Lightnews — Scholar-powered news

Reposted by Austin Larsen

pdub5.bsky.social @pdub5.bsky.social · Sep 9

Join @austinlarsen.me and me next Tuesday for a deep-dive into PRC-nexus threat actor capabilities! Learn about advanced social engineering tactics, novel malware delivery, and strategies to defend your organization.

www.brighttalk.com/webcast/7451...

1 1

Reposted by Austin Larsen

Catalin Cimpanu @campuscodi.risky.biz · Sep 1

A story in two acts

3 3 19

Reposted by Austin Larsen

John Hultquist @hultquist.bsky.social · Aug 29

Major Update: We now believe this incident impacts other Salesloft Drift integrations, not just Salesforce. We’re advising Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.

John Hultquist @hultquist.bsky.social · Aug 26

An actor we are tracking as UNC6395 is targeting Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. This is ongoing and widespread. cloud.google.com/blog/topics/...

Widespread Data Theft Targets Salesforce Instances via Salesloft Drift | Google Cloud Blog

A widespread data theft campaign targeting Salesforce instances via the Salesloft Drift third-party application.

cloud.google.com

11 15

Reposted by Austin Larsen

Catalin Cimpanu @campuscodi.risky.biz · Aug 26

A threat actor (UNC6395) is accessing Salesforce accounts and data through the Salesloft Drift AI chat agent

cloud.google.com/blog/topics/...

Widespread Data Theft Targets Salesforce Instances via Salesloft Drift | Google Cloud Blog

A widespread data theft campaign targeting Salesforce instances via the Salesloft Drift third-party application.

cloud.google.com

1 11 15

Reposted by Austin Larsen

John Hultquist @hultquist.bsky.social · Aug 26

An actor we are tracking as UNC6395 is targeting Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. This is ongoing and widespread. cloud.google.com/blog/topics/...

Widespread Data Theft Targets Salesforce Instances via Salesloft Drift | Google Cloud Blog

A widespread data theft campaign targeting Salesforce instances via the Salesloft Drift third-party application.

cloud.google.com

2 5 17

Reposted by Austin Larsen

Catalin Cimpanu @campuscodi.risky.biz · Jul 29

APT folks... is UNC3886 becoming a top-tier actor?

www.trendmicro.com/en_us/resear...

www.sygnia.co/blog/fire-an...

supportportal.juniper.net/s/article/20...

cloud.google.com/blog/topics/...

2 3 15

Austin Larsen @austinlarsen.me · May 28

This campaign deploys malware like STARKVEIL, XWORM & FROSTRIFT. Our report covers their TTPs including the use of Unicode Braille patterns to obfuscate executable file names and their continuous rotation of domains to evade detection.

cloud.google.com/blog/topics/...

Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog

Cybercriminals are using fake AI-themed ads and websites to deliver malware such as infostealers and backdoors.

cloud.google.com

1

Austin Larsen @austinlarsen.me · May 28

New @mandiant.com research: UNC6032 (Vietnam-nexus actor 🇻🇳) is exploiting interest in AI tools, using fake AI video generator sites & malicious ads to spread malware.

The campaign, active since mid-2024, aims to steal credentials, cookies & financial data.

1 6

Reposted by Austin Larsen

pdub5.bsky.social @pdub5.bsky.social · May 28

🚨 Heads up! 🚨 APT41 is using Google Calendar 🗓️ as their latest C2 trick. GTIG just pulled back the curtain 🎭 on the TOUGHPROGRESS malware campaign and how we shut it down 💪. Dive into the details here: 🚀https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics

1 4 8

Reposted by Austin Larsen

Eric Geller @ericjgeller.com · Apr 18

Confirming that CISA has stopped using VirusTotal and Censys.

"Makes their jobs a lot harder," a person familiar with the matter told me, adding, "There's a possibility that more services might be limited or cut due to budget."

David DiMolfetta @ddimolfetta.bsky.social · Apr 18

New: CISA’s threat hunting division warned 500+ staff it will discontinue Google-owned VirusTotal and has already ceased use of Censys. Nightwing and Peraton contractors also had to turn in their phones Thursday:
www.nextgov.com/cybersecurit...

CISA warns threat hunting staff of end to Google, Censys contracts as agency cuts set in

“We understand the importance of these tools in our operations and are actively exploring alternative tools to ensure minimal disruption,” said the email sent to several hundred CISA cyber threat hunt...

www.nextgov.com

3 26 52

Reposted by Austin Larsen

gab 🇺🇦🇵🇸 @gabagool.ing · Apr 7

Excellent breakdown of the “Rogue RDP” TTP we’ve seen susp Russian APT UNC5837 using in their campaigns written by my colleague Rohit (@IzySec over on X)

Windows Remote Desktop Protocol: Remote to Rogue | Google Cloud Blog

A novel phishing campaign by Russia-nexus espionage actors targeting European government and military organizations.

cloud.google.com

8 16

Reposted by Austin Larsen

Shane Harris @shaneharris.bsky.social · Mar 24

In 25 years of covering national security, I’ve never seen a story like this: Senior Trump officials discussed planning for the U.S. attack on Yemen in a Signal group--and inadvertently added the editor-in-chief of The Atlantic. www.theatlantic.com/politics/arc...

