hrbrmstr 🇺🇦 🇬🇱 🇨🇦 🏳️‍🌈
@hrbrmstr.mastodon.social.ap.brid.gy
400 followers 12 following 3.6K posts
Pampa • Don't look @ me…I do what he does—just slower. #rstats avuncular •👨‍🍳• ✝️ • 💤 • Varaforseti í Gögn Vísindi @ GreyNoise + Carnegie Mellon […] 🌉 bridged from https://mastodon.social/@hrbrmstr on the fediverse by https://fed.brid.gy/
Reposted by hrbrmstr 🇺🇦 🇬🇱 🇨🇦 🏳️‍🌈
greynoise.infosec.exchange.ap.brid.gy
GreyNoise Feeds are here: real-time webhook alerts for CVE status changes, exploitation spikes, and IP classification changes. No more polling. Respond the moment threats emerge. 🦾
www.greynoise.io/blog/introducing-greynoise-feeds-real-time-intel-real-time-response
hrbrmstr.mastodon.social.ap.brid.gy
I HATE THE INTERNET

So, going back to the previous Cisco ASA event, we have the same attacker JA4t and same infra being used for all three campaigns.
[image: heatmap]
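The pivot in the post above (same JA4T fingerprint and same hosting infrastructure across the Cisco ASA, Palo Alto and Fortinet campaigns) can be reproduced in a few lines once you have per-source SYN parameters and a hosting-org enrichment. The following is an added example, not code from the thread or from GreyNoise: the JA4T field layout (window size, option kinds in wire order, MSS, window scale) follows the published JA4+ specification, while the campaign names, hosting-org names and SYN records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class SynRecord:
    """One scanner SYN as a sensor would log it (constructed sample data)."""
    campaign: str            # tag the hit was observed under (hypothetical labels)
    src_ip: str
    org: str                 # hosting org behind the source subnet (hypothetical names)
    window: int              # TCP window size from the SYN
    options: Sequence[int]   # TCP option kinds, in the order they appear in the SYN
    mss: int                 # Maximum Segment Size option value
    wscale: int              # Window Scale option value


def ja4t(window: int, options: Sequence[int], mss: int, wscale: int) -> str:
    """JA4T client fingerprint: WindowSize_OptionKinds_MSS_WindowScale.
    Option kinds are joined with '-' in wire order, e.g. 65535_2-4-8-1-3_1460_6."""
    return f"{window}_{'-'.join(str(k) for k in options)}_{mss}_{wscale}"


def index_by_fingerprint(records: Iterable[SynRecord]) -> dict:
    """fingerprint -> campaign -> set of hosting orgs seen with that fingerprint."""
    idx: dict = defaultdict(lambda: defaultdict(set))
    for r in records:
        idx[ja4t(r.window, r.options, r.mss, r.wscale)][r.campaign].add(r.org)
    return idx


def shared_infra(records: Iterable[SynRecord], campaigns: set) -> dict:
    """Fingerprints seen in every campaign in `campaigns`, mapped to the orgs that
    appear under that fingerprint in all of them: the 'same JA4T, same infra' pivot."""
    out = {}
    for fp, per_campaign in index_by_fingerprint(records).items():
        if not campaigns <= set(per_campaign):
            continue  # fingerprint is missing from at least one campaign
        common = set.intersection(*(per_campaign[c] for c in campaigns))
        out[fp] = sorted(common)
    return out


# Constructed sample: one Linux-looking fingerprint reused across three campaigns
# and one hosting org present in all of them, plus unrelated noise.
SAMPLE = [
    SynRecord("palo-alto", "192.0.2.10", "HostCo A", 65535, (2, 4, 8, 1, 3), 1460, 6),
    SynRecord("palo-alto", "192.0.2.11", "HostCo A", 65535, (2, 4, 8, 1, 3), 1460, 6),
    SynRecord("fortinet", "198.51.100.5", "HostCo A", 65535, (2, 4, 8, 1, 3), 1460, 6),
    SynRecord("fortinet", "198.51.100.6", "HostCo B", 65535, (2, 4, 8, 1, 3), 1460, 6),
    SynRecord("cisco-asa", "203.0.113.7", "HostCo A", 65535, (2, 4, 8, 1, 3), 1460, 6),
    SynRecord("cisco-asa", "203.0.113.8", "HostCo C", 64240, (2, 1, 3, 1, 1, 4), 1460, 7),
    SynRecord("palo-alto", "192.0.2.99", "HostCo D", 8192, (2, 1, 3, 1, 1, 4), 1460, 8),
]

if __name__ == "__main__":
    for fp, orgs in shared_infra(SAMPLE, {"palo-alto", "fortinet", "cisco-asa"}).items():
        print(fp, "->", ", ".join(orgs))
```

A fingerprint that shows up in every campaign is only suggestive on its own, since common OS/kernel stacks produce common JA4T values; it is the intersection with hosting org (or subnet) that turns it into the attribution the thread is making, which is why the function requires both to line up.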
hrbrmstr.mastodon.social.ap.brid.gy
tzulo's blaming everything in their address space on a VPN provider that has procured infra and network from them.

i hate the internet. it was a bad idea.
hrbrmstr.mastodon.social.ap.brid.gy
Same temporal cred slinging pattern for Fortinet with some acceleration in the last 24 hours.
[image: line chart with near-linear progression]
hrbrmstr.mastodon.social.ap.brid.gy
Fired off an incident report to tzulo to see if they care about stopping this.

This sure is a GREAT time for CISA to be short-staffed.
hrbrmstr.mastodon.social.ap.brid.gy
These are (so far) the common subnet infrastructure providers for both the Fortinet and Palo activity.
[image: heatmap]
hrbrmstr.mastodon.social.ap.brid.gy
HEY WHAT DO YA KNOW?!

Fortinet SSL VPN Bruteforcer spike, now, with ~60K unique creds so far.

Shares _some_ common infra with the Palo Alto one (tzulo).

Will dig a bit and provide some more deets. Probably gonna blog this too.

https://viz.greynoise.io/tags/fortinet-ssl-vpn-bruteforcer?days=90
[image: time series showing recent spike]
hrbrmstr.mastodon.social.ap.brid.gy
@adulau 👋 (ref this thread and https://mastodon.social/@hrbrmstr/115337770142049854)

I know your team doesn't handle the region where AS200373 3xK Tech GmbH is but I was wondering if you might be able to let cert bund know that this egregiously malicious activity is ongoing and that provider […]
hrbrmstr.mastodon.social.ap.brid.gy
Went ahead and submitted an incident report with CERT-BUND. We'll see if that goes anywhere.
hrbrmstr.mastodon.social.ap.brid.gy
Longshot ask, but does anyone know anyone @ AS200373 3xK Tech GmbH · 3xktech.cloud? Cold inbound requests from us to providers generally do not work well, but since they are the major concentration for this campaign, I'd like to try to do something to get it to stop.
hrbrmstr.mastodon.social.ap.brid.gy
All this firepower, and it's taking this daft attacker forever to get through whatever credential list(s) they have.
[image: heatmap of top 50 subnet activity]
Reposted by hrbrmstr 🇺🇦 🇬🇱 🇨🇦 🏳️‍🌈
0xabad1dea.infosec.exchange.ap.brid.gy
jetbrains is far from the first company to make this particular pair of claims but it is simply, on the most fundamental level, impossible to mass-collect people’s terminal and editor contents and also not collect sensitive or personal data.

I realize they […]

[Original post on infosec.exchange]
screenshot: We’re now adding the option to allow the collection of detailed code‑related data pertaining to IDE activity, such as edit history, terminal usage, and your interactions with AI features. This may include code snippets, prompt text, and AI responses.

That sounds like a lot, and it is, but that’s where the real value for improvements comes from. If you allow us to collect this data, we will make sure that:
No sensitive or personal information is shared. 

(Snippets of the text have been highlighted: "edit history, terminal usage, code snippets, prompt text … no sensitive or personal information is shared.")
hrbrmstr.mastodon.social.ap.brid.gy
The day is young, so we'll see if the incompetent buffoon who's doing the Palo bruting gets to the same levels as yesterday.

Currently up to 1,342,177 unique creds tried as of this post.
[images: time series chart showing elevated brute-forcing since October 3rd; chart showing cumulative sum pace of attempts (fairly linear)]
hrbrmstr.mastodon.social.ap.brid.gy
Bari Weiss can and should (repeatedly) go REDACT herself.
Reposted by hrbrmstr 🇺🇦 🇬🇱 🇨🇦 🏳️‍🌈
greynoise.infosec.exchange.ap.brid.gy
Palo login attempts are escalating, potentially driven by iteration through a large credential dataset. GreyNoise is sharing observed usernames/passwords for defender review.

🔗 Latest: https://www.greynoise.io/blog/palo-alto-scanning-surges

#paloaltonetworks #threatintel
hrbrmstr.mastodon.social.ap.brid.gy
Oh, so I figured out why this has been a multi-day Palo Alto login event.

The dimwitted attacker with THOUSANDS of IP addresses is slowly iterating through a multi-million record credentials list across all Palos on the internet.

Literally the STUPIDEST […]

[Original post on mastodon.social]
[image: line chart showing slow pace of credential slinging]
hrbrmstr.mastodon.social.ap.brid.gy
Drop #714 (2025-10-07): Typography Tuesday

Today's Drop introduces Retrocide Mono, a unique monospaced font suitable for retro-futurist designs, devoid of descenders for a mechanical look. It highlights James Edmondson's OH no Type School as an interactive resource for learning glyph design […]
[Original post on mastodon.social]
Reposted by hrbrmstr 🇺🇦 🇬🇱 🇨🇦 🏳️‍🌈
hrbrmstr.mastodon.social.ap.brid.gy
The bonkers Palo activity continues today, unabated.

On the surface and at this point, this activity makes zero sense.

The uniform nature of the IP/physical org (via ONYPHE Geolocus) distribution for the past 3 days is also odd.
[images: top 10 physical orgs per day; subnet novelty per day; VPN usage per day; all source physical orgs per day]
Reposted by hrbrmstr 🇺🇦 🇬🇱 🇨🇦 🏳️‍🌈
mattblaze.federate.social.ap.brid.gy
Apparently there's a new wave of people joining mastodon, and with them a new wave of self-appointed cops "welcoming" them with long lists of mostly fictitious "rules" they need to follow.

This is a social media platform, with many different ways to use it. It's fine. Mostly, just try to be […]
[Original post on federate.social]