Woah. Trenchant, who develops zero-days and surveillance tools for Five Eyes intelligence agencies (US, UK, Canada, Australia, and New Zealand). Has had an insider accused of selling secrets to Russia.
Former L3Harris/Trenchant GM Peter Williams charged with stealing trade secrets. DOJ claims he made $1.3M from the sale.

This BBC reporter was offered 25% of a ransom payout if he gave hackers access to the corporate network.

He played along, so we got a look inside their tactics here: Initial contact came to @JoeTidy via Signal from "Syndicate" offering 15% of potential ransom payment for access to BBC systems.

Offer later increased to 25% of what they claimed would be "1% of BBC's total revenue."

Breaking: House Oversight's top Dem Rep. Lynch requests Microsoft provide info on DOGE staffer's GitHub repo.

It allegedly contains code to extract data from the NLRB's case management system. Key context: This follows whistleblower Daniel Berulis's disclosure about ~10GB of data exfiltrated from NLRB's NxGen system.

DOGE engineer Jordan Wick's repo "NxGenBdoorExtract" was made private before investigation.

U.S. labs keep finding *undocumented* cellular radios hidden inside some Chinese-made solar inverters & battery packs

Those radios give the gear a second, undocumented path to the internet. Global governments are reacting already: 🧵 Inverters already need remote access for firmware updates, so utilities put them behind firewalls.

A covert LTE module can hop right over that barrier, reach a cloud service in China, and issue commands the operator never sees.

TeleMessage, the company behind the modified Signal client used by Trump admin officials, has been breached.

Attacker claims the hack took "15-20 minutes" with minimal effort. TeleMessage creates modified versions of Signal/WhatsApp/Telegram that archive messages for gov agencies.

Recently made headlines when National Security Advisor Waltz was photographed using it.

🧵 THREAD: A federal whistleblower just dropped one of the most disturbing cybersecurity disclosures I’ve ever read.

He's saying DOGE came in, data went out, and Russians started attempting logins with new valid DOGE passwords

Media's coverage wasn't detailed enough so I dug into his testimony: Who’s the whistleblower?

Daniel Berulis — a senior DevSecOps architect at the National Labor Relations Board (NLRB), formerly with TS/SCI clearance.

He just told Congress the Department of Government Efficiency (DOGE) pulled off a covert cyber op inside a federal agency.

MSFT released new research on Silk Typhoon's supply chain attacks.

Key shift: Group now heavily leveraging stolen API keys and PAM credentials to hit downstream customers, particularly state/local gov and IT sector targets.

Here's what we know 🧵 Initial access vectors include 0days, compromised third-party services, and password spraying.

Notable: Found several instances of corporate creds exposed via public GitHub repos being used in attacks. (They should be following @InsecureNature)

Hackers are using Google Tag Manager (GTM) to inject credit card skimmers into E-commerce sites.

At least 6 compromised sites identified so far. Here's what we're seeing. 👇 Malicious GTM script reference (GTM-MLHK2N68) stored in Magento's cms_block.content table.

Attackers using GTM as delivery mechanism to bypass security controls.

🚨 New DPRK malware "FlexibleFerret" targeting MacOS discovered.

It's part of broader campaign that's been active since Nov 2023. Currently evading Apple's XProtect detection.

Here's what we know 👇 Campaign context: Threat actors posing as employers, targeting software devs through fake job interviews.

Previously identified by Unit 42 targeting Windows/Linux/MacOS platforms.

Hackers claim to have compromised Gravy Analytics, exposing millions of smartphone location records—including data sold to U.S. government agencies.

This could be the first major breach of a location data broker. Here’s what you need to know 👇 Potential impact:
- Precise GPS coordinates + timestamps on millions of people
- User movement classifications ("LIKELY_DRIVING")
- Customer lists (Apple, Uber, Equifax & more)
- Root access to Gravy's servers, control of domains, and Amazon S3 buckets

This is nuts.

