#smb

A Hybrid Approach with Data Exfiltration and Encryption

The BlackSuit ransomware group, believed to be a rebrand of Royal ransomware, has emerged as a significant threat to organizations. This sophisticated attack combines data exfiltration and encryption, utilizing tools like Cobalt Strike for command and control, rclone for data exfiltration, and BlackSuit ransomware for file encryption. The group's tactics include lateral movement through RDP, SMB, and PsExec, credential dumping, and deletion of shadow copies. Notably, the ransomware uses a -nomutex flag, allowing multiple concurrent executions. The attack flow involves initial access, lateral movement, data exfiltration, partial encryption, and ransom demands ranging from $1 million to $10 million USD in Bitcoin. This hybrid approach highlights the evolving nature of ransomware threats and the need for robust security measures.

Pulse ID: 687229325abbf82b9f462e99
Pulse Link: otx.alienvault.com/pulse/68722
Pulse Author: AlienVault
Created: 2025-07-12 09:21:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Online extortion is the new ransomware. Is your organization prepared?

Today’s hackers frequently skip the encryption step of ransomware and go straight to online extortion, stealing your data and threatening to leak it unless you pay.

In our latest blog, we break down:
• Why exfiltration-only attacks are surging
• How threat actors like World Leaks operate
• What your organization can do to stay ahead

Read the details: lmgsecurity.com/online-extorti

LMG Security: Online Extortion Is the New Ransomware: Why Hackers Just Want Your Data. Online extortion is on the rise as hackers skip ransomware encryption and go straight to data theft and blackmail. Read about this trend and how to protect your organization.

Hey lovelies 🩷

Question for any of y'all who have more knowledge than we do in relation to fixing networking issues within Windows 11

One PC on our network had been having intermittent networking issues on Windows 10, so we did an in-place upgrade to Windows 11 24H2.

This did fix some issues, but we're still having 2 major issues:

  1. The PC can see, but refuses to connect to, our Synology NAS (DS220J). It keeps asking for a username and password, like it's failing authentication.
  2. Other Windows-based PCs can connect to it, and it can see them, but Kodi on a Fire TV stick (4K Max, 2024 model) refuses to connect to it over SMB (Samba), giving a "no route to host" error message.

We've reviewed guides such as:

... and made some settings tweaks. We've also gone through common troubleshooting tips such as:

  • Making sure the connection is private;
  • Making sure that filesharing is enabled;
  • Tweaking SMB connection settings in Synology NAS;
  • Deleting and manually re-entering the login details for the Synology NAS under the credentials manager;
  • Changing the minimum (no minimum, 1, 2) and maximum (3) SMB level on Kodi;
  • Updating Windows and drivers;
  • Using DISM and SFC;
  • Group policy updates;

... but sadly to no avail.

We're trying to avoid a clean install, as there's a lot of stuff we'd need to reinstall, and we don't have the time, executive function, or (most importantly) the patience and emotional regulation to do that right now 🥺

Any thoughts?

Update, 2025-07-11:

With the help of suggestions from lovely folks, it looks tenuously like both issues have been resolved on the PC 🤞🩷

We didn't make it clear above, but both versions of Windows are the Pro versions. (Used a Home version of Windows - XP Home - only once. Never again!!!)

In case it helps anyone else, here are the additional steps we took, based on comments, to resolve the issues described above:

  • Checked router (RX-AX88U) to confirm there were no DHCP issues.
    • Realised that the MAC address on the static IP address section for the PC was for the onboard NIC, rather than the PCI-E one we'd previously installed. This hadn't caused issues previously, but we did take the time to update this.
  • Reset the IP stack.
  • Uninstalled SMBv1 by removing from Windows Features.
  • Disabled SMB1 and verified that SMBv2/v3 enabled (per guide here).
  • Disabled SMB client signing requirement and enabled guest fallback protection (per guide here).
  • Deleted saved credentials for the Synology NAS again under Credential Manager
    • We'd done this previously, but it hadn't worked by itself.
    • Interestingly, when we deleted it once, it then reappeared, so we had to delete it twice.
  • Rebooted.

On the Fire TV Stick (4K Max, 2024), we'd also checked that the Kodi settings showed a minimum SMB protocol of V2.

Under the Synology NAS (a DS220J), we'd previously also gone into Control Panel > File Services > Advanced Settings > General and set:

  • Minimum SMB protocol to SMB2;
  • Transport encryption mode to Client defined;
  • Server signing status to Forced;

... per recommendations we'd read online.

Microsoft Community Hub (techcommunity.microsoft.com): Accessing a third-party NAS with SMB in Windows 11 24H2 may fail. Changes to SMB security in Windows 11 24H2 release preview may prevent access to third party NAS appliances or other devices.
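As an added example that is not part of the original post or the linked guides: a read-only PowerShell audit of the SMB settings the steps above touch (SMB1 feature state, server protocol toggles, the 24H2 client signing and guest-logon settings, TCP/445 reachability to the NAS, and the dialects actually negotiated). It uses only the built-in SmbShare, DISM and NetTCPIP cmdlets; the NAS hostname `nas.example.local` is a constructed placeholder. Run it in an elevated session before and after changing anything, so the "fix" is recorded rather than guessed at.

```powershell
# Added example (not from the original post): read-only audit of the SMB
# posture on a Windows 10/11 client. Requires an elevated PowerShell session.
# 'nas.example.local' is a constructed placeholder; pass your NAS name instead.

function Get-SmbPostureReport {
    param(
        # Host to test for TCP/445 reachability (placeholder default).
        [string]$NasHost = 'nas.example.local'
    )

    # Is the SMB1 optional feature still installed? (Removing it is one of the steps above.)
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    # Server-side protocol toggles: what this PC offers to other clients.
    $server = Get-SmbServerConfiguration

    # Client-side security settings. Windows 11 24H2 changed the defaults to
    # require signing and block insecure guest logons, which is what the linked
    # Microsoft article says can break third-party NAS access.
    $client = Get-SmbClientConfiguration

    # Can the NAS be reached on the SMB port at all? A "no route to host" error
    # is a network-layer symptom, so check this before touching SMB settings.
    $reach = Test-NetConnection -ComputerName $NasHost -Port 445 -WarningAction SilentlyContinue

    # Dialects negotiated on current sessions (e.g. 3.1.1 = SMB3).
    $dialects = Get-SmbConnection -ErrorAction SilentlyContinue |
        Select-Object ServerName, Dialect -Unique

    $report = [PSCustomObject]@{
        Smb1FeatureState          = $smb1Feature.State            # expect Disabled*
        ServerSmb1Enabled         = $server.EnableSMB1Protocol    # expect False
        ServerSmb2Enabled         = $server.EnableSMB2Protocol    # expect True (covers SMB3)
        ClientRequireSigning      = $client.RequireSecuritySignature
        ClientInsecureGuestLogons = $client.EnableInsecureGuestLogons
        NasPort445Reachable       = $reach.TcpTestSucceeded
        NegotiatedDialects        = ($dialects | ForEach-Object { "$($_.ServerName)=$($_.Dialect)" }) -join ', '
    }

    # Flag the combinations that matter: SMB1 anywhere is a risk; signing off
    # plus guest logons on is the compatibility trade-off, not a safe default.
    $findings = @()
    if ($smb1Feature.State -notlike 'Disabled*' -or $server.EnableSMB1Protocol) {
        $findings += 'SMB1 is still present; remove the optional feature and disable it on the server.'
    }
    if (-not $client.RequireSecuritySignature) {
        $findings += 'Client signing is not required; keep this off only while the NAS cannot sign.'
    }
    if ($client.EnableInsecureGuestLogons) {
        $findings += 'Insecure guest logons are allowed; prefer a named NAS account stored in Credential Manager.'
    }
    if (-not $reach.TcpTestSucceeded) {
        $findings += "TCP/445 to $NasHost failed; check IP/MAC reservations and firewall rules first."
    }

    $report | Add-Member -NotePropertyName Findings -NotePropertyValue $findings
    return $report
}

Get-SmbPostureReport -NasHost 'nas.example.local' | Format-List
```

The report is deliberately read-only: it shows which of the 24H2 client hardening settings have been relaxed and whether the NAS is reachable on port 445 at all, so the two symptoms in the post (authentication prompts versus "no route to host") can be separated before any setting is changed.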

New at SharkFest'25 Europe: Dive deep into modern SMB traffic analysis in this hands-on session designed for anyone working with file shares in real-world environments.

Learn how to troubleshoot authentication issues, analyze performance bottlenecks, decrypt SMB traffic, and uncover what's really happening behind the scenes in SMB2/3 communication. If you’ve ever dealt with slow file access or mysterious errors, this class will give you the tools to trace and solve them.

sharkfest.wireshark.org/sfeu


@vwestlife Yes they did, and I saw them #retail in #Germany at #ConradElectronic but they quickly flopped for two reasons:

1. The #hinge mechanism made them fiddly to insert into devices, as that design isn't up to #SD spec which expects a rigid body.

2. They cost more than an equal-capacity & speed card plus a #cardreader.

3. Basically everyone who used #SDcard already had a #CardReader and #USB #flashdrives were also cheaper than these things.

The only person I knew that used one was someone who fiddled with an original #RaspberryPi|s a lot and they used it with a USB cable permanently plugged in so they can quickly access the files when the Pi is shut down.

  • Once I showed them that they can also access files and transfer them via #SSH instead of having to setup #Samba for #SMB shares they ditched that.

Malware Delivered to Businesses via SEO Attacks Using Fake AI Tools

A targeted SEO poisoning campaign is affecting over 8,500 SMB users by delivering malware disguised as popular AI and productivity tools like ChatGPT, Zoom, and Microsoft Teams.

Pulse ID: 686c52b0167c0726e56c6413
Pulse Link: otx.alienvault.com/pulse/686c5
Pulse Author: cryptocti
Created: 2025-07-07 23:05:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

No Click. No Warning. Just a Data Leak.

Think your AI assistant is secure? Think again. The new EchoLeak exploit shows how Microsoft 365 Copilot, and tools like it, can silently expose your sensitive data without a single user interaction. No clicks. No downloads. Just a well-crafted email.

In this eye-opening blog, we break down how EchoLeak works, why prompt injection is a growing AI threat, and the 5 actions you need to take right now to protect your organization.

Read now: lmgsecurity.com/no-click-night

LMG Security: No-Click Nightmare: How EchoLeak Redefines AI Data Security Threats. Is your AI assistant leaking data? New EchoLeak attack exploits Copilot with zero clicks. We share the details and tips to boost your AI data security.

DEVMAN Ransomware: Analysis of New DragonForce Variant

A new ransomware strain resembling DragonForce but with unique traits has emerged, possibly connected to an entity called DEVMAN. The sample reuses DragonForce code but adds its own elements, including the .DEVMAN file extension. Attribution is unclear, as the ransom note is identical to DragonForce's. The malware operates offline, probes for SMB connections, and uses three encryption modes. It exhibits different behaviors on Windows 10 and 11, particularly in changing wallpapers. The ransomware encrypts its own ransom notes, likely due to a builder flaw. DEVMAN claims to have stopped using DragonForce months ago, suggesting this may be an experimental or outdated build.

Pulse ID: 6864dc456365182d0e43bd32
Pulse Link: otx.alienvault.com/pulse/6864d
Pulse Author: AlienVault
Created: 2025-07-02 07:14:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Hide Your RDP: Password Spray Leads to RansomHub Deployment

This report details a cyberattack where threat actors gained initial access through a password spray attack on an exposed RDP server. They used Mimikatz and Nirsoft for credential harvesting, and employed living-off-the-land techniques along with tools like Advanced IP Scanner for network discovery. The attackers utilized Rclone for data exfiltration via SFTP and deployed RansomHub ransomware across the network using SMB and remote services. The intrusion lasted six days, culminating in widespread encryption and ransom demands. Key phases included initial access, lateral movement, credential theft, data exfiltration, and ransomware deployment, demonstrating a sophisticated and multi-staged attack methodology.

Pulse ID: 6862dc349ae605bef0998ced
Pulse Link: otx.alienvault.com/pulse/6862d
Pulse Author: AlienVault
Created: 2025-06-30 18:49:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Hundreds of Brother printer models are affected by a critical, unpatchable vulnerability (CVE-2024-51978) that allows attackers to generate the default admin password using the device’s serial number—information that’s easily discoverable via other flaws.

748 total models across Brother, Fujifilm, Ricoh, Toshiba, and Konica Minolta are impacted, with millions of devices at risk globally.

Attackers can:
• Gain unauthenticated admin access
• Pivot to full remote code execution
• Exfiltrate credentials for LDAP, FTP, and more
• Move laterally through your network

Brother says the vulnerability cannot be fixed in firmware and requires a change in manufacturing. For now, mitigation = change the default admin password immediately.

Our pentest team regularly highlights printer security as a critical path to system compromise—and today’s news is another example that underscores this risk. This is your reminder: Printers are not “set-and-forget” devices. Treat them like any other endpoint—monitor, patch, and lock them down.

Need help testing your network for exploitable print devices? Contact us and our pentest team can help!

Read the Dark Reading article for more details on the Brother Printers vulnerability: darkreading.com/endpoint-secur

16 Billion Leaked Credentials? Don’t panic—this isn’t a new data breach.

Headlines about a “historic data breach” are making waves, but this isn’t a new breach. The story about 16 billion credentials circulating online is actually a compilation of old leaks, mostly gathered by infostealer malware and credential stuffing attacks.

However, this is a good reminder about your cybersecurity hygiene. Remember to protect yourself and your organization:

• Use strong, unique passwords for every account
• Store them securely with a reputable password manager
• Turn on two-factor authentication (2FA)—preferably with an app like Authy or Google Authenticator
• Scan your devices for malware before changing passwords if you suspect an infection

Read the article for details: bleepingcomputer.com/news/secu