Nostr notes by Kevin Beaumont

Anthropic: we can't release our vuln research as it will end ...

2026-04-15T11:46:49Z

In reply to nevent1q…ntw4
_________________________

Anthropic: we can't release our vuln research as it will end the internet as we know it!!1!

Me: if I release Teams Roulette I'll probably cause global chaos with people getting their knobs out in board meetings

the word create isn't in the thread anywhere

2026-03-18T19:08:38Z

In reply to nevent1q…qcwc
_________________________

the word create isn't in the thread anywhere

Free copy of Battlefield 6 (PC I'm presuming) for anybody ...

2026-03-18T18:40:41Z

Free copy of Battlefield 6 (PC I'm presuming) for anybody with an EA account -- 3F5T-NDK4-WN93-VEBH

https://www.ea.com/redeem

don't worry, all these orgs are also hyping GenAI as the next ...

2026-03-18T18:11:57Z

In reply to nevent1q…fnqh
_________________________

don't worry, all these orgs are also hyping GenAI as the next big thing.

Meta, having renamed itself Meta and spending billions on it, is ...

2026-03-18T18:06:36Z

Meta, having renamed itself Meta and spending billions on it, is shutting down it's metaverse VR platform. https://www.theshortcut.com/p/meta-is-shutting-down-horizon-worlds-vr-despite-investing-billions-into-the-metaverse

We winning. https://www.bbc.co.uk/news/articles/cvg1gr5v333o

2026-03-18T15:15:24Z

We winning. https://www.bbc.co.uk/news/articles/cvg1gr5v333o

RE: https://mastodon.social/@404mediaco/116241338503387167 Add ...

2026-03-16T23:35:08Z

RE: https://mastodon.social/@404mediaco/116241338503387167

Add this to the long list of execs fucking up their entire company using GenAI - CEO decides he doesn’t want to pay $250m bonus to staff, asks ChatGPT how to avoid it, his legal team tell him ‘are u fuckin dumb’, he does it anyway, gets sued, and loses in court.

quoting
note1c24…x5y2

The CEO of Krafton used ChatGPT to push out the head of the studio developing Subnautica 2 against the advice of his own legal team and failed miserably.

https://www.404media.co/ceo-ignores-lawyers-asks-chatgpt-how-to-void-250-million-contract-loses-terribly-in-court/

Stryker have a liveblog of their security incident, linked from ...

2026-03-16T17:13:30Z

In reply to nevent1q…ffur
_________________________

Stryker have a liveblog of their security incident, linked from the front page of their website:

https://www.stryker.com/gb/en/about/news/a-message-to-our-customers-03-2026.html

tl;dr is most customer systems aren't impacted as they run on Linux, but their corporate Windows systems are toast so please hold the line.

I still don't understand the US war on Iran. They declared ...

2026-03-16T13:33:05Z

In reply to nevent1q…gxkz
_________________________

I still don't understand the US war on Iran. They declared war, then said it wasn't a war, then it was, then it wasn't, then it was, then declared victory, said Iran's military was totally disabled.. and now they're begging for help from the rest of the world as things keep getting blown up?

Like - what is the plan here?

There's not point asking the UK for help, we probably sold all our boats to Lidl.

In other news, Hulu passed on the Buffy reboot, they didn't ...

2026-03-15T19:46:48Z

In other news, Hulu passed on the Buffy reboot, they didn't like the pilot. It's easy to be cynical about that one but from what I'd heard it was actually good, and weird, and got death'd by a thousand exec cuts of clueless people going "we made Buffy The Vampire What?!"

The Firefly cast have secured the rights to Firefly, and plan to ...

2026-03-15T19:38:42Z

The Firefly cast have secured the rights to Firefly, and plan to turn it into an animated series with the original cast voicing. https://deadline.com/2026/03/nathan-fillion-firefly-animated-series-development-1236754122/

Buzzfeed journey: - Successful - Pivoted to GenAI for content - ...

2026-03-14T17:23:23Z

Buzzfeed journey:

- Successful
- Pivoted to GenAI for content
- Laid everybody off
- Now admits it probably can't stay in business

https://futurism.com/artificial-intelligence/buzzfeed-disastrous-earnings-ai

If you use Sourcescrub by Datasite, they're dumping all the ...

2025-11-20T18:39:26Z

If you use Sourcescrub by Datasite, they're dumping all the things people export into a public Azure Storage Blob - prodscrubstorage.blob.core.windows.net

http://prodscrubstorage.blob.core.windows.net/export?restype=container

I believe this is the fourth time Thalha Jubair has been arrested ...

2025-09-18T13:24:01Z

In reply to nevent1q…jeu0
_________________________

I believe this is the fourth time Thalha Jubair has been arrested btw.

Suspect arrested for M&S hack have been rearrested (again), ...

2025-09-18T13:22:10Z

In reply to nevent1q…060k
_________________________

Suspect arrested for M&S hack have been rearrested (again), this time for Transport for London hack last year: https://therecord.media/scattered-spider-teenage-suspects-arrested-britain-nca

Marks and Spencer CTO leaves, CISO still in role. It’s ...

