Skip to main content

Search

Items tagged with: threatintel

Wild ass day in the Tor node operator world. Got an email from my VPS, forwarding a complaint from WatchDog CyberSecurity saying that my box was scanning SSH ports!

> Oh no, oh no, I knew I should have set up fail2ban, oh god why was I so lackadaisical!

So I remote in to the machine: no unusual network activity, no unusual processes, users, logins, command history, no sign that anything is doing anything I didn't tell it to do.

So what's up? Turns out there's been a widespread campaign where some actor is spoofing IPs to make it look like systems running Tor are scanning port 22: forum.torproject.org/t/tor-rel…

Operators from all over are saying they're getting nastygrams from their VPS providers because WatchDog is fingering their source IPs (which are being spoofed and NOT part of a global portscanning botnet).

@delroth did an amazing writeup of the whole thing here: delroth.net/posts/spoofed-mass…

#tor #infosec #cybersecurity #threatintel #privacy


[tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

It would be hard to explain to Verizon I run Tor relays since they technically don't allow servers. I hope I'm not forced onto AT&T Internet Air as my particular co-op rental unit won't let met get Spectrum even when other units can, not that I wante…
Tor Project Forum
#privacy #infosec #Tor #cybersecurity #threatintel @Pierre Bourdon

PSA to orgs: if you use Microsoft 365, check your email logs for an email from mbsupport@microsoft.com

Microsoft are emailing tenant admin email addresses about a breach by Midnight Blizzard - you might not get the emails due to spam filtering etc.

reddit.com/r/microsoft/comment… #threatintel

#threatintel

Can’t find my thread to update it, but after a Chinese company acquired Polyfill.io last year (embedded in over 100k websites), it has started serving malware to users of said websites - prepare to be surprised.

sansec.io/research/polyfill-su…

#threatintel


Polyfill supply chain attack hits 100K+ sites

The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites.
Sansec
#threatintel

Don't sleep on this; I am pretty sure 100k is an undercount. www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/
#ThreatIntel
#threatintel

Microsoft published a report last month acknowledging the existence of a long running honeypot operation running on code.microsoft[.]com.

techcommunity.microsoft.com/t5…

#microsoft #infosec #threatintel


Examining the Deception infrastructure in place behind code.microsoft.com

The domain name code.microsoft.com has an interesting story behind it. Here we examine how we've used this to collect actionable threat intelligence.
TECHCOMMUNITY.MICROSOFT.COM
#infosec #microsoft #threatintel