SentinelOne

@sentinelone.com.bsky.social

The world’s most advanced, autonomous AI-powered cybersecurity platform. We empower the world to run securely, with leading organizations trusting us to Secure Tomorrow™. Secure your enterprise: http://sentinelone.com/request-demo/

871 Followers  |  12 Following  |  248 Posts  |  Joined: 14.11.2024

Latest posts by sentinelone.com on Bluesky

Just A Sec - Cybersecurity Unfiltered. Fast, Frank, Fun Podcast · SentinelOne · Just a Sec is cybersecurity like you’ve never heard it before — unfiltered, formatted to entertain, and always on-point. This isn’t your typical industry livestream. Each episo...

Not attending Black Hat? Don't worry, we will still be posting the show recording on LinkedIn, YouTube and Spotify:

🎧 Spotify - bit.ly/4mm657z
📱 LinkedIn (pre-register for notifications) - bit.ly/4mkd54Q
📺 YouTube - bit.ly/4kWpbAb

31.07.2025 22:17 — 👍 1    🔁 0    💬 0    📌 0

We will also be announcing the master topic and on-the-clock countdown topics early next week, so keep an eye out!

Don't miss your chance to see Drea London, @stonepwn3000.bsky.social, @dakotaindc.bsky.social, and @jags.bsky.social spice it up. 👀 😤

31.07.2025 22:17 — 👍 1    🔁 0    💬 1    📌 0

🚨 Black Hat... meet 'Just A Sec' 🖤 💜

🔥We are bringing our livestream show to the expo floor of Black Hat at SentinelOne Booth #3033 on Wednesday, Aug. 6 at 11 a.m. PT.

31.07.2025 22:17 — 👍 2    🔁 0    💬 1    📌 0
China’s Covert Capabilities | Silk Spun From Hafnium China-linked hackers used patented spyware tech from front companies tied to Hafnium, exposing gaps in cyber threat attribution.

🔗 Full report, authored by @sentinellabs.bsky.social's @dakotaindc.bsky.social: s1.ai/SilkPatents

30.07.2025 17:18 — 👍 1    🔁 0    💬 0    📌 0

📚 Zoom out: Hafnium’s 2021 MES campaign triggered an unprecedented joint U.S.-EU-UK rebuke. This report shows that wasn’t a one-off—it was a glimpse into a broader, layered offensive apparatus.

30.07.2025 17:18 — 👍 0    🔁 0    💬 1    📌 0

These offensive patents include:
🔍 Tools to bypass Apple FileVault
📱 Mobile and router forensics software
🏠 Surveillance tools for smart home devices

30.07.2025 17:18 — 👍 0    🔁 0    💬 1    📌 0

💡 What’s new:
– Direct links between indicted hackers, contracting companies, and China’s state security
– Evidence that Hafnium’s tooling goes far beyond what’s publicly documented
– Fresh questions about how China’s Ministry of State Security (MSS) supports its contractors

30.07.2025 17:18 — 👍 0    🔁 0    💬 1    📌 0

🧵 Why it matters: This is a deep dive into the ecosystem behind one of China’s most notorious threat actors.

30.07.2025 17:18 — 👍 0    🔁 0    💬 1    📌 0

The Cyber Patents China Didn’t Want Us to Find…

@sentinellabs.bsky.social has uncovered 10+ patents for highly intrusive forensics and data collection tools—filed by companies named in U.S. government indictments for working with the Chinese Hafnium (aka Silk Typhoon) APT group.

30.07.2025 17:18 — 👍 4    🔁 2    💬 1    📌 0
The Good, the Bad and the Ugly in Cybersecurity – Week 29 Police disrupt ransomware and DDoS attackers, Katz Stealer expands multi-stage infection campaign, and DPRK-actors spread npm malware.

📖 Full breakdown from SentinelOne: s1.ai/GBU7-Wk29

25.07.2025 17:33 — 👍 0    🔁 0    💬 0    📌 0

🧠 What to do now:
- Patch SharePoint servers immediately
- Share the Phobos decryptor with impacted users
- Monitor dark-web channels for Lumma activity

25.07.2025 17:33 — 👍 0    🔁 0    💬 1    📌 0

🤢 UGLY
• ToolShell exploit chain escalates, including instances attributed to two China-based hacking groups
• Microsoft patches SharePoint zero-days
• CISA issues emergency directive

25.07.2025 17:33 — 👍 0    🔁 0    💬 1    📌 0

✅ GOOD
• Free decryptor for Phobos/8Base ransomware
• Admin of XSS[.]is, the notorious Russian-speaking cybercrime platform, arrested in Kyiv

25.07.2025 17:33 — 👍 0    🔁 0    💬 1    📌 0

🚨 This Week in Cyber: The Good, the Bad, and the Ugly 🚨

25.07.2025 17:33 — 👍 0    🔁 0    💬 1    📌 0

🛡️ SentinelOne continues to monitor and assist customers.

