Tootfinder

For my #threatintel folks here’s an easy one: any traffic in your environment to/from 45.142.166[.]112? If so, track it down. You have an infected system.
#cybersecurity
From: @…
https://mastodon.social/@campuscodi/112332564574881707

Spamhaus always has good #threatintel in their reports. Great source for #threathunting and/or evidence to support blocking commonly abused TLDs like .bond
#cybersecurity
From: @…
https://infosec.exchange/@spamhaus/112326636357658553

The best weekly curated list of #DFIR and #threatintel on the net
From: @…
https://infosec.exchange/@Phillmoore/112467920237249561

A known threat actor has stated that they breached #Zscaler and are selling the access for $20k. Zscaler is investigating #threatintel

Someone’s been busy. A whole lotta new botnet and C2 domains from Sarlack Lab. Block all but the major service providers like Microsoft.com, cloudfront.net, azureedge.net and azurefd.net
#threatintel #cybersecurity
From: @…
https://ioc.exchange/@SarlackLab/112571128382217974

This article from @… has a ton of great #threatintel I highly recommend searching for web browsing activity to:
*.run.app
*.my.id
*.biz.id
And if you don’t have any activity, consider blocking the domains, or at least alerting on them.
#cybersecurity
From: @…
https://infosec.exchange/@r1cksec/112564802134098899

I have never seen a legitimate .xyz domain. I’m sure there’s at least one, but you should block this TLD if you can.
I recommend blocking it both at the DNS layer and at your email gateway to prevent email spam and phishing campaigns. As an example, here’s how to block TLDs in #Exchange Online
#cybersecurity #threatintel
From: @…
https://infosec.exchange/@threatcat_ch/112582463875887635

I found this graph from Google’s Threat Analysis Group and Google Mandiant extremely interesting. This pie chart highlights the motivation behind various threat groups that are using #ZeroDay vulnerabilities.
That yellow section... "The commercial surveillance industry has emerged to fill a lucrative market niche: selling cutting edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications to surreptitiously install spyware on individuals’ devices. "
Thoughts? Are you surprised by this data?
Full Report: #infosec #google #mandiant #threatintel

Do you work for a business? Is that business in the video gaming industry? If not, block access to steamcommunity.com. You’ve just neutered this malware. Have a cup of tea and pat yourself on the back. 🙂
#cybersecurity #threatintel #ioc
From: @…
https://infosec.exchange/@sekoia_io/112355399877140404

Sophos has done quite an extensive investigation into this malware operation and provided over 450 #IOCs to hunt for. I also find they are abusing WebDAV servers (those servers with <at>80 in the URL). WebDAV is an uncommonly used protocol these days. If you can, try to block access to all WebDAV servers except those that are used by your organization.
#threatintel #cybersecurity
From: @…
https://infosec.exchange/@SophosXOps/112351480339066844