john fitzpatrick (@j0hn__f)
1K followers · 2K following · 154 media · 2K statuses
CyberSecurity | Lab539 and HPCsec | HPC | Supercomputers | TCDO | formerly MWRlabs & Jumpsec | @[email protected]
London, UK
Joined January 2010
I see Cloudflare just had a hiccup. Is it wrong that I'm now looking forward to the write-up on what happened because they tend to be quite interesting!
My regular reminder whenever a vendor discloses a 0-day on an edge device: Patching it doesn’t fix the breach that already happened. If it was exposed for months, patching it is like changing the front door lock while the burglars are already in your living room.
9
54
313
We tracked #ClickFix infrastructure for a while. Turns out there is a lot of overlap with #AiTM infrastructure. Find our dataset of 13k+ hosts in this blog post: https://t.co/kbmPePSMvk
Block login from AS24875 (1337 Services) and AS18450 (Evoxt) and you'll squash some of the most prolific #voidproxy infrastructure. Block workers[.]dev and you'll block a lot of frontend #voidproxy chains too. Aitm-Feed users can just toggle those on; takes 1 second!
If you want to block ShadowCaptcha campaigns, blocking these three domains will help:
- cloudshielders[.]com
- analytiwave[.]com
- analyticanoden[.]com
There is heavy geo/user-agent/OS detection going on, so you may not see click-fix but your users might. #clickFix #shadowCaptcha
Azure Front Door AiTM Phishing
aitmfeed.com
Investigation AiTM infrastructure utilising Microsoft Azure Front Door
Technical deep dive into some current AiTM infrastructure using Azure Front Door and some other rather clever techniques. https://t.co/wfIfDVDckB
#AiTM
OK, that got burned just now. So here is another targeting Coinbase by the looks of it, which drops some very obfuscated PowerShell on your clipboard: #ClickFix
We've been keeping an eye on ClickFix domains. If you've not seen them before here is a (at the point of posting) live example: #ClickFix
Forced myself to write up a (non)incident where our AiTM feed successfully foiled an AiTM attack utilising redirects, workers[.]dev and other techniques we're commonly seeing. Interesting to see re-use of existing infrastructure too. https://t.co/8w2TaNgxYH
#AiTM
aitmfeed.com
We delve into an AITM attack involving Cloudflare workers.dev infrastructure that was foiled by conditional access policies and the Lab539 AITM feed.
It's not just MS users targeted by AiTM, here is one (live now) targeting users of the Australian Gov services: australiaqovlodgmentservces[.]org
If you'd like a copy of Aeza's prefixes (AS216246) as sanctions were announced, we've dropped a copy here: https://t.co/616Utx9VO1
Can anyone recommend a service that provides good reverse IP lookup data (i.e. DNS records associated with an IP address)? VirusTotal is the obvious answer but is cost prohibitive; other options don't seem to have the richness of data. Willing to pay.
Someone targeting M&S again? Or targeting MSN? You decide:
*.mnsonlines[.]lat - 185.165.44[.]25, previously 209.74.81[.]5
Positive #AiTM detection::Action=block
If you're reading the @MsftSecIntel report on Void Blizzard, things to note: the *.micsrosoftonline[.]com IOC they share was deployed on 5th+6th March 2025, so focus your hunts there. It was Evilginx and there were several subdomains (Cloudflare fronted).
Today would be a good day to block authentication from 2a0b:7140:8:1:5054:ff:fe10:9356 in your conditional access policies. Backend of several active AiTM campaigns (targeting Microsoft accounts). #ThreatIntel #IndicatorsOfAttack
This is not a drill! I'm investigating. May share some analysis if I get the time. I suspect there will be some central infrastructure co-ordinating it that we need to take out of action. #AiTM
There's an absolutely huge AiTM rampage on its way. Yesterday we saw over 5x our largest previous daily detections. Most is sat behind Cloudflare so "should" be squashed by them (we think we trigger their fingerprinting); the stuff hosted elsewhere is gonna cause the pain. #AiTM
I’m an Incident Responder on the AWS Customer Incident Response Team (CIRT). And I get asked a lot of questions, like: “Where do I even start with incident response in the cloud?” Here’s a beginner-friendly thread on AWS IR tips — with a few lessons I learned 🧵👇
Doesn't look like whoever is behind the AiTM on Tesco Bank has hit the go button yet, or has been very targeted. Fortunately our AiTM Feed customers have been protected for a little while already. #AiTM
https://t.co/ky7ybIby2C