GossiTheDog

@GossiTheDog@cyberplace.social

Cybersecurity weather person and award winning shitposter. Shitposting is an anagram of Top Insights. You may be surprised to know I am not representing my employer here and these are not their opinions.

I have Direct Messages disabled - you can send them, but I will never receive them.

GossiTheDog, (edited ) to random

If you're looking for Black Basta samples, VirusTotal search: engines:blackbasta

Includes ransom notes, you can monitor victim chats from them. Other notes: filename:instructions_read_me.txt

#BlackBasta #ransomware #threatintel

GossiTheDog, to random

Black Basta have hit ABB. Their biggest victim so far, it’s bigger than Capita.

Not in article but Black Basta are using Qakbot via web links - eg SEO poisoning, fake browser updates.

#threatintel #qakbot #blackbasta

https://www.bleepingcomputer.com/news/security/multinational-tech-firm-abb-hit-by-black-basta-ransomware-attack/

GossiTheDog, to random

Cat is bagless - there’s a new version of #BPFDoor https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game

I’ve found it on orgs in Taiwan and Hong Kong so far.

GossiTheDog,

Still zero detections on Virustotal (and real world AV and EDR) 🥳

Vendors should aim to have robust detection for this, as it's a real world nation state implant used in a global surveillance operation used for SIGINT for about a decade (including inside and against the US)... which still nobody can be arsed to investigate.

GossiTheDog, to random

Vodafone deepens ties with Dubai amid national security concerns over Three deal https://www.telegraph.co.uk/business/2023/05/11/vodafone-deepens-ties-dubai-national-security-concerns/

GossiTheDog,

@dangoodin okay the picture is great

GossiTheDog, to random

Really good joint blog from NCSC and ICO calling on companies to not try to cover up ransomware, and be transparent about it. Share widely.

There will be follow up toots to this thread in the years to come about orgs who didn’t do this. https://www.ncsc.gov.uk/blog-post/why-more-transparency-around-cyber-attacks-is-a-good-thing-for-everyone

GossiTheDog,

Follow on, Director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security says of ransomware: "When most companies detect a cyber-intrusion, too often their default response is: call the lawyers, bring in an incident response firm, and share information only to the minimum extent required... this is a race to the bottom."
https://www.foreignaffairs.com/united-states/stop-passing-buck-cybersecurity

GossiTheDog,

@iterativesec I agree, but it shouldn't be.

GossiTheDog, to random

Really good blog by @recon_infosec on a new* ransomware group, with some interesting new detection opportunities - for example, they use Cloudflare for remote access rather than CobaltStrike - zero EDR and AV coverage. #threatintel

Pretty much certain some of the things in this will become common.

https://blog.reconinfosec.com/emergence-of-akira-ransomware-group

GossiTheDog,

Sophos MDR has a good write-up about two Akira ransomware incidents https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/

Key other learnings for me:

  • Radmin also used for remote access
  • Dwell time was 7 days and over 30 days

#threatintel

GossiTheDog, to random

Microsoft, one of the world’s most profitable companies - a story in two parts.

GossiTheDog, to random

TechCrunch published a story earlier today about Capita having an insecure S3 bucket. Capita claim the bucket is "industry standard practice" data, so I've published the file names. https://doublepulsar.com/capitas-standard-industry-practice-633gb-open-cloud-storage-5d87e7e96a70

GossiTheDog, (edited )

Your favourite Capita “information such as release notes and user guides, which are routinely published alongside software releases in line with standard industry practice” file

GossiTheDog, to random

From experience: if you create culture inside an org where you acknowledge security breaches happen, and place protecting customers and society at the heart of discussions, you will by proxy protect org from reputation damage, and employees, as everybody wants to do best thing.

There are always trade offs - but if you nail the culture, lead by CEO, intentions start from a good place.

Cybersecurity effectiveness isn’t just playing with technical toys. If you get culture wrong, outcomes are bad.

GossiTheDog, to random

PSA if this helps people - if you want a full Microsoft 365 subscription, with E5, test data etc - that you can add Defender MDE on too - for free, head here: https://developer.microsoft.com/en-us/microsoft-365/dev-program#Subscription

It's really good, you can test all the MS Office and security technology for free, access Threat Analytics (normally paywalled) etc.

GossiTheDog,

If you're wondering how to add Defender and all the E5 tools to above - go to admin.microsoft.com, Billing, Products, search for Enterprise Mobility, then click "Start free trial".

If you get a message about needing a valid company location, click the edit button, and enter 123 in the missing fields, then add it again.

You can then edit any user and add EMS E5, then visit security.microsoft.com


GossiTheDog, (edited ) to random

The #QueueJumper MSMQ vuln is a great find. I don’t know if there’s much knowledge in InfoSec about MSMQ but it’s very widely used in middleware - eg pretty much all the main Siemens ICS products use it.

https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/

GossiTheDog,

Pretty funny easy query to know if a #QueueJumper request is internet scanning or malicious - it filters out internet scanning. A month since publication, I haven't seen any in the wild exploitation (even just crashing the service, which is ridiculously easy).

VMConnection                      // VM insights network connection table
| where ProcessName == "mqsvc"    // only connections handled by the MSMQ service
| where BytesSent <> 572          // drop