UK Arrests Four in ‘Scattered Spider’ Ransom Group

Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “Scattered Spider,” whose other recent victims include multiple airlines.

The U.K.’s National Crime Agency (NCA) declined to verify the names of those arrested, saying only that they included two males aged 19, another aged 17, and a 20-year-old female.

Scattered Spider is the name given to an English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access. The FBI warned last month that Scattered Spider had recently shifted to targeting companies in the retail and airline sectors.

KrebsOnSecurity has learned the identities of two of the suspects. Multiple sources close to the investigation said those arrested include Owen David Flowers, a U.K. man alleged to have been involved in the cyber intrusion and ransomware attack that shut down several MGM Casino properties in September 2023. Those same sources said the woman arrested is or recently was in a relationship with Flowers.

Sources told KrebsOnSecurity that Flowers, who allegedly went by the hacker handles “bo764,” “Holy,” and “Nazi,” was the group member who anonymously gave interviews to the media in the days after the MGM hack. His real name was omitted from a September 2024 story about the group because he was not yet charged in that incident.

The bigger fish arrested this week is 19-year-old Thalha Jubair, a U.K. man whose alleged exploits under various monikers have been well-documented in stories on this site. Jubair is believed to have used the nickname “Earth2Star,” which corresponds to a founding member of the cybercrime-focused Telegram channel “Star Fraud Chat.”

In 2023, KrebsOnSecurity published an investigation into the work of three different SIM-swapping groups that phished credentials from T-Mobile employees and used that access to offer a service whereby any T-Mobile phone number could be swapped to a new device. Star Chat was by far the most active and consequential of the three SIM-swapping groups, who collectively broke into T-Mobile’s network more than 100 times in the second half of 2022.

Jubair allegedly used the handles “Earth2Star” and “Star Ace,” and was a core member of a prolific SIM-swapping group operating in 2022. Star Ace posted this image to the Star Fraud chat channel on Telegram, and it lists various prices for SIM-swaps.

Sources tell KrebsOnSecurity that Jubair also was a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies in 2022, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.

In April 2022, KrebsOnSecurity published internal chat records from LAPSUS$, and those chats indicated Jubair was using the nicknames Amtrak and Asyntax. At one point in the chats, Amtrak told the LAPSUS$ group leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.

As shown in those chats, the leader of LAPSUS$ eventually decided to betray Amtrak by posting his real name, phone number, and other hacker handles into a public chat room on Telegram.

In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.

That story about the leaked LAPSUS$ chats connected Amtrak/Asyntax/Jubair to the identity “Everlynn,” the founder of a cybercriminal service that sold fraudulent “emergency data requests” targeting the major social media and email providers. In such schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

The roster of the now-defunct “Infinity Recursion” hacking team, from which some members of LAPSUS$ hail.

Sources say Jubair also used the nickname “Operator,” and that until recently he was the administrator of the Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people. In May 2024, several popular cybercrime channels on Telegram ridiculed Operator after it was revealed that he’d staged his own kidnapping in a botched plan to throw off law enforcement investigators.

In November 2024, U.S. authorities charged five men aged 20 to 25 in connection with the Scattered Spider group, which has long relied on recruiting minors to carry out its most risky activities. Indeed, many of the group’s core members were recruited from online gaming platforms like Roblox and Minecraft in their early teens, and have been perfecting their social engineering tactics for years.

“There is a clear pattern that some of the most depraved threat actors first joined cybercrime gangs at an exceptionally young age,” said Allison Nixon, chief research officer at the New York-based security firm Unit 221B. “Cybercriminals arrested at 15 or younger need serious intervention and monitoring to prevent a years-long massive escalation.”

Camtruder - Advanced RTSP Camera Discovery and Vulnerability Assessment Tool

By: Unknown


Camtruder is a high-performance RTSP camera discovery and vulnerability assessment tool written in Go. It efficiently scans and identifies vulnerable RTSP cameras across networks using various authentication methods and path combinations, with support for both targeted and internet-wide scanning capabilities.


🌟 Key Features

  • Advanced Scanning Capabilities
      • Single IP targeting
      • CIDR range scanning
      • File-based target lists
      • Pipe input support
      • Internet-wide scanning with customizable limits
      • Intelligent port discovery
      • Location-based search using RIPE database
      • Raw CIDR output for integration with other tools

  • Screenshot Capability
      • Capture screenshots of discovered cameras
      • Automatic saving of JPEG images
      • Requires ffmpeg installation
      • Configurable output directory

  • Location-Based Search
      • Search by city or country name
      • RIPE database integration
      • Detailed output with netnames and IP ranges
      • CIDR notation support
      • Raw output mode for scripting

  • Comprehensive Authentication Testing
      • Built-in common credential database
      • Custom username/password list support
      • File-based credential input
      • Multiple authentication format handling
      • Credential validation system

  • Smart Path Discovery
      • Extensive default path database
      • Vendor-specific path detection
      • Dynamic path generation
      • Automatic path validation

  • High Performance Architecture
      • Multi-threaded scanning engine
      • Configurable connection timeouts
      • Efficient resource management
      • Smart retry mechanisms
      • Parallel connection handling

  • Advanced Output & Analysis
      • Real-time console feedback
      • Detailed logging system
      • Camera fingerprinting
      • Vendor detection
      • Stream capability analysis
      • Multiple output formats (verbose, raw)

📋 Requirements

  • Go 1.19 or higher
  • ffmpeg (required for screenshot functionality)
  • Internet connection
  • Root/Administrator privileges (for certain scanning modes)
  • Sufficient system resources for large-scale scans

🔧 Installation

Using go install (recommended)

go install github.com/ALW1EZ/camtruder@v3.7.0

From source

git clone https://github.com/ALW1EZ/camtruder.git
cd camtruder
go build

🚀 Usage

Basic Commands

# Scan a single IP
./camtruder -t 192.168.1.100

# Scan a network range
./camtruder -t 192.168.1.0/24

# Search by location with detailed output
./camtruder -t london -s
> [ NET-ISP ] [ 192.168.1.0/24 ] [256]

# Get raw CIDR ranges for location
./camtruder -t london -ss
> 192.168.1.0/24

# Scan multiple IPs from file
./camtruder -t targets.txt

# Take screenshots of discovered cameras
./camtruder -t 192.168.1.0/24 -m screenshots

# Pipe from port scanners
naabu -host 192.168.1.0/24 -p 554 | camtruder
masscan 192.168.1.0/24 -p554 --rate 1000 | awk '{print $6}' | camtruder
zmap -p554 192.168.0.0/16 | camtruder

# Internet scan (scan till 100 hits)
./camtruder -t 100

Advanced Options

# Custom credentials with increased threads
./camtruder -t 192.168.1.0/24 -u admin,root -p pass123,admin123 -w 50

# Location search with raw output piped to zmap
./camtruder -t berlin -ss | while read range; do zmap -p 554 $range; done

# Save results to file (as full url, you can use mpv --playlist=results.txt to watch the streams)
./camtruder -t istanbul -o results.txt

# Internet scan with limit of 50 workers and verbose output
./camtruder -t 100 -w 50 -v

πŸ› οΈ Command Line Options

Option   Description                                         Default
-t       Target IP, CIDR range, location, or file            Required
-u       Custom username(s)                                  Built-in list
-p       Custom password(s)                                  Built-in list
-w       Number of threads                                   20
-to      Connection timeout (seconds)                        5
-o       Output file path                                    None
-v       Verbose output                                      False
-s       Search only - shows ranges with netnames            False
-ss      Raw IP range output - only CIDR ranges              False
-po      RTSP port                                           554
-m       Directory to save screenshots (requires ffmpeg)     None

📊 Output Formats

Standard Search Output (-s)

[ TR-NET-ISP ] [ 193.3.52.0/24 ] [256]
[ EXAMPLE-ISP ] [ 212.175.100.136/29 ] [8]

Raw CIDR Output (-ss)

193.3.52.0/24
212.175.100.136/29

Scan Results

╭─ Found vulnerable camera [Hikvision, H264, 30fps]
├ Host : 192.168.1.100:554
├ Geo  : United States/California/Berkeley
├ Auth : admin:12345
├ Path : /Streaming/Channels/1
╰ URL  : rtsp://admin:12345@192.168.1.100:554/Streaming/Channels/1

⚠️ Disclaimer

This tool is intended for security research and authorized testing only. Users are responsible for ensuring they have permission to scan target systems and comply with all applicable laws and regulations.

πŸ“ License

This project is licensed under the MIT License - see the LICENSE file for details.

πŸ™ Acknowledgments

  • Thanks to all contributors and the security research community
  • Special thanks to the Go RTSP library maintainers
  • Inspired by various open-source security tools

📬 Contact


Made by @ALW1EZ



MemTracer - Memory Scanner

By: Zion3R


MemTracer is a tool that offers live memory analysis capabilities, allowing digital forensic practitioners to discover and investigate stealthy attack traces hidden in memory. MemTracer is implemented in Python and aims to detect reflectively loaded native .NET framework Dynamic-Link Libraries (DLLs). It does this by looking for memory regions with the following abnormal characteristics:

  • The state of the memory pages in each region: specifically the MEM_COMMIT flag, which is used to reserve memory pages for virtual memory use.
  • The type of the pages in the region: the MEM_MAPPED page type indicates that the memory pages within the region are mapped into the view of a section.
  • The memory protection of the region: PAGE_READWRITE indicates that the region is readable and writable, which is the case when the Assembly.Load(byte[]) method is used to load a module into memory.
  • The memory region contains a PE header.

The tool starts by scanning the running processes and analyzing the characteristics of their allocated memory regions to detect symptoms of reflective DLL loading. Suspicious memory regions that are identified as DLL modules are dumped for further analysis and investigation.
Furthermore, the tool features the following options:

  • Dump the compromised process.
  • Export a JSON file that provides information about the compromised process, such as the process name, ID, path, size, and base address.
  • Search for specific loaded module by name.

Example

python.exe memScanner.py [-h] [-r] [-m MODULE]
-h, --help show this help message and exit
-r, --reflectiveScan Looking for reflective DLL loading
-m MODULE, --module MODULE Looking for spcefic loaded DLL

The script needs administrator privileges in order to inspect all processes.
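The four indicators above can be expressed as a simple classifier over memory-region records. The following is an added example written for this page, not MemTracer's own code: it uses the real Win32 MEMORY_BASIC_INFORMATION constant values, but the region records are constructed inline rather than read from a live process, so it runs offline. On a live Windows system the same records would come from VirtualQueryEx and ReadProcessMemory (both hypothetical here; they are not called). The PE-header check goes one step beyond the bullet list by following e_lfanew from the MZ stub to the PE signature, so a region that merely begins with "MZ" is not counted.

```python
"""Classify memory regions for reflective-DLL-loading symptoms.

Added example (not part of MemTracer). Region records are constructed;
the Win32 constants are the real values from winnt.h.
"""
import struct
from dataclasses import dataclass
from typing import List

# MEMORY_BASIC_INFORMATION.State / .Type / .Protect values (winnt.h)
MEM_COMMIT = 0x1000
MEM_MAPPED = 0x40000       # section view (e.g. a mapped file)
MEM_PRIVATE = 0x20000      # private allocation (heap, VirtualAlloc)
MEM_IMAGE = 0x1000000      # image mapped by the loader (normal DLL)
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PROTECT_BASE_MASK = 0xFF   # strips PAGE_GUARD / PAGE_NOCACHE modifier bits


@dataclass
class Region:
    base: int
    size: int
    state: int
    type: int
    protect: int
    data: bytes  # leading bytes of the region, as read from the process


def has_pe_header(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_reflective_candidate(r: Region) -> bool:
    """All four indicators from the MemTracer description must hold."""
    return (
        r.state == MEM_COMMIT
        and r.type == MEM_MAPPED
        and (r.protect & PROTECT_BASE_MASK) == PAGE_READWRITE
        and has_pe_header(r.data)
    )


def scan(regions: List[Region]) -> List[int]:
    """Return base addresses of regions worth dumping for analysis."""
    return [r.base for r in regions if is_reflective_candidate(r)]


def build_pe_stub() -> bytes:
    """Constructed minimal image header: MZ stub, e_lfanew = 0x80, PE sig at 0x80."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample regions covering the positive case and three look-alikes.
SAMPLE_REGIONS = [
    # Assembly.Load(byte[]) pattern: committed, mapped section, RW, PE header
    Region(0x7FF00000, 0x20000, MEM_COMMIT, MEM_MAPPED, PAGE_READWRITE, build_pe_stub()),
    # Normal DLL loaded by the OS loader: MEM_IMAGE and executable, not flagged
    Region(0x7FE00000, 0x80000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, build_pe_stub()),
    # Mapped data file with no PE header, not flagged
    Region(0x1A000000, 0x10000, MEM_COMMIT, MEM_MAPPED, PAGE_READWRITE, bytes(0x100)),
    # Private heap that happens to start with "MZ" but has no PE signature
    Region(0x00400000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE, b"MZ" + bytes(0xFE)),
]

if __name__ == "__main__":
    for base in scan(SAMPLE_REGIONS):
        print(f"suspicious region at 0x{base:X}: dump for analysis")
```

Only the first record is reported. Masking the protection value before comparing matters on real systems, because a PAGE_GUARD or PAGE_NOCACHE modifier would otherwise hide a read-write region from the check.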



Traffic Light Protocol for cybersecurity responders gets a revamp

Traffic lights make a handy global metaphor for denoting the sensitivity of cybersecurity threat data - three colours that everyone knows.

US Government says: Patch VMware right now, or get off our network

Find and patch. Right now. If you can't patch, get it off the network. Right now! Oh, and show us what you did to comply.

Colonial Pipeline facing $1,000,000 fine for poor recovery plans

How good is your cybersecurity? Are you making the same mistakes as lots of other people? Here's some real-life advice...

Ransomware Survey 2022 – like the Curate’s Egg, “good in parts”

You might not like the headline statistics in this year's ransomware report... but that makes it even more important to take a look!

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!

The crooks have shown that they're willing to learn and adapt their attacks, so we need to make sure we learn and adapt, too.
