CIRCL (Twitter feed) @circl@mastodon.opencloud.lu

Monitoring plugin for the Exchange Server? We remember some cases where external components in Microsoft Exchange could lead to serious issues.

lol

so everyone can run their own too.

which can be used by any tools for expansion such as Cortex analyzer, MISP modules or alike.

Nice catch! It should be fixed. Thanks for the feedback.

We can add it in the CIRCL OSINT feed but is this TLP:WHITE?

We are doing some maintenance on LookyLoo and BGP Ranking services. So you might experience some disruptions. Sorry for the inconveniences.

You found something useful in the Microsoft description? ;-)

to a new infrastructure. If you have any firewall rules or access-list, don't forget to update those.

also look to CD71D5A969C2AA32BE7BC9D01B0D163F and 0EF603B5E887FEBFADF6B44EC31FD319

)

Especially when information is gathered from a community and without telling that the final outcome is a legal procedure while doing the take-down at the same time.

I would not take the "operation b54" as best practices for botnet take-down.

Which might explain the various AWS entries which use the same software stack (similar TLS handshake).

)

Thanks a lot for the sharing. We added it in the OSINT feed. There are some very old CD "54.174.1[.]56" which was seen as CobaltStrike in an incident in February 2019. Do you know the last-seen of this one?

Long lasting one... interesting.

We hope it will be recorded. We are sure that you'll contribute.

So let's recap recent ransomware attacks origin:

- vulnerable assets exposed to the internet compromised because unpatched
- compromised VPN account without MFA
- compromised workstations by third party malware (emotet / bazar...)

Reminder: no 0-day, no mystery just that !

Thanks for sharing. Just be sure about the naming, is it still vidar?