Joshua Penny
Senior Threat Intelligence Analyst @Bridewellsec
Nov 24, 2023 8 tweets 2 min read
🚨New Analysis🚨: #LockBit 3.0 Exploit CVE 2023–4966 #CitrixBleed

@MichalKoczwara and I deep dive into the recent #CISA LockBit advisory, looking at IOCs provided by @Boeing to uncover additional #infrastructure.

Hope you find it an interesting read!

Link & Findings👇

medium.com/@joshuapenny88…
Oct 27, 2023 10 tweets 4 min read
🚨New #Infrastructure #Tracking & #Pivoting Thread:

➡️#Pikabot -> #Meterpreter
➡️#BlackBasta – new connections?
➡️New Meterpreter C2s

@bridewellsec

Let's start with this @Zscaler post on Pikabot dropping Meterpreter:

and jump in: 👇👇👇
VirusTotal shows a lack of detections for Meterpreter, indicating a possible unique fingerprint. Additionally, the most recent domain draws interest. The IP address is running a small number of services on ports: 22, 80 and 8080.
May 7, 2023 12 tweets 10 min read
1/ New #MuddyWater 🇮🇷 Infra detected; moves to #Metasploit and #HPAnywhere/#Teradici tool added?

@GroupIB_TI released a great report detailing MuddyWater’s use of SimpleHelp Remote Support Software. They tracked the #APT's infrastructure using Etags.

Let's take a look! 🧐 👇👇

2/ First Etag (153): 🔟 results.

First IP of interest: 👉164.132.237[.]67

If we now pivot on the SSH hash, we match on another IP:

👉3.6.222[.]144.

Looking at this IP, the SSL certificate presented mentions O=Teradici Corporation...