Nostr notes by Brian Clark

unless you live in or do business in Russia, this is not likely ...

2026-02-10T00:29:27Z

In reply to nevent1q…kwhz
_________________________

unless you live in or do business in Russia, this is not likely to affect you. This issue is about risk to you and your users. Security is always about tradeoffs, and for most people in the West, this tradeoff is a no-brainer.

you probably don’t want any files torrented out of Russia. 😬

2026-02-10T00:27:15Z

In reply to nevent1q…6d2c
_________________________

you probably don’t want any files torrented out of Russia. 😬

RE: https://infosec.exchange/@spamhaus/116013190680647542 Folks: ...

2026-02-05T23:48:44Z

RE: https://infosec.exchange/@spamhaus/116013190680647542

Folks: block the .ru TLD any and all ways that you can. #cybersecurity

quoting
note1zfn…wtl9

.ru serious? 🇷🇺 ccTLD .ru had an unbelievable +3741% ⏫ in #botnet C&C domains, placing it #1 for the most abused ccTLD in the latter half of 2025. This activity can be attributed almost entirely to #clearfake, a malicious JavaScript framework.

Learn more in the Botnet Threat Update Jul - Dec 2025 ⤵️ ⤵️
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/

#ccTLD #BotnetCC #ThreatIntel

Nostr event nevent1qqs9vgqhr2ndmgew57vfmvj5tpp4xy356luzwfvd7cxdmtjrqhlgnlqzyrvqzjsm4nu8vk2gkqzuz9h8hj992p6ctdqnwm6gkxj33l94hf0sghrwg5h

2026-01-19T02:43:24Z

JAW DROPPING. That was a Nintendo Tecmo Bowl play! #BEARS #nfl

tl;dr Block these domains and you’ll have broken several links ...

2026-01-07T23:30:57Z

tl;dr Block these domains and you’ll have broken several links in this attack’s kill chain:

Webhook[.]site
My-board[.]org
ngrok-free[.]app
rf[.]gd

If you followed B'ad Samurai :ifin: (npub1ctt…3ll8) ‘s advice and used his block lists, you’d have already blocked a couple of them.

https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting #cybersecurity

you ever look at Thuma? They have nice furniture made of real ...

2026-01-06T13:45:12Z

In reply to nevent1q…sehs
_________________________

you ever look at Thuma? They have nice furniture made of real wood. https://www.thuma.co

you sure they are not just blocking your scanner?

2025-11-25T22:49:25Z

In reply to nevent1q…fyv8
_________________________

you sure they are not just blocking your scanner?

thank you for sharing your knowledge and experience with us. ...

2025-11-25T03:42:05Z

In reply to nevent1q…a0x8
_________________________

thank you for sharing your knowledge and experience with us. I’ve learned a lot from you over the decade or so I’ve followed you.

it doesn’t appear that the csv files themselves are accessible. ...

2025-11-24T16:57:28Z

In reply to nevent1q…mnlx
_________________________

it doesn’t appear that the csv files themselves are accessible. Just the listing. Or at least that’s the behavior I’m seeing right now. You seeing anything different?

just apply the policy blocking those exe’s after initial ...

2025-11-13T13:49:51Z

In reply to nevent1q…hhg4
_________________________

just apply the policy blocking those exe’s after initial deployment

hasn’t had a significant impact in my environment. But I ...

2025-11-13T02:20:02Z

In reply to nevent1q…fffx
_________________________

hasn’t had a significant impact in my environment. But I imagine it depends on how much old software you have hanging around.

you absolutely should block the execution of mshta.exe. It will ...

2025-11-13T01:51:23Z

In reply to nevent1q…edne
_________________________

you absolutely should block the execution of mshta.exe. It will only block some of the ClickFix attacks, but block some other techniques too. Mshta.exe is an attacker favorite.

While you are at it, block cscript.exe and wscript.exe too.

I’m glad you are here. 🙂

2025-11-04T02:52:45Z

In reply to nevent1q…9rpq
_________________________

I’m glad you are here. 🙂

Steven Lim has written a Microsoft KQL detection for EDR Freeze ...