2025-09-15T17:30:14Z

In reply to nevent1q…7ptr
_________________________

Marks and Spencer CTO leaves, CISO still in role.

It’s difficult to see what happened as her fault - eg the decision to outsource the frontline IT helpdesk that did the password resets dates 5 years before she joined.

https://www.computerweekly.com/news/366630565/MS-parts-ways-with-CTO-after-cyber-attack

This isn't a dig at MS btw, as they're actually really ...

2025-09-02T11:16:36Z

In reply to nevent1q…z3vf
_________________________

This isn't a dig at MS btw, as they're actually really good with high profile vulns in their own on prem products nowadays overall - they'll frequently give extensive details to hunt on.

Other vendors should learn from that.

The status updates on Colt's website describing a ...

2025-08-21T12:06:28Z

In reply to nevent1q…053c
_________________________

The status updates on Colt's website describing a "technical issue" have been removed, replacing it with always being a cyber incident.

Left - internet archive - https://web.archive.org/web/20250814102113/https://www.colt.net/status/
Right - now https://www.colt.net/status/#updates

M&S still working on system recovery. ...

2025-08-11T09:03:53Z

In reply to nevent1q…rdas
_________________________

M&S still working on system recovery. https://www.bbc.com/news/articles/cewyyjdzql4o

I understand the people released have not been charged.

2025-08-11T09:03:08Z

In reply to nevent1q…wf36
_________________________

I understand the people released have not been charged.

The people arrested as part of the Co-op and M&S hack ...

2025-07-17T13:07:57Z

In reply to nevent1q…a790
_________________________

The people arrested as part of the Co-op and M&S hack investigation have been released on bail.

https://nation.cymru/news/four-people-bailed-after-arrests-over-cyber-attacks-on-ms-co-op-and-harrods/

Previously when this happened with LAPSUS$, they just continued hacking stuff.

Personally I think Co-op did a really good job getting out of ...

2025-07-16T08:58:23Z

In reply to nevent1q…qy2j
_________________________

Personally I think Co-op did a really good job getting out of that situation and minimising impact.

I definitely think if you have a LAPSUS$ style advanced persistent teenagers situation, tilt towards open and honest comms as those kids will use secrecy against ya. It’s 2025, it’s okay to say you got hacked, people largely understand. Also, in IR, lawyers are usually stuck in 1980 advice - it’s just advice, they ain’t yo boss.

Co-op finally admitted the entire membership database was stolen ...

2025-07-16T08:47:29Z

In reply to nevent1q…04d9
_________________________

Co-op finally admitted the entire membership database was stolen

I had this in the thread months ago, they originally tried to deny it entirely then tried to say ‘some’ data was accessed when they knew it was the whole thing.

https://www.bbc.co.uk/news/articles/cql0ple066po

. @npub1vc3…axsh has broken the story that the key member (and ...

2025-07-10T21:07:55Z

In reply to nevent1q…9g7f
_________________________

. BrianKrebs (npub1vc3…axsh) has broken the story that the key member (and teenager) of LAPSUS$ runs Scattered Spider

https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/

After almost 3 months, Marks and Spencer recruitment system came ...

2025-07-10T17:10:53Z

In reply to nevent1q…ntvz
_________________________

After almost 3 months, Marks and Spencer recruitment system came back online just now. First 4 jobs posted.

If you ever doubted the link between Scattered Spider(tm) and ...

2025-07-10T16:58:28Z

In reply to nevent1q…y79u
_________________________

If you ever doubted the link between Scattered Spider(tm) and LAPSUS$ - one of the people arrested today was a key part of the LAPSUS$ attacks a few years ago.

17 and two 19 year old teens picked up over Co-op and M&S ...

2025-07-10T11:17:17Z

In reply to nevent1q…f5m5
_________________________

17 and two 19 year old teens picked up over Co-op and M&S hacks, and a 20 year old woman.

Pretend to be surprised.

https://www.bbc.com/news/articles/cwykgrv374eo

Marks and Spencer’s CEO says half of their online ordering is ...

2025-07-01T12:56:48Z

In reply to nevent1q…ea5u
_________________________

Marks and Spencer’s CEO says half of their online ordering is still offline after their ransomware incident, they hope to get open in next 4 weeks.

They are also rebuilding internal systems and hope a majority of that will be done by August.

Lesson: mass contain early. M&S didn’t. Co-op did.

https://www.reuters.com/business/retail-consumer/ms-ceo-most-cyberattack-impact-will-be-behind-us-by-august-2025-07-01/

One thing for media covering the Co-op thing - attackers are not ...

2025-05-07T11:55:01Z

In reply to nevent1q…f3lq
_________________________

One thing for media covering the Co-op thing - attackers are not impersonating IT help desks to gain access. They’re impersonating *staff* calling in to the IT help desks - they’re different things.

Contactless payment has been fixed at all Co-op Group stores.

2025-05-06T14:52:01Z

In reply to nevent1q…alpn
_________________________

Contactless payment has been fixed at all Co-op Group stores.

It sounds like the situation at Co-op has got worse. They’ve ...

