Really big scoop (I don't think @BrianKrebs knows how big yet) here - he's tracked down somebody who says they are Rey from Lapsus$. I don't wanna say why yet as I don't have all the pieces of the jigsaw, but I imagine this is going to turn into a long thread over time.

Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ – Krebs on Security

Stealing this phrase - “AI is a Dunning-Kruger accelerator”

Excited to see cyberslop becoming a regular term on LinkedIn.

#mastoadmin Check and evict username ptorrone on your instances, he's making lots of accounts to get into conflict with somebody. Also, don't buy from Adafruit until they apologise.

On Thursday, this blog was released about CVE-2025-61757 in Oracle Fusion Middleware - OIM really

Breaking Oracle’s Identity Manager: Pre-Auth RCE (CVE-2025-61757) › Searchlight Cyber

Within 24 hours, it was added to CISA KEV 🤔

RE:

Infosec Exchange

John Hammond (@JohnHammond@infosec.exchange)

Attached: 1 image Uncovered screen recordings from threat actors! 👀 Real footage of cybercriminals using anti-detect browsers and infostealer m...

If you want to learn about how threat actors bypass MFA and security controls, this is a really good video. Spoiler: they just use infostealers. It’s 2x real threat actor videos, where the threat actor recorded themselves. From 2023. 1st is YouTube account takeover replaying session cookie 2nd is corporate Outlook email theft using session token, via GraphAPI. As I’ve said before, attackers live in Graph now (yes, it’s a pivot of John Lambert’s saying). View quoted note →

The Scattered Spider Lapsus Whatever people are posting phone shots of CrowdStrike systems. CrowdStrike says they had a malicious insider who has been terminated. I still think this cycle of having companies pay millions to Advanced Persistent Teenagers is stupid, as it is giving them stupid money to buy exploits and inside access - including at the very vendors who facilitate coverups (sorry typo, I meant to type incident response via legal privilege).