2025-09-23T22:19:53Z

In reply to nevent1q…u2cx
_________________________

Steven Lim has written a Microsoft KQL detection for EDR Freeze and made it available here:

https://detections.ai/share/rule/cicyA1JW

Zensec has a good article on the Akira ransomware group's ...

2025-09-21T22:48:32Z

Zensec has a good article on the Akira ransomware group's tactics taken directly from their DFIR experience on 16+ incidents. A few key take-aways:

- Initial Access: Please, please please patch your Internet-facing VPN and firewall devices including your Sonicwall, Cisco ASA and Watchguard devices.
- Patch our Veeam software. They used vulnerable Veeam installs to perform privilege escalation
- Block access to Anydesk.com and remotedesktop.google.com if you don't use those services

#cybersecurity #ransomware
https://zensec.co.uk/blog/unmasking-akira-the-ransomware-tactics-you-cant-afford-to-ignore/

oh boy, I thought I had run out of stupidity for the day

2025-09-11T22:49:55Z

In reply to nevent1q…l53j
_________________________

oh boy, I thought I had run out of stupidity for the day

song is giving me Avril Lavigne vibes

2025-09-03T23:02:55Z

In reply to nevent1q…jsz5
_________________________

song is giving me Avril Lavigne vibes

I do t really know why, but I never watched B5 despite being a ...

2025-08-24T16:38:09Z

In reply to nevent1q…x3aj
_________________________

I do t really know why, but I never watched B5 despite being a sci-fi fan and watching all the Star Trek series. Is B5 worth watching now? Does it hold up?

I’m worried that they got documentation on their customer ...

2025-08-20T12:51:14Z

In reply to nevent1q…053c
_________________________

I’m worried that they got documentation on their customer network and router configurations. That could open up a lot of new attack paths.

love it!

2025-08-20T00:16:31Z

In reply to nevent1q…4tqz
_________________________

love it!

cool event ...

2025-08-10T17:18:05Z

In reply to nevent1q…rzlr
_________________________

cool event

Hello #DEFCON33 ...

2025-08-08T17:53:49Z

Hello #DEFCON33

it’s uncanny how much she looks like Taylor.

2025-08-03T19:59:08Z

In reply to nevent1q…69d3
_________________________

it’s uncanny how much she looks like Taylor.

<sigh> sold out

2025-07-13T19:46:49Z

In reply to nevent1q…qhvj
_________________________

<sigh> sold out

Doritos and cannabis is a winning combination if there ever was ...

2025-07-07T01:15:36Z

In reply to nevent1q…4jza
_________________________

Doritos and cannabis is a winning combination if there ever was one

is this a sub-toot?

2025-07-07T01:14:54Z

In reply to nevent1q…905u
_________________________

is this a sub-toot?

can confirm. I’ve got two of these.

2025-07-04T21:24:32Z

In reply to nevent1q…kw79
_________________________

can confirm. I’ve got two of these.

Please raise your hand if you've disabled PowerShell 2.0 on ...

2025-06-23T01:45:36Z

Please raise your hand if you've disabled PowerShell 2.0 on your Windows systems. What? Didn't know that was a thing you should do? PowerShell 2.0 does not have any of the modern logging and security features that newer versions like v5.1 or 7.x have. But if you don't remove or disable the old 2.0 version, it can be used and abused by malware, info stealers, ransomware operators, etc. Here's an article that provides you with several ways to remove it from you systems (while keeping the newer version in place) #cybersecurity

https://powershellcommands.com/disable-powershell-20

For this edition of #caturday I present a #cat and his stuffy toy ...

2025-05-31T14:44:06Z

For this edition of #caturday I present a #cat and his stuffy toy cat buddy. Which one is the real cat? 😉
#catsofmastodon

I can barely comprehend the awesomeness of her sparkly emerald ...

2025-05-28T01:00:31Z

In reply to nevent1q…l89n
_________________________

I can barely comprehend the awesomeness of her sparkly emerald green dress!

<sigh> yes, this is true. Will be made worse after all the ...