2025-05-06T10:21:14Z

In reply to nevent1q…u36j
_________________________

It sounds like the situation at Co-op has got worse. They’ve stopped taking card payments, it’s cash only. https://www.telegraph.co.uk/business/2025/05/06/co-op-shops-stop-taking-card-payments-amid-cyber-attack/

Co-op Group appear to be trying to course correct with their ...

2025-05-05T16:21:58Z

In reply to nevent1q…04k7
_________________________

Co-op Group appear to be trying to course correct with their cyber incident comms.

They’re calling it a cyber incident now, and have put a statement on the front page of their website, along with an FAQ. They haven’t yet emailed members (they should).

https://www.coop.co.uk/cyber-incident

One of the points of exploitation of large orgs is they usually ...

2025-05-05T14:32:41Z

In reply to nevent1q…j0y6
_________________________

One of the points of exploitation of large orgs is they usually outsource their Service Desk to somewhere cheap offshore who don’t know the org staff, and when you call and say your name, they normally put big all caps bold red warning if the person is a VIP, eg C suite, so they get VIP service - ie anything goes.

BBC News has a look at teenagers phoning helpdesks and pretending ...

2025-05-05T14:18:45Z

In reply to nevent1q…qkf3
_________________________

BBC News has a look at teenagers phoning helpdesks and pretending to be the CISO. https://www.bbc.com/news/articles/c4grn878712o

The SignalNotSignal hack of US government is really big. Some ...

2025-05-05T12:23:15Z

In reply to nevent1q…px9h
_________________________

The SignalNotSignal hack of US government is really big. Some examples for those who haven’t seen it. The USG managed to take an encrypted platform, backdoor it, and got owned.

I’ve been using Recall for a few weeks now on my daily driver. ...

2025-05-05T10:42:28Z

In reply to nevent1q…rqu8
_________________________

I’ve been using Recall for a few weeks now on my daily driver.

It scooped up my credit card statements after I logged into online banking - both screenshots (text indexed) of the PDFs, transaction history from the website, and my name, date of birth and security question reminders.

Sensitive filtering mode only kicked in when I viewed my cards CVV number.

Worth excluding bank websites from Recall’s options, if you see it enabled.

#NoName are back targeting UK councils. Same config as prior UK ...

2025-05-05T06:25:55Z

#NoName are back targeting UK councils. Same config as prior UK runs. #threatintel

Sky News quote a source in M&S head office saying Marks and ...

2025-05-05T05:33:55Z

In reply to nevent1q…ktpq
_________________________

Sky News quote a source in M&S head office saying Marks and Spencer have no ransomware incident plan so they are making it up as they go along apparently, with staff sleeping in the office and communicating via WhatsApp.

M&S dispute this, saying they have robust business continuity plans.

https://news.sky.com/story/amp/mands-had-no-plan-for-cyber-attacks-insider-reveals-with-staff-left-sleeping-in-the-office-amid-paranoia-and-chaos-13361359

The third party version of Signal the White House has been using ...

2025-05-04T23:33:20Z

The third party version of Signal the White House has been using has been hacked, and Signal messages from devices stolen (as they were being sent to the supplier)

https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/

Great NCSC piece by ...

2025-05-04T18:40:10Z

In reply to nevent1q…sl34
_________________________

Great NCSC piece by [@ollie_whitehouse](https://infosec.exchange/@ollie_whitehouse )

I’d add - block by Entra policy specifically High risk logins (below is too FP prone), and SOC monitor them. SOC playbook = account probably compromised. How?

https://www.ncsc.gov.uk/blog-post/incidents-impacting-retailers

A wrote a piece about paying ransoms does not equal quick ...

2025-05-04T11:16:59Z

In reply to nevent1q…p72e
_________________________

A wrote a piece about paying ransoms does not equal quick restoration - in fact, quite often it makes things worse. https://doublepulsar.com/big-game-ransomware-the-myths-experts-tell-board-members-03d5e1d1c4b7

Sunday Times has a piece looking into ransomware incident at ...

2025-05-03T20:56:03Z

In reply to nevent1q…4du9
_________________________

Sunday Times has a piece looking into ransomware incident at Marks and Spencer. It's pretty good, goes into their contain and eradicate focus.

"By shutting down parts of the IT estate, Higham’s team had worked to prevent the attack from spreading, but had also stopped parts of its digital operations from functioning. This was considered a worthy trade-off."

One error in the article - lack of recovery doesn't mean no ransomware paid. Paying is not quick restoration.

https://www.thetimes.com/business-money/companies/article/m-and-s-cyber-attack-ms-klrnxvwq6

Here's the ITV News report anyhoo, logline: "ITV News ...

2025-05-03T16:52:07Z

In reply to nevent1q…lgg6
_________________________

Here's the ITV News report anyhoo, logline: "ITV News understands the the ongoing cyberattack faced by the supermarket has worsened since Friday, impacting the ordering system, drivers and warehouse staff."

https://www.itv.com/news/2025-05-03/worsening-cyberattack-shuts-down-co-op-orders-itv-news-understands

There's a report on ITV News that Co-op member data is ...

2025-05-03T16:27:51Z

In reply to nevent1q…ua97
_________________________

There's a report on ITV News that Co-op member data is available on the Dark Web(tm), but as far as I know this isn't accurate. DragonForce's portal hasn't been available for over a week.

