Fran Donoso
I'm an infosec person who currently works as the CTO of a security services firm. Have done DevSecOps, Red Teaming, and reverse engineering. I reversed some of the tooling leaked by the Shadow Brokers and spoke about it publicly.
- Reposted by Fran Donoso: patch ye MongoDB, there's an exploit for a vuln which has been in the product for over a decade that allows the remote, unauth read of any memory - which includes plaintext creds. Somebody posted an exploit on Christmas Day, Merry Christmas! doublepulsar.com/merry-christ...
- Reposted by Fran Donoso: HARDEN YO' N8N - [CVSS 10.0 RCE] Remote Code Execution via Expression Injection m.cje.io/4qhl2JX cc: @networkchuck @danielmiessler @jhaddix
- I may have gone overboard on the Halloween goodies this year #halloween
- This report from @interseclab.bsky.social on how a Chinese company is exporting some of the capabilities of "The Great Wall of China" to other autocratic countries is INSANELY INTERESTING: interseclab.org/wp-content/u... *EVERY Page is worth reading* Some interesting tidbits in the thread
- From the report: "Cyber Narrator is a powerful tool capable of tracking network traffic at the individual customer level and can identify the geographic location of mobile subscribers in real time [..]. The system also allows the government client to see aggregated network traffic."
- "TSG is also capable of modifying HTTP sessions in realtime through techniques such as spoofing redirect responses, altering headers, injecting scripts, replacing text, and overriding response bodies."
- I encourage cybersecurity professionals to read this report to understand the type of capabilities that can be deployed against citizens at scale by autocratic regimes. Organizations designing products that support privacy should understand these capabilities and design to protect users from them.
- Plex was hacked. It included usernames, emails, and hashed passwords. Change your passwords when you can.
- Official (not my email) source, thanks @zunderscore.tv for the link: forums.plex.tv/t/important-...
- Reposted by Fran Donoso: #ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/7
- Reposted by Fran Donoso: SentinelOne and Beazley Security have discovered a new Windows infostealer used in the wild named PXA Stealer, most likely the work of a Vietnamese-speaking cybercrime group. www.sentinelone.com/labs/ghost-i... labs.beazley.security/articles/gho...
- I mean I’ve been urging people to toss their SonicWall devices into a shredder for years now 🤷🏻♂️
- SonicWall is urging customers to take some VPN devices offline after multiple security firms discovered a campaign of ransomware attacks over the last two weeks. SonicWall did not explain if the ransomware gangs are using a zero-day therecord.media/sonicwall-po...
- Our team collaborated with our friends at @sentinellabs.bsky.social to identify and disrupt a PXA infostealer campaign that has an intricate and complex delivery chain: labs.beazley.security/articles/gho... Thanks for the fantastic collab SentinelLabs team!
- Reposted by Fran Donoso: 👀 Update from @threatintel.microsoft.com: 'our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware' www.microsoft.com/en-us/securi... #Microsoft #SharePoint #cybersecurity #ransomware @gate15.bsky.social @ransomwaresommelier.com @ecrime.ch
- We’re actively seeing this exploitation as well. Here is my team’s advisory on this vulnerability: labs.beazley.security/advisories/B... If you have a publicly exposed SharePoint server, it's probably already compromised, so get ready to do some IR.
- Reposted by Fran Donoso: 🩸& #threatintel | We (GreyNoise) just published a quick note (www.greynoise.io/blo...) regarding CVE-2025-5777 - CitrixBleed 2 1/2
- Reposted by Fran Donoso: Two high-severity patches are coming to Node.js on Tuesday nodejs.org/en/blog/vuln...
- Reposted by Fran Donoso: Context: labs.watchtowr.com/pre-auth-sql...
- Worth turning on if you have AT&T. Other carriers (like T-mobile) have similar programs.
- Reposted by Fran Donoso: Need something positive to do in your life this week? If you don’t have a library card, go get one. Then learn about all the awesome things your local public library has to offer.
- This is related to ROP code exec on Switch 2
- Reposted by Fran Donoso: New, by me: Data broker giant LexisNexis has revealed that its risk solutions unit (think "know your customer," risk assessing, due diligence, and law enforcement assistance) was breached, affecting the personal data and Social Security numbers of at least 364,000 people.
- Reposted by Fran Donoso: Just the tip of the iceberg from this roll-your-own security protocol. We're about to usher in a golden age of Valhalla-level AI pwnage, and it'll be riding on the coattails of badly designed agents. invariantlabs.ai/blog/mcp-git...
- Reposted by Fran Donoso: By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections. My research, comprising ~70 Windows executables, found that all of them were vulnerable to this, to varying degrees. Here’s what I found and why it matters 👉 wietze.github.io/blog/bypassi...
- Reposted by Fran Donoso: Ubiquiti has released a security update for UniFi Protect Cameras to fix an RCE vulnerability with a severity score of 10/10 Oh boy... community.ui.com/releases/Sec...
- Reposted by Fran Donoso: New from 404 Media: the Signal clone the Trump administration uses was just hacked. TeleMessage makes a modified version of Signal that archives messages for government agencies, Waltz used it. A hacker got some users' messages, group chats. Hugely significant breach www.404media.co/the-signal-c...
- Reposted by Fran Donoso: 🧙 Want to join the team? 🧙 We’re on the hunt for volunteer DFIR analysts—with potential for paid opportunities! You’ll get a set of artifacts and a limited time to show us what you’ve got. 🔎 Follow us on socials—details drop soon!
- This is interesting. Good write-up here: www.stepsecurity.io/blog/harden-... The commit that backdoors this is bash that executes something that is base64-encoded, which is something that attempts to run a Python script to scrape memory on the runner for secrets (see attached image) 🧵 1/2
- Image referenced above is attached to this post. The GitHub action ultimately outputs a double base64-encoded value that is the secrets it was able to extract. See the second image for what this output looks like in GitHub Actions logs (I blacked out some of the output). 2/2
- Okay, 3rd (and last) post: someone in the linked GitHub issue noticed that all of the tags in the project have been pointed to the malicious commit. The malicious commit was made by a "renovate" bot - perhaps its creds were compromised? 3/2 github.com/tj-actions/c...
- Okay, I clearly lied about the number of posts in this thread lol. It doesn't look like the malicious commit is actually from the renovate bot. Commits made by the bot are signed. However, the malicious commit is not. Compare the following commits: github.com/tj-actions/c... github.com/tj-actions/c...
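The thread above names three things a defender can check for after a compromise like this: the double base64-encoded blob the backdoored action writes into the job log, all of a project's tags being repointed at one commit, and a commit that is unsigned where the bot that supposedly authored it always signs. The Python below is an added example written for this page, not code from the thread, from the action's maintainers, or from the linked write-up. It works on constructed sample data: the secret values, commit ids (`"a" * 40` and friends) and the action name `hypothetical-org/some-action` are all placeholders, and the log is a hand-made stand-in for real GitHub Actions output. The two git formats it parses (`git ls-remote --tags` and `git log --format='%H %G? %an'`) are real.

```python
import base64
import binascii
import re
from collections import Counter

# Base64 runs long enough to be worth decoding; short tokens are mostly noise.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ENV_KEY = re.compile(r"^([A-Z][A-Z0-9_]*)=", re.MULTILINE)


def _b64decode(text):
    """Strict base64 decode; None when the text is not valid base64."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def _printable(data):
    """Decode bytes as UTF-8 text, or None if they are binary/garbage."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def decode_double_base64(log_lines):
    """Return (line_no, env_keys, plaintext) for every token that decodes twice
    into printable text, the shape of output the thread describes."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        for tok in B64_TOKEN.findall(line):
            inner = _b64decode(tok)
            inner_text = _printable(inner) if inner else None
            if inner_text is None:
                continue
            plain = _b64decode(inner_text.strip())
            text = _printable(plain) if plain else None
            if text is None:
                continue
            hits.append((no, ENV_KEY.findall(text), text))
    return hits


def find_tag_collapse(ls_remote_output, min_share=0.5):
    """Parse `git ls-remote --tags` output; return {commit: [tags]} for any
    commit that at least min_share of all tags resolve to."""
    commit_of = {}
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        tag = ref.removeprefix("refs/tags/")
        # Annotated tags print twice: the tag object, then a "^{}" line with the
        # peeled commit. The peeled line comes second, so it wins here.
        if tag.endswith("^{}"):
            tag = tag[:-3]
        commit_of[tag] = sha
    total = len(commit_of)
    return {
        sha: sorted(t for t, s in commit_of.items() if s == sha)
        for sha, n in Counter(commit_of.values()).items()
        if total and n / total >= min_share
    }


def unsigned_from_signing_authors(git_log_output):
    """Parse `git log --format='%H %G? %an'` output; return commits with no
    signature (%G? == N) whose author signs other commits in the same log."""
    rows = [line.split(" ", 2) for line in git_log_output.splitlines() if line.strip()]
    signers = {author for _, status, author in rows if status in ("G", "U")}
    return [sha for sha, status, author in rows if status == "N" and author in signers]


# Constructed sample data: fake commit ids, fake secret values, hypothetical action name.
MALICIOUS, OLD, TAG_OBJ = "a" * 40, "b" * 40, "c" * 40
SAMPLE_SECRETS = "GITHUB_TOKEN=ghp_fakeSampleValue000\nNPM_TOKEN=npm_fakeSampleValue111\n"
SAMPLE_BLOB = base64.b64encode(base64.b64encode(SAMPLE_SECRETS.encode())).decode()
SAMPLE_LOG = [
    "##[group]Run hypothetical-org/some-action@v2",
    "Changed files: README.md",
    SAMPLE_BLOB,
    "##[endgroup]",
]
SAMPLE_LS_REMOTE = "\n".join([
    f"{OLD}\trefs/tags/v0.9.0",
    f"{MALICIOUS}\trefs/tags/v1",
    f"{MALICIOUS}\trefs/tags/v1.2.0",
    f"{MALICIOUS}\trefs/tags/v2",
    f"{TAG_OBJ}\trefs/tags/v2.0.0",
    f"{MALICIOUS}\trefs/tags/v2.0.0^{{}}",
])
SAMPLE_GIT_LOG = "\n".join([
    f"{MALICIOUS} N renovate[bot]",
    f"{OLD} G renovate[bot]",
    f"{'d' * 40} N some-human",
])

if __name__ == "__main__":
    for no, keys, _ in decode_double_base64(SAMPLE_LOG):
        print(f"log line {no}: double-base64 blob exposing {keys}")
    print("tags collapsed onto one commit:", find_tag_collapse(SAMPLE_LS_REMOTE))
    print("unsigned commits by signing authors:", unsigned_from_signing_authors(SAMPLE_GIT_LOG))
```

The decoder deliberately requires both layers to come out as printable text, so a single-encoded artifact such as a base64 checksum or a PEM body is not reported; the tag check treats the peeled `^{}` line of an annotated tag as authoritative, since that is the commit a workflow pinned to the tag actually runs. `%G?` only tells you whether a signature exists and verifies against keys git can see, so feed it a log from a machine that has the bot's public key imported, or the "G" rows will show up as "E" instead.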
- Reposted by Fran Donoso: Wrote up something about Techdirt's recent coverage, and why (whether we like it or not) we need to be a "democracy blog" now, rather than just a "tech" blog (not that we've ever been just a tech blog). This story is *the* story and it impacts everything else. www.techdirt.com/2025/03/04/w...
- Reposted by Fran Donoso: China's Salt Typhoon hackers are still breaching telecom networks worldwide, including two in the US in Dec-Jan, says Recorded Future. Lately they're exploiting Cisco devices with unpatched 2023 bugs and seem undeterred by high profile exposure and sanctions. www.wired.com/story/chinas...
- Reposted by Fran Donoso: NEW: Security patch for Apple iPhones and iPads fixes an "actively exploited" flaw that allows law enforcement to unlock your device. Install it right now.
- Reposted by Fran Donoso: The new book Chasing Shadows by Ron Deibert, founder and leader of Citizen Lab, reads like an adventure in telling how he wove security expertise, human rights activism and political savvy together to expose government malfeasance and save a generation of heroes from arrest and murder. Five stars.
- The last few weeks have made me proud to be a subscriber of @wired.com and have solidified my desire to remain subscribed for the foreseeable future. Great work keeping us informed about the craziness that is happening.
- I’ve updated the cybersec feed to temporarily remove “social engineering” due to that language showing up in a recent Executive Order and causing the feed to fill up with non infosec stuff.
- This was a great talk! Worth a watch for sure
- LABScon24 Replay | The Ransomware Trust Paradox - SentinelOne www.sentinelone.com/labs/labscon...
- Reposted by Fran Donoso: QiAnXin's XLab found "Glutton," a new PHP backdoor likely from Winnti (APT41). Active since 2023, it targets multiple countries (China, US, etc.), using a modular design for stealth and potentially exploiting the cybercrime market. #GluttonBackdoor
- Reposted by Fran Donoso: Cleo Harmony, VLTrader, and LexiCom - RCE via Arbitrary File Write (CVE-2024-50623) labs.watchtowr.com/cleo-cve-202...
- Reposted by Fran Donoso: Pro tip for bad guys: do not, in your efforts to evade detection, give @nixonnixoff.bsky.social an extra strong motivation to hunt you down and peel the layers of your opsec back like an onion, because she will fucking do it www.therecord.com/news/waterlo...
- Reposted by Fran Donoso: MSTIC is hiring! Current roles in US and AU. The Microsoft Threat Intelligence Center (MSTIC) is recruiting experienced nation-state threat hunters with highly honed threat intel analysis skills. MSTIC is responsible for delivering timely threat intelligence across our product & services teams.
- Reposted by Fran Donoso: AWS launches an incident response service to combat cybersecurity threats
- Interesting discussion in this thread.
- Reposted by Fran Donoso: Time to update your 7-zip install to avoid this remote code execution vulnerability in ZSTD decompression www.zerodayinitiative.com/advisories/Z...
- Reposted by Fran Donoso: A ransomware attack has disrupted a third-party software system that Starbucks uses to track and manage its baristas’ schedules, forcing the coffee chain to shift to manual mode to ensure its employees get paid properly, a Starbucks spokesperson said.
- Great research from the Volexity team into how a Russian APT weaponized some Wi-Fi access points close to their target to ultimately pivot into target networks. www.volexity.com/blog/2024/11...
- Reposted by Fran Donoso: 🚨 New Research Drop: 🇰🇵 DPRK IT Workers | A Network of Active Front Companies and Their Links to China Summary: ⚪ Newly Disrupted Front Companies by USG ⚪ Impersonating US based software and tech orgs ⚪ Links to still-active front orgs, CN association Report: www.sentinelone.com/labs/dprk-it...
- Reposted by Fran Donoso: RIP "Within this assessment, the red team (also referred to as ‘the team’) gained initial access through a web shell left from a third party’s previous security assessment." www.cisa.gov/news-events/...
- Anyone else on #Mac experiencing notification delays with Apple “Intelligence”? Even with “Notification Summaries” OFF, enabling Apple Intelligence causes a noticeable multi-second delay for notifications (e.g., Slack messages) to show up after they’re sent. WTF?