Major investigation reveals ExxonMobil allegedly orchestrated hack-for-hire campaign targeting 500+ climate activists and journalists. The campaign deployed 28K+ malicious URLs and 100+ targeted phishing attempts.

It's annual budget is estimated at $10M+ through DCI Group (PR firm).

New series of Palo Alto Networks vulnerabilities, chained together for a bad time.

“We find that a simple request to that exact endpoint over the web service resets the admin password.”

Well, I don’t like the sound of that… 🧵 First up -

CVE-2024-9464 is an OS command injection vulnerability in Palo Alto Networks Expedition

This allows an authenticated attacker to run arbitrary OS commands as root

So U.S. uses backdoors in it's own Internet providers to spy on it's citizens.

China says "don't mind if we do" and backdoors the backdoors.

They sat for months undetected on the U.S. wiretap system for Verizon, AT&T, and more... Who watchers the watchers? Turns out China does.

My summary:

vulnu.com/p/government-w…

Woah. Millions of cars can be hacked just by knowing the license plate number.

This is done through a simple web app bug too, no complicated car hacking involved.

I also don't think it's fixed yet... 🧵 The bug seems to impact all Kias right now and the researchers didn't disclose a PoC since it isn't fixed but it's been 90 days since disclosure so they're talking about it.

This is an absolutely wild one by @iangcarroll and @samwcyo

The most basic SQL injection ever in the Known Crewmember (KCM) and Cockpit Access Security System (CASS) used by airlines and TSA.

Literally ' OR 1=1 got them admin access. Here's what we know: @iangcarroll @samwcyo The vulnerability was found in FlyCASS, a web-based interface used by smaller airlines to manage KCM and CASS.

A simple SQL injection in the login page allowed unauthorized access to the admin panel for Air Transport International.

⚠️ Breaking: North Korea just burned an 0-Day in Chromium.

They used it to install a Windows rootkit and the campaign targeted cryptocurrency platforms and users.

Here's what we know: Microsoft reports that a North Korean hacking group, Citrine Sleet, exploited a previously unknown Chromium bug to target crypto organizations just a few days ago.

Google uncovered evidence that Russian government hackers (APT29) are using exploits "identical or strikingly similar" to those developed by spyware companies Intellexa and NSO Group.

And we don't know how they got their hands on it...

Here's what we know: 🧵 APT29 should sound familiar. Re: Microsoft and Solarwinds hacks.

They're patient and persistent. Pair that with incredibly skilled and well funded and this is a deadly combo.

Whelp. Another North Korean laptop farm just got taken down in the US.

This time at a guy's house in Nashville. The NK team made over $250k for their remote work between 2022 and 2023.

Hey if someone shows up and asks you to host a pile of laptops at your house, just say no? 38 year old Matthew Isaac Knoot offered his address up to the NK teams.

He'd get laptops to his HOME for an employee named "Andrew M." who got remotely hired for a number of US jobs.

His house would act as the local IP and addy for these overseas spies to tunnel through.

The DoJ just busted a massive scam involving North Korean IT workers infiltrating major US companies.

They had some help in the US and were posing as remote freelancers to siphon off money and sensitive info.

Holy crap, here's what we know: How they operated:

North Korean operatives are stationed in countries like China, Russia, and parts of Eastern Europe and Southeast Asia.

They then use fake documents and buy accounts to get remote jobs in the States.

Kevin Briggs, a senior advisor at CISA, has publicly revealed ongoing vulnerabilities in U.S. telecom networks.

TL;DR - He has evidence vulns in teleco's are being used to track and spy on U.S. citizens.

Buckle up, here's what we know: Oversimplified: The attacks involve 2 teleco techs

SS7 - crucial for routing messages when roaming
Diameter - SS7's more efficient successor

They are both being exploited to track phones, intercept calls, and access texts.

🚨 GitHub and GitLab comments are being abused to push malware via Microsoft repo URLs.

Let's dive in: GitHub comments can host files uploaded during issue discussions or commit annotations.

Once uploaded, these files are accessible via GitHub's CDN, regardless of the comment's visibility or existence.