2025-05-14T12:39:27Z

In reply to nevent1q…ta87
_________________________

<sigh> yes, this is true. Will be made worse after all the cuts to social services like Medicare and Medicaid the Republicans are putting in.

I assume this doesn’t work if Tamper Protection is enabled?

2025-05-08T22:54:52Z

In reply to nevent1q…slzp
_________________________

I assume this doesn’t work if Tamper Protection is enabled?

Hey @npub1dqd…8xy4 is your website down? I cannot get to ...

2025-05-04T22:39:38Z

Hey DEF CON (npub1dqd…8xy4) is your website down? I cannot get to https://defcon.org

I’m just glad the feature is off by default on managed systems ...

2025-04-28T22:19:20Z

In reply to nevent1q…ld6q
_________________________

I’m just glad the feature is off by default on managed systems and you have to have an admin specifically allow it to be enabled by an end user.

I didn’t realize this part. It won’t show up in MDE logs?

2025-04-17T21:55:37Z

In reply to nevent1q…j54v
_________________________

I didn’t realize this part. It won’t show up in MDE logs?

Sekoia has a good report out on Interlock ransomware. One thing ...

2025-04-17T13:02:47Z

Sekoia has a good report out on Interlock ransomware. One thing that jumped out at me is the continued abuse of Cloudflare’s free trycloudflare[.]com service. This domain should be blocked if you want to avoid ransomware as this isn’t the only group using this service for C2 and remote access. If your developers need this kind of functionality, you should have them sign up for the inexpensive paid version of the service that allows for the use of your own custom domain name. #cybersecurity

From: [@sekoia_io](https://infosec.exchange/@sekoia_io )
https://infosec.exchange/@sekoia_io/114346873677895469

Security Firm @npub1xrh…fkxn published another report, this one ...

2025-04-17T01:08:09Z

Security Firm Sophos X-Ops (npub1xrh…fkxn) published another report, this one on incidents at small and medium-sized businesses by Sean Gallagher :verified: 🐀 :donor: (npub1557…mf0x) and Anna Szalay. One of the things I always look for in these reports are easy #cybersecurity wins -- and this report has a bunch of them.

First off - take a look at this chart: Top 15 dual-use tools. Imagine the pain you can cause threat actors by blocking the use of these tools and disrupting their playbooks!

dark

2025-03-20T12:22:33Z

In reply to nevent1q…wstm
_________________________

dark

The free service from portmap.io is being abused to support ...

2025-03-15T18:58:32Z

The free service from portmap.io is being abused to support malware C2 communications. If you don’t use it, I suggest blocking *.portmap.io via DNS, NGFW and/or web proxy.

#cybersecurity #threatintel

From: ScumBots (npub1vcn…s5ug)
https://infosec.exchange/@ScumBots/114167879065509347

I’ve never heard of the MSP-focused bluetrait.io but add it to ...

2025-03-13T02:40:59Z

I’ve never heard of the MSP-focused bluetrait.io but add it to the list of legitimate services that get abused. If you don’t use this RMM service, I suggest blocking it via DNS, NGFW or Web security proxy. #cybersecurity

From: Threat Insight (npub1n2h…4lsk)
https://infosec.exchange/@threatinsight/114144688263847941

There’s been a #Microsoft #outage going on all day today ...

2025-03-01T22:54:30Z

There’s been a #Microsoft #outage going on all day today resulting in email and other M365 services including Teams being unavailable. Microsoft says they’ve rolled back the code change that caused the problem so things should start working again soon. Check on MO1020913 in the Microsoft Admin Portal for details.

I’m glad you are here!

2025-02-18T05:00:35Z

In reply to nevent1q…mvnc
_________________________

I’m glad you are here!

so this is a post about Telegram, but i also advocate for ...

2025-02-16T23:55:32Z

In reply to nevent1q…px3f
_________________________

so this is a post about Telegram, but i also advocate for blocking entire categories of apps, such as messengers and chat apps, and only allowing those that are vetted and approved in your org. The only way you can effectively do that is with a tool that keeps track of those apps for you, such as Netskope, Zscaler, an NGFW or maybe a DNS-based service like Cisco Umbrella.

