Credential-stuffing waves against regional banks
Three months of honeypot telemetry, read as a field report: the tooling attackers reach for first, the hours they favour, and the login flows that hold the line.
FIELD NOTES
Threat intel, DFIR write-ups, and advisories from the OpasSecure response desk — written the way we brief a client at 3 a.m.
Reconstructing the timeline after staging directories and event logs are wiped — what still survives in volatile memory, and how to lift it cleanly.
Affected builds, the detection opportunities in your existing logs, and the interim mitigations to apply before the maintenance window.
Over-broad roles, dormant access keys, and trust policies that quietly widen the blast radius — the five patterns that recur across engagements.
What the source of a commodity kit tells you about the operator behind it — exfil endpoints, reused templates, and the tells that unmask a campaign.
The methodology reads clean on paper. Here is how the phases actually sequence when the pager goes off and the clock is already running.
The acquisition order, the artefacts worth pulling before shutdown, and the chain-of-custody notes that keep the evidence admissible later.