Black Lotus Labs

We’ve identified a new downloader that large numbers of #mylobot bots are connecting to: 212.8.242[.]104. #virustotal shows #khalesi malware downloads since 9/7. This confirms our analysis of the transition from the old downloader, 138.128.150[.]133 in early Sept.pic.twitter.com/b4IeRr8rH5

We’re investigating a large increase in bots connecting to the #mylobot C2s starting on 11/1. This could represent a new campaign by the malware authors.pic.twitter.com/UVLungUTMt

After news of the takedown of KV Solutions BV, we saw a significant decrease in the number of active #Mirai & #Gafgyt C2s. Less than a day later, we identified several new C2s potentially signifying actors moving to new infrastructure across many different hosting providers.pic.twitter.com/6hAnteF8Ms

21/25 winners have been able to say #Gotcha to a limited edition @BlackLotusLabs prize back in our #CTLCipherCoverChallenge. Only 4 Remain!pic.twitter.com/wy36pCnEjr

Keep crackin' for @BlackLotusLabs limited edition swag! 15/25 winners #Hunted down the right answer in our #CTLCiperCoverChallenge. Only 10 Remain! #NoHints http://bit.ly/CenturyLink_2019ThreatReport …pic.twitter.com/2oiybDG2L6

Have you #flagged the @CenturyLink 2019 Threat Report for reading yet? Do it right now to understand how we identify 130K+ DGAs daily. #SeeMoreStopMore http://bit.ly/CenturyLink_2019ThreatReport …pic.twitter.com/lFIMn75lP1

Do you notice anything interesting about our threat report cover? http://bit.ly/CenturyLink_2019ThreatReport … The first 25 to crack a cipher win limited edition @BlackLotusLabs swag. DM decrypted answers (the key doesn’t count ). #CTLCipherCoverChallengepic.twitter.com/vnLR4SwyXY

We know you’ve #hunted for the @CenturyLink 2019 Threat Report. So here you go: http://bit.ly/CenturyLink2019ThreatReport …. Let the games begin. #BotnetSlayer #CleanInternet #ThreatHunter #CyberSecuritypic.twitter.com/47v7h3Emxw

BOLO for our @CenturyLink 2019 Threat Report... https://twitter.com/CenturyLink/status/1171816460500402176 …pic.twitter.com/lhuUw5UGsL

Researching activity into #Webmin RCE (CVE-2019-15107) we are seeing anomalous traffic on port 10000 beginning 5 days ago. With over 14K of the IPs scanning being reported via @shodanhq we are still investigating the impact. If you want to collaborate with us please DM.pic.twitter.com/mx3tB9ph3J

Continued monitoring for scanners targeting #SACKpanic on TCP port 8728 reveals a roughly a 45% decrease in scanning activity from its peak in mid-July. Maybe patching is effective! Thanks @Netflix research team for sharing your work! https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md#advisory … #cybersecuritypic.twitter.com/KwBAezOnYc