By the way, this is absolutely terrible advice for dealing with a ...

2025-05-02T23:26:54Z

In reply to nevent1q…3qcx
_________________________

By the way, this is absolutely terrible advice for dealing with a major and high visibility ransomware incident.

One of M&S’ biggest suppliers have said they have reverted ...

2025-05-02T23:24:45Z

In reply to nevent1q…xaax
_________________________

One of M&S’ biggest suppliers have said they have reverted to pen and paper for orders due to M&S lacking IT.

Additionally, M&S staff are raising concern about how they will be paid due to lack of IT systems.

M&S are over a week into a ransomware incident and still don’t have their online store working.

https://www.bbc.com/news/articles/cvgnyplvdv8o

#threatintel #ransomware

Bleeping Computer have more on the Co-op breach ...

2025-05-02T19:58:23Z

In reply to nevent1q…8yjs
_________________________

Bleeping Computer have more on the Co-op breach https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/

#threatintel #ransomware

Pass the bong ...

2025-05-02T19:53:27Z

In reply to nevent1q…79g5
_________________________

Pass the bong

Regarding IOCs around the UK retailer activity - there’s loads ...

2025-05-02T19:49:46Z

In reply to nevent1q…yyk2
_________________________

Regarding IOCs around the UK retailer activity - there’s loads doing the rounds, and they’re almost all not useful.

Eg hundreds of dynamic VPN IPs from 2022. If you google them you’ll find them on vendor blogs from years ago for Scattered Spider - people are recycling in panic and passing around in panic.

Don’t hunt on random IOCs. IP addresses change. Strengthen foundational controls. Review sign in logs for abnormal activity etc.

New by me - breaking down the attacks on UK highstreet retailers ...

2025-05-02T18:33:10Z

In reply to nevent1q…4056
_________________________

New by me - breaking down the attacks on UK highstreet retailers

https://doublepulsar.com/dragonforce-ransomware-cartel-attacks-on-uk-high-street-retailers-walking-in-the-front-door-52ed8ba68534

Co-op Group have now admitted a significant amount of member ...

2025-05-02T17:51:34Z

In reply to nevent1q…m202
_________________________

Co-op Group have now admitted a significant amount of member (customer) information has been stolen by DragonForce Ransomware Cartel, saying they "accessed data relating to a significant number of our current and past members" - around 20 million people. The Member database, basically.

Up until now Co-op hadn't even used the words cyber or threat actor, referring to an "IT issue" and "third party" in comms.

https://www.bbc.co.uk/news/articles/crkx3vy54nzo

The individuals operating under the DragonForce banner are using ...

2025-05-02T17:17:15Z

In reply to nevent1q…s6f3
_________________________

The individuals operating under the DragonForce banner are using social engineering for entry.

Defenders should urgently make sure they have read the CISA briefs on Scattered Spider and LAPSUS$ as it's a repeat of the 2022-2023 activity.

Links: https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf

https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf

I would also suggest these NCSC guides on incident management: https://www.ncsc.gov.uk/collection/incident-management

and effective cyber crisis comms: https://www.ncsc.gov.uk/guidance/effective-communications-in-a-cyber-incident

I'm going to make this the new ongoing megathread for ...

2025-05-02T17:13:18Z

In reply to nevent1q…472t
_________________________

I'm going to make this the new ongoing megathread for DragonForce Ransomware Cartel's attack on UK retailers as they're all connected.

Why it matters: these are some of the UK's largest retailers, think Target or some such in a US sense.

Prior threads

M&S: https://cyberplace.social/@GossiTheDog/114381946765071799

Co-op: https://cyberplace.social/@GossiTheDog/114426688834113446

Harrods:
https://cyberplace.social/@GossiTheDog/114433519351165250

DragonForce Ransomware Cartel are claiming credit for attacks on ...

2025-05-02T16:56:56Z

DragonForce Ransomware Cartel are claiming credit for attacks on Marks and Spencer, Co-op and Harrods and say more are coming https://www.bloomberg.com/news/articles/2025-05-02/-dragonforce-hacking-gang-takes-credit-for-uk-retail-attacks

in account.microsoft.com you can turn on passwordless, so your ...

2025-05-01T14:36:36Z

In reply to nevent1q…zmc9
_________________________

in account.microsoft.com you can turn on passwordless, so your hotmail account has no password at all, MFA is used for access.

But if you enable it, can you still RDP with the old password?

what happens if you turn passwordless on with the account, does ...

2025-05-01T12:31:43Z

In reply to nevent1q…ehgw
_________________________

what happens if you turn passwordless on with the account, does it still accept the old password?

Lord, feel sorry for the M&S CISO. He only arrived just over ...

2025-04-29T21:38:23Z

Lord, feel sorry for the M&S CISO. He only arrived just over a year ago.

It looks like they outsourced lots of their IT systems to TCS many years ago. He's spend years warning about ransomware and now he's on the hook for a barn fire likely caused by years of prior decisions.

I’m very tempted to take next week off work 😅 ...

2025-04-16T20:14:55Z

In reply to nevent1q…c2gq
_________________________

I’m very tempted to take next week off work 😅

Oblivion Remastered vs vanilla comparison ...

