#ConnectWise

The New Oil<p><a href="https://mastodon.thenewoil.org/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a> rotating code signing certificates over security concerns</p><p><a href="https://www.bleepingcomputer.com/news/security/connectwise-rotating-code-signing-certificates-over-security-concerns/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/connectwise-rotating-code-signing-certificates-over-security-concerns/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
Zeljka Zorz<p>ConnectWise is rotating code signing certificates. What happened?</p><p><a href="https://www.helpnetsecurity.com/2025/06/11/connectwise-is-rotating-code-signing-certificates-what-happened/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">helpnetsecurity.com/2025/06/11</span><span class="invisible">/connectwise-is-rotating-code-signing-certificates-what-happened/</span></a></p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Connectwise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Connectwise</span></a></p>
Andrew 🌻 Brandt 🐇<p>What a wonderful thing to find out while on vacation that my phone is blowing up because a news article about <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a> published yesterday (<a href="https://www.bleepingcomputer.com/news/security/connectwise-rotating-code-signing-certificates-over-security-concerns/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/connectwise-rotating-code-signing-certificates-over-security-concerns/</span></a>) referenced something I posted here in April (<a href="https://infosec.exchange/@threatresearch/114315246724920453" translate="no" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@threatresear</span><span class="invisible">ch/114315246724920453</span></a>). (Thanks, Bill ❤️ &amp; <span class="h-card" translate="no"><a href="https://infosec.exchange/@BleepingComputer" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>BleepingComputer</span></a></span>)</p>
The New Oil<p><a href="https://mastodon.thenewoil.org/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a> warns of <a href="https://mastodon.thenewoil.org/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a> <a href="https://mastodon.thenewoil.org/tags/ScreenConnect" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ScreenConnect</span></a> bug exploited in attacks</p><p><a href="https://www.bleepingcomputer.com/news/security/cisa-warns-of-connectwise-screenconnect-bug-exploited-in-attacks/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/cisa-warns-of-connectwise-screenconnect-bug-exploited-in-attacks/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
The New Oil<p><a href="https://mastodon.thenewoil.org/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a> breached in cyberattack linked to nation-state hackers</p><p><a href="https://www.bleepingcomputer.com/news/security/connectwise-breached-in-cyberattack-linked-to-nation-state-hackers/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/connectwise-breached-in-cyberattack-linked-to-nation-state-hackers/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://mastodon.thenewoil.org/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a> <a href="https://mastodon.thenewoil.org/tags/DataBrach" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DataBrach</span></a></p>
Hackread.com<p>⚠️ <a href="https://mstdn.social/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a> RAT is the most popularly abused legitimate remote access tool and accounted for 56% of all active threat reports.</p><p>Read: <a href="https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hackread.com/connectwise-scree</span><span class="invisible">nconnect-tops-abused-rats-2025/</span></a></p><p><a href="https://mstdn.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://mstdn.social/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> <a href="https://mstdn.social/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> <a href="https://mstdn.social/tags/Scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Scam</span></a> <a href="https://mstdn.social/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a></p>
Andrew 🌻 Brandt 🐇<p>Last week I posted a thread about a <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> campaign delivering a <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a> client as its payload. As of this morning, the threat actors have changed the payload (<a href="https://www.virustotal.com/gui/file/30e1d059262b851a2b432ec856aeba5bb639ba764aa85643703163d62000a2f4" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/file/30e1d0</span><span class="invisible">59262b851a2b432ec856aeba5bb639ba764aa85643703163d62000a2f4</span></a>) and it appears to try to connect to the address "relay.noscreener[.]info" which resolves to 104.194.145.66.</p><p>Embedded in the installer .msi file is a file called system.config, which contains this domain name and a base64-encoded string.</p><p>The fake Social Security website is still being hosted on a compromised site that belongs to a temp agency based on the east coast of the US.</p><p>Previous thread:</p><p><a href="https://infosec.exchange/@threatresearch/114315246724920453" translate="no" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@threatresear</span><span class="invisible">ch/114315246724920453</span></a></p><p><a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malspam</span></a></p>
Andrew 🌻 Brandt 🐇<p>However, because this attack has been going on for two weeks, some endpoint protection tools (well, about a third of them) are catching on that this particular file is bad, and should feel bad.</p><p><a href="https://www.virustotal.com/gui/file/13d71b884a0625f3aa3805fb779d95513d0485671ab8c090a0c790ceda071e63" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/file/13d71b</span><span class="invisible">884a0625f3aa3805fb779d95513d0485671ab8c090a0c790ceda071e63</span></a></p><p>The most important lesson here is that attackers always come up with new ways to evade detection. Using a commercially available, normally legitimate remote access tool with a valid cryptographic signature lets the attacker bypass some kinds of endpoint detection.</p><p>Remember to check the From: address in emails, and the destination of any links they point to. You can do this by hovering your mouse over the link without clicking, and waiting a second. If it says it's from the SSA, but it isn't pointing to SSA.gov, then it's a lie. 
</p><p>If you find content like this useful, please follow me here, or on LinkedIn: <a href="https://www.linkedin.com/in/andrew-brandt-9603682/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">linkedin.com/in/andrew-brandt-</span><span class="invisible">9603682/</span></a></p><p>9/fin</p><p><a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malspam</span></a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>attacks</span></a></p>
Andrew 🌻 Brandt 🐇<p>When clicked, the button delivers malware, but it's an unexpected payload: A client installer for the commercial remote-access tool ConnectWise. </p><p>Every time I clicked the download link, it gave me the same file with six different random digits appended to the filename. Note that it is not, as the website implies, a PDF document, but a Windows executable file, with a .exe extension.</p><p>8/</p><p><a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malspam</span></a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>attacks</span></a></p>
Andrew 🌻 Brandt 🐇<p>This is where I tell you: don't do this! I am a trained professional. I click all the bad links so you don't have to. I am going to show you what happens next.</p><p>A button appears on this page, labeled "Access Your Statement." The site serving up this payload delivers a file named "Social Security Statement Documents [six digit random number].exe"</p><p>7/</p><p><a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malspam</span></a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>attacks</span></a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a></p>
Andrew 🌻 Brandt 🐇<p>Finally the target lands on a page on the InMotion site that closely resembles the look-and-feel of the content in the email message. </p><p>The page tells the visitor, in part "Download your statement as a PDF file" and "For security reasons, we recommend accessing your statement through your secure device."</p><p>Spoiler alert: It was not a PDF file.</p><p>(Edit: A reader informs me that this appears to be the hosting space used by the temp agency website, and that for whatever reason, the URL appears differently here.) </p><p>6/</p><p><a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malspam</span></a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>attacks</span></a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a></p>
Andrew 🌻 Brandt 🐇<p>The target's browser then lands on another website, hosted by a large hosting service, InMotion Hosting. As with the temp agency website, the attackers have set up multiple URLs on this site, where the first URL performs a 302 redirect to go to the second URL, for no apparent reason other than to create the URL equivalent of a Rube Goldberg contraption.</p><p>5/</p><p><a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malspam</span></a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>attacks</span></a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a></p>
Andrew 🌻 Brandt 🐇<p>That link then immediately 302 redirects the target's browser to a link on a second website, one that belongs to a temp agency based in the US state of Maryland. </p><p>The attackers have created two URLs on this company's site for this purpose. The first one redirects to the second one. </p><p>Again, the site appears to have been compromised and used specifically for the purpose of obfuscating the redirection chain.</p><p>4/</p><p><a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malspam</span></a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>attacks</span></a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a></p>
Andrew 🌻 Brandt 🐇<p>The first 302 redirect points to a page on a website belonging to a small business that has, apparently, been compromised and abused for this purpose. </p><p>3/</p><p><a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malspam</span></a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>attacks</span></a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a></p>
Andrew 🌻 Brandt 🐇<p>In this attack, the spammers have been sending emails that look like this official-appearing notification from the Social Security Administration. </p><p>The message says "Your Social Security Statement is ready to review" and includes a button at the bottom labeled "Download Statement." </p><p>The button links to a shortened URL that uses the link-shortening service t.ly to lead the target to a chain of 302 redirects. Malware spammers often do this to fool web reputation services and obfuscate the final destination of the link.</p><p>2/</p><p><a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malspam</span></a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>attacks</span></a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a></p>
Andrew 🌻 Brandt 🐇<p>It sometimes pays to run domains that serve purely as spam honeypots. Case in point: A spammer has been delivering a ConnectWise commercial remote access client application as a payload in a scam that uses the purported arrival of a US Social Security statement as its hook.</p><p>A 🧵 ...</p><p><a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malspam</span></a> <a href="https://infosec.exchange/tags/attacksurface" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>attacksurface</span></a> <a href="https://infosec.exchange/tags/SocialSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocialSecurity</span></a> <a href="https://infosec.exchange/tags/SocialSecurityAdministration" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocialSecurityAdministration</span></a> <a href="https://infosec.exchange/tags/SSA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSA</span></a> <a href="https://infosec.exchange/tags/usgov" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>usgov</span></a></p>
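The redirect chain and payload naming described in the thread above, turned into detection logic as an added example; it is not part of the original posts. The hop-record fields, the `.example` hosts, the shortener and extension lists, and the thresholds are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

SHORTENERS = {"t.ly", "bit.ly", "tinyurl.com"}  # assumption: illustrative list; t.ly is the one named in the thread
EXEC_EXTS = (".exe", ".msi", ".scr", ".com")     # assumption: illustrative list
DOC_LURE = re.compile(r"statement|document|invoice|pdf", re.I)
FILENAME = re.compile(r'filename="?([^";]+)"?', re.I)
SIX_DIGITS = re.compile(r"\d{6}(?=\.[A-Za-z0-9]+$)")

# Constructed proxy-log records. The .example hosts are placeholders for the
# compromised sites in the thread, whose real URLs are not on the page.
SAMPLE_HOPS = [
    {"url": "https://t.ly/xxxxx", "status": 302, "location": "https://smallbiz.example/r"},
    {"url": "https://smallbiz.example/r", "status": 302, "location": "https://tempagency.example/a"},
    {"url": "https://tempagency.example/a", "status": 302, "location": "https://tempagency.example/b"},
    {"url": "https://tempagency.example/b", "status": 302, "location": "https://hosted.example/one"},
    {"url": "https://hosted.example/one", "status": 302, "location": "https://hosted.example/two"},
    {"url": "https://hosted.example/two", "status": 200},
    {"url": "https://hosted.example/download", "status": 200,
     "content_disposition": 'attachment; filename="Social Security Statement Documents 482913.exe"'},
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_under(h, domain):
    # Exact match or true subdomain, so "ssa.gov.evil.example" does not pass.
    return h == domain or h.endswith("." + domain)

def analyze_chain(hops, claimed_domain):
    """Summarise one click-through and flag the traits the thread describes."""
    hosts, redirects, same_host, payload = [], 0, 0, None
    for hop in hops:
        h = host(hop["url"])
        if h not in hosts:
            hosts.append(h)
        if 300 <= hop["status"] < 400 and hop.get("location"):
            redirects += 1
            if host(hop["location"]) == h:
                same_host += 1  # a redirect that stays on the same site
        m = FILENAME.search(hop.get("content_disposition") or "")
        if m:
            name = m.group(1).strip()
            if name.lower().endswith(EXEC_EXTS) and DOC_LURE.search(name):
                payload = name
    findings = []
    if hosts and hosts[0] in SHORTENERS:
        findings.append("starts-at-shortener")
    if redirects >= 3 and len(hosts) >= 3:  # assumed thresholds
        findings.append("multi-site-redirect-chain")
    if same_host:
        findings.append("same-host-redirect-padding")
    if not any(is_under(h, claimed_domain) for h in hosts):
        findings.append("never-reaches-claimed-domain")
    if payload:
        findings.append("executable-named-like-document")
    # Mask the random six digits so repeated downloads of one file group together.
    key = SIX_DIGITS.sub("NNNNNN", payload) if payload else None
    return {"hosts": hosts, "redirects": redirects, "payload": payload,
            "payload_key": key, "findings": findings}

if __name__ == "__main__":
    report = analyze_chain(SAMPLE_HOPS, "ssa.gov")
    print(report["redirects"], "redirects across", report["hosts"])
    print(report["payload_key"], report["findings"])
```
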
James<p>This is probably only relevant to a *very* small number of people, but since I just spent all morning figuring it out…</p><p>If you are trying to get <a href="https://vmst.io/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a> (remote screen-share tool) working on <a href="https://vmst.io/tags/Pop_OS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Pop_OS</span></a> <a href="https://vmst.io/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> and the shellscript installer is just failing silently, and the client never launches, try installing the "icedtea-netx" package.</p><p>That seems to be installed on stock Ubuntu 22.04 desktop (or at least it was on my Ubuntu machines), but for whatever reason my Pop_OS machine didn't have it. </p><p>With it installed, ConnectWise suddenly works. Magic!</p><p>Glad CW supports Linux, but slight shade at having a setup script fail silently.</p>
Sascha Stumpler<p><a href="https://hessen.social/tags/Connectwise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Connectwise</span></a> <a href="https://hessen.social/tags/PowerShell" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PowerShell</span></a> Upload a file to Connectwise and Attach it to a Service Ticket with PowerShell <a href="http://dlvr.it/T7bqfk" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">http://</span><span class="">dlvr.it/T7bqfk</span><span class="invisible"></span></a> via PlanetPowerShell</p>
IT News<p>Ransomware associated with LockBit still spreading 2 days after server takedown</p><p>Two days after an international... - <a href="https://arstechnica.com/?p=2005464" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">arstechnica.com/?p=2005464</span><span class="invisible"></span></a> <a href="https://schleuss.online/tags/screenconnect" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>screenconnect</span></a> <a href="https://schleuss.online/tags/connectwise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>connectwise</span></a> <a href="https://schleuss.online/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ransomware</span></a> <a href="https://schleuss.online/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://schleuss.online/tags/lockbit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lockbit</span></a> <a href="https://schleuss.online/tags/biz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>biz</span></a>&amp;it</p>
Hambone Fakenamington<p>The Fediverse and <span class="h-card" translate="no"><a href="https://cyberplace.social/@GossiTheDog" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>GossiTheDog</span></a></span> have just helped me do my job better. Outsourced supplier has just asked me to install <a href="https://fosstodon.org/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectWise</span></a>. If it were not for the recent posts by <a href="https://fosstodon.org/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> people on here, I wouldn't be aware of the recent issues so wouldn't be checking with the supplier that their ConnectWise setup is up to date!</p>