far, the group has announced three companies, which are potentially victims and are located in Brazil 🇧🇷 Two of the two affected companies are beauty clinics and the other sells vehicles.
@AlvieriD
Dominic Alvieri
5 months
New Qiulong Ransom leak site ⚠️ read the data sample description ⚠️ /62brsjf2w77ihz5paods33cdgqnon54gjns5nmag3hmqv6fcwamtkmad[.]onion
Tweet media one
Tweet media two
1
2
14
1
2
10
@crocodylii
Crocodyli
8 months
Mapping an attack from an affiliate of the Medusalocker Ransomware, “.infected” variant. Interesting access via RDP, brute force on other accounts. #diamondmodel #ransomware #medusalocker
Tweet media one
3
1
8
@crocodylii
Crocodyli
1 year
I may be missing another group, but I identified the operation of at least 12 new ransomware actors from March to June. -Ransomware NoEscape -Ransomware Rhysida -Ransomware BlackSuit -Ransomware 8base -Ransomware MalasLocker #ransom #ransomware
1
0
9
@crocodylii
Crocodyli
7 months
@azalsecurity Can we report it to the SEC?
0
1
9
@crocodylii
Crocodyli
1 year
I love those companies that pay "sales executives" to go to hacking events. They could count on their fingers how many times they saw a terminal.
1
0
9
@crocodylii
Crocodyli
1 year
I created a repository on Github containing some TTP and information from ransomware groups. This was the first version. The idea is to collect data from open sources to organize and gather information. Link:
2
2
9
@crocodylii
Crocodyli
7 months
ALPHV, Rhysida, LockBit... all suffering some kind of blow. Two for seized sites and one with an encryptor failure. What will be next? Guesses?
4
0
9
@crocodylii
Crocodyli
5 months
The Qiulong ransomware has so far only published Brazilian companies. The curious thing is that 4 are beauty companies. I think the operator may have performed a procedure that he didn't like the result of.
Tweet media one
3
1
9
@crocodylii
Crocodyli
5 months
0
0
8
@crocodylii
Crocodyli
1 year
Interesting, why is Team R70 now focusing on Brazilian sites? As well as some publications on his Telegram channel aimed at the Brazilian public. Their allegations don't really seem like the official ones to me.
Tweet media one
4
0
8
@crocodylii
Crocodyli
7 months
It is interesting to note that the flow of new affiliate IDs in the Lockbit program increased after December 10th. Just after ALPHV started having problems with its website (primary domain) and rumors that LE was taking down the infrastructure. #lockbit
Tweet media one
2
2
7
@crocodylii
Crocodyli
1 year
Translated into English.
Tweet media one
0
0
7
@crocodylii
Crocodyli
4 months
I have so many things to update on the Threat Actors TTPs project... these backend CTI activities are consuming me 😵‍💫
0
0
8
@crocodylii
Crocodyli
1 year
Cross Lock Ransomware, looping Salsa20 crypto. #ransom #ransomware #crosslock
Tweet media one
0
1
8
@crocodylii
Crocodyli
1 year
Interestingly, in a recent incident I observed the use of ScreenConnect for remote access. It was previously observed being used by Zeppelin Ransomware actors in released incidents and reports. #ransomware #zeppelin
Tweet media one
2
1
7
@crocodylii
Crocodyli
5 months
Great work @AlvieriD , another address for the list of IPs collected as part of their infrastructure.
@AlvieriD
Dominic Alvieri
5 months
New Hunters International leak site. /huntersinternational[.]net
Tweet media one
1
13
54
1
1
7
@crocodylii
Crocodyli
10 months
Server-based C2: 91.142.74[.]67:443 Shodan Search: SWOT Survey: (Title and Favicon)
Tweet media one
@suyog41
Yogesh Londhe
10 months
Axile Stealer 9b28e3a3fb43c917019ed3dd4ce4949c - Exfiltrate stolen data via Telegram - Telegram channel https://t[.]me/AxileStealer - C2 Panel http://axile[.]su #AxileStealer #Stealer #IOC
Tweet media one
Tweet media two
Tweet media three
Tweet media four
3
7
18
0
2
7
@crocodylii
Crocodyli
1 year
In Brazil, some exposed vulnerable assets were found. Interesting. #cve -2023-28771
Tweet media one
@Gi7w0rm
Gi7w0rm
1 year
Receiving word that someone started to use the #PoC for #CVE -2023-28771 published by @rapid7 to mass-scan the internet. It can be found here: Currently, #Shodan lists more than 73.000 exposed devices using the query by @1ZRR4H . "A VPN does not need to
Tweet media one
2
64
138
2
2
6
@crocodylii
Crocodyli
1 year
Performs the use of the RSA algorithm to encrypt. Use the 1.bat file to kill the processes below: Before performing the reset, it performs encryption. @BleepinComputer @vxunderground @siri_urz
Tweet media one
@siri_urz
S!Ri
1 year
DarkRace #Ransomware 1933FED76A030529B141D032C0620117
Tweet media one
0
2
10
5
1
7
@crocodylii
Crocodyli
8 months
Summary of the report produced today. APT28 focuses on corrupting emails and uses Outlook and other vulnerabilities for initial access. Uses EdgeOS as infrastructure and performs brute force on services, NTLM and phishing sending. Use VPNs in attacks. #APT28
Tweet media one
0
0
7
@crocodylii
Crocodyli
1 year
LockBit would have published the site "" as one of its victims in the morning, but we do not know why it removed the publication. @senacrs @BruteBee
Tweet media one
2
2
7
@crocodylii
Crocodyli
10 months
Being caught in the moment of relaxation... operator launching the famous five against one? hahahah fuck @BushidoToken @UK_Daniel_Card @BratvaCorp ...
