Austin Larsen
austinlarsen.me
Austin Larsen
@austinlarsen.me
Principal Threat Analyst - Google Threat Intelligence Group
Reposted by Austin Larsen
Join @austinlarsen.me and me next Tuesday for a deep-dive into PRC-nexus threat actor capabilities! Learn about advanced social engineering tactics, novel malware delivery, and strategies to defend your organization.

www.brighttalk.com/webcast/7451...
September 9, 2025 at 10:49 PM
Reposted by Austin Larsen
A story in two acts
September 1, 2025 at 8:39 PM
Reposted by Austin Larsen
Major Update: We now believe this incident impacts other Salesloft Drift integrations, not just Salesforce. We’re advising Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.
An actor we are tracking as UNC6395 is targeting Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. This is ongoing and widespread. cloud.google.com/blog/topics/...
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift | Google Cloud Blog
A widespread data theft campaign targeting Salesforce instances via the Salesloft Drift third-party application.
cloud.google.com
August 29, 2025 at 2:43 PM
Reposted by Austin Larsen
A threat actor (UNC6395) is accessing Salesforce accounts and data through the Salesloft Drift AI chat agent

cloud.google.com/blog/topics/...
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift | Google Cloud Blog
A widespread data theft campaign targeting Salesforce instances via the Salesloft Drift third-party application.
cloud.google.com
August 26, 2025 at 5:19 PM
Reposted by Austin Larsen
An actor we are tracking as UNC6395 is targeting Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. This is ongoing and widespread. cloud.google.com/blog/topics/...
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift | Google Cloud Blog
A widespread data theft campaign targeting Salesforce instances via the Salesloft Drift third-party application.
cloud.google.com
August 26, 2025 at 4:44 PM
Reposted by Austin Larsen
July 29, 2025 at 10:06 AM
New @mandiant.com research: UNC6032 (Vietnam-nexus actor 🇻🇳) is exploiting interest in AI tools, using fake AI video generator sites & malicious ads to spread malware.

The campaign, active since mid-2024, aims to steal credentials, cookies & financial data.
May 28, 2025 at 8:40 PM
Reposted by Austin Larsen
🚨 Heads up! 🚨 APT41 is using Google Calendar 🗓️ as their latest C2 trick. GTIG just pulled back the curtain 🎭 on the TOUGHPROGRESS malware campaign and how we shut it down 💪. Dive into the details here: 🚀https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
May 28, 2025 at 2:11 PM
Reposted by Austin Larsen
Confirming that CISA has stopped using VirusTotal and Censys.

"Makes their jobs a lot harder," a person familiar with the matter told me, adding, "There's a possibility that more services might be limited or cut due to budget."
April 18, 2025 at 5:39 PM
Reposted by Austin Larsen
Excellent breakdown of the “Rogue RDP” TTP we’ve seen susp Russian APT UNC5837 using in their campaigns written by my colleague Rohit (@IzySec over on X)
Windows Remote Desktop Protocol: Remote to Rogue | Google Cloud Blog
A novel phishing campaign by Russia-nexus espionage actors targeting European government and military organizations.
cloud.google.com
April 7, 2025 at 3:06 PM
Reposted by Austin Larsen
In 25 years of covering national security, I’ve never seen a story like this: Senior Trump officials discussed planning for the U.S. attack on Yemen in a Signal group--and inadvertently added the editor-in-chief of The Atlantic. www.theatlantic.com/politics/arc...
The Trump Administration Accidentally Texted Me Its War Plans
U.S. national-security leaders included me in a group chat about upcoming military strikes in Yemen. I didn’t think it could be real. Then the bombs started falling.
www.theatlantic.com
March 24, 2025 at 4:11 PM
🚨 Following a months-long investigation stemming back to mid-2024, Mandiant just published details on a campaign by China-nexus actor UNC3886 targeting Juniper routers. Our investigation uncovered a custom malware ecosystem on end-of-life Juniper MX devices.
cloud.google.com/blog/topics/...
Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers | Google Cloud Blog
We discovered China-nexus threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers.
cloud.google.com
March 12, 2025 at 7:36 PM
Reposted by Austin Larsen
Hundreds protested at the national labs today in Boulder, Colorado. #SaveOurServices #resist #NOAA #NIST #NCAR #ScienceSavesLives
March 3, 2025 at 8:34 PM
Reposted by Austin Larsen
Today was a grim, terrible day for the United States and the cause of democracy. Putin, along with other dictators around the world, can finally look at Trump with confidence and think: one of us.

