OpenSecurity.global

Leaderboard


Popular Content

Showing content with the highest reputation since 10/22/2019 in all areas

  1. 1 point
    OSINT Tools collections:
    - Verification Toolset: https://start.me/p/ZGAzN7/verification-toolset
    - Mapping & Monitoring: https://start.me/p/7k4BnY/mapping-monitoring
    - Tools: https://start.me/p/Wrrzk0/tools
    - Search Engines: https://start.me/p/b56G5Q/search-engines
    - Social Media Dashboard: https://start.me/p/m6MbeM/social-media-intelligence-dashboard
    - Threat Intel, OSINT and malware investigation resources: https://start.me/p/rxRbpo/ti
    - AML Toolbox: https://start.me/p/rxeRqr/aml-toolbox
    - Technisette collection: https://start.me/p/wMdQMQ/tools
    - Ph055a collection: https://github.com/Ph055a/OSINT-Collection
  2. 1 point
    This got more clear with a blog later in the day. https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/
  3. 1 point
    Sadly PHP continues to show how not to write code, especially if you use it and don't want to give free shells to all. A couple of weeks ago, neex dropped a bug on the PHP sec bug list that detailed a rather ugly condition in fpm_main.c. This function assumes that the env_path_info has a prefix that equals that of the PHP script being called. Now usually we'd validate this, but no, this is where they failed to abide by dem rules and this led to an invalid pointer. Add a newline character and a skip, hop and a jump later and boom, RCE.

    A lot of people who use PHP-FPM have configs like

        try_files $uri $uri/ /index.php$is_args$args;

    and this is where the issue comes in. The code before the patch was

        path_info = env_path_info ? env_path_info + pilen - slen : NULL;
        tflag = (orig_path_info != path_info);

    That's pretty crap, you assume so much here and this is why it should have been

        path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
        tflag = path_info && (orig_path_info != path_info);

    Neex published his exploit yesterday after the PHP crew stopped arguing about how bad it was and made the patch, and I thought I'd build the exploit and see what we could do to detect it. Running it is simple once you have your Go environment up and running, and all it needs is a URL and PHP file. What I wanted to see was the URI sent, so rather than supply a legitimate resource, I opted for a non-existent one. As you can see, he is appending PHP%0Ais_the_shittiest_lang.php? and a load of Q's to the supplied URL. On the server side, you see

    So relatively easy to see and block in the original format, which most skids won't change. Here's a Cloudflare rule to block it

    Hope this is of some help to someone?
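    The post above shows the server-side indicator (a percent-encoded newline, %0A, injected into the request path) but the screenshots of the access log and the Cloudflare rule did not survive. The following is an added example, not code from the post or its author: a small log scanner that flags any request whose path carries a raw or percent-encoded CR/LF, which is the same indicator the post describes. The log lines are constructed for illustration and assume nginx "combined" format; the name is_suspicious_target and the hypothetical addresses are my own.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines in nginx "combined" format.
# The second line mirrors the URI shape described in the post (a non-existent
# .php resource with an encoded newline and padding appended); the other lines
# are ordinary traffic, including a literal-looking %0a that also deserves a flag.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Oct/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Oct/2019:10:01:03 +0000] "GET /doesnotexist.php/PHP%0Ais_the_shittiest_lang.php?QQQQQQQQQQQQQQQQQQQQ HTTP/1.1" 200 0 "-" "Go-http-client/1.1"
203.0.113.12 - - [25/Oct/2019:10:01:04 +0000] "GET /about/%0a HTTP/1.1" 404 162 "-" "curl/7.64.0"
203.0.113.13 - - [25/Oct/2019:10:01:05 +0000] "GET /static/app.js?v=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Parse the leading fields of a combined-format line: client IP, timestamp,
# and the request line (method, target, protocol) plus the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def is_suspicious_target(target: str) -> bool:
    """Return True if the request path contains a CR or LF, raw or
    percent-encoded (up to double-encoded, e.g. %250A).

    Only the path is inspected: a query string may legitimately carry an
    encoded newline (multi-line form fields), but a newline in the path has
    no valid use and is the trigger the post describes.
    """
    path = target.split("?", 1)[0]
    decoded = path
    for _ in range(2):  # unwrap one extra layer in case of double encoding
        decoded = unquote(decoded)
    return "\n" in decoded or "\r" in decoded


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per log line whose request path looks suspicious."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; not this scanner's concern
        if is_suspicious_target(m["target"]):
            hits.append(
                {"ip": m["ip"], "target": m["target"], "status": int(m["status"])}
            )
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['target']} ({hit['status']})")
```

    Run against a real access log the same way: read the file, feed it to scan_log, and review the hits. A 200 on a path that should not exist (as in the second sample line) is worth a closer look than a 404, but the newline itself is the indicator, so the scanner flags both.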
  4. 1 point
    I've just released a new video Matthew Haynes and I put together on exposed RDP servers on the net and how we are seeing people get ransomwared via an initial RDP brute force or cred stuffing vector. Hopefully people find this useful, it's our first collaborative video and was a blast to make!
  5. 1 point
    What solutions exist for dark web monitoring? Both commercial and open-source (regardless of cost). I'd like to monitor for threat detections that may exist in dark web oriented communities by searching for any mentions of a company's name in third-party data breach leaks, dark web search engines, dark web forums, and dark web marketplaces. Money is no issue.

    For data dumps + credentials (don't shame me for calling these 'dark web' oriented):
    - Have I Been Pwned API
    - WeLeakInfo API
    - DeHashed API
    - SnusBase API

    For general dark web forums and marketplaces, it seems that commercial solutions are the way to go:
    - DarkOwl
    - RecordedFuture (kind of)
    - Flashpoint-Intelligence as well

    I'd like to emphasize third-party commercial platforms that are capable of monitoring dark web forums, marketplaces, and ideally more community types that I did not mention. I haven't seen any discussions in security communities covering this, and this discussion will help some threat intelligence analysts and leaders somewhere in the world, surely. What other solutions exist for "dark web" monitoring, based around the topics discussed in this post? How does your company monitor for "dark web" threats? Let's get creative!
