
ONYPHE

@onyphe.io.bsky.social

Provider of Attack Surface Discovery (ASD), Attack Surface Management (ASM) and CTI solutions. Scanning at Internet-scale since 2017 - contact at onyphe dot io

128 Followers  |  56 Following  |  43 Posts  |  Joined: 06.12.2023  |  2.2708

Latest posts by onyphe.io on Bluesky

For personal use I added a "geolocus" tool to a Deno-based MCP server (that has a lot of random tools/functions in it).

It's been useful enough that I started extracting it to a standalone geolocus MCP server I should be able to release in a couple days.

The @onyphe.io folks are super rad.

03.06.2025 02:22 — 👍 1    🔁 1    💬 0    📌 0

📣 We have added a new #vulnerability detection to our #ASM #AttackSurfaceManagement solution for an #Ivanti product:

CVE-2025-4427+CVE-2025-4428 unauth RCE

search.onyphe.io/search?q=cat...

Thanks to watchTowr for the detection method.

16.05.2025 10:08 — 👍 0    🔁 2    💬 0    📌 0
Post image: a block of JSON on a dark background. It is a Geolocus record for the IP address 3.215.138.152: "abuse" lists the contacts for reporting abuse to Amazon and AWS, "asn" is Amazon's autonomous system number, "isineu": 0 means the address is not in the European Union, "netname" is the name of the network, and the physical_* fields carry the second (physical) location alongside the logical one.

{
  "abuse": [
    "amzn-noc-contact@amazon.com",
    "aws-routing-poc@amazon.com",
    "aws-rpki-routing-poc@amazon.com",
    "trustandsafety@support.aws.com"
  ],
  "asn": "AS14618",
  "continent": "NA",
  "continentname": "North America",
  "country": "US",
  "countryname": "United States",
  "domain": ["amazon.com", "amazonaws.com", "aws.com"],
  "ip": "3.215.138.152",
  "isineu": 0,
  "latitude": "37.09024",
  "longitude": "-95.712891",
  "location": "37.09024, -95.712891",
  "netname": "AMAZON-IAD",
  "organization": "Amazon Data Services NoVa",
  "physical_asn": "AS14618",
  "physical_continent": "NA",
  "physical_continentname": "North America",
  "physical_country": "US",
  "physical_countryname": "United States",
  "physical_isineu": 0,
  "physical_latitude": "37.09024",
  "physical_longitude": "-95.712891",
  "physical_location": "37.09024, -95.712891",
  "physical_organization": "Amazon.com, Inc.",
  "physical_subnet": "3.208.0.0/12",
  "physical_timezone": "America/Chicago",
  "subnet": "3.208.0.0/12",
  "timezone": "America/Chicago"
}

Usage
# Download the latest Geolocus database
geolocus-cli download

# Look up IPs from a file
geolocus-cli lookup -i ips.txt -o results.json

# Process IPs from stdin and output to stdout
cat ips.txt | geolocus-cli lookup

# Output in CSV format
geolocus-cli lookup -i ips.txt -f csv -o results.csv

# Output in JSONL format (one JSON object per line)
geolocus-cli lookup -i ips.txt -f jsonl -o results.jsonl

# Disable session caching
geolocus-cli lookup -i ips.txt --no-cache

Command-line Options
Commands:
  download    Download a fresh copy of the geolocus.mmdb database
  lookup      Lookup and enrich IP addresses from a file or stdin

Options:
  -h, --help              Show help information
  -i, --input <file>      Input file containing IP addresses (one per line)
  -o, --output <file>     Output file for results (defaults to stdout)
  -f, --format <format>   Output format: json, csv, or jsonl (default: json)
  --no-cache              Disable IP caching for the current session


ONYPHE has a super cool geolocus MMDB — https://www.geolocus.io/ — that gets updated daily and has network-level metadata for IP addresses (ref first image JSON).

Since it's way more efficient to use this than their API, I built a cross-platform CLI tool for […]

[Original post on mastodon.social]

27.04.2025 17:09 — 👍 4    🔁 3    💬 0    📌 0

New geolocus-cli For ONYPHE’s Geolocus Database

ONYPHE has made available a free API and free MMDB download of their new Geolocus database. It provided IP address metadata in the form of: { "abuse": [ "amzn-noc-contact@amazon.com", "aws-routing-poc@amazon.com", "aws-rpki-routing-poc@amazon.com", "trustandsafety@support.aws.com" ], "asn": "AS14618", "continent": "NA", "continentname": "North America", "country": "US", "countryname": "United States", "domain": [ "amazon.com", "amazonaws.com", "aws.com" ], "ip": "3.215.138.152", "isineu": 0, […]

#hackernews #news

28.04.2025 14:01 — 👍 2    🔁 1    💬 0    📌 0

The recovery continues, but things are not yet back to normal

29.04.2025 04:54 — 👍 1    🔁 1    💬 0    📌 0

Things are not yet getting better in Spain and Portugal. General downward trend and some visible instability in the remaining networks that are reachable.

#PowerOutage

28.04.2025 18:47 — 👍 2    🔁 0    💬 0    📌 2
A chart showing Internet scan data plots for three countries: Spain, Portugal and France. The three lines are stable, with minor variations, from 09:00 to 12:30. At 12:30 the lines for Spain and Portugal drop almost vertically to roughly 50% of their original levels, while the line for France continues as at the start of the day. The lines for Spain and Portugal have not returned to their original levels.

The electrical power outage in Spain and Portugal as seen from the Internet (France included for reference)

28.04.2025 16:03 — 👍 2    🔁 2    💬 0    📌 1

ERRATUM: the CVSS was given, it is a 9.8

25.04.2025 17:01 — 👍 0    🔁 0    💬 0    📌 0
CVE-2025-32432 – 0day Craft CMS discovered by Orange Cyberdefense – Blog | Big Data for Cyber Defense

#CVE-2025-32432 #0day #CraftCMS discovered by Orange Cyberdefense

💥Unauthenticated Remote Code Execution. No CVSS yet; we suggest giving it a 10

📌40,000 IP addresses representing over 37,000 domain names exposed, 12,168 unique domains vulnerable

Blog:

blog.onyphe.io/en/cve-2025-...

25.04.2025 15:45 — 👍 1    🔁 2    💬 1    📌 0

UPDATE: our scan has finished, nearly 22,000 devices are compromised.

22.04.2025 13:48 — 👍 0    🔁 0    💬 0    📌 0
Symlink backdoor on Fortinet SSL VPNs – Blog | Big Data for Cyber Defense

💥Detection method for the #backdoor #symlink on #fortinet

"we are ready to share it, privately"

More than 18,000 devices compromised

Read the article: blog.onyphe.io/backdoor-sym...

21.04.2025 12:50 — 👍 2    🔁 0    💬 0    📌 0
Symlink backdoor on Fortinet SSL-VPN devices – Blog | Big Data for Cyber Defense

💥Detection method for #symlink #backdoor on #fortinet

"we are willing to share it, privately"

More than 18k devices compromised

Read more: blog.onyphe.io/en/symlink-b...

21.04.2025 12:49 — 👍 4    🔁 2    💬 0    📌 2

Time to search for a decentralized way to deal with vulnerability identifiers.

16.04.2025 11:36 — 👍 2    🔁 0    💬 0    📌 0

You're nice to us, thank you for saying we are honorable ☺️

24.03.2025 17:14 — 👍 0    🔁 0    💬 0    📌 0

Many thanks :)

24.03.2025 10:12 — 👍 0    🔁 0    💬 0    📌 0

And there's an #RStats package for it—now.

codeberg.org/hrbrmstr/geo...

24.03.2025 08:38 — 👍 16    🔁 4    💬 2    📌 0
Geolocus by ONYPHE Geolocus is an IPv4 & IPv6 geolocation service. Our motto is: you don't need misleading GPS coordinates, you need trusted IP to country locations. Furthermore, an IP address truly has 2 locations: 1 l...

โ“Ever wanted to have an IP geolocation database with 2 locations, one physical for the device and one logical from whois data?

๐Ÿ‘‰We provide a free MMDB file for download and a brand new Website for lookups & even a free API access:

www.geolocus.io

24.03.2025 07:46 โ€” ๐Ÿ‘ 3    ๐Ÿ” 2    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 2
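The geolocus-cli workflow shown earlier on this page (IPs read one per line from a file or stdin, each looked up in the downloaded geolocus.mmdb, results written as JSON, JSONL or CSV) and the two-location model from the post above, as an added Python example. It is not geolocus-cli's code and not ONYPHE's API client; the field names come from the JSON record in the feed, while the second sample record, the helper names and the use of the maxminddb library to read the MMDB file are this example's own assumptions. It adds the check that the two locations make possible: flagging addresses whose logical (whois) view disagrees with the physical one.

```python
"""Enrich a batch of IPs from Geolocus-style records and flag addresses whose
logical (whois) location disagrees with the physical one. Added example."""
import csv
import io
import ipaddress
import json

# Constructed sample database. Field names follow the Geolocus JSON in the
# feed; the first record mirrors the posted 3.215.138.152 record, the second
# (192.0.2.10, a documentation prefix) is made up to show a mismatch.
SAMPLE_DB = {
    "3.215.138.152": {
        "ip": "3.215.138.152", "asn": "AS14618", "subnet": "3.208.0.0/12",
        "country": "US", "isineu": 0, "organization": "Amazon Data Services NoVa",
        "physical_asn": "AS14618", "physical_subnet": "3.208.0.0/12",
        "physical_country": "US", "physical_isineu": 0,
        "physical_organization": "Amazon.com, Inc.",
    },
    "192.0.2.10": {
        "ip": "192.0.2.10", "asn": "AS64496", "subnet": "192.0.2.0/24",
        "country": "US", "isineu": 0, "organization": "Example Hosting LLC",
        "physical_asn": "AS64496", "physical_subnet": "192.0.2.0/25",
        "physical_country": "DE", "physical_isineu": 1,
        "physical_organization": "Example Rechenzentrum GmbH",
    },
}

# Logical fields compared against their physical_* counterparts.
COMPARED = ("country", "isineu", "asn", "subnet")


def parse_ip_list(text: str) -> list[str]:
    """Unique, syntactically valid IPv4/IPv6 addresses in input order.

    Blank lines, '#' comments and junk are skipped rather than raising, so one
    bad line cannot abort a large batch; the dedupe does what the CLI's
    per-session cache does, each address is looked up once.
    """
    seen, ips = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ip = str(ipaddress.ip_address(line))  # also normalises IPv6 text
        except ValueError:
            continue
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips


def open_geolocus(path: str):
    """Open a downloaded geolocus.mmdb. Assumption: it is a standard MMDB, so
    maxminddb's Reader.get(ip) returns the record dict or None, the same
    interface SAMPLE_DB offers."""
    import maxminddb  # lazy import: not needed for the sample run
    return maxminddb.open_database(path)


def enrich(ips, db) -> list[dict]:
    """Look up each IP in db and add the logical-vs-physical comparison."""
    rows = []
    for ip in ips:
        rec = db.get(ip)
        if rec is None:
            rows.append({"ip": ip, "found": False})
            continue
        diffs = [f for f in COMPARED if rec.get(f) != rec.get("physical_" + f)]
        row = {"ip": ip, "found": True, "location_mismatch": bool(diffs),
               "mismatch_fields": diffs}
        row.update(rec)
        rows.append(row)
    return rows


def to_jsonl(rows: list[dict]) -> str:
    """One JSON object per line, keys sorted for stable diffs."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in rows)


def to_csv(rows: list[dict]) -> str:
    """Flatten to CSV; list-valued fields are ';'-joined."""
    fields = sorted({k for r in rows for k in r})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    for r in rows:
        writer.writerow({k: ";".join(map(str, v)) if isinstance(v, list) else v
                         for k, v in r.items()})
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stdin-style input with a comment, a junk line and a duplicate.
    text = "3.215.138.152\n# lab box\n192.0.2.10\nnot-an-ip\n3.215.138.152\n10.0.0.1\n"
    print(to_jsonl(enrich(parse_ip_list(text), SAMPLE_DB)), end="")
```

Because enrich() only needs an object with a .get(ip) method that returns the record dict or None, the same code runs over the constructed SAMPLE_DB here and over open_geolocus("geolocus.mmdb") once the database has been downloaded. A row with location_mismatch set is the case the two-location model is for: whois says one thing about the address, measurement says another, and that is usually worth a second look before trusting either country for policy or attribution.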
Zero Day Hello ☕ Welcome to this week's low-noise Cyber review. I know, it's been a while, but: I've had some crazy weeks (including one that ended with yours truly stuck in Brussels for ca...

👓The low-noise Cyber review is back! The alpha and omega of this edition: zero days. It's... surprising 😇

And also a podcast (hi @nolimitsecu.bsky.social), fascinating figures from @onyphe.io, and La tech est politique with its new column.
www.linkedin.com/pulse/zero-d...

23.03.2025 14:01 — 👍 7    🔁 4    💬 0    📌 1
Installation | ONYPHE Installation

The latest version of our cli tool has been released. Get v4.19.0 and find wrappers with sweet new APIs inside.

Available here ➡️
search.onyphe.io/docs/onyphe-...

or here 🐳 hub.docker.com/r/onyphe/ony...

or even here 🥷 metacpan.org/dist/Onyphe

18.03.2025 06:54 — 👍 3    🔁 2    💬 0    📌 0
💥 Great news 💥

#ASD #AttackSurfaceDiscovery APIs are on their way to general availability.

It has never been so easy to create an asset inventory for any organization's attack surface #EASM

Backed by the tens of billions of pieces of information we collect.

01.03.2025 17:37 — 👍 0    🔁 0    💬 0    📌 0
📣 Meet Thomas Damonneville - our founder - at the #M3AAWG organized by the Messaging, Malware, Mobile Anti-Abuse Working Group in Lisbon next week for his presentation entitled: “Hunting for phishing URLs, kits and business”.

👋 In partnership with Signal Spam

#phishing #phishingkit #cybersecurity

15.02.2025 18:20 — 👍 3    🔁 1    💬 1    📌 0

Yes, still 50k compromised devices. Since more than 12 months.

14.02.2025 12:21 — 👍 2    🔁 1    💬 0    📌 0
📣 We have added a new #vulnerability detection to our #ASM #AttackSurfaceManagement solution for the #PaloAltoNetworks PA product:

CVE-2025-0108: authentication bypass on management interface

search.onyphe.io/search?q=cat...

Thanks to @assetnote.io for having shared the detection method.

14.02.2025 09:16 — 👍 6    🔁 3    💬 0    📌 0
The XE Files - Trust No Router hack.lu 2024 On the 16th October 2023 Cisco Talos shared intelligence about a handful of compromised routers discovered while resolving customer support requests. As the full story unfolded, a handful of backdoore...

Yet by performing an awkward legal waltz around the subject, Talos have helpfully supported my hypothesis that compromised IOS XE devices are part of an ORB network serving multiple APTs.

archive.hack.lu/hack-lu-2024...

12.02.2025 09:21 — 👍 2    🔁 2    💬 1    📌 0
🎉 Retrospective 2024 and Roadmap 2025

👉 Over the last 12 months, we massively increased our visibility of Internet exposed assets. Until now, we focused on #ASM, but this year we will improve our automatic #ASD and expand into the #CTI segment.

Read more: search.onyphe.io/docs/write-u...

31.01.2025 14:22 — 👍 5    🔁 2    💬 0    📌 0
ONYPHE ctiscan result showing the number of Windows boxes exposing the RPC protocol: 2,193,060 found in 0.26 seconds

we tag it as a risky protocol

there are 2.2M results for Windows RPC boxes

03.01.2025 09:56 — 👍 1    🔁 1    💬 1    📌 0

Cc @greynoise.infosec.exchange.ap.brid.gy

21.01.2025 16:00 — 👍 1    🔁 0    💬 0    📌 0

Thanks, will do โ˜บ๏ธ

21.01.2025 14:15 — 👍 0    🔁 0    💬 0    📌 0

And for the previous report, written in 2022:

www.greynoise.io/blog/new-sen...

Many thanks to @hrbrmstr.dev on X for this study.

21.01.2025 13:21 — 👍 1    🔁 0    💬 1    📌 0

๐Ÿ Our main competitor, The Leading Internet Intelligence Platform for Threat Hunting and Attack Surface Management, can count on us to be their biggest challenger.

#AttackSurfaceManagement #ASM #CyberThreatIntelligence #CTI

Read the complete report here:

www.greynoise.io/blog/checkin...

21.01.2025 13:21 — 👍 0    🔁 0    💬 1    📌 0
