MalwareHunterTeam
Official MHT Twitter account. Check out ID Ransomware (created by @demonslay335). More photos & gifs, less malware.
Feb 19 • 25 tweets • 15 min read
"We can confirm that Lockbit's services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation."
"Return here for more information at: 11:30 GMT on Tuesday 20th Feb."
"Operation Cronos"
🤔 So, the main leak site / blog of the LockBit ransomware gang is currently displaying this deface page. Same with all the mirrors of it.
Jan 3 • 13 tweets • 4 min read
Mandiant's account also got pwned? The fuck is going on here?
🤔
😂 And just now the @ of Mandiant's account got changed to "phantomsolw".
😂
Jul 8, 2023 • 9 tweets • 5 min read
The "routine" company started to use bots to pump their numbers?
Until May 23 noon, most of their tweets got literally 1-2 likes, sometimes even 0, sometimes a bit more. Since then, every single one of their tweets gets from 100s to 2-3k likes, while their RTs still get ~0.
🤔
😂
What do you think, @idclickthat @Iamdeadlyz @ULTRAFRAUD @JAMESWT_MHT (and everyone else I forgot that "likes" this company)?
Jul 1, 2023 • 9 tweets • 4 min read
The fuck are you doing, @elonmusk? Rate limiting a years-old 100k+ followers account when browsing like a fucking 🐌 is not the solution to stop trash companies' scraping...
🤦‍♂️ @elonmusk Can't even check if he tweeted anything about this shit, as I'm getting a "429 Too Many Requests" response with "{ code: 88, message: "Rate limit exceeded." }" as the response content.
Basically he is killing Twitter in the name of "stopping scraping", while it's full of bots he dgaf about.
πŸ€¦β€β™‚οΈ
Mar 29, 2023 β€’ 36 tweets β€’ 40 min read
3cx.com/community/thre…
Look at that staff response...
πŸ€·β€β™‚οΈ
cc @cyb3rops @cyb3rops Poor people/victims...
Anyway, you know, if you are excluding the perfect supply chain entry points to your system... then what is the point of using EDR solutions and other "fancy shits"?
Jan 7, 2023 • 6 tweets • 4 min read
Hey @Spotify, it's great to receive "Please update your Spotify password." to email addresses whose owners never registered a Spotify account. Maybe you first should confirm if the owner of an email address registered the account or not, and if not, treat the account as such.
😫 @Spotify Why is this not obvious for a company like @Spotify, @SpotifyCares? Or it is, but there is a bug or something that some people found?
🤔
Dec 5, 2022 • 40 tweets • 18 min read
😂
Hey @elonmusk, when do you want to get these porn bots solved?
@elonmusk Just got one more...
😂
Aug 19, 2022 • 4 tweets • 4 min read
So, KyivPost editors etc. just made a "small" mistake here to allow Irina to publish articles on their site even after she got banned from Twitter (for you know...), or is KyivPost like "anyone saying anything bad about Russia is welcomed here"?
🤔 In case anyone doesn't know her: she is doing lots of mis/disinformation, spreading lies, etc.
My little thread about her (in relation to JD1/infosec only):
If anyone wants to know more about her, JD0, @Yetkinmiller, @1njection, etc probably can tell lots more.
Aug 15, 2022 • 10 tweets • 5 min read
Among the usual stuff like passport photos etc., Clop ransomware gang published these screenshots in the leak page for Thames Water...
👀
🤔 Hard words. It sure will be interesting to see how this situation develops in the next days...
Aug 6, 2022 • 4 tweets • 1 min read
"The oldest international [Ransomware] LockBit affiliate program welcomes you."
"We are located in the Netherlands"
😂 "This is due to the fact that most of our developers and partners were born and grew up in the Soviet Union, the former largest country in the world, but now we are located in the Netherlands."
😂
Aug 6, 2022 • 4 tweets • 2 min read
So, currently both the payment/chat site domains and the leak site domains of the LockBit ransomware gang are dead. Most of them give the "Onionsite Not Found" error, while a few others simply can't connect...
👀
🤔 The data storage site for old data (and the mirrors for that) are still working - but even the links in the header and footer (except the Twitter one, obviously) are all dead too...