Tweet media one
0
2
5
@crocodylii
Crocodyli
1 year
@infosec1000grau @noexceptcpp This Rafael, unfortunately, is the famous "Sireninha"
1
0
6
@crocodylii
Crocodyli
1 year
Alert about CVE-2023-30799 MikroTik vulnerability affecting RouterOS servers. The vulnerability could cause privilege escalation. (Still requires authentication)
Tweet media one
2
2
5
@crocodylii
Crocodyli
7 months
Lockbit was unable to recover the seized domains. It will create others and publicize the operation again. From what it seems to me and even shared by the Lockbit profile that they exploited CVE-2023-3824. Partial interruption? How much will this damage your image?
0
0
6
@crocodylii
Crocodyli
1 year
@FalconFeedsio Favicon used is very similar to the other "breachforums[.]is".
Tweet media one
0
0
6
@crocodylii
Crocodyli
1 year
Ransomware ENCCN (v.1) 9F1F4C62847F3E5CF41FBF10BE8E0C0A
Tweet media one
0
0
6
@crocodylii
Crocodyli
11 months
hey @vxunderground Is the password infected to decrypt the files?
@siri_urz
S!Ri
11 months
1CEBF0114B0D9D55A9BE7E4448052033 Phobos #Ransomware @vxunderground
Tweet media one
2
7
66
0
0
5
@crocodylii
Crocodyli
1 year
Interesting that the data published by @BlackBerry mentions the use of the "Wedgecut" tool by the operators of the Cuba ransomware. I see some commenting about signature-based protection not working.
3
2
5
@crocodylii
Crocodyli
1 year
Bugs and bugs Vulnerabilities and vulnerabilities Plenty of coffee to keep up with everything...
Tweet media one
1
0
5
@crocodylii
Crocodyli
1 year
A slight rant. The CTI community in Brazil that is being formed due to professionals who support sharing information in urgent ways as if the world were going to end and don't even weigh in or give more details about the information is sad.
3
0
5
@crocodylii
Crocodyli
1 year
Analyzing a sample I came across a sample that "speaks for the ransom note" to the victim on the host. This ransom is Army Signal Ransomware, variant of Hidden Tear. @vxunderground @Gi7w0rm @malwrhunterteam
5
1
5
@crocodylii
Crocodyli
7 months
Information from Ivan Kondratyev (Bassterlord) and Artur Sungatov released.
Tweet media one
1
0
5
@crocodylii
Crocodyli
7 months
More vulnerabilities identified in TeamCity according to the statement published today by JetBrains! 1st CVE-2024-27198 2nd CVE-2024-27199 FOFA: title="Log in to TeamCity" @fofabot
@crocodylii
Crocodyli
8 months
Critical Security Issue Affecting TeamCity On-Premises (CVE-2024-23917) causing RCE without user interaction. FOFA Query:"TeamCity" && icon_hash="-1944119648" Link🔗: Blog: #OSINT #FOFA #CyberSecurity #TeamCity
1
10
19
0
0
5
@crocodylii
Crocodyli
1 year
The ransomware operation identified by Talos on a threat agent mentions the use of GitHub and a "Google" email to contact the agent.
1
0
5
@crocodylii
Crocodyli
1 year
Rewards for delivering malware analysis and threat hunting training. These two beers 🤟🏻 and too much... typical event kit we love. #bsidesp
Tweet media one
0
1
5
@crocodylii
Crocodyli
1 year
Requirements: - basic OS admin skills - English - Ability to find bugs and software versions - Lack of other work - Lack of personal life - Lack of bad habits - Ability to keep secrets - Online 24/7 - Ambition
1
0
5
@crocodylii
Crocodyli
1 year
In addition to the Snatch Ransomware, the new strain known as NoEscape also uses Windows Safe Mode scripts to restart and encrypt files. Why is this effective? Do you remember other groups that also use safe mode? #ransom #ransomware #snatch #noescape
2
3
4
@crocodylii
Crocodyli
1 year
Look, another article reinforcing that ScreenConnect is a great weapon to use in a cyber attack, as its domain can apparently go unnoticed by an analyst.
