pancak3
@pancak3lullz
Followers
12,824
Following
378
Media
1,359
Statuses
6,237
Explore trending content on Musk Viewer
Kendrick
• 312668 Tweets
Taylor
• 269338 Tweets
Super Bowl
• 265988 Tweets
Drake
• 181034 Tweets
JENNIE
• 143530 Tweets
#TommyHilfigerNYFWxPPGF
• 135587 Tweets
Giants
• 119073 Tweets
Steelers
• 110551 Tweets
Wayne
• 109626 Tweets
Bears
• 107010 Tweets
JISOO AT NYFW WITH TOMMY
• 88689 Tweets
NYFW24 WITH GEMINI FOURTH
• 88034 Tweets
#ZEVENT2024
• 84828 Tweets
Cowboys
• 83096 Tweets
Bengals
• 81657 Tweets
Browns
• 77959 Tweets
Panthers
• 68387 Tweets
Falcons
• 56552 Tweets
重陽の節句
• 50656 Tweets
Raiders
• 48045 Tweets
Chargers
• 41890 Tweets
Seahawks
• 39660 Tweets
Broncos
• 35109 Tweets
Daniel Jones
• 32642 Tweets
Baker
• 29577 Tweets
#GHDBT1
• 27124 Tweets
Caleb Williams
• 27112 Tweets
Seattle
• 27046 Tweets
#わたしの宝物
• 25776 Tweets
Cleveland
• 24594 Tweets
Deshaun Watson
• 23619 Tweets
Tom Brady
• 22196 Tweets
Forbes
• 18281 Tweets
Diggs
• 13220 Tweets
Zeke
• 11999 Tweets
Bo Nix
• 11030 Tweets
Will Levis
• 10962 Tweets
チャウヌ
• 10186 Tweets
AvosLocker RaaS operators trying to avoid heat after hitting a US government entity by providing them the decryptor for free.
20
156
477
🤫 go block these 🤫
162.244.80.235
85.93.88.165
185.141.63.120
82.118.21.1
21
87
345
We are proud to announce that we assisted the joint international LE
#OperationEndgame
, targeting notorious botnets
#IcedID
,
#Smokeloader
,
#SystemBC
&
#Pikabot
We provided key infrastructure to LEA and internal partners to disrupt these botnet operations
14
36
244
“One of the most valuable pieces of threat intelligence we discovered is the the real IP address of Conti’s TOR hidden service and contirecovery[.]ws, and 217.12.204.135, on Tuesday, 28 September 2021 21:30:03 UTC.”
5
58
192
A couple more updates.
Cc:
@uuallan
Minor updates to the “Vulnerabilities Abused by Ransomware Actors” chart
1
22
57
1
59
151
If you have Fortinet VPN, please go force reset all your user’s passwords. Also, it’s probably not a bad idea to check logs and potentially spin up an IR or two 🥲
6
66
147
This week in 2019, five Chinese APT-41 cyber actors were indicted for compromising software providers around the world and installing back doors for further hacks against the providers’ customers. For more info on software supply chain attacks see:
17
257
578
0
33
129
Updates include $MSFT Office CVE-2021-38646 and
@billquick
’s web suite CVE-2021-42258.
Also, I feel enough time has passed since continuously trying to reach the company with no response to uncensor the EntroLink PPX-AnyLink 0day item.
Cc:
@uuallan
4
42
124
If you’re still getting caught up on ransomware “groups” - stop. The “groups” don’t matter anymore. LockBit, ALPV, RansomHub…it doesn’t matter. Real attack teams have freedom to use any locker they want at any time. Branding is a smokescreen.
8
28
121
Certain elements have been redacted and it’s still a work in progress (i.e. missing elements and connections), but nonetheless a way to visualize various cybercrime operation brands, malware, people and their connections.
4
26
112
the 'Ghost Legenden' aka LockBitSupp aka Dimitry Yuryevich Khoroshev
6
13
102
what the actual fuck?
"...the Company learned that a former executive officer of the Company deliberately de-activated and cancelled the renewal of the Company’s website..."
Thu, 01 Aug 2024 16:30:49 EDT
Cybersecurity incident disclosure found for $MMAT (CIK: 0001431959).
More details:
0
2
8
2
15
100
AvosLocker🐞 advertising their latest variants (avos2 / avoslinux)
2
40
97
I expanded upon
@uuallan
's chart and included some non-initial access items.
