Rumint is that Change Healthcare was Chinese espionage that was caught and they overreacted and turned off all systems thinking ransomware was going to be deployed.
This fits with Chinese targeting of healthcare and pharmacies in the past. My assessment is that it could also be Russian long-term staging or espionage, as they are also known to target healthcare and pharmacies.
Netcompany (7k employees - end to end IT services in North Europe) has a data breach, where their source code and certificates have gone walkies to a data leak group called Zyndicate.
Just a friendly reminder that Googleweblight[.]com is still being used by malicious individuals/groups as a trusted URL in their phishing/malware emails.
Even though Google discontinued the service way back in 2022, it still lives on.
Apparently Google Web Light’s sole purpose now is for deceptive URL redirections for fake DocuSign emails. I guess that's one of the reasons why Google needed to buy Mandiant.
Exactag[.]com being used as the URL in phishing/malware emails I've seen over the last 24 hours. Email is pretending to be a Microsoft Office 365 mail delivery report. Sample Below.
Google says “the Exactag platform allows you to reshape and future-proof your measurement through unique data collection and cutting-edge algorithms.” Which I think in simpler terms translates to ‘a place where malicious actors can hide their malicious URLs’.
Just a friendly reminder that malicious groups/individuals like to use URLs that point back to Cloudflare's IPFS system in their malicious emails (this isn't something new). Cloudflare-ipfs[.]com is the domain to watch out for.
Seeing a slight uptick in malicious email using Cloudflare IPFS again. Specifically ones pretending to be a “Salary Upgrade” email where the user is asked to click a link to confirm their new salary information for 2024.
I stopped #NoName monitoring and disruption over a week ago as I’ve been too busy.
I’ve just noticed from Telegram they don’t appear to have had a public client since Friday; apparently somebody else has been taking down their C2 servers. Good.