Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Joshua Penny Profile picture
Joshua Penny
@josh_penny
Senior Threat Intelligence Analyst @Bridewellsec
Nov 24, 2023 8 tweets 2 min read
🚨New Analysis🚨: #LockBit 3.0 Exploit CVE 2023–4966 #CitrixBleed

@MichalKoczwara and I deep dive into the recent #CISA LockBit advisory, looking at IOCs provided by @Boeing to uncover additional #infrastructure.

Hope you find it an interesting read!

Link & Findings👇

Image
Image medium.com/@joshuapenny88…
Oct 27, 2023 10 tweets 4 min read
🚨New #Infrastructure #Tracking & #Pivoting Thread:

➡️#Pikabot -> #Meterpreter
➡️#BlackBasta – new connections?
➡️New Meterpreter C2’s

@bridewellsec

Let's start with this @Zscaler post on Pikabot dropping Meterpreter:

:

and jump in: 👇👇👇
Image Virus Total shows lack of detections for Meterpreter indicating a possible unique fingerprint. Additionally, the most recent domain draws interest. The IP address is running a small number of services on ports: 22, 80 and 8080.
Image
Image
May 7, 2023 12 tweets 10 min read
1/ New #MuddyWater 🇮🇷Infra detected; moves to #Metasploit and #HPAnywhere/#Teradici tool added?

@GroupIB_TI released a great report detailing MuddyWater’s use of SimpleHelp Remote Support Software. They tracked the #APT's infrastructure using Etags.

Let's take a look! 🧐 👇👇 Image 2/ First Etag(153): 🔟results.

First IP of interest: 👉164.132.237[.]67

If we now pivot on the SSH hash, we match on another IP:

👉3.6.222[.]144.

Looking at this IP, the SSL certificate presented mentions O=Teradici Corporation... Image