2025-04-16T20:08:18Z

In reply to nevent1q…m5mg
_________________________

Oblivion Remastered vs vanilla comparison https://youtu.be/BppeLAz37rc

CVE extension to March 16th 2026 See y’all March 15th 2026 for ...

2025-04-16T14:31:21Z

In reply to nevent1q…j2yh
_________________________

CVE extension to March 16th 2026

See y’all March 15th 2026 for the last minute renewal 🫡😅

https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000018_7001_70RSAT20D00000001_7001

CVE extension by CISA = 11 months. ...

2025-04-16T14:14:22Z

In reply to nevent1q…ucax
_________________________

CVE extension by CISA = 11 months. https://infosec.exchange/@metacurity/114348047105534455

Now all we need is for Breachforums to get back online and the ...

2025-04-16T12:44:06Z

In reply to nevent1q…dvj9
_________________________

Now all we need is for Breachforums to get back online and the threat intelligence industry is alive again!

CISA have, at the last minute, extended the MITRE CVE contract. ...

2025-04-16T12:14:24Z

In reply to nevent1q…xy3h
_________________________

CISA have, at the last minute, extended the MITRE CVE contract. “The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.” HT Metacurity (npub102x…wzj6)

Another effort - https://gcve.eu/ Global CVE Allocation System

2025-04-16T09:14:43Z

In reply to nevent1q…xwxx
_________________________

Another effort - https://gcve.eu/ Global CVE Allocation System

Looks like the US Government are going to lose control of CVE. ...

2025-04-16T08:22:44Z

In reply to nevent1q…edwe
_________________________

Looks like the US Government are going to lose control of CVE. https://www.thecvefoundation.org/

If you want to know how stupid the CVE situation is - CISA are ...

2025-04-16T08:08:09Z

In reply to nevent1q…4h67
_________________________

If you want to know how stupid the CVE situation is - CISA are trying to source last minute funding or look at taking CVE management in house, but they themselves have had a massive budget cut where the staff trying to fix it are also at risk of being cut.

DOGE have terminated MITREs contracts, they say they will be ...

2025-04-16T07:54:47Z

In reply to nevent1q…pt2n
_________________________

DOGE have terminated MITREs contracts, they say they will be laying off nearly 500 people. This will have impacts beyond CVE - think MITRE ATT&CK etc. https://virginiabusiness.com/nova-govcon-firm-mitre-to-lay-off-442-employees-after-doge-cuts-contracts/

Just as an update to this - @npub1vc3…axsh has confirmed with ...

2025-04-15T21:38:37Z

In reply to nevent1q…u0ag
_________________________

Just as an update to this - BrianKrebs (npub1vc3…axsh) has confirmed with MITRE the letter is real, and as it stands the CVE database is likely to offline tomorrow.

My take on the CVE contract issue for businesses: don’t ...

2025-04-15T18:58:37Z

In reply to nevent1q…695g
_________________________

My take on the CVE contract issue for businesses: don’t overreact, wait and see what impacts are.

The NVD backlog was already pretty crazy.. the US gov has gotta put real funding into this area if it wants to retain control of cyber standards.

Also in both cases Oracle hasn’t filed an 8-K or told ...

2025-04-03T13:05:12Z

In reply to nevent1q…67ur
_________________________

Also in both cases Oracle hasn’t filed an 8-K or told regulators or provided an IR report to customers or a written technical statement of what happened or put anything on their website or commented to press.

To answer my own question up thread - from talking to people, the ...

2025-04-03T12:55:16Z

In reply to nevent1q…j9hk
_________________________

To answer my own question up thread - from talking to people, the Oracle Health breach appears to be unrelated to the Oracle SaaS incident this thread describes.

In both cases they’re being extorted, and in both cases they’re working with the FBI and external incident response.

Oracle were still trying to get SaaS solutions they manage off ...

2025-04-03T12:09:26Z

In reply to nevent1q…jf42
_________________________

Oracle were still trying to get SaaS solutions *they* manage off Oracle Classic aka Gen1 as of 2023. They made a mess of it.

Yeah, by legacy system Oracle mean ‘a system we manage housing ...

2025-04-03T12:05:46Z

In reply to nevent1q…cazv
_________________________

Yeah, by legacy system Oracle mean ‘a system we manage housing active customer data’. They’ve also been telling people it isn’t Oracle Cloud.. but it is, and they know it is, they’re just doing customer talking points to wordsmith around it.

https://infosec.exchange/@Fringedcrow/114273919390396133

The Bloomberg article is paywall so here’s screenshots. ...

2025-04-03T08:54:12Z

In reply to nevent1q…dkk0
_________________________

The Bloomberg article is paywall so here’s screenshots.

“The company informed customers that the system has not been in ...

2025-04-03T08:25:37Z

In reply to nevent1q…2w9f
_________________________

“The company informed customers that the system has not been in use for eight years and that the stolen client credentials therefore pose little risk, the report added. The stolen data included Oracle customer log-in credentials from as recently as 2024, the report said.”

This would be Oracle Classic, aka Gen1. I’ve been told the systems were left online after migration.. unpatched.

Oracle are trying to play legacy angle - but what else was stolen? What else did the attacker do? Why cover up?

