snabelen.no is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Norwegian home for the decentralised microblogging platform.

#CTI

12 posts, 5 participants, 0 posts today
Continued thread

Looking back at the YouTube account (archived here: archive.is/n9xEA#selection-358) we see additional social account details in the description of a recent video:

Mis redes:
Twitter: twitter.com/GermanRaul10

Instagram: instagram.com/german_t01/

Correo: shadowgamer5628@gmail.com
Skype: ShaDow Grt
Discord: ShaDowGRT #4582

This also confirms the Gmail account originally seen in the git commit is indeed related to this person.

(6/???)

Continued thread

The GHunt output provides us with a few good leads. First, it confirms that it's a valid Gmail account. Second, it provides links to the TA's Google Maps reviews.

grey@thruntmachine:~$ ghunt email shadowgamer5628@gmail.com

By: mxrch (🐦 @mxrchreborn)
Support my work on GitHub Sponsors ! 💖

> GHunt 2.3.3 (🕷 Spider Edition) <

🎉 You are up to date !

[+] Stored session loaded !
[+] Authenticated !

🙋 Google Account data

[+] Custom profile picture !
=> lh3.googleusercontent.com/a-/A

[-] Default cover picture

Last profile edit : 2025/05/05 09:34:18 (UTC)

Email : shadowgamer5628@gmail.com
Gaia ID : 112604768676644210605

User types :
- GOOGLE_USER (The user is a Google user.)

📞 Google Chat Extended Data

Entity Type : PERSON
Customer ID : Not found.

🌐 Google Plus Extended Data

Entreprise User : False

🎮 Play Games data

[+] New token for playgames has been generated

[-] No player profile found.

🗺 Maps data

Profile page : google.com/maps/contrib/112604

[Statistics]
Ratings : 6

[-] Reviews are private.

🗓 Calendar data

[-] No public Google Calendar.

(2/???)

Continued thread

One of the best indicators Censys found for attribution is the email address accidentally left in a git commit:

% git log
commit fa480e80bc5b9e154fad138ef47191032e7ba4dd (HEAD -> main, origin/main, origin/HEAD)
Author: Shadow GRT <shadowgamer5628@gmail.com>
Date: Wed May 7 15:51:15 2025 +0000

Given this is a Gmail address, the first tool we should immediately use is GHunt (github.com/mxrch/GHunt).

(1/???)


New release: FlowIntel 1.6.0 — an open-source case management tool — now with extended support for importing MISP events as cases, a timeline view for attributes, a new templating system for notes, and many other new features!

🔗 github.com/flowintel/flowintel

@misp @circl

#opensource #threatintel #dfir #cti #misp #flowintel

Thanks to @davcru for the continuous work on the project and all the new contributors.

MISP 2.4.211 & 2.5.13 Released - A Double Dose of Security, Search, and Stability.

These releases are packed with critical security patches, a major overhaul of the search functionality, and a host of improvements and bug fixes to enhance your threat intelligence experience.

#opensource #threatintelligence #threatintel #cti

🔗 misp-project.org/2025/06/06/mi


I haven't posted here in ages so... Please share, this is the start of my book on CTI, which I'm releasing as a series of articles because it took too long. However, it's also a CTF, as over time you need to unlock content through challenges. I hope you enjoy it. #CTI #infosec Parts 1 and 2 included here.

cybersecstu.medium.com/my-book

medium.com/@cybersecstu/my-boo


Eyes up. HackRead pulled together a fresh list of OSINT tools making waves in 2025.

FBI Watchdog — tracks domain seizures as they happen
VenariX — scrapes ransomware chatter from the dark
Telegago — digs through Telegram groups, trends, sentiment

Not the usual suspects. Worth a look.

hackread.com/2025-top-osint-to

2025’s Top OSINT Tools: A Fresh Take on Open-Source Intel

Okta has published a decent repository of custom detection and hunting queries for your Okta tenant. I highly recommend taking a look and considering implementation, bearing in mind the likelihood of false positives.

I also recommend monitoring for any user enabling impersonation access for support cases. This allows Okta engineers into your tenant, and threat actors will abuse this to pivot. Any attempts to turn this on should be audited to ensure it aligns with remote troubleshooting with Okta engineers.

Finally, audit any Okta admins who run reports from the admin portal. Threat actors love these reports to identify org MFA policies, password health, and admin role assignments.

sec.okta.com/articles/2025/05/

support.okta.com/help/s/articl

help.okta.com/en-us/content/to

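One way to put the impersonation advice in the post above into a triage script (an added example, not code from the post or from Okta's detection catalog): every successful `user.session.impersonation.grant` is surfaced for audit, and any `user.session.impersonation.initiate` that is not preceded by a grant within a 24-hour window is flagged as anomalous. The two event type names are real Okta System Log types; the log entries, the actor identities and the 24-hour window are constructed assumptions.

```python
"""Triage Okta System Log events for Okta Support impersonation activity.
Added example; event type names are real Okta System Log types, the sample
events and the GRANT_WINDOW value are constructed assumptions."""
from datetime import datetime, timedelta

GRANT = "user.session.impersonation.grant"        # org admin opened the tenant to Okta Support
INITIATE = "user.session.impersonation.initiate"  # Okta Support actually started a session
GRANT_WINDOW = timedelta(hours=24)  # assumption: a grant older than this should not still be used

# Constructed sample events in Okta System Log shape (trimmed to the fields used here).
SAMPLE_LOG = [
    {"eventType": GRANT, "published": "2025-06-10T09:00:00.000Z",
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "outcome": {"result": "SUCCESS"}},
    {"eventType": INITIATE, "published": "2025-06-10T10:15:00.000Z",
     "actor": {"alternateId": "support@example.okta", "type": "User"},
     "outcome": {"result": "SUCCESS"}},
    {"eventType": INITIATE, "published": "2025-06-12T03:40:00.000Z",   # 42h after the grant
     "actor": {"alternateId": "support@example.okta", "type": "User"},
     "outcome": {"result": "SUCCESS"}},
]


def parse_ts(value):
    """Okta publishes timestamps as ISO 8601 UTC with milliseconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def triage_impersonation(events):
    """Return (grants_to_audit, initiations_without_recent_grant).

    Each entry is a (published, actor_alternateId) tuple. Every successful grant
    is returned so it can be matched against an open support case; an initiate
    with no grant inside GRANT_WINDOW is returned as an anomaly.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["published"]))
    grants, orphans = [], []
    last_grant = None
    for event in ordered:
        if event.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts are still worth logging, but not correlated here
        when = parse_ts(event["published"])
        who = event["actor"]["alternateId"]
        if event["eventType"] == GRANT:
            last_grant = when
            grants.append((event["published"], who))
        elif event["eventType"] == INITIATE:
            if last_grant is None or when - last_grant > GRANT_WINDOW:
                orphans.append((event["published"], who))
    return grants, orphans
```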
Continued thread

As the image shows, we see that inside the results, many actors are classified as benign, which confirms that although the exploit is dangerous, the actual campaign is not. This level of enrichment provided by CrowdSec CTI helps security teams prioritize alerts, and IPDEX supports this workflow, allowing analysts to filter out harmless campaigns such as the one by the Shadowserver Foundation. You can also add a filter within IPDEX to remove those benign actors and filter on the date of last activity.

You can get started with IPDEX by heading over to the CrowdSec GitHub 👉 github.com/crowdsecurity/ipdex

🧵[2/2]

🚨 Spike in Fortinet CVE-2024-55591 exploitation attempts over the past week 👇

The #CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2024-55591, a Fortinet vulnerability that affects FortiWAN versions before 5.3.2. First seen on April 23rd, the CrowdSec Network still sees elevated levels of probing and exploitation.

ℹ️ About the exploit:
This flaw allows remote attackers to perform unauthenticated command injection on exposed FortiWAN instances. This vulnerability affects FortiWAN versions prior to 5.3.2. It enables attackers to execute arbitrary commands via crafted HTTP requests — no authentication required.

🔎 Trend analysis:
🔹 April 23rd: The CrowdSec Network detects a shift in the long-term trend of CVE-2024-55591 exploits.
🔹 April 23rd - April 28th: Activity increases rapidly from 30 to about 80 malicious IPs reported daily, producing over 400 distinct attack events.
🔹 April 29 - May 2nd: The attackers take a break. This provides a key point of insight into the nature of this attack campaign.
🔹 May 3rd - May 19th: The attack picks back up with increased intensity. It now originates from around 200 unique IP addresses per day and produces about 900 attack events per day.
🔹 May 19th: The CrowdSec Network still sees elevated levels of probing and exploitation attempts.

✅ How to protect your systems:
🔹 You can use CrowdSec’s open CTI search bar and blocklists to stay ahead of the curve. app.crowdsec.net/cti?q=cves%3A
🔹 Alternatively, you can use CrowdSec’s newest tool, IPDEX, to build instant reports for this particular CVE and explore the data CrowdSec has aggregated. crowdsec.net/blog/introducing-

For more information, visit 👉 crowdsec.net 🧵[1/2]