Another Fujitsu security breach, unrelated to the other one - they set up an open S3 bucket called fjbackup, including client data, email server backups, private AWS keys, LastPass vaults, plaintext credentials and more, and left it exposed for over a year until security researchers pointed it out. This happened over a year ago, and it looks like they didn't tell anybody.
(And no, I'm not a massive fan of the meme in that article).
Cloudflare has more services to watch for. Workers[.]dev and pages[.]dev have been used as links in malicious emails.
Cloudflare says Workers is a system to “deploy serverless code instantly across the globe”. Whereas “Pages is a JAMstack platform for frontend developers to collaborate and deploy websites.”
Both services have free versions which are abused. Silver lining: Cloudflare might not be directly profiting from the malicious use of all of their services.
For anyone who has ever wanted to get some threat hunting experience, feel free to join us on March 20th for our monthly workshop. This time we will be tackling the MITRE ATT&CK Tactic of Initial Access! Hope to see you there!
Here's one I missed: good old Cloudflare has another wonderful service to look out for - Cloudflare R2 Object Storage. I've been seeing malicious URLs in emails using this service. URLs to watch out for contain r2[.]dev in them.
Google says this about Cloudflare R2, “Store large amounts of unstructured data without costly egress bandwidth fees.” Which I think really translates to, ‘Host your nasty malware/phishing stuff on the cheap.’
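The posts above name three Cloudflare-hosted domains (workers[.]dev, pages[.]dev, r2[.]dev) showing up in phishing mail. As an added example, not from the original posts, here is a small Python matcher that pulls URLs out of message text, undoes the usual defanging (`[.]`, `hxxp`) so indicators pasted from reports still match, and flags only hosts that genuinely end in one of those domains. The sample email body is constructed for the example; the hostnames in it are made up.

```python
import re
from urllib.parse import urlparse

# Cloudflare-hosted domains the posts flag as abused in phishing mail.
WATCHED_SUFFIXES = ("workers.dev", "pages.dev", "r2.dev")

# Greedy enough for prose; trailing punctuation is trimmed below.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message body (hostnames are invented for the example).
SAMPLE_EMAIL = (
    "Your invoice is ready: hxxps://pub-1a2b3c.r2[.]dev/invoice.pdf\n"
    "Confirm your account at https://secure-login.pages[.]dev/verify?u=1.\n"
    "Download the update from hxxp://update-check.workers[.]dev/run\n"
    "Unrelated: https://example.com/legit and https://workers.dev.example.com/\n"
)


def refang(text):
    """Undo common defanging so 'r2[.]dev' and 'hxxps://' match like real URLs."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def watched_host(url):
    """Return the matching watched suffix for a URL's host, or None.

    Only an exact match or a real subdomain counts, so 'r2.dev.example.com'
    and 'notr2.dev' are not flagged.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for suffix in WATCHED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def find_watched_urls(text):
    """Extract URLs from free text and return (url, suffix) for watched hosts."""
    hits = []
    for url in URL_RE.findall(refang(text)):
        url = url.rstrip(".,);")  # drop sentence punctuation glued to the URL
        suffix = watched_host(url)
        if suffix:
            hits.append((url, suffix))
    return hits


if __name__ == "__main__":
    for url, suffix in find_watched_urls(SAMPLE_EMAIL):
        print(f"{suffix:12} {url}")
```

On a real mail gateway or SIEM you would feed the extracted-URL field in rather than raw bodies, but the host-suffix check is the part that matters: plain substring matching on "r2.dev" would also fire on attacker-controlled lookalikes such as `r2.dev.example.com`, while this check does not.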
Update on the Microsoft 365 hack - Russia has used the exfiltrated data to push further into Microsoft’s network.
“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems.”
An important bit: “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.” #threatintel
NoName's DDoSia platform has been deleted from Telegram. The chat channels, support channels, client downloads, documentation and tasking bot have all been shut down.
The last public version of the DDoSia client is also disconnected from users.
The non-public C2, 193.17.183.123, is still online at present.
At its height this thing had 20k volunteer users.
Nissan Australia and New Zealand are dealing with a “cyber incident”, which likely translates as ‘paying the ransom with the help of the Australian government’. https://www.nissan.com.au/ #threatintel