🤔
May 23, 2022 • 4 tweets • 1 min read
"Iran_Newspaperscom.njsapp.alliraninnewspapersv1.1.apk": 1344517f7e19f42896ab5348a00e733d0df1150be41730870d2c4223bb6ed3ac
Looks like some older APT sample... Also "Design_Wood_Furniturecom.DesignWoodFurniture.sitd212v1.2.apk":
5df56450f61f44938a0223ca0f8891042847f97b18c2e8a9bf0401e2dd9d6416
Mar 19, 2022 • 4 tweets • 3 min read
"GoodWill Ransomware!" is a totally unusual ransomware...
Added the note's 8 parts in the thread to make it easily readable.
Extension: ".gdwill"
Note: "unlock your files.lnk" -> "launch.bat" -> "index.html" opened in fullscreen Chrome.
(1/3) "Team GoodWill is not hungry of Money and Wealth but kindness. We want to make every person on the planet to be kind and wants to give them a hard lesson to always help poor and needy people.
So, all our victims need to be gentle and kind to get their files back."
(2/3)
Feb 12, 2022 • 9 tweets • 3 min read
It's fucking 2022 man...
πŸ€¦β€β™‚οΈ
😫 ImageImageImageImage Image
Feb 2, 2022 β€’ 4 tweets β€’ 1 min read
Looks like BBC also likes to spread fakenews.
Fucking joke... Ahh...
😂
Jan 22, 2022 • 12 tweets • 18 min read
What a fucking crazy thread.
Probably this ratio needs to be changed... Other than the info it requires the user to enter, it collects so much info from the device... Crazy.
Something the experts @bl4ckh0l3z @LukasStefanko maybe want to look into too.
cc @1ZRR4H @cibercrimen @NickKalderon
Jan 22, 2022 • 6 tweets • 5 min read
Very interesting & not much detected sample, "armaan.apk" seen from India: 80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0
From a quick look, it is some app that should be developed by India's gov, related to their army.
Has a malware with lots of features. Leaving the analysis for the experts (obviously b/c they are the experts & because I'm very busy), but let me quickly highlight something: the C2's IP is grabbed from https://pastebin[.]com/VfRCefzG - it was already accessed more than 13 million times!
@bl4ckh0l3z @LukasStefanko
Jan 12, 2022 • 4 tweets • 2 min read
Interesting, very low detected "crazy.apk": 5efd92887bb72f3d2186a2c0bcaf7b14b43d3e41722cb70acf0c59dfd4cfd7ba
🤔
Again a case when @ESET detected alone...
👍
cc @LukasStefanko
@ESET @LukasStefanko Slowly other vendors start to care too...
😂
Jan 8, 2022 • 22 tweets • 28 min read
Someone made a dnSpy version that has a "gift": https://github[.]com/isharpdev/dnspy
Until about an hour ago it was available here, then got renamed (probably to look more legit) to the above: https://github[.]com/carbonblackz/dnspy/
@GitHubSecurity @GitHubSecurity Meanwhile I was looking at the samples @0x7fff9 just RT this: - so whoever is behind this also created what looks like a website too, not only the GitHub repo...
Jun 4, 2020 • 7 tweets • 3 min read
Some MS phishing file: https://airforcehq-my.sharepoint[.]com/:u:/g/personal/ddeptula_afa_org/ETEWZXyYRR9ChqCnciZZDPgBpMSc-qMW9ES1y7o985imPQ?e=JK363s
There from May 1...
Is this "airforcehq" the U.S. Air Force's SharePoint & David Deptula's acc got pwned, or actor(s) faked much?
🤔 This "something-my" is how companies/orgs/etc. usually get their SharePoint account.
Then the first result for this man's name is...
cc @DanielGallagher
Mar 13, 2020 • 4 tweets • 3 min read
"Important - COVID-19.rar" -> "Important - COVID-19.docx.exe" (bbc75560752ea882e6eff152427cb00cc1b2daa50351cfef7b10c6dfeea75e34)
Interesting sample...
🧐
@VK_Intel @JAMESWT_MHT @James_inthe_box Drops this "Wessex Learning Trust" document as decoy...
AnyRun here (thanks to @JAMESWT_MHT): app.any.run/tasks/0d8766c7…