We have an update. Reuters and Bloomberg confirm my blog, ...

2025-04-03T08:22:25Z

In reply to nevent1q…vx4n
_________________________

We have an update. Reuters and Bloomberg confirm my blog, that’s there’s a security incident going on at Oracle cloud. Oracle declined to comment, after lying to BleepingComputer (npub1pkr…6763) and other outlets on the record.

CrowdStrike is the IR company.

“Oracle staff acknowledged to some clients this week that an attacker had gotten into a legacy environment, Bloomberg News report said.”

https://www.reuters.com/technology/cybersecurity/oracle-tells-clients-second-recent-hack-log-in-data-stolen-bloomberg-news-2025-04-02/

100% on this one, seen all the time on real world incidents. ...

2025-04-02T17:21:23Z

In reply to nevent1q…6epr
_________________________

100% on this one, seen all the time on real world incidents.

Problem: somebody got a password for an account and nobody knows how.

How: the business user signed into their personal Google account in Chrome at work, which synced all their bookmarks and saved passwords to Google. Then they switched on their home PC, Chrime synced, and infostealer took all the details

Solution: Google Chrome ADMX, and set Group Policy to turn off personal account sign in with Chrome.

https://infosec.exchange/@Walker/114268652560517693

I should also point out there's a lot of infosec people at ...

2025-04-02T16:20:00Z

In reply to nevent1q…uvk8
_________________________

I should also point out there's a lot of infosec people at trillion dollar tech companies sat thinking quantum and AI is going to be the next big problem...

...when in reality SMBs make up a vast majority of the global economy - and are getting owned by people running this as they can't work out nmap parameters, while playing Call of Duty on their second monitor (this isn't even a joke, this was a ransomware deployment):

Finally, if you want the raw incident data to analyse, Sophos has ...

2025-04-02T15:16:55Z

In reply to nevent1q…h22d
_________________________

Finally, if you want the raw incident data to analyse, Sophos has it, anonymized: https://github.com/sophoslabs/Active_Adversary_Report/blob/main/sophos-aar2501-github-share.csv

Notably, for the second year running (and same with all prior ...

2025-04-02T15:15:06Z

In reply to nevent1q…ylal
_________________________

Notably, for the second year running (and same with all prior reports) (and the same across other IR and MDR providers), the report doesn't mention AI or Generative AI once.

Absolutely not popular to say that and always get next to zero engagement on LinkedIn, but let me be super clear on this one:

The threat to your business is foundational IT and security. The big incident that screws you over will be somebody pointing and clicking. Focus on what actually matters, not AI.

In 84% of cases - you know, almost all - attackers use RDP, aka ...

2025-04-02T15:12:07Z

In reply to nevent1q…apaq
_________________________

In 84% of cases - you know, almost all - attackers use RDP, aka Remote Desktop.

Yes, you think attackers are hacking the matrix and using Generative AI to generate 31337 code... but in fact, almost all of them are using Remote Desktop to *point and click* hack you.

There's some really good recommendations in that for monitoring internal RDP usage. It's by far one of the biggest ways to catch people internally being naughty. Why is somebody RDPing to a domain controller at 3am?

If you have a way of being able to block or at least alert on ...

2025-04-02T15:09:31Z

In reply to nevent1q…zy45
_________________________

If you have a way of being able to block or at least alert on software, yeet these:

- SoftPerfect Network Scanner
- AnyDesk
- mimikatz (lol 2025)
- Rclone
- WinRAR
- Advanced IP Scanner
- Advanced Port Scanner

Bruteforce and external remote access drives a significant ...

2025-04-02T15:07:31Z

In reply to nevent1q…k7q2
_________________________

Bruteforce and external remote access drives a significant portion of incidents, which also ties to compromised credentials (78% of cases is remote access with valid creds, infostealers go brrrr).

CitrixBleed was 5% of all security incidents - may explain why I made an MSPaint.exe logo for it

The long story short is you need really robust authentication - if you get it wrong, you are toast in 2025 - and really, really robust external services patching. Don't ever present RDP to the internet.

Compromised credentials continue to drive a majority of ...

2025-04-02T13:00:21Z

In reply to nevent1q…svjx
_________________________

Compromised credentials continue to drive a majority of incidents. Why? home PCs and infostealers.

MS Recall got the shite kicked out of it because it would have been a disaster for exactly this reason, we don't need to pour petrol on that already raging and unsolved fire.

Bruteforcing of VPNs and exploitation of network border vulnerabilities continues to be a major (and growing) problem.

Bang for buck: Concentrate on MFA everything, patch everything internet facing, monitor bruteforce.

The 2025 Sophos Active Adversary Report is out. I thread these ...

2025-04-02T12:55:31Z

The 2025 Sophos Active Adversary Report is out.

I thread these every year as, personally, I think yearly IR and MDR reports are the best source of data for defenders on _real world_ threats.

https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/

Key take aways for me:

- Despite what you read from scare vendors, ransomware dwell time (initial access to deployment) is still measured days.

It is not hopeless and by active monitoring you *can* stop attackers.

Meanwhile, on the Oracle cloud front, Oracle’s silence is ...