@crocodylii
Crocodyli
1 year
Interestingly, in a recent incident I observed the use of ScreenConnect for remote access. It was previously observed being used by Zeppelin Ransomware actors in released incidents and reports. #ransomware #zeppelin
Tweet media one
2
1
7
0
2
5
@crocodylii
Crocodyli
1 year
@ale_sp_brazil How much wealth in a single publication.
0
0
3
@crocodylii
Crocodyli
1 year
@InQuest Thanks for sharing, by the way, I like your platform.
0
0
4
@crocodylii
Crocodyli
9 months
@Malcoreio @mentebinaria I am extremely happy with this partnership!
0
0
4
@crocodylii
Crocodyli
1 year
@Br0k3rIAB @ido_cohen2 @SophosXOps I think it's time to create a "feedback list" from the groups. Apparently Alphv -2. They will offer you a check to compensate.
0
0
4
@crocodylii
Crocodyli
1 year
@infosec1000grau Where is the sireninha certificate?
0
0
3
@crocodylii
Crocodyli
1 year
An application used by Brazilians known as WebDetetive would have been the victim of an invasion. More precisely, the company responsible for the software and tool would have been the victim of the invasion.
3
0
4
@crocodylii
Crocodyli
1 year
There are asshole people in this world. Wanting to know more than others and show that they know more... and worst of all, they still misunderstand a simple publication and talk shit about it. What's the solution for this? Leave talking alone?
3
0
4
@crocodylii
Crocodyli
5 months
Is using a project like Notion for your blog innovative (that I remember) or an opsec failure? @NotionHQ take action, your blog is being used to extort companies.
Tweet media one
1
0
4
@crocodylii
Crocodyli
10 months
It's funny that they use "Hello Kitty", and then that crazy thing starts with linking the old Meow (based on the leaked Conti code) or (based on the leaked Hello Kitty code).
0
0
3
@crocodylii
Crocodyli
10 months
Using favicon + title, it was also possible to categorize the domain that was used as "MEOW LEAK", hosted on CloudFlare: Domain: domain2proof[.]com with IP address: 172.67.221[.]108
0
0
4
@crocodylii
Crocodyli
9 months
A beautiful view!
Tweet media one
1
0
4
@crocodylii
Crocodyli
1 year
@infosec1000grau What's missing is the part about copying and pasting external intelligence and presenting it as their own intelligence; there is now a course for training sireninhas 🚨🚨🚨
0
0
4
@crocodylii
Crocodyli
8 months
An important warning for everyone who uses some type of service from ISPs (Internet Service Providers).
7
0
4
@crocodylii
Crocodyli
7 months
I would like to submit some lectures to other international forums, however, my speech in other languages is intermediate.
1
0
3
@crocodylii
Crocodyli
1 year
@N4hualH Maybe some public place like a CERT that would collect information about certain attacks could be useful. Here in Brazil we don't have that, because the Data Law hinders this type of reporting by companies. It is a huge job to identify these differences... I suffer from this too
1
0
4
@crocodylii
Crocodyli
7 months
What are you doing?
Tweet media one
0
0
3
@crocodylii
Crocodyli
7 months
After 261 days. CVE-2023-29360 was made "exploitable" by actors seeking to gain privileges in the operating system. There is already a PoC for use.
@Dinosn
Nicolas Krassas
1 year
Exploit for CVE-2023-29360 targeting MSKSSRV.SYS driver
0
27
54
0
1
4
@crocodylii
Crocodyli
1 year
I recommend reading. Understand Chainalysis' blockchain data collection methodology to identify digital currency transactions for government investigations. #tracersinthedark #criptocurrency #darkweb
Tweet media one
1
0
4
@crocodylii
Crocodyli
8 months
@thau0x01 Create the need, offer the solution.
1
0
3
@crocodylii
Crocodyli
10 months
The Goiasa 🇧🇷 group was announced by the Akira Ransomware. These operators are known to exploit CVE-2023-20269 (Cisco VPN). In both domains used there is a public service available for access. Both Goiasa domains.
1
1
4
@crocodylii
Crocodyli
6 months
😌😌
Tweet media one
0
0
4
@crocodylii
Crocodyli
10 months
@rivitna2 @ions0r The domain address refers to this server 66.29.141[.]245. fofa query: icon_hash="949040233" @fofabot
Tweet media one
1
0
3
@crocodylii
Crocodyli
10 months
Another incidence of a possible attack on companies in China 🇨🇳. Following some publications, including @BushidoToken , the increase is really notable, LockBit with ICBC, Rhysida with China Energy Eng. Corp. This time AlphV with China Petrochemical Development is in TW 🇹🇼.
Tweet media one
0
0
2
@crocodylii
Crocodyli
1 year
I questioned Team R70 about its non-political motivation. And days after the publication, there is a photo of President Lula, hmm, it seems like something related to political statements. #teamr70 #r70
Tweet media one
0
1
2