www.theatlantic.com/ideas/archiv...
It Was an Ambush
Today marked one of the grimmest days in the history of American diplomacy.
www.theatlantic.com
March 1, 2025 at 12:56 AM
Reposted by Austin Larsen
A 21-year-old U.S. Army soldier linked to last year's Snowflake attack spree allegedly tried to sell stolen data to a foreign intelligence service after searching for information about how to defect to Russia. Hat tip to @nixonnixoff.bsky.social @austinlarsen.me cyberscoop.com/army-soldier...
Army soldier linked to Snowflake attack spree allegedly tried to sell data to foreign spies
Federal prosecutors accuse Cameron Wagenius of searching how to defect to Russia days after he tried to sell stolen data to a foreign intelligence service.
cyberscoop.com
February 27, 2025 at 11:02 PM
Reposted by Austin Larsen
The no-opsec Army guy who was part of the group that leaked Trump's call logs (and worse, threatened me) google searched how to defect to Russia and "can hacking be treason" 💀💀💀💀

He was never going to get away.
February 27, 2025 at 1:18 AM
Reposted by Austin Larsen
For the US to side with Russia and North Korea to oppose a UN resolution condemning the illegal invasion of Ukraine defies all common sense and adds insult to the countless injuries suffered by the brave Ukrainian people. edition.cnn.com/2025/02/24/p...
US joins Russia to vote against UN resolution condemning Russia’s war against Ukraine | CNN Politics
The United States joined Russia to vote against a UN General Assembly resolution condemning Russia’s war against Ukraine Monday in a stunning shift from years of US policy.
edition.cnn.com
February 25, 2025 at 9:29 AM
Reposted by Austin Larsen
Today, Google Threat Intelligence is alerting the community to increasing efforts from several Russia state-aligned threat actors (GRU, FSB, etc.) to compromise Signal Messenger accounts.

cloud.google.com/blog/topics/...
Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog
Russia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.
cloud.google.com
February 19, 2025 at 11:05 AM
Reposted by Austin Larsen
DHS has terminated the memberships of everyone on its advisory committees.

This includes several cyber committees, like CISA's advisory panel and the Cyber Safety Review Board, which was investigating Salt Typhoon.

That review is "dead," person familiar says.

www.documentcloud.org/documents/25...
January 21, 2025 at 8:43 PM
Reposted by Austin Larsen
A bug in Cloudflare (and just the nature of how CDNs work) let an attacker learn the broad location of Discord, Signal, Twitter users by just sending them an image, according to a security researcher. It works by checking which data center cached the image www.404media.co/cloudflare-i...
Cloudflare Issue Can Leak Chat App Users' Broad Location
A security researcher made a tool that let them quickly check which of Cloudflare's data centers had cached an image, which allowed them to figure out what city a Discord, Signal, or Twitter/X user mi...
www.404media.co
January 21, 2025 at 2:40 PM
Reposted by Austin Larsen
"FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the identities of confidential informants."
www.bloomberg.com/news/article...
FBI Has Warned Agents It Believes Hackers Stole Their Call Logs
FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the ...
www.bloomberg.com
January 16, 2025 at 7:19 PM
Reposted by Austin Larsen
🔥 new blog detailing 0day exploitation of Ivanti appliances as well as some newly observed malware families tracked as PHASEJAM and DRYHOOK. We also detail activity related to the previously observed SPAWN* malware ecosystem tied to China-nexus cluster UNC5337.

cloud.google.com/blog/topics/...
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.
cloud.google.com
January 9, 2025 at 12:42 AM
🚨 New: Zero-day vulnerability #CVE-2025-0282 in Ivanti Connect Secure VPN is being actively exploited, including by suspected China-nexus cyber espionage groups. Our team at Mandiant in partnership with Ivanti just published our initial findings. 🧵
cloud.google.com/blog/topics/...
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.
cloud.google.com
January 9, 2025 at 12:42 AM
Reposted by Austin Larsen
Probably the most comprehensive narrative to date about the Volt and Salt Typhoon campaigns.
How Chinese Hackers Graduated From Clumsy Corporate Thieves to Military Weapons
Massive “Typhoon” cyberattacks on U.S. infrastructure and telecoms sought to lay the groundwork for potential conflict with Beijing, as intruders gathered data and got in position to impede response a...
www.wsj.com
January 5, 2025 at 7:49 PM