Also, I’d add that blocking an app in your environment that has ...

2025-02-16T23:30:08Z

In reply to nevent1q…6jct
_________________________

Also, I’d add that blocking an app in your environment that has more than a few users requires communicating with those users beforehand. Doesn’t seem like that happened in your case.

If you help maintain #cybersecurity on a business network you ...

2025-02-16T19:23:37Z

If you help maintain #cybersecurity on a business network you should absolutely block Telegram—there’s nothing good there. If you have a web security proxy like Netskope or Zscaler, or an NGFW, block it there. You can also block it via DNS. Blocking these domains should do the job:

telegram.me
telegram.org
t.me
cdn-telegram.org
telegram-cdn.org

From: Christoffer S. (npub1nfc…yzp9)
https://swecyb.com/@nopatience/114009822145442393

If you can completely disable device code flows using Conditional ...

2025-02-16T19:08:06Z

If you can completely disable device code flows using Conditional Access, you should do so. If you cannot, at least limit which user IDs can use them. If you allow any users to use device code flows, use the #KQL provided to hunt for abuse.

#cybersecurity #microsoft

From: [@fabian_bader](https://infosec.exchange/@fabian_bader )
https://infosec.exchange/@fabian_bader/114013896376345681

This tactic of sending unsolicited messages and calls via Teams ...

2025-01-21T19:36:22Z

This tactic of sending unsolicited messages and calls via Teams has an easy solution—only allow specific external domains to communicate with your end users. Review your Teams logs, see which domains your users are communicating with, add them to the allow list and enable the control. Make your end users open up a support ticket for future domain adds so you can vet them.

Forget about Zero Trust and apply best practice security configurations. Let the marketing people and the CISO worry about whether something is “zero trust” or not. #Cybersecurity

Microsoft docs:
https://learn.microsoft.com/en-us/microsoft-365/solutions/trusted-vendor-onboarding?view=o365-worldwide#allow-the-vendors-domain-in-teams-external-access

From: Not Simon 🐐 (npub14g0…znd6)
https://infosec.exchange/@screaminggoat/113867636525001029

I’m glad you still do these write-ups!

2025-01-14T23:49:04Z

In reply to nevent1q…xyl9
_________________________

I’m glad you still do these write-ups!

My daughter put a sweater on the #cat and now he looks like a Dr. ...

2024-12-08T01:50:35Z

My daughter put a sweater on the #cat and now he looks like a Dr. Seuss character #caturday #catsofmastodon

they just went GA (for Microsoft anyway) last month. Who’s ...

2024-12-05T23:18:30Z

In reply to nevent1q…mykl
_________________________

they just went GA (for Microsoft anyway) last month. Who’s going to widely deploy something from Microsoft that’s not GA?

“The Man from Earth” is an underrated movie. Hard to believe ...

2024-12-04T03:08:40Z

In reply to nevent1q…paka
_________________________

“The Man from Earth” is an underrated movie. Hard to believe it is so good when it’s really just a bunch of people talking for almost two hours.

no interest was ever shown where I am — until Copilot PC’s ...

2024-12-04T00:40:48Z

In reply to nevent1q…3rzm
_________________________

no interest was ever shown where I am — until Copilot PC’s were promoted by Microsoft. Now we have some interest.

it’s faithful to the book too. The author was the show runner.

2024-11-23T19:35:44Z

In reply to nevent1q…g67t
_________________________

it’s faithful to the book too. The author was the show runner.

I love nerd insults!

2024-11-22T22:49:21Z

In reply to nevent1q…p3l9
_________________________

I love nerd insults!

aren’t all forward web proxies identity-aware these days?

2024-11-18T23:54:49Z

In reply to nevent1q…5mra
_________________________

aren’t all forward web proxies identity-aware these days?

that hurricane is TIGHT!

2024-10-08T02:56:04Z

In reply to nevent1q…e7pm
_________________________

that hurricane is TIGHT!

This #cat is well-snuggled #caturday #catsofmastodon ...

2024-10-05T21:51:45Z

This #cat is well-snuggled #caturday #catsofmastodon