2025-04-02T12:00:13Z

In reply to nevent1q…mscw
_________________________

Meanwhile, on the Oracle cloud front, Oracle’s silence is deafening.

A class action lawsuit has been filed in the US around Oracle ...

2025-04-02T11:54:23Z

In reply to nevent1q…ltf2
_________________________

A class action lawsuit has been filed in the US around Oracle failing to publicly disclose a breach of Oracle Health. https://storage.courtlistener.com/recap/gov.uscourts.txwd.1172831612/gov.uscourts.txwd.1172831612.1.0.pdf

Heise has a look at the Oracle security incident. Oracle didn’t ...

2025-04-02T07:23:00Z

In reply to nevent1q…7ku9
_________________________

Heise has a look at the Oracle security incident. Oracle didn’t return request for comment when asked about Oracle Classic - I understand from multiple large outlets they’ve also declined to comment.

https://www.heise.de/en/news/Data-leak-at-Oracle-Up-to-2000-German-victims-What-is-known-and-what-is-not-10336366.html

Oracle Health customers dealing with the breach there of patient ...

2025-04-01T10:26:57Z

In reply to nevent1q…wa3k
_________________________

Oracle Health customers dealing with the breach there of patient PII, if you’ve had a verbal briefing could you please Signal me? GossiTheDog.1337

I’m interested to see if they’ve told you it was in legacy Oracle Classic aka OCI Gen1 environments, like they have with Oracle Cloud customers - I’m trying to line up if the breaches are actually related.

It appears Oracle migrated people off OCI G1 a few years ago, but left the systems on and unpatched with customer data.

I can confirm there has definitely been a serious security ...

2025-03-31T11:53:59Z

In reply to nevent1q…kqqa
_________________________

I can confirm there has definitely been a serious security incident at Oracle's managed cloud service, and they're attempting to wordsmith their way out of it. https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incident-from-customers-in-oracle-saas-service-9231c8daff4a

Going back to the Oracle Cloud security incident, the 2019 video ...

2025-03-28T15:31:43Z

In reply to nevent1q…hnyn
_________________________

Going back to the Oracle Cloud security incident, the 2019 video posted by the threat actor: https://youtu.be/375_G9wAffo

Now has an audio transcription https://github.com/j-klawson/oracle_breach_2025/blob/main/youtube_video_transcript.txt

There’s now been a data breach at Oracle Health, which is ...

2025-03-28T15:27:15Z

In reply to nevent1q…29f0
_________________________

There’s now been a data breach at Oracle Health, which is separate to the ongoing security issue at Oracle Cloud.

Oracle have not commented publicly on the breach, instead telling people to only talk to their CISO by phone, not in writing. They’ve sent out letters without Oracle letterheads, using external lawyers instead.

The behaviour going on at Oracle with cybersecurity is extremely alarming.

https://www.bleepingcomputer.com/news/security/oracle-health-breach-compromises-patient-data-at-us-hospitals/

Also, that YouTube video I linked above has two hours of audio of ...

2025-03-26T21:42:15Z

In reply to nevent1q…mer6
_________________________

Also, that YouTube video I linked above has two hours of audio of Oracle employees talking. I haven’t transcribed it yet.

Separately, the threat actor has shared what they claim to be current config files from Oracle Cloud servers with a different reporter.

I’m deliberately staying out of this one for now as I’m trying to finish Assassin’s Creed Shadows first.. but I think Oracle may have a pending PR disaster when the TikTok deal is due to complete.

Bleeping Computer say multiple Oracle customers confirm their ...

2025-03-26T21:26:28Z

In reply to nevent1q…8kkz
_________________________

Bleeping Computer say multiple Oracle customers confirm their customer data has been stolen from Oracle Cloud. Oracle continue to deny there is a problem.

https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/

I think it’s entirely possible the US gov will try arresting ...

2025-03-26T12:40:31Z

In reply to nevent1q…u0h8
_________________________

I think it’s entirely possible the US gov will try arresting the reporters and staff at that outlet to try to shut the story down, we’ll see.

Nostr event nevent1qqs84w5762v52dle6cv7ynk6fwwdv64gjm44ftk75rh8pff57uugvngzyrlrrf6vu7nn26yks6j230dhvk50fku5tkgmvaqjcag932p2288l6czavc3

2025-03-25T20:39:51Z

In reply to nevent1q…hf9f
_________________________

lol

The Trump administration claims the Signal chats don’t contain ...

2025-03-25T17:35:51Z

In reply to nevent1q…deqw
_________________________

The Trump administration claims the Signal chats don’t contain classified material, but they refused to release them publicly.

The journalist in the conversations is saying he won’t release them, as they do contain classified information.

https://www.bbc.co.uk/news/live/cg70xgxl3vmt?post=asset%3Ac0c0c6ea-9066-4cd0-88d9-f5b1e59cb801#post

Well done to Trump administration officials for starting a major ...

2025-03-25T13:11:08Z

In reply to nevent1q…74zz
_________________________

Well done to Trump administration officials for starting a major diplomatic crisis via a secure messaging platform that children should be able to operate. https://www.bbc.co.uk/news/live/cg70xgxl3vmt

CloudSEK are doubling down on their Oracle Cloud breach ...