The Trump Administration Accidentally Texted Me Its War Plans

U.S. national-security leaders included me in a group chat about upcoming military strikes in Yemen. I didn’t think it could be real. Then the bombs started falling.

www.theatlantic.com

790 6.5K 17K

Austin Larsen @austinlarsen.me · Mar 12

🚨 Following a months-long investigation stemming back to mid-2024, Mandiant just published details on a campaign by China-nexus actor UNC3886 targeting Juniper routers. Our investigation uncovered a custom malware ecosystem on end-of-life Juniper MX devices.
cloud.google.com/blog/topics/...

Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers | Google Cloud Blog

We discovered China-nexus threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers.

cloud.google.com

4

Reposted by Austin Larsen

Kristine ❌👑 @extrasuperkk.bsky.social · Mar 3

Hundreds protested at the national labs today in Boulder, Colorado. #SaveOurServices #resist #NOAA #NIST #NCAR #ScienceSavesLives

12 210 840

Reposted by Austin Larsen

Tom Nichols @radiofreetom.bsky.social · Mar 1

Today was a grim, terrible day for the United States and the cause of democracy. Putin, along with other dictators around the world, can finally look at Trump with confidence and think: one of us.

www.theatlantic.com/ideas/archiv...

It Was an Ambush

Today marked one of the grimmest days in the history of American diplomacy.

www.theatlantic.com

280 1.5K 5.3K

Reposted by Austin Larsen

Matt Kapko @mattkapko.com · Feb 27

A 21-year-old U.S. Army soldier linked to last year's Snowflake attack spree allegedly tried to sell stolen data to a foreign intelligence service after searching for information about how to defect to Russia. Hat tip to @nixonnixoff.bsky.social @austinlarsen.me cyberscoop.com/army-soldier...

Army soldier linked to Snowflake attack spree allegedly tried to sell data to foreign spies

Federal prosecutors accuse Cameron Wagenius of searching how to defect to Russia days after he tried to sell stolen data to a foreign intelligence service.

cyberscoop.com

2 11 27

Reposted by Austin Larsen

Allison Nixon @nixonnixoff.bsky.social · Feb 27

The no-opsec Army guy who was part of the group that leaked Trump's call logs (and worse, threatened me) google searched how to defect to Russia and "can hacking be treason" 💀💀💀💀

He was never going to get away.

8 33 140

Reposted by Austin Larsen

Richard Branson @richardbranson.bsky.social · Feb 25

For the US to side with Russia and North Korea to oppose a UN resolution condemning the illegal invasion of Ukraine defies all common sense and adds insult to the countless injuries suffered by the brave Ukrainian people. edition.cnn.com/2025/02/24/p...

US joins Russia to vote against UN resolution condemning Russia’s war against Ukraine | CNN Politics

The United States joined Russia to vote against a UN General Assembly resolution condemning Russia’s war against Ukraine Monday in a stunning shift from years of US policy.

edition.cnn.com

3.6K 14K 63K

Reposted by Austin Larsen

Dan Black @danwblack.bsky.social · Feb 19

Today, Google Threat Intelligence is alerting the community to increasing efforts from several Russia state-aligned threat actors (GRU, FSB, etc.) to compromise Signal Messenger accounts.

cloud.google.com/blog/topics/...

Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog

Russia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.

cloud.google.com

3 120 170

Reposted by Austin Larsen

Eric Geller @ericjgeller.com · Jan 21

DHS has terminated the memberships of everyone on its advisory committees.

This includes several cyber committees, like CISA's advisory panel and the Cyber Safety Review Board, which was investigating Salt Typhoon.

That review is "dead," person familiar says.

www.documentcloud.org/documents/25...

54 610 1.1K

Reposted by Austin Larsen

Joseph Cox @josephcox.bsky.social · Jan 21

A bug in Cloudflare (and just the nature of how CDNs work) let an attacker learn the broad location of Discord, Signal, Twitter users by just sending them an image, according to a security researcher. It works because check which data center cached the image www.404media.co/cloudflare-i...

Cloudflare Issue Can Leak Chat App Users' Broad Location

A security researcher made a tool that let them quickly check which of Cloudflare's data centers had cached an image, which allowed them to figure out what city a Discord, Signal, or Twitter/X user mi...

www.404media.co

98 660 2.4K

Reposted by Austin Larsen

Cynthia Brumfield @metacurity.com · Jan 16

"FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the identities of confidential informants."
www.bloomberg.com/news/article...

FBI Has Warned Agents It Believes Hackers Stole Their Call Logs

FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the ...

www.bloomberg.com

2 6

Reposted by Austin Larsen

John @bigbadw0lf.bsky.social · Jan 9

🔥 new blog detailing 0day exploitation of Ivanti appliances as well as some newly observed malware families tracked as PHASEJAM and DRYHOOK. We also detail activity related to the previously observed SPAWN* malware ecosystem tied to China-nexus cluster UNC5337.

cloud.google.com/blog/topics/...

Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog

Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.

cloud.google.com

23 34

Austin Larsen @austinlarsen.me · Jan 9

Patch immediately, run the Ivanti external ICT checker, read our latest research for a detailed breakdown of the threat, and checkout Ivanti's advisory for the latest guidance:
forums.ivanti.com/s/article/Se...

Ivanti Community

forums.ivanti.com

1