Did you know that since v3.0.0 of misp-modules and v3.0.1 of misp-docker/misp-modules it is possible to load custom misp-modules without building your own image? Just drop them in the corresponding /custom/ directory.
github.com/MISP/misp-do...
github.com/MISP/misp-do...
Posts by Koen Van Impe
Vulnerability in Billion Electric Router - Use of Hard-coded Credentials. vulnerability.circl.lu/vuln/CVE-202... CVE-2025-1143; routers typically used in an industrial environment. #cve #ics
A clever technique to fool detection analysts: path masquerading to disguise malware as legit system files in SIEM logs. Unicode tricks make C:\Program Files\Windows Defender look real, hiding payloads in plain sight. www.zerosalarium.com/2025/01/path... #siem #soc #monitoring
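The post above describes the trick but not a check for it. The following is an added example (not code from the zerosalarium write-up or from the poster): it folds process paths from SIEM events into a canonical form and flags paths that land under a trusted Windows location only after Unicode normalisation, homoglyph folding and removal of invisible characters. The allow-list, the homoglyph table and the Sysmon-style log lines are constructed for the example.

```python
"""Detect Unicode path masquerading in process-creation events.

Added example; not the zerosalarium technique write-up nor the poster's code.
Trusted prefixes, homoglyph table and log lines are constructed/assumed.
"""
import unicodedata

# Locations an analyst would normally wave through (assumed allow-list).
TRUSTED_PREFIXES = (
    "c:\\program files\\windows defender\\",
    "c:\\windows\\system32\\",
)

# Look-alike characters that NFKC does not fold (not exhaustive; illustrative).
HOMOGLYPHS = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}

# Zero-width and bidi-control characters that render as nothing.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u202e"}


def fold_path(path: str) -> str:
    """Canonical form used for the 'looks like' comparison:
    NFKC (fullwidth letters, NBSP, ...), homoglyph folding, invisible
    characters dropped, forward slashes to backslashes, lowercase."""
    s = unicodedata.normalize("NFKC", path)
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s if ch not in INVISIBLE)
    return s.replace("/", "\\").lower()


def is_masquerading(path: str) -> bool:
    """True when the folded path sits under a trusted prefix but the raw
    path is not plain ASCII: something is imitating a trusted location.
    Non-ASCII paths outside trusted locations (e.g. accented user names)
    are not flagged, which keeps the false-positive rate down."""
    folded = fold_path(path)
    under_trusted = any(folded.startswith(p) for p in TRUSTED_PREFIXES)
    return under_trusted and not path.isascii()


def scan_events(lines):
    """Pull Image= out of constructed Sysmon-style lines; return suspects
    as (raw path, folded path) so the analyst sees what it imitates."""
    hits = []
    for line in lines:
        for field in line.split("|"):
            if field.startswith("Image="):
                path = field[len("Image="):]
                if is_masquerading(path):
                    hits.append((path, fold_path(path)))
    return hits


# Constructed sample events (pipe-separated key=value, not real Sysmon output).
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe|User=SYSTEM",
    # Cyrillic IE (U+0435) replacing the Latin 'e' in 'Defender'
    "EventID=1|Image=C:\\Program Files\\Windows Def\u0435nder\\MsMpEng.exe|User=bob",
    # zero-width space hidden inside 'System32'
    "EventID=1|Image=C:\\Windows\\Sys\u200btem32\\svchost.exe|User=bob",
    # fullwidth letters in the file name; NFKC folds them back to ASCII
    "EventID=1|Image=C:\\Program Files\\Windows Defender\\\uff2d\uff53\uff2d\uff50\uff25\uff4e\uff47.exe|User=bob",
    # legitimate non-ASCII outside a trusted location: not flagged
    "EventID=1|Image=C:\\Users\\Jos\u00e9\\AppData\\Local\\Temp\\update.exe|User=jose",
]

if __name__ == "__main__":
    for raw, folded in scan_events(SAMPLE_EVENTS):
        print(f"MASQUERADE  raw={raw!r}  imitates={folded!r}")
```

The comparison is deliberately one-directional: a path only counts as suspicious when it becomes trusted after folding, so ordinary non-ASCII user-profile paths pass. Pure-ASCII tricks (extra spaces, a different drive letter) need a separate check.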
Reporting by AhnLab shows Kimsuky keeps relying on LNK malware in spear-phishing attacks, but is also shifting to the use of RDP Wrapper and Proxy to remotely control the infected systems instead of installing backdoors. asec.ahnlab.com/en/86098/ IOCs: www.botvrij.eu/data/feed-os...
Agencies have now released guidance on digital forensics & monitoring for edge devices to boost threat detection & incident response. www.ncsc.gov.uk/guidance/gui... #initialaccess #ir
Google’s Threat Intelligence Group (GTIG) found that threat actors (mostly Iran, China and DPRK) using generative AI (Gemini) gain productivity but no novel capabilities. services.google.com/fh/files/mis... #ai
If you’re using @letsencrypt.bsky.social certificates it becomes time to set up a certificate expiration monitor (if you haven’t done so already).
There's a wealth of useful threat data available via Rösti, Repackaged Öpen Source Threat Intelligence. Formats include STIX, JSON, CSV and MISP. Provided by @viql.bsky.social . And now also available as a default @mispproject.bsky.social feed. Check out rosti.bin.re
"Tear Down The Castle", great writeups @malmoeb.bsky.social on common configuration issues in Active Directory. #pingcastle #lowhangingfruit dfir.ch/posts/tear_d... dfir.ch/posts/tear_d...
Well done to all at @europol-eu.bsky.social and other law enforcement agencies involved in this operation. Two online forums allegedly providing a range of cybercriminal services were taken offline resulting in 2 suspects arrested so far.
www.europol.europa.eu/media-press/...
#cybercrime
Ransomware actors further embracing alternative distribution mechanisms, including botnets. In this case LockBit3 uses Phorpiex botnet. By Cybereason www.cybereason.com/blog/threat-... ; IOCs also available via @mispproject.bsky.social botvrij feed www.botvrij.eu/data/feed-os... #Ransomware #cti
PlushDaemon compromises supply chain of Korean VPN service (IPany) by @esetresearch.bsky.social www.welivesecurity.com/en/eset-rese... #CTI
We are sharing backdoored Ivanti Connect Secure devices that *may* have been compromised as part of a CVE-2025-0282 exploitation campaign (but also we believe may include older or other activity).
379 new backdoored instances found on 2025-01-22:
dashboard.shadowserver.org/statistics/c...
Need to analyse Windows DNS server logs? Extract hostnames & domains from the DNS server analytical logs, save them to CSVs, and check against @mispproject.bsky.social , all without centralised DNS logging. A quick win for investigations! github.com/cudeso/tools... #cti #automation #itsalwaysdns
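As an added example (not the cudeso/tools script the post links to), here is the same idea in a self-contained form: pull QNAME values out of Windows DNS Server analytical log lines, drop internal names, reduce hostnames to registered domains, and emit CSV plus a lookup payload. The key=value line layout, the internal suffix list, the tiny public-suffix stand-in and the log lines themselves are constructed for the example; the restSearch parameter names are what I understand the MISP REST search to accept and should be verified against your instance.

```python
"""Hostnames and domains from Windows DNS Server analytical logs.

Added example, not cudeso's tool. Log lines below are constructed; the
';'-separated key=value layout is an assumption about the analytical channel.
"""
import csv
import io
import re

SAMPLE_LOG = """\
QUERY_RECEIVED: TCP=0; InterfaceIP=10.0.0.53; Source=10.0.0.21; RD=1; QNAME=www.example.com.; QTYPE=1; XID=4411; Port=60231
RESPONSE_SUCCESS: TCP=0; InterfaceIP=10.0.0.53; Destination=10.0.0.21; QNAME=www.example.com.; QTYPE=1; XID=4411; RCODE=0
QUERY_RECEIVED: TCP=0; InterfaceIP=10.0.0.53; Source=10.0.0.35; RD=1; QNAME=cdn-edge.updates.example.net.; QTYPE=28; XID=9102; Port=51007
QUERY_RECEIVED: TCP=0; InterfaceIP=10.0.0.53; Source=10.0.0.35; RD=1; QNAME=login.bank.co.uk.; QTYPE=1; XID=9103; Port=51008
QUERY_RECEIVED: TCP=0; InterfaceIP=10.0.0.53; Source=10.0.0.42; RD=1; QNAME=fileserver.corp.local.; QTYPE=1; XID=9104; Port=51009
QUERY_RECEIVED: TCP=0; InterfaceIP=10.0.0.53; Source=10.0.0.42; RD=1; QNAME=WWW.EXAMPLE.COM.; QTYPE=1; XID=9105; Port=51010
"""

QNAME_RE = re.compile(r"\bQNAME=([^;\s]+)")

# Internal suffixes not worth sending to a threat-intel lookup (assumed).
INTERNAL_SUFFIXES = (".corp.local", ".local", ".internal")

# Tiny stand-in for the public suffix list; real use needs the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def extract_hostnames(log_text):
    """Unique, lowercased query names with the trailing dot removed,
    internal names excluded. Queries and responses for the same name
    collapse into one entry."""
    hosts = set()
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if not m:
            continue
        host = m.group(1).rstrip(".").lower()
        if not host or host.endswith(INTERNAL_SUFFIXES):
            continue
        hosts.add(host)
    return sorted(hosts)


def registered_domain(host):
    """Registrable domain: last two labels, or three when the last two form
    a known multi-label suffix such as co.uk (simplified PSL handling)."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_domains(hosts):
    return sorted({registered_domain(h) for h in hosts})


def to_csv(values, header):
    """Single-column CSV text, one value per row (csv module uses CRLF)."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow([header])
    for v in values:
        w.writerow([v])
    return buf.getvalue()


def misp_restsearch_payload(hosts, domains):
    """Body for POST /attributes/restSearch on a MISP instance. Parameter
    names are assumed from the REST search; send it with PyMISP or
    requests using your own API key (no network call made here)."""
    return {
        "returnFormat": "json",
        "type": ["hostname", "domain"],
        "value": sorted(set(hosts) | set(domains)),
    }


if __name__ == "__main__":
    hosts = extract_hostnames(SAMPLE_LOG)
    domains = extract_domains(hosts)
    print(to_csv(hosts, "hostname"))
    print(to_csv(domains, "domain"))
    print(misp_restsearch_payload(hosts, domains))
```

Because the QNAME field is extracted with a regex, the same function works whether you feed it lines exported with tracerpt, Get-WinEvent output, or a plain text dump, as long as the field name survives.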
A quick parser to extract whois and country data from the darkweb forum post listing #Fortinet devices falling victim (?) to CVE-2022-40684.
Parser at github.com/cudeso/tools/blob/master/CVE-2022-40684/README.md
Affected (?) IPs at github.com/arsolutioner...
Spot-on article by @theregister.com El Reg: “After China’s Salt Typhoon, the reconstruction starts now.” www.theregister.com/2025/01/06/o...
Examples of threat actor names to use and to avoid
MISP has introduced a new Threat Actor Naming Standard
www.misp-standard.org/blog/Naming-...
Interesting talk by @pylos.co at @firstdotorg.bsky.social CTI "The Disclosure Dilemma and Ensuring Defense" www.youtube.com/watch?v=Cuhs... A nuanced topic with no one-size-fits-all answer. Requires rethinking per case, considering context, nuances and conditions of available options #CTI #sharing
Watched @datadoghq.bsky.social talk at @firstdotorg.bsky.social CTI on "Automating Cyber Threat Intelligence" www.youtube.com/watch?v=t8M3... Great tips on streamlining vulnerability classification, gathering abuse data, and reporting it to customers. Also check HASH github.com/datadog/HASH #cti
Presentation by ENISA on "Vulnerability Coordination in the EU" during the @firstdotorg.bsky.social VulnCon www.youtube.com/watch?v=MY0W... #CVD #CVE #responsibledisclosure #vulnerability
Reporting from Forescout indicates engineering workstations are not immune to malware www.forescout.com/blog/ics-thr... Ramnit on Mitsubishi and an experimental strain targets Siemens TIA. The latter was uploaded from BE, with Flemish strings. @mispproject.bsky.social indicators via: www.botvrij.eu/data/feed-os...
It’s been a while since I posted a new @mispproject.bsky.social tip, but in the meantime you can now also enjoy the tips via a simple HTML page at cudeso.github.io/misp-tip-of-...
Report from RecordedFuture : BlueAlpha leverages Cloudflare Tunneling as staging infrastructure for GammaDrop. Monitor activity tied to trycloudflare[.]com. go.recordedfuture.com/hubfs/report... Indicators also shared via www.botvrij.eu/data/feed-os...
The NCA reports on ‘Operation Destabilise', which exposes and disrupts a Russian money laundering network. MO consists of, a.o., collecting funds in one country and making the equivalent value available in another, often by swapping cryptocurrency for cash.
www.nationalcrimeagency.gov.uk/news/operati...
Report from @microsoftti.bsky.social and BlackLotus Labs on how Secret Blizzard (Turla, linked to Russian FSB) targets Pakistan-based Storm-0156 C2s to infiltrate government and military networks in Afghanistan and India. www.microsoft.com/en-us/securi... Indicators via www.botvrij.eu/data/feed-os...
Remember the wiper attack against KA-SAT/Viasat during Russia's invasion of Ukraine? Joe (@pylos.co) provides a great overview of this campaign. The talk also covers alignment with #Sandworm, a little-known DHCP DoS attack and risks with satellite comms for ICS/SCADA.
youtu.be/0a-qza6YSZA
You can now browse the @mispproject.bsky.social playbooks on GitHub Pages: misp.github.io/misp-playboo... . The playbooks are automatically converted into easy-to-navigate HTML pages. Dive in and explore!
"Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations." Interesting discoveries by TAG on PRC influence behaviour, similar to Russian and Iranian actors. cloud.google.com/blog/topics/... #IO #inauthenticcontent
#CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks https://buff.ly/3V7dixd
#CTI #Hacktivism #Ransomware