21.07.2025 23:16 — 👍 1    🔁 0    💬 0    📌 0
SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers SentinelOne shares distinct attack clusters and a detailed timeline of events on an active exploit of the ToolShell 0-day in MS SharePoint.

📌 Go deeper ➡️ s1.ai/toolshell
- Timeline of in-the-wild exploitation
- Technical deep dive on all three TTP clusters
- Mitigation steps and IOCs
- Detection & hunting queries from SentinelOne

21.07.2025 23:16 — 👍 1    🔁 0    💬 1    📌 0

🛠️ Why it matters: “ToolShell” is trivial to exploit, stealthy, and lets attackers gain persistent access to valuable environments. SharePoint’s role as a data store and delivery mechanism makes it a high-value target.

21.07.2025 23:16 — 👍 0    🔁 0    💬 1    📌 0

PoC code is now public. Broader exploitation is expected.

21.07.2025 23:16 — 👍 0    🔁 0    💬 1    📌 0

🧵 What’s happening:
– The three unique attacker clusters are targeting tech, critical infrastructure and architecture and engineering firms
– Two clusters deployed webshells designed to execute commands or collect sensitive system information. Another operated filelessly.

21.07.2025 23:16 — 👍 0    🔁 0    💬 1    📌 0

We first observed SharePoint exploitation on July 17, two days before Microsoft’s official advisory.

21.07.2025 23:16 — 👍 0    🔁 0    💬 1    📌 0

🚨 SentinelOne Uncovers 3 Distinct Attack Clusters Targeting Microsoft SharePoint: As part of the “ToolShell” Zero-Day being exploited in-the-wild, our threat researchers have identified three distinct attack clusters, each with unique tradecraft and objectives.

21.07.2025 23:16 — 👍 5    🔁 2    💬 2    📌 1
OneCon25 Call for Content

With cyber threats surging in the AI era, your ideas can reshape the battlefield. Submit your insights by August 15 at s1.ai/OneConCFC

21.07.2025 17:05 — 👍 0    🔁 0    💬 0    📌 0

💡Ignite the AI Era discussion with your ideas at OneCon, where our industry redefines and reimagines cybersecurity with fearless innovation. Share the stage with the industry’s top minds, together pushing the boundaries that spark groundbreaking ideas 🔥

21.07.2025 17:05 — 👍 0    🔁 0    💬 1    📌 0

Don't miss the opportunity to speak at OneCon 2025. Submit your paper for consideration 🗣️ s1.ai/OneConCFC

21.07.2025 17:05 — 👍 0    🔁 0    💬 1    📌 0
Katz Stealer | Powerful MaaS On the Prowl for Credentials and Crypto Assets A stealthy MaaS infostealer exfiltrating browser, crypto, and system data, Katz Stealer is enabling full campaign control for threat actors.

👉 Read the full analysis from our threat researchers: s1.ai/katz

21.07.2025 16:56 — 👍 0    🔁 0    💬 0    📌 0

The bottom line: Katz is a modern infostealer built for more widespread adoption. Its success highlights the dangerous trend of professional-grade malware made accessible to the masses.

21.07.2025 16:56 — 👍 0    🔁 0    💬 1    📌 0

🧠 Driving the rise:
• Easy-to-use builder for custom payloads
• Built-in campaign and log management
• Support for crypto wallets, browsers, messaging apps
• Stealthy delivery: Steganography, process hollowing, in-memory loaders

21.07.2025 16:56 — 👍 0    🔁 0    💬 1    📌 0

Why it matters: Katz Stealer is a turnkey Malware-as-a-Service with a slick web panel, lower cost, and a feature set built for scale. It’s marketed across Telegram, Discord, and cybercrime forums—and being used by threat actors of all skill levels.

21.07.2025 16:56 — 👍 0    🔁 0    💬 1    📌 0

💰 Credential Theft-as-a-Service? A new, turnkey infostealer is gaining traction fast—and it’s not just for sophisticated actors, with this malware’s "accessible" pricing and low barrier to entry.

21.07.2025 16:56 — 👍 1    🔁 0    💬 1    📌 0
macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware NimDoor reflects a leap in DPRK’s offensive toolkit, mixing compile-time trickery with native scripting to complicate and deter analysis.

📖 Full research by @philofishal.bsky.social and @syrion89.bsky.social: s1.ai/nimdoor

02.07.2025 14:18 — 👍 2    🔁 0    💬 0    📌 0
