Part 2 is live ๐
Followed the Ethereum wallet trail and found 4 more contracts, 2 live C2 domains, and a Russian comment in the source code.
The operator is actively iterating. The blockchain is forever.
https://t.co/wD03cSEolh
#ThreatIntel#Remus#EtherHiding#CTI#DFIR
@VECERTRadar Thanks for the update.
The Belgian centre for Cybersecurity published a bulletin about a month ago about active exploitation of a CVE affecting Joomla CMS. Could that be the entry point?
https://t.co/6NQ45WQ2eQ
Blocking is one aspect but how about getting more context out of it? Grab cert information, subject fields, before-after expiration dates, check for lookalikes or similar domains based on content header/hashes, passive DNS analysis, fingerprinting etc. From there create detection rules instead of just blocking an indicator in your DB that will (or should) expire soon.
๐New blog: C2 in the Ether
๐https://t.co/O2LwIA9mpu
Remus infostealer hides its C2 inside an Ethereum smart contract. The malware calls it at runtime, decodes the response, connects to its C2.
The immutability that makes blockchain C2 resilient is the same property that makes it permanently auditable. The attacker can't erase their history.
#ThreatIntel #Malware #EtherHiding #Remus #CTI
@Proton_Pass Nice breakdown here
https://t.co/p8VmyN8qIB
Haven't changed the validity of data on all countries but the results for NL are pretty accurate.
@loezzieloes You can use https://t.co/lb3zWYCrhR to see if your email is in the data.
If it's there, then your personal info that you provided when registering a number with Odido will be in the database.
๐ข Digging deeper in the Odido breach and it's worse than I thought. This is huge.
โน๏ธ The Saleforce DB contains 14 categaories and 335 data fields including:
- Full names, birthdates, gender, nationality, and government ID numbers
- Bank account numbers (IBANs), payment methods, billing scenarios
- Phone numbers, email addresses, fax numbers
- Full residential addresses including street, city, postal code, country
- Customer value scores, segments, brands, VIP status, churn risk
- Chamber of Commerce numbers, tax IDs, company details and more
Since Odido has not disclosed the full scope to its customers, I created an interactive catalog of all the fields found in the database.
You can view the categories and data fields below ๐
๐ https://t.co/prqF4GN3mM
To be clear, this is a static page showing only field names. No personal data is or will be shared โ the page is not connected to the actual database.
#odido #shinyhunters #databreach #netherlands #infosec