cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
The Record: Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet https://therecord.media/feds-charge-botnet-admin @therecord_media
KrebsonSecurity: Oregon Man Charged in ‘Rapper Bot’ DDoS Service https://krebsonsecurity.com/2025/08/oregon-man-charged-in-rapper-bot-ddos-service/ @briankrebs
DoJ, from yesterday: http://justice.gov/usao-ak/pr/oregon-man-charged-administering-rapper-bot-ddos-hire-botnet #cybersecurity #infosec
This dumb password rule is from AOK (German Health Insurance).
This is the online customer portal of the German health insurance company AOK. They have an extensive set of rules for both passwords and usernames.
The password rules are:
- Length between 8 and 14 characters
- At least one letter, one number and one special character
- Special characters are: !...
https://dumbpasswordrules.com/sites/aok-german-health-insurance/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
TrendMicro has published an analysis of Warlock, the ransomware group that most likely was behind the attack on Colt.
https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html
@GossiTheDog @campuscodi
#ThreatIntel #Cybersecurity #Infosec
This research by Marek Tóth presented at #DEFCON is good. The vulnerability he discusses is real.
However, exploiting it requires the attacker to compromise a website and add phantom workflows to it that the victim doesn't notice as suspicious. Not impossible, but also IMO not likely unless you visit shady websites frequently.
Personally, I do not think the likelihood is high enough to disrupt my existing workflows to protect against the attack.
#clickjacking #infosec
https://marektoth.com/blog/dom-based-extension-clickjacking/
This dumb password rule is from NordVPN.
- Password cannot be longer than 48 characters.
https://dumbpasswordrules.com/sites/nordvpn/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
🚨 Hacked India's biggest dating app Flutrr (backed by The Times of India). Critical security flaws expose millions of users.
Technical details:
Reported November 2024, they responded in March 2025 with a $100 gift card offer. Still unfixed.
Every single endpoint trusts client-provided user IDs without verification. This is as bad as it gets for a dating app handling sensitive personal data.
Full Technical Writeup: https://bobdahacker.com/blog/indias-biggest-dating-app-hacked
#infosec #security #vulnerability #india #datingapp #responsibledisclosure #apisecurity #bugbounty #cybersecurity
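The flaw the post describes, a server that picks the object from a client-supplied user ID instead of from the verified session, is broken object-level authorization (IDOR). The following Go example is added here to show the vulnerable pattern beside a hardened one; it is not code from the Flutrr writeup or from the app. The profile records, the bearer tokens and the /v1 and /v2 paths are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// Profile is a constructed record for a hypothetical dating-app backend (not Flutrr's schema).
type Profile struct {
	ID    string `json:"id"`
	Name  string `json:"name"`
	Phone string `json:"phone"` // sensitive: only the owner should ever see it
}

// Constructed sample data.
var profiles = map[string]Profile{
	"1001": {ID: "1001", Name: "Alice", Phone: "+1-555-0100"},
	"1002": {ID: "1002", Name: "Bob", Phone: "+1-555-0101"},
}

// sessions maps a bearer token to the user it was issued to (constructed).
var sessions = map[string]string{
	"tok-alice": "1001",
	"tok-bob":   "1002",
}

// VulnerableProfileHandler selects the object purely from a client-controlled parameter.
// Whoever holds any token (or none) can enumerate every profile by changing user_id.
func VulnerableProfileHandler(w http.ResponseWriter, r *http.Request) {
	p, ok := profiles[r.URL.Query().Get("user_id")]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(p)
}

// callerID derives the subject from the verified session, never from the query or body.
func callerID(r *http.Request) (string, bool) {
	auth := r.Header.Get("Authorization")
	tok := strings.TrimPrefix(auth, "Bearer ")
	if tok == "" || tok == auth { // missing header or missing "Bearer " prefix
		return "", false
	}
	uid, ok := sessions[tok]
	return uid, ok
}

// HardenedProfileHandler serves only the caller's own profile. A client-supplied user_id is
// tolerated only when it equals the session's subject; a mismatch is refused (and is worth
// logging, because that is exactly what an IDOR probe looks like).
func HardenedProfileHandler(w http.ResponseWriter, r *http.Request) {
	uid, ok := callerID(r)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if want := r.URL.Query().Get("user_id"); want != "" && want != uid {
		log.Printf("object-level auth mismatch: session=%s requested=%s", uid, want)
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(profiles[uid])
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/profile", VulnerableProfileHandler) // the flawed pattern
	mux.HandleFunc("/v2/profile", HardenedProfileHandler)   // the fix
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", mux))
}
```

The hardened handler refuses a mismatched user_id rather than silently substituting the session's own ID; silently substituting hides the probe from your logs and can mask client bugs.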
🤖 Most people still treat AI chatbots like a private confessional, but they aren’t. 😳 Every question is logged, stored, and potentially discoverable, sometimes even after you’ve deleted it. OpenAI, Google, and Anthropic all retain user prompts by default, often under the guise of “memory” or “service improvement.”
And here’s the kicker: a federal court order now forces OpenAI to preserve all ChatGPT conversations, including “Temporary” ones users assumed were erased. So the notion of ephemeral chats is gone. That should change how people think about what they type into these systems.
The bigger issue is that the line between “helpful personalization” and “permanent surveillance record” is blurring fast. What looks convenient today could look like an exposure tomorrow.
TL;DR
⚠️ AI queries are logged
🔐 Deleted chats still saved
🧠 “Memory” is default setting
📂 Court orders enforce retention
https://www.theregister.com/2025/08/18/opinion_column_ai_surveillance/
#AI #Privacy #DataSecurity #Surveillance #FRCP #EDRM #security #privacy #cloud #infosec #cybersecurity #LegalHold
@GrapheneOS Yet another contributor attacked & banned by Daniel Micay 🤦
🔗 https://tech.michaelaltfield.net/2025/08/19/grapheneos-daniel-micay-banned/
I'm sad (and confused) that #DanielMicay 🚫 banned me from #GrapheneOS, and I wanted to document this experience for the historical record
This dumb password rule is from Trade Me.
Won't allow spaces or single quotes. Maybe other characters as well - they do not say up front - but the password they accepted contained lots of other special characters.
https://dumbpasswordrules.com/sites/trade-me/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
i really really wish #infosec companies would stop sending boxes full of packing materials and a card with a promise of a gift in return for a call - I’ve yet to find anyone in the industry who likes this approach.
A) it’s a massive waste of material/resources - a giant box and packing to deliver a bit of card.
B) it’s like they looked at the method used by kidnappers where they slowly drip stuff through the mail and were like, “hey we should apply that model to our direct marketing!”
Customer wants TLS on an endpoint they send webhooks to. Easy.
Except they don't want a publicly trusted cert. Just...one their root CA has issued.
...cause adding CAs to the application JKS is hard...
Their infosec division agrees this is dumb...in writing...but won't do anything about it...
Make it make sense
Microsoft openly admitting they have not(!) had MFA, network segmentation, least privilege, software lifecycle, jump-servers, asset- and software-inventory etc for Azure PROD for years and they are not there yet.
This whole report is just so scary. At the same time, good that they are finally working on it and making it transparent.
This dumb password rule is from CWT Business Travel Management Company.
Password:
- 8 to 32 characters long
- Must contain a combination of letters, numbers and symbols
- Must be different from your username
- Must be different from 5 previous passwords
https://dumbpasswordrules.com/sites/cwt-business-travel-management-company/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
One of the most effective security controls you can ever invest in, is a decent work computer for your employees.
Yep, it’s a bit more cash up front to get a bit more RAM or a bit more CPU poke, but your job in IT/Security is to get people the gear they need to do their jobs without thinking ‘this would be quicker if I used….’
Because we all know what happens when your VP of Finance decides to prep the W2's on their kid's Alienware gaming desktop full of Minecraft plugins downloaded from every corner of the internet.
This dumb password rule is from Targobank.
Your password must:
- must not be your username
- must be at least eight characters
- must contain at least one number character
- must contain at least one uppercase character and 1 lowercase character
- must not contain spaces
- must not contain three identical characters in a row
- must not conta...
https://dumbpasswordrules.com/sites/targobank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
How hacker gangs abuse Microsoft Teams for social engineering attacks to target companies
Ransomware gangs are exploiting Microsoft Teams' default permissive external access settings to conduct sophisticated social engineering attacks. They flood victims with spam emails, then impersonate IT support via fake Microsoft tenants to trick users into executing malicious PowerShell commands that steal data and compromise systems.
**Share this technique with your employees. The targeted people will not be IT. Consider blocking external Teams access in your admin settings to avoid fake "help desk" accounts. Advise that teams should check back with their IT via a well known channel and never run commands or programs sent via Teams messages from an unknown person, even if they claim to be from IT support.**
#cybersecurity #infosec #scam #phishing #activephishing
https://beyondmachines.net/event_details/how-hacker-gangs-abuse-microsoft-teams-for-social-engineering-attacks-to-target-companies-0-2-h-k-4/gD2P6Ple2L
🍔 Found huge security flaws in McDonald's - crew members could access sites reserved for corporate employees with internal functions, API keys exposed, and more. Had to call their HQ and pretend to know people just to report it 🤦
Technical details:
They fixed it but fired my friend who helped find the OAuth vulnerabilities.
Full Technical Writeup: https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities
#infosec #bugbounty #responsibledisclosure #security #cybersecurity #hacking #vulnerability
🎢 Hacked South Park's Casa Bonita. Could access their entire POS system and see all customer payments/tips and more 😬
Technical details:
No security.txt anywhere. Had to email parkcounty.com addresses then get help from my friend whose company partners with South Park.
Fixed fast but never thanked me. Got a Founders Club card 6 months later though, because the system automatically sends them 😂
Full Technical Writeup: https://bobdahacker.com/blog/i-hacked-southpark
#infosec #bugbounty #responsibleDisclosure #security #vulnerability #hacking #cybersecurity #southpark #CasaBonita
Seriously, the issue in this thread is why I think #passkeys are a ticking time bomb. Most people don't understand how they work, or that they're linked to a single device, or that they need to maintain a backup login method. Websites that support passkeys don't do enough to communicate and enforce good habits. If we continue down the passkey path, people losing access is going to be a much bigger problem in the future, and we're not ready for it. #infosec
Mini Pen Test Diaries story, happened in the last couple of years. The debrief meeting went like this:
“In your report you said you were able to crack the domain admin account instantly because the password was stored using the LM hash?”
“That’s right, yes.”
“But we’ve had LM hashing disabled for like 15 years, that can’t be possible?!”
“When was the last time that password was changed?”
“Well it’s been the same since I got here, 20 years ago.”
“And what hashing mechanism do you think was used back then?”
“Oh no."
For more, less mini stories like this, check out https://infosecdiaries.com.
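Why the crack in that story was instant: the LM hash uppercases the password, pads it to 14 bytes and DES-encrypts a fixed constant under each 7-byte half separately. An attacker therefore searches two small keyspaces independently, and the second half alone reveals whether the password is seven characters or shorter. The following is an added example in Go using the standard library's crypto/des, not code from the Infosec Diaries story; the candidate lists passed to CrackHalf are constructed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext LM encrypts under each password half as the DES key.
var lmMagic = []byte("KGS!@#$%")

// EmptyHalf is the DES output for an all-zero half, i.e. "this half of the password is blank".
const EmptyHalf = "AAD3B435B51404EE"

// desKeyFrom7 spreads 56 key bits over 8 bytes; the low bit of each byte is the parity
// position, which DES discards.
func desKeyFrom7(k [7]byte) []byte {
	out := []byte{
		k[0] >> 1,
		(k[0]&0x01)<<6 | k[1]>>2,
		(k[1]&0x03)<<5 | k[2]>>3,
		(k[2]&0x07)<<4 | k[3]>>4,
		(k[3]&0x0F)<<3 | k[4]>>5,
		(k[4]&0x1F)<<2 | k[5]>>6,
		(k[5]&0x3F)<<1 | k[6]>>7,
		k[6] & 0x7F,
	}
	for i := range out {
		out[i] <<= 1
	}
	return out
}

// lmHalf DES-encrypts the magic constant under one 7-byte half of the password.
func lmHalf(half [7]byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // the key is always exactly 8 bytes here
	}
	out := make([]byte, 8)
	c.Encrypt(out, lmMagic)
	return out
}

// LMHash computes the LAN Manager hash: uppercase, cut or zero-pad to 14 bytes, hash each
// 7-byte half independently, concatenate. Case is lost before hashing, so "Password" and
// "PASSWORD" collide.
func LMHash(password string) string {
	var buf [14]byte
	copy(buf[:], strings.ToUpper(password)) // copy stops at 14 bytes
	var h1, h2 [7]byte
	copy(h1[:], buf[:7])
	copy(h2[:], buf[7:])
	return strings.ToUpper(hex.EncodeToString(append(lmHalf(h1), lmHalf(h2)...)))
}

// CrackHalf recovers one 7-byte half by trying candidates against that half alone; the other
// half never enters the computation, which is what makes the two searches independent.
func CrackHalf(targetHex string, candidates []string) (string, bool) {
	want, err := hex.DecodeString(targetHex)
	if err != nil || len(want) != 8 {
		return "", false
	}
	for _, c := range candidates {
		var h [7]byte
		copy(h[:], strings.ToUpper(c))
		if bytes.Equal(lmHalf(h), want) {
			return strings.ToUpper(c), true
		}
	}
	return "", false
}

func main() {
	h := LMHash("password")
	fmt.Println(h) // E52CAC67419A9A224A3B108F3FA6CB6D
	fmt.Println("second half blank:", h[16:] == EmptyHalf)
	// Constructed candidate lists: each half is attacked on its own.
	fmt.Println(CrackHalf(h[:16], []string{"letmein", "passwor", "welcome"}))
	fmt.Println(CrackHalf(h[16:], []string{"a", "b", "c", "d"}))
}
```

Disabling LM storage only affects passwords set after the policy change; an account whose password predates it keeps its LM hash in the directory until the password is changed, which is exactly what the debrief uncovered.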
This dumb password rule is from Coventry Building Society.
Password has to be between 6 and 10 characters, can't contain any punctuation and you have to give characters from it on the phone to confirm identity.
https://dumbpasswordrules.com/sites/coventry-building-society/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
🦀 New Rust reversing article! Let's take a look at a simple loader for some infostealer malware, distributed via a "can you try my game" scam on Discord. But it's Rust, so is it really simple? This malware sample has a few twists!
https://cxiao.net/posts/2025-08-17-not-so-simple-rust-loader/
Along the way, I'll go into detail about how threads, dynamic dispatch, and types work in Rust binaries. It may be helpful for your next Rust reversing adventure!
Thanks very much to @0xabad1dea and @demize for providing the sample!
#malware #rust #rustlang #infosec #ReverseEngineering #MalwareAnalysis #infostealer
This dumb password rule is from CenturyLink Residential.
Your password is too long. But how long can it be? Oh, we won't tell you.
https://dumbpasswordrules.com/sites/centurylink-residential/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I used to think that phishing tests and training were pretty pointless (like this study says), but I recently changed my mind.
Most people use tests as a (misguided) way to train employees. Instead, the value in tests is finding out how often phishing doesn't work, and how quickly employees will detect and report a non-targeted phishing attempt. This aids risk analysis and scoring, when phishing is the initial attack vector.
https://www.scworld.com/news/phishing-training-is-pretty-pointless-researchers-find
This dumb password rule is from SAS Eurobonus.
The best thing about rules is that you can have multiple different ones! Like SAS, which allows you to have a long password, at least when signing up, but you'll be sorry if you want to change your password later on.
https://dumbpasswordrules.com/sites/sas-eurobonus/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
About eight months ago, this idea first took flight — and today, I'm thrilled to share some exciting news: "The Spacecraft Hacker's Handbook" is now in Early Access at @nostarch
This dumb password rule is from California Department of Motor Vehicles.
They also prohibit pasting into the password field by using a JavaScript `alert()` whenever you right-click or press the `Ctrl` button, so you can't use a password manager.
https://dumbpasswordrules.com/sites/california-department-of-motor-vehicles/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
There is no point in trying to beat this plague with processing power and/or by harassing flesh-and-blood people. They [the usurpers] have the upper hand in that department, financed by big Capital. All that is left is for them to leave us the message before they attack us to assimilate our knowledge:
We are the Borg. Lower your shields and surrender your ships. Resistance is futile. And now, who can help us?
Happy Birthday!
Founded: 16.08.1993
Thank you to everyone in the community that has contributed to the project.
Website: https://www.debian.org
Mastodon: @debian
#Debian #Linux #FreeSoftware #OpenSource #FOSS #Privacy #InfoSec #CyberSecurity #GNU
This dumb password rule is from ING Australia.
4 numeric digits.
"Added security" by randomising the positions on the keypad. Must be clicked.
https://dumbpasswordrules.com/sites/ing-australia/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
If DNS is one of your interests, make sure you're following @pgl. From about my first day long ago at Farsight Security to current day at DomainTools, he continues to be an oft-mentioned and highly-regarded subject matter expert who regularly finds and shares awesome things.
This dumb password rule is from ASN Bank.
Your password needs to be between 8 and 20 characters long - at least 1 number, 1 lower case letter, 1 upper case letter, 1 special character.
https://dumbpasswordrules.com/sites/asn-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Every time I go on a flight I post a bullet pointed list of all the things I learned about various other companies from the laptop screens around me, to our own Slack, as a reminder of the importance of being aware of surroundings when working on stuff in public.
Along with an additional reminder that we provide privacy screens.
This dumb password rule is from Hetzner.
- 8 or more characters
- At least one uppercase and one lowercase letter
- At least one number or special character
Okay, fair enough, but after putting in a password with some special characters this message appears:
- Invalid characters, allowed are: A-Z a-z 0-9 ä ö ü ß Ä Ö Ü ^ ! $ % / ( ) = ?...
https://dumbpasswordrules.com/sites/hetzner/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Oopsie! It's Signal Gate, the sequel. A random person was added to a law enforcement group chat that included officers from Immigration and Customs Enforcement (ICE). In it, they discussed highly sensitive information about an active search for an individual seemingly marked for deportation. Here's more from @404mediaco
#Immigration #Technology #Encryption #LawEnforcement #ICE #InfoSec
there's lots of research that meets this criteria, but this is specifically the piece I had in mind when I wrote yesterday about reading excellent work that makes you feel energized.
go read it! I guarantee you'll learn something.
https://censys.com/blog/2025-state-of-the-internet-digging-into-residential-proxy-infrastructure
Incident Response company Profero on "AI-induced destruction" - a new incident category that they say now makes up 25% of their calls in which AI coding assistants deployed by legitimate insiders wreak havoc.
https://profero.io/blog/new-attack-vector--ai-induced-destruction
This dumb password rule is from College Board.
Password must be 9-30 characters with at least one upper case letter, one lower case letter, one number and one special character (no spaces) and be different than your username.
https://dumbpasswordrules.com/sites/college-board/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Bruce Schneier wrote a short post about the Prompt||GTFO infosec-ish prompt pit events I've been rambling about lately.
Session #4 is today; registration link included in Schneier's post.
https://www.schneier.com/blog/archives/2025/08/ai-applications-in-cybersecurity.html
"It was a comment he couldn't take back, even though he deleted the words and never sent the email. School administrators saw it within an hour because of a monitoring software installed on school laptops."
I've had challenging kids and have dealt with school systems that don't give a fuck about protecting kids. They just hide behind the rules once they've decide you're a bad kid. I really feel for this guy. HE DIDN'T EVEN SEND THE EMAIL?!? Just pisses me off.
Go tell your kids (and your friends with kids) to treat the school computer like us #infosec folks. Don't fuck around. Everything is monitored and now with #AI, that data can be consumed at mass and alerted on.
https://www.azcentral.com/story/news/local/arizona-education/2025/08/13/parents-sue-arizona-school-son-shooting-joke/85463429007/
This dumb password rule is from Williams-Sonoma.
25 maximum characters and disallowing some specials.
https://dumbpasswordrules.com/sites/williams-sonoma/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
So yesterday, I emailed a state court system that appears to be linked to the exposed data I mentioned recently and that the host notified on or about July 28.
No reply was received.
Today, I sent a contact form message to the lawyer for a juvenile whose records were sealed. Sealed, except 11 of them were exposed to anyone who can access the data. I told him what was going on and suggested he contact the court and tell them to get the data secured.
No reply was received.
Today, I sent an email to the judge who ordered the juvenile's records sealed and I cc:d the district attorney. I gave them the juvenile's name, case number and that I could see all the sealed records. I urged them to have their IT or vendor call me and I could give them the IP address over the phone, etc.
No reply was received.
Dear Russia, China, and North Korea:
You do not need to hack our courts. They are leaking like sieves and do not respond when we try to tell them they need to secure the data.
Yours in total frustration,
/Dissent
#infosec #cybersecurity #incident_response #dataleak #databreach #WAKETHEFUCKUP
I understand that one strategy employed by spammers and phishers is to make their messages stupid and absurd on purpose, so that only gullible and stupid people will fall for them, thus ensuring the scammers won't waste their time trying to scam people smart enough to figure it out.
Nevertheless, the mind boggles at how stupid someone would have to be to fall for a message like the one below, which I received this morning.
#spam #phishing #infosec
🚨 How #Rhadamanthys Stealer Slips Past Defenses using ClickFix
⚠️ Rhadamanthys is now delivered via ClickFix, combining technical methods and social engineering to bypass automated security solutions, making detection and response especially challenging.
👾 While earlier ClickFix campaigns mainly deployed #NetSupport RAT or #AsyncRAT, this C++ infostealer ranks in the upper tier for advanced evasion techniques and extensive data theft capabilities.
#ANYRUN Sandbox lets SOC teams observe and execute complex chains, revealing evasive behavior and providing intelligence that can be directly applied to detection rules, playbooks, and proactive hunting.
🔗 Execution Chain:
ClickFix ➡️ msiexec ➡️ exe-file ➡️ infected system file ➡️ PNG-stego payload
In a recent campaign, the phishing domain initiates a ClickFix flow (#MITRE T1566), prompting the user to execute a malicious MSI payload hosted on a remote server.
🥷 The installer is silently executed in memory (#MITRE T1218.007), deploying a stealer component into a disguised software directory under the user profile.
The dropped binary performs anti-VM checks (T1497.001) to avoid analysis.
In later stages, a compromised system file is used to initiate a TLS connection directly to an IP address, bypassing DNS monitoring.
📌 For encryption, attackers use self-signed TLS certificates with mismatched fields (e.g., Issuer or Subject), creating distinctive indicators for threat hunting and expanding an organization’s visibility into its threat landscape.
🖼️ The C2 delivers an obfuscated PNG containing additional payloads via steganography (T1027.003), extending dwell time and complicating detection.
🎯 See execution on a live system and download actionable report: https://app.any.run/tasks/a101654d-70f9-40a5-af56-1a8361b4ceb0/?utm_source=mastodon&utm_medium=post&utm_campaign=rhadamanthys&utm_term=120825&utm_content=linktoservice
🔍 Use these #ANYRUN TI Lookup search queries to track similar campaigns and enrich #IOCs with live attack data from threat investigations across 15K SOCs:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=rhadamanthys&utm_content=linktoti&utm_term=120825#%7B%2522query%2522:%2522threatName:%255C%2522clickfix%255C%2522%2522,%2522dateRange%2522:180%7D
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=rhadamanthys&utm_content=linktoti&utm_term=120825#%7B%2522query%2522:%2522threatName:%255C%2522rhadamanthys%255C%2522%2522,%2522dateRange%2522:180%7D
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=rhadamanthys&utm_content=linktoti&utm_term=120825#%7B%2522query%2522:%2522(threatName:%255C%2522clickfix%255C%2522%2520OR%2520threatName:%255C%2522susp-clipboard%255C%2522)%2520AND%2520threatName:%255C%2522netsupport%255C%2522%2522,%2522dateRange%2522:180%7D
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=rhadamanthys&utm_content=linktoti&utm_term=120825#%7B%2522query%2522:%2522(threatName:%255C%2522clickfix%255C%2522%2520OR%2520threatName:%255C%2522susp-clipboard%255C%2522)%2520AND%2520threatName:%255C%2522asyncrat%255C%2522%2522,%2522dateRange%2522:180%7D
👾 IOCs:
84.200[.]80.8
179.43[.]141.35
194.87[.]29.253
flaxergaurds[.]com
temopix[.]com
zerontwoposh[.]live
loanauto[.]cloud
wetotal[.]net
Find more indicators in the comments 💬
Protect critical assets with faster, deeper visibility into complex threats using #ANYRUN 🚀
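The indicator the post calls out, a self-signed certificate whose Issuer and Subject disagree, presented on a connection made to a bare IP, can be turned into a hunting check over captured certificates. The Go example below is added here and is not ANY.RUN's detection logic. It fabricates two certificates to run the check against; the names and the documentation-range address 203.0.113.10 are constructed, not indicators from the campaign.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Finding labels returned by Inspect.
const (
	SelfSigned        = "self-signed: signature verifies under the cert's own key"
	IssuerSubjectDiff = "self-signed but Issuer differs from Subject"
	NoSANs            = "no subject alternative names"
	IPOnlySAN         = "SANs are IP addresses only, no DNS names"
	IPLiteralPeer     = "peer contacted by IP literal, no hostname resolved"
)

// Inspect returns hunting findings for a certificate seen on a connection to peer
// (an IP literal or a hostname). Constructed heuristics matching the post's indicators.
func Inspect(peer string, c *x509.Certificate) []string {
	var f []string
	// A CA-signed cert fails this check; a self-signed one passes regardless of CA bits.
	if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		f = append(f, SelfSigned)
		if c.Issuer.String() != c.Subject.String() {
			f = append(f, IssuerSubjectDiff)
		}
	}
	switch {
	case len(c.DNSNames) == 0 && len(c.IPAddresses) == 0:
		f = append(f, NoSANs)
	case len(c.DNSNames) == 0:
		f = append(f, IPOnlySAN)
	}
	if net.ParseIP(peer) != nil {
		f = append(f, IPLiteralPeer)
	}
	return f
}

// Has reports whether a finding is present.
func Has(findings []string, want string) bool {
	for _, f := range findings {
		if f == want {
			return true
		}
	}
	return false
}

// MakeCert builds a certificate signed with its own key. issuerCN goes into the Issuer
// field independently of subjectCN: that is how a "self-signed cert with mismatched
// fields" comes about, the same key signs but the DN fields are filled in freely.
func MakeCert(subjectCN, issuerCN string, dns, ips []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: subjectCN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dns,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	for _, s := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s))
	}
	// The parent only lends its Subject as the Issuer; the signing key is the cert's own.
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}, PublicKey: &key.PublicKey}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed: an ordinary self-signed lab cert vs. one shaped like the post's C2 indicator.
	benign, _ := MakeCert("lab.example", "lab.example", []string{"lab.example"}, nil)
	c2, _ := MakeCert("cdn-edge", "Some Public CA", nil, []string{"203.0.113.10"})
	fmt.Println("lab.example:", Inspect("lab.example", benign))
	fmt.Println("203.0.113.10:", Inspect("203.0.113.10", c2))
}
```

Self-signed certificates are common on internal services, so SelfSigned alone is noise; the combination of SelfSigned, IssuerSubjectDiff and IPLiteralPeer on an outbound connection from a user workstation is the narrow signature worth alerting on.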
Remember, Trump defunded the police who work on investigating foreign hacking.
Putin and his KGB turds know everything about #Epstein and trump. It’s the only explanation for trump‘s public acquiescence and self-humiliation. Something he would never tolerate from anyone else in the world except his puppet master putin. The kompromat must be huge. Monumentally huge. It must be revealed.
This dumb password rule is from Taiwan Pingtung University.
Password must:
- Be between 8 ~ 15 characters long.
- Exceeding 15 will result in an account lockout instead of erroring on submit. Otherwise, the max character length should be 20.
- Contains at least 1 number character
- Contains at least 1 lowercase character
- Contains at least 1 uppercase ...
https://dumbpasswordrules.com/sites/taiwan-pingtung-university/
#password #passwords #infosec #cybersecurity #dumbpasswordrules