I sincerely appreciate all of the great suggestions. Here is the updated chart based on everyone's input. I had to reformat it make it readable. I originally had company logos where the ransomware icon is but I figure companies won't want their logo on a ransomware chart 🤣.
16
206
534
0
35
96
RE: Ticketmaster breach
Seems to me like they hadn't updated their Snowflake passwords in a while...
username: fanbuilder_user
password: <REDACTED>2019@
(they're now using their Live Nation Okta SSO to protect access)
3
6
90
ONYX ransomware (based off Conti) appears to be using rocket\.chat for communicating with victims
5
18
85
I’ve validated 232 BTC wallets from the Conti chat logs. Only a handful of them still have money in them. Spanning 232 addresses, they’ve received a combined 88.25744568 BTC.
88.25744568 BTC is currently $3,669,223.87
2
13
78
Ministry of Communities and Territories Development of Ukraine corporate mails out for grabs 🥶
2
17
74
Superstar75737 realizing his
#Smokeloader
botnet is gone
ALIAS: Superstar75737
#Smokeloader
NAME: ГРУБЕР Айрат Рустемович (Airat Rustemovich Gruber)
DOB: 21.05.1982
SNILS: 07803559786
TIN: 166005711627
PASSPORT: 9204429600
1
7
24
1
10
74
#ShadowSyndicate
appears to be much, much more than a RaaS affiliate...
Ref:
#LetsStopCybercrime
#CybercrimeFightersClub
2
18
71
#ApacheStruts
#CVE201811776
#snort
Some SNORT signatures I worked on today. Had some help from friends. Trying to detect people potentially attempting to exploit CVE-2018-11776. CC anyone that might care.
4
43
72
Minor updates to the “Vulnerabilities Abused by Ransomware Actors” chart
1
22
57
WHO IS LOOKING FOR A NEW JOB IN
#INFOSEC
?!?! Hit me up!
Please have previous SOC experience and be ready to roll. This is a Sr position.
8
48
53
"On December 12, 2023, HPE was notified that a suspected nation-state actor, believed to be the threat actor Midnight Blizzard, the state-sponsored actor also known as Cozy Bear, had gained unauthorized access to HPE’s cloud-based email environment."
Cybersecurity disclosure (1.05) found via SECurityTr8Ker for Hewlett Packard Enterprise Co (CIK: 0001645590)
Cc
@cocaman
4
3
29
0
19
56
yay sanctions. i can finally move these persons to the public map
1
11
53
“Login IDs and passwords of Tokyo Olympic ticket purchasers have been leaked on the internet”
To clear this up, looks like a bunch of people were generally infected with
#redline
and other stealers that supply “dark web markets” thus exposing their creds
The valid account information (ID/Password) of Tokyo 2020 volunteers and ticket buyers are also leaked, and it seems necessary to verify that this information includes personal information of domestic players and officials.
@Tokyo2020
@darktracer_int
#TokyoOlympics
0
15
37
2
41
53
Cute APT espionage farm in Romania 🐓
🐓 🐓 . . . . . . . . . . . 🐓 🐓 🐓 . . . . .
. . 🐓 🐓 . . . . . . . . 🐓 . . . . . . 🐓 . .
. . . . . 🐓 🐓 . . . . . 🐓 🐓 . . . 🐓 . . . .
. . 🐓 . . . . . . 🐓 . . . . 🐓 . . . . . . . .
🐓 . . . 🐓 🐓 . . . . . . . . 🐓 🐓 . . . . .
2
6
51
ngl the artwork in this manual is awesome
hxxps://www.yuumeiart[.]com/
1
11
45
Here is a heavily redacted, public version. Enjoy <3
7
6
44
Bazarloader 🤝 Emotet
2021-11-04: Bazarloader starts using AppxBundle (ms-appinstaller) as an attack vector.
2021-11-26: Emotet starts using the AppxBundle (ms-appinstaller) as an attack vector.
More info:
Cc
@1ZRR4H
BREAKING:
#Emotet
malspam links can since yesterday link to an Universal App installer hosted on
@azure
imposing as an Adobe Update that drops E4 payload. This is the same initial attack vector as
#BazarLoader
used a few weeks ago, even using the same
@SectigoHQ
cert.
5
123
216
2
18
45
I made a Python version
I coded up a bot in Rust that parses the SEC's RSS feed of filings to watch for any company that files a cybersecurity incident disclosure (Item 1.05 on their 8-K). I've had it running for several weeks with no hits. But, today, it worked! It picked up the MSFT filing! I am
76
58
895
6
3
43
saw some real sketchy shit fingerprinting and targeting F5 BIG IP appliances today. keep your eyes peeled folks 👀
2
5
43
Looks like “naned” was responsible for the creation of ‘TrickBoot’ - Trickbot’s UEFI module (permaDLL).
