Bart
@bartblaze
Threat Intel and more. Opinions are my own, unless retweeted. Open DMs.
100 Days of YARA, YARA Rule Tips and The Current State of Email borne Threats with Greg Lesnewich x.com/i/broadcasts/1…
Wrote Yara rules to cover some of the toolset used by Storm-2603 as discussed in Microsoft's latest blog post: microsoft.com/en-us/security… Covers an IIS backdoor, Warlock ransomware and SharpHostInfo: github.com/bartblaze/Yara… #Yara #CVE202553770 #ToolShell
We updated our blog with expanded analysis and threat intelligence from newly observed activity by Storm-2603 leading to the deployment of Warlock ransomware. msft.it/6011s132J
🚨XSSis Admin arrested by French authorities. The arrest took place in Kyiv, Ukraine, on July 22. He is also believed to have run thesecure[.]biz, a private messaging service. Through these services, the suspect is thought to have made over EUR 7 million in advertising and…
Using the UnpacMe byte-search IDA plugin we found some Scavenger related malware dating back to October 2024. At the time the malware was dubbed ExoTickler. Analysis follows...
A few weeks ago, I was responding to a cybersecurity incident - $500,000 have been stolen from a #blockchain developer. The infected operating system was freshly installed, and the victim was vigilant about cybersecurity. How could this happen? New supply chain attack? [1/6]
Microsoft is sharing details from ongoing investigations of threat actors exploiting vulnerabilities targeting on-premises SharePoint servers. Linen Typhoon, Violet Typhoon, and Storm-2603 have been observed exploiting the vulnerabilities: msft.it/6015sE1p5
FARA, or Faux YARA, is a simple repository that contains a set of purposefully erroneous #Yara rules. It is meant as a training vehicle for anyone that wants to write Yara rules: github.com/bartblaze/FARA

🚨A new powerful decryption tool has been developed against Phobos/8Base ransomware, and is now available on the No More Ransom website. 💡NMR is a global initiative for #ransomware victims to recover their data without paying criminals. Learn more on nomoreransom.org
👮The Japanese Police Developed a Decryption Tool for ransomware💻 The Japanese Police has developed the tool to decrypt data encrypted by the Phobos/8Base #ransomware. The tool can be downloaded from the NPA's website and is free to use for everyone. ▶npa.go.jp/english/bureau…
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770. We have outlined mitigations and detections in our blog. Our team is working urgently to release…
Sorry to disturb your weekend. There is a SharePoint 0day actively abused. Do not only focus on the rule of MSRC for hunting, other blogs also share different files and folders in use! Additional info: MSRC: msrc.microsoft.com/blog/2025/07/c… Blog by @eyesecurity_: research.eye.security/sharepoint-und…
This is big. In #XDR there is now a new table in preview: GraphApiAuditEvents It's the "free" version of the MicrosoftGraphActivityLogs and will enable more companies to detect threats without having to pay a lot of money. learn.microsoft.com/en-us/defender…
We've released Procmon for Linux, Sysmon for Linux, and SysinternalsEBPF with Azure Linux 3.0 support! Get the tools at sysinternals.com. See what's new on the Sysinternals Blog: techcommunity.microsoft.com/blog/Sysintern…
An interesting case of a recent phishing campaign targeting users of the X platform. #ESETResearch analyzed the campaign and found that, in addition to the expected focus on individuals involved in crypto and digital assets, the attackers also targeted prominent journalists, a…
Last night my Twitter account was hijacked. I’ve now regained access and can tell the full story — it was a sophisticated phishing attack. Essentially, I handed over all my passwords and 2FA myself, so it’s entirely my fault. 1. I received an email (screenshot) claiming there…
Creating on-the-fly graphs with #Kusto is nice via make-graph, but what if Kusto could natively handle graphs as a data source just like it does with tables? Meet Persistent Graphs, now in preview: 📎learn.microsoft.com/en-us/kusto/ma… ➡️ azure.microsoft.com/en-us/updates/…
This tweet thread discusses how to use #Kusto explorer to graph data on the fly. ➡️ Get kusto explorer: aka.ms/ke ⬇️ Read on!
Open source being more secure has always been a myth. Very few devs want to spend time auditing code. If the original author didn't find the bug at time of writing it, it almost never gets seen because nobody is taking the time to go back and look (except red team).
So apparently the --host option in sudo has been broken since 2013. You could just trick it into accepting remote rules on the local system and get root. No exploit needed. And nobody noticed. For 12 years. Open source security at its finest: “If enough people look at the code,…
New writeup: Early last month, @samwcyo, @sshell_, and I found a Django ORM injection in an online shooter game that let us steal cryptocurrency from the game's wallet. Read the blog post here: blog.p1.gs/writeup/2025/0…
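The post above only links the writeup, so the following is an added illustration of the general Django ORM injection pattern, not the game's code or the exploit from the blog post. It assumes the classic shape of the bug: a view that passes user-supplied query parameters straight into `QuerySet.filter(**params)`, which lets the attacker choose the filter key names (and therefore relation traversal and lookup, e.g. `owner__password_hash__startswith`). Django itself is not imported; a tiny stand-in for `filter()` reproduces just enough of the `field__relation__lookup` parsing to show the oracle, beside the allow-list fix. All model data is constructed.

```python
"""Django-style ORM injection via attacker-controlled filter() *key names*.

Added example (not from the linked writeup). The stand-in `orm_filter`
mimics Django's `QuerySet.filter(**kwargs)` key parsing: 'a__b__lookup'
walks relations a -> b and then applies the lookup. Everything below is
constructed sample data, not the game's real models.
"""
import string
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str
    password_hash: str  # secret the attacker must never be able to probe


@dataclass
class Wallet:
    id: int
    owner: User
    balance: int


# Constructed rows standing in for database tables.
WALLETS = [
    Wallet(1, User(1, "alice", "pbkdf2$abc..."), 500_000),
    Wallet(2, User(2, "bob", "pbkdf2$xyz..."), 10),
]

# Subset of Django lookups, enough to demonstrate the oracle.
LOOKUPS = {
    "exact": lambda value, arg: value == arg,
    "startswith": lambda value, arg: str(value).startswith(arg),
}


def _resolve(obj, path):
    """Follow a relation path such as ['owner', 'password_hash']."""
    for part in path:
        obj = getattr(obj, part)
    return obj


def orm_filter(rows, **kwargs):
    """Minimal stand-in for QuerySet.filter(): every kwarg must match."""
    out = []
    for row in rows:
        for key, arg in kwargs.items():
            parts = key.split("__")
            if parts[-1] in LOOKUPS:
                lookup, path = parts[-1], parts[:-1]
            else:
                lookup, path = "exact", parts
            if not LOOKUPS[lookup](_resolve(row, path), arg):
                break
        else:
            out.append(row)
    return out


def vulnerable_wallet_search(params):
    """Vulnerable: request parameters become filter() keys verbatim, so the
    caller can traverse to owner.password_hash and use a prefix lookup."""
    return [w.id for w in orm_filter(WALLETS, **params)]


# Hardened variant: only these exact keys may reach filter().
ALLOWED_FILTERS = {"id", "owner__username"}


def hardened_wallet_search(params):
    """Fixed: reject any key that is not on the allow-list before filtering."""
    unexpected = set(params) - ALLOWED_FILTERS
    if unexpected:
        raise ValueError(f"unsupported filter(s): {sorted(unexpected)}")
    return [w.id for w in orm_filter(WALLETS, **params)]


ALPHABET = string.ascii_lowercase + string.digits + "$."


def oracle_extract(search, victim_wallet_id, length):
    """Attacker loop: recover `length` characters of the victim's password
    hash one character at a time, using presence in the results as the oracle."""
    known = ""
    for _ in range(length):
        for ch in ALPHABET:
            if victim_wallet_id in search({"owner__password_hash__startswith": known + ch}):
                known += ch
                break
        else:
            break  # no character matched; stop early
    return known


if __name__ == "__main__":
    print("leaked via vulnerable view:", oracle_extract(vulnerable_wallet_search, 1, 9))
    try:
        oracle_extract(hardened_wallet_search, 1, 9)
    except ValueError as exc:
        print("hardened view rejected the probe:", exc)
```

The fix is an allow-list of complete keys rather than a deny-list of field names: Django lookups can be chained through any relation reachable from the model, so blocking `password_hash` alone does not stop `owner__password_hash__startswith` or other paths to sensitive columns.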