Daniel Stinson

Talk about helping to build a better Internet -> har-sanitizer.pages.dev

Thanks @cloudflare.social 🔥

BeyondTrust Discovers Breach of Okta Support Unit | BeyondTrust This blog shared details of the Okta support unit attack to educate other Okta users and infosec professionals. For BeyondTrust customers who leverage our Identity Security Insights product, we have a...

Customer: Are we safe?
Okta: Give me a HAR and we’ll let you know when we find out from other customers.

Helpful context: www.beyondtrust.com/blog/entry/o...

Much less helpful context response: sec.okta.com/harfiles

I really believe that if your infrastructure can’t survive a user clicking a link, you are doomed. I’m the director of cybersecurity at NSA and you can definitely craft an email link I will click…

r.mtdv.me/TrustThis

Security Engineer, Detection & Response | Career Opportunities Want to work at Brex? Explore all of our current remote job openings right here. Apply today & join our team!

My team is hiring for a new member of our D&R team based in 🇨🇦 www.brex.com/careers/6952...

I'm very biased but I think we're a great team in the D&R space across a production & corporate environment. Big fans of open sourcing projects, managing components via source control where possible

Some new 🔥 reporting on everyones least favorite threat actor by Permiso: 0ktapus, Scattered Spider, UNC3944, and STORM-0875 and now LUCR-3 👀
permiso.io/blog/lucr-3-...

All these security vendors are trying to define XDR (eXtended Detection & Response) but Apple has been using XDR screens for years and improving it in iPhone 15 🧠

GitHub GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 330 million projects.

Friday afternoons are a great time for releasing and deploying new software! 🔥🚀

Substation v0.9.2 is here: github.com/brexhq/substation/d…

In addition to a new bitmath inspector I wrote, this release brings some QoL improvements, let us know if you find use-cases for these additions. XDR onwards!

🔥 an at cost registrar, with WebAuthN support adding more domains to help migrate off of Google/Squarespace 👏

One of my biggest pet peeves within infosec is how people still refer to "knowing your network". In the era of cloud networks that really aren't yours, SaaS networks that definitely aren't yours... let's rebrand to "knowing your environment" which consists of: endpoints, SaaS, servers, and cloud.

Great reporting @philofishal.bsky.social on the many variants 👏 https://www.sentinelone.com/blog/apple-crimeware-massive-rust-infostealer-campaign-aiming-for-macos-sonoma-ahead-of-public-release/

Fake Blockchain Games Deliver RedLine Stealer & Realst Stealer - A New macOS Infostealer Malware

More macOS stealers 👀

A simple detection for command lines w/ “security find-generic-password <chromium>” catches most 😂

https://iamdeadlyz.gitbook.io/malware-research/july-2023/fake-blockchain-games-deliver-redline-stealer-and-realst-stealer-a-new-macos-infostealer-malware#realst-stealer-macos

I’m clearly a fan of them getting caught because it gives us a glimpse of some of the only nation state macOS targeting with a pretty high cadence recently (and we’ll I’m a defender so suck it hackers). Are other macOS attacks undetected or is 🇰🇵 the only targeting entity?

🇰🇵 operators seem brutally effective at getting to target environments directly (crypto scams, backdoored apps) and now more supply chain targeting (3CX, and JumpCloud)… do they not care about stealth if they accomplish their goals? 🤔

North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack We responded to a supply chain compromise by a likely DPRK-nexus threat actor, who we believe leveraged JumpCloud.

Latest hacking from the DPRK with macOS payload details 👀 Great reporting from the Mandiant team!

https://www.mandiant.com/resources/blog/north-korea-supply-chain

Not sure how a UPX’d executable got a function named “setupsomething” through their agile code review 🤣

I had a great time in 2020 at OBTS v3.0 and hope to make the next one 🤞

The evolution through 8 versions and adding support for GCP & Azure is my favorite part of this series.

Inclusion of YARA based malware detection is great but would have loved CloudTrail and equivalent log based detection that defenders could use 🤞

Permiso | Blog | Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead Permiso p0 Labs and SentinelLabs team up to tackle the latest mass cloud credential harvesting and crypto mining campaign "SilentBob".

☁️ intel blogs coming in from Permiso & SentinelOne today 👀

- https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/
- https://www.sentinelone.com/labs/cloudy-with-a-chance-of-credentials-aws-targeting-cred-stealer-expands-to-azure-gcp/

Besides using it regularly to load and interrogate data - the Vertex blog is a great way to learn Storm recently 🔥

#OBTS v6.0: Talks Conference Talks

🔥 lineup coming for the Objective-by-the-Sea v6 conference all on macOS & iOS security: https://objectivebythesea.org/v6/talks.html

- 2 talks on DPRK malware analysis
- 1 talk from Kaspersky on Triangulation (🦅)
- ... and more on bug hunting across the OS and user applications!

2nd ever Apple Rapid Security Response update out for a WebKit bug (CVE-2023-37450):

iOS: https://support.apple.com/en-us/HT213823
macOS: https://support.apple.com/en-us/HT213825

Biggest question: how can I get a scaled down version for my home “cloud”?

I would test this and see what detection opportunities exist with the Jira/Confluence audit logs but I already know there is not enough info logged to find token theft. Defenders have to rely on EDR logging for the token theft and hope users only access from work machines 👎

Sowing Chaos and Reaping Rewards in Confluence and Jira Introducing AtlasReaper

I’m not hoping to start an big anti-OST flame war but it’s sad that the place that hosts a whole podcast drops offensive Atlassian tooling without a section on detection :(

https://posts.specterops.io/sowing-chaos-and-reaping-rewards-in-confluence-and-jira-7a90ba33bf62

Release LOOBins v1.1.0 · infosecB/LOOBins What's Changed Additions launchctl by @caffeinatedJAC in #132 mdls by @shellcromancer in #134 log by @infosecB in #135 scutil by @ethan-nay in #136 mktemp by @bobby-tablez in #137 Updates Update...

Woo, my addition to the LOOBins project got released today! https://github.com/infosecB/LOOBins/releases/tag/v1.1.0

I added the mdls command used by common adware like Genio

I doubt they'll fix things, I've only seen one vendor make effort since https://audit-logs.tax went up... On the other hand it's really satisfying to publish and worth it.

Seems like the answer to this was to some extent: yes, 0-day was used.

New *OS releases (see https://support.apple.com/en-us/HT213814) from today include a mention of the Kaspersky team for CVE-2023-32434 so it seems like there was some level of 0-day with the Triangulation attack

More macOS threats to be detected 👀

https://www.bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack/

Iconic way for @killedbygoogle.com to enter this new platform.

Full schedule: https://fwdcloudsec.org/schedule.html#2023-06-13Follow us on Twitter: https://twitter.com/fwdcloudsec Fwd:cloudsec 2023 Conference Salon B - DAY 2

@jshlbrd.bsky.social is live at Fwd:cloudsec talking about
the design and use of https://substation.readme.io
at Brex! 🔥

https://www.youtube.com/watch?v=ZvdYgL6b9xE