2025-03-25T11:01:32Z

In reply to nevent1q…m6yj
_________________________

CloudSEK are doubling down on their Oracle Cloud breach reporting, despite a denial from Oracle: https://cloudsek.com/blog/part-2-validating-the-breach-oracle-cloud-denied-cloudseks-follow-up-analysis

I am still looking into this and will probably do a blog post this week. The threat actor is still dropping files everywhere and they do tend to point to a security incident at Oracle Cloud.

Nostr notes by Kevin Beaumont

Anthropic: we can't release our vuln research as it will end ...

the word create isn't in the thread anywhere

Free copy of Battlefield 6 (PC I'm presuming) for anybody ...

don't worry, all these orgs are also hyping GenAI as the next ...

Meta, having renamed itself Meta and spending billions on it, is ...

We winning. https://www.bbc.co.uk/news/articles/cvg1gr5v333o

RE: https://mastodon.social/@404mediaco/116241338503387167 Add ...

Stryker have a liveblog of their security incident, linked from ...

I still don't understand the US war on Iran. They declared ...

In other news, Hulu passed on the Buffy reboot, they didn't ...

The Firefly cast have secured the rights to Firefly, and plan to ...

Buzzfeed journey: - Successful - Pivoted to GenAI for content - ...

If you use Sourcescrub by Datasite, they're dumping all the ...

I believe this is the fourth time Thalha Jubair has been arrested ...

Suspect arrested for M&S hack have been rearrested (again), ...

Marks and Spencer CTO leaves, CISO still in role. It’s ...

This isn't a dig at MS btw, as they're actually really ...

The status updates on Colt's website describing a ...

M&S still working on system recovery. ...

I understand the people released have not been charged.

The people arrested as part of the Co-op and M&S hack ...

Personally I think Co-op did a really good job getting out of ...

Co-op finally admitted the entire membership database was stolen ...

. @npub1vc3…axsh has broken the story that the key member (and ...

After almost 3 months, Marks and Spencer recruitment system came ...

If you ever doubted the link between Scattered Spider(tm) and ...

17 and two 19 year old teens picked up over Co-op and M&S ...

Marks and Spencer’s CEO says half of their online ordering is ...

One thing for media covering the Co-op thing - attackers are not ...

Contactless payment has been fixed at all Co-op Group stores.

It sounds like the situation at Co-op has got worse. They’ve ...

Co-op Group appear to be trying to course correct with their ...

One of the points of exploitation of large orgs is they usually ...

BBC News has a look at teenagers phoning helpdesks and pretending ...

The SignalNotSignal hack of US government is really big. Some ...

I’ve been using Recall for a few weeks now on my daily driver. ...

#NoName are back targeting UK councils. Same config as prior UK ...

Sky News quote a source in M&S head office saying Marks and ...

The third party version of Signal the White House has been using ...

Great NCSC piece by ...

A wrote a piece about paying ransoms does not equal quick ...

Sunday Times has a piece looking into ransomware incident at ...

Here's the ITV News report anyhoo, logline: "ITV News ...

There's a report on ITV News that Co-op member data is ...

By the way, this is absolutely terrible advice for dealing with a ...

One of M&S’ biggest suppliers have said they have reverted ...

Bleeping Computer have more on the Co-op breach ...

Pass the bong ...

Regarding IOCs around the UK retailer activity - there’s loads ...

New by me - breaking down the attacks on UK highstreet retailers ...

Co-op Group have now admitted a significant amount of member ...

The individuals operating under the DragonForce banner are using ...

I'm going to make this the new ongoing megathread for ...

DragonForce Ransomware Cartel are claiming credit for attacks on ...

in account.microsoft.com you can turn on passwordless, so your ...

what happens if you turn passwordless on with the account, does ...

Lord, feel sorry for the M&S CISO. He only arrived just over ...

I’m very tempted to take next week off work 😅 ...

Oblivion Remastered vs vanilla comparison ...

CVE extension to March 16th 2026 See y’all March 15th 2026 for ...

CVE extension by CISA = 11 months. ...

Now all we need is for Breachforums to get back online and the ...

CISA have, at the last minute, extended the MITRE CVE contract. ...

Another effort - https://gcve.eu/ Global CVE Allocation System

Looks like the US Government are going to lose control of CVE. ...

If you want to know how stupid the CVE situation is - CISA are ...

DOGE have terminated MITREs contracts, they say they will be ...

Just as an update to this - @npub1vc3…axsh has confirmed with ...

My take on the CVE contract issue for businesses: don’t ...

Also in both cases Oracle hasn’t filed an 8-K or told ...

To answer my own question up thread - from talking to people, the ...

Oracle were still trying to get SaaS solutions *they* manage off ...

Yeah, by legacy system Oracle mean ‘a system we manage housing ...

The Bloomberg article is paywall so here’s screenshots. ...

“The company informed customers that the system has not been in ...

We have an update. Reuters and Bloomberg confirm my blog, ...

100% on this one, seen all the time on real world incidents. ...

I should also point out there's a lot of infosec people at ...

Finally, if you want the raw incident data to analyse, Sophos has ...

Oracle were still trying to get SaaS solutions they manage off ...