Dropbox have filed an 8-K with the SEC for a breach. Access included user Oauth, API and MFA tokens.
https://www.sec.gov/Archives/edgar/data/1467623/000146762324000024/dbx-20240429.htm
Edited 1y ago
threatintel
Can’t find my thread to update it, but after a Chinese company acquired Polyfill.io last year (embedded in over 100k websites), it has started serving malware to users of said websites - prepare to be surprised.
Wild ass day in the Tor node operator world. Got an email from my VPS, forwarding a complaint from WatchDog CyberSecurity saying that my box was scanning SSH ports!
> Oh no, oh no, I knew I should have set up fail2ban, oh god why was I so lackadaisical!
So I remote in to the machine: no unusual network activity, no unusual processes, users, logins, command history, no sign that anything is doing anything I didn't tell it to do.
So what's up? Turns out there's been a widespread campaign where some actor is spoofing IPs to make it look like systems running Tor are scanning port 22: https://forum.torproject.org/t/tor-relays-tor-relays-source-ips-spoofed-to-mass-scan-port-22/15498/14
Operators from all over are saying they're getting nastygrams from their VPS providers because WatchDog is fingering their source IPs (which are being spoofed and NOT part of a global portscanning botnet).
@delroth did an amazing writeup of the whole thing here: https://delroth.net/posts/spoofed-mass-scan-abuse/
Ever seen a single QR code that can lead you to two different URLs? 🤯
Christian Walther just demoed that. He merged two QR codes in such a way that each “pixel” can be interpreted as black or white, depending on angle, focus settings, or even plain luck. Same device, same scanner - yet sometimes you get https://mstdn.social/@isziaui, other times it’s https://github.com/cwalther.
While this is currently just a wicked proof-of-concept, it’s a red flag for possible future scams
Check full thread: https://mstdn.social/@isziaui/113874436953157913
#socialengineering #threatintel #threatintelligence #programming
Edited 180d ago
I just published the source code for my very naive #Python implementation for generating a node network based on MITRE Intrusion Sets and Techniques. It will output linked #Markdown files linking intrusion sets to their used techniques.
Perhaps someone finds it useful or interesting to experiment with.
Source code: https://github.com/cstromblad/markdown_node
I hinted at this in a thread started by @Viss where he asked for input on a few very likely malicious domains. Me @Viss @cR0w @neurovagrant and others did some OSINT fun work with a couple of the original domains.
It was this thread: https://mastodon.social/@Viss/114145122623079635
Now I posted a picture of a node network rendered in Obsidian and I hinted that perhaps Obsidian could be used as a poor mans version of performing threat intelligence work.
The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering.
VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. all your bases belong to russian adtech hackers.
Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard. i've been told. I know. We've condensed thousands of hours of research into about 30 pages. @briankrebs tried to make the main points a lot more consumable -- and wrote a fabulous complimentary article : read both!
There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material ... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. and more.
We've given SURBL, Spamhaus, Cloudflare, Domain Tools, several registrars, and many security companies over 100k domains. They are also posted on our open github.
Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere.
#threatintel #scam #tds #vextrio #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #malware #phishing #spam
https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/