Ref.
Account (nicknames): naned
---
---
#trickbotleaks
#trickbot
#ransom
#ransomware
#malware
#conti
#trickleaks
@briankrebs
@VK_Intel
@MalwareTechBlog
@trickbotleaks
@pancak3lullz
@BleepinComputer
@ForbesTech
1
24
42
2
17
43
veron (Emotet guy) and best (campaign engineer) discussing validating corps from their pick of the litter of Emotet installs.
0
15
42
BlackCat/ALPHV crew made some adjustments to their ransomware. Previous methods for extracting the config aren’t working anymore. Introducing BlackCat/ALPHV 2.0??
SHA1: 8c70191b12f14eed594388c8fbe05efe6ebaa564
Cc
@vxunderground
@f0wlsec
Blackcat ransomware group (alternately refered to as ALPHV) has changed some of their binary characteristics. Previous methods of extracting binary configurations fails, some YARA rules no longer match
Example from
@hatching_io
:
tl;dr Maybe Blackcat 2.0?
1
15
57
0
11
41
Probably all that malware they’re hosting and refusing to do anything about 🙃🥲
1
3
40
Prematurely adding CVE-2021-40449. I give it about a week before MysterySnail is used to achieve ransomware goals or ransom-oriented actors start abusing CVE-2021-40449.
0
9
40
Looks like a few additions need to be made to this entry. Thanks for the great read
@briankrebs
the 'Ghost Legenden' aka LockBitSupp aka Dimitry Yuryevich Khoroshev
6
13
102
2
9
39
This is NightSky/Rook/AtomSilo/LockFile ransomware group
Cobalt Strike Server Found
C2: HTTPS @ 149[.]28[.]143[.]29:443
C2 Server: service[.]trendmrcio[.]com,/owa/63ll45DCfiTEg8lm7o3M
Country: Singapore
ASN: AS-CHOOPA
Host Header: www[.]google[.]com
#C2
#cobaltstrike
1
13
24
1
8
38
In our tracking of the
#LockBit
drama saga,
@Bl4ckSky28
and I have discovered EquiLend and Ernest Health are two prime examples of LockBit scrambling to appear like they are still a properly functioning RaaS.
1
10
38
Emotet EPOCH5 currently targeting Europe automotive industry.
maldoc hashes, download URLs, and C2 addresses here:
Cc
@DragosInc
@th3_protoCOL
@Cryptolaemus1
2
26
36
Be cautious in linking things here. "Scattered Spider" describes tactics, not a group. Also, being in Star Fraud chat doesn't necessarily mean they are part of the crew who used ALPHV.
⚠️ Ransomware Takedown Notification
Scattered Spider member arrested — a group linked to ALPHV/BlackCat ransomware campaigns
1
63
205
3
3
34
#Egregor
claiming 25 companies are in their queue for analysis to determine ransom amounts 👀
0
15
33
While you all are worried about Citrix CVE-2023-3519, you should know there’s also ongoing exploitation of Array Networks CVE-2023-28461 🫡
2
11
32
Lmaooo...and just like that LockBit removes EquiLend and Ernest Health
In our tracking of the
#LockBit
drama saga,
@Bl4ckSky28
and I have discovered EquiLend and Ernest Health are two prime examples of LockBit scrambling to appear like they are still a properly functioning RaaS.
1
10
38
2
3
30
These are Hive payloads from early-mid September and a ‘how-to deploy’ text file.
1
5
27
inb4 the old Conti Team 1 (Zeon) team are acting as ALPHV affiliates
0
4
31
REvil imposters/scammers?
Who uses RUTOR for ransomware adverts?
“The same proven (but improved) software” lol
2
5
29
"...to disrupt the botnet..."
unfortunately not a full takedown. they are still operating
Qakbot malware disrupted in international cyber takedown
8
154
286
4
7
30
Seems like TA551 may be collaborating with FIN12.
#TA551
>
#IcedID
>
#Nokoyawa
who is the only one with overlap between IcedID and Nokoyawa?
#FIN12
Proofpoint observed the HTML attachment campaign described in this report on October 31, 2022. Together with 10+ other HTML Smuggling campaigns leading to IcedID from September to November, we attribute to TA551.
Great work on detailing follow-on activity by
@TheDFIRReport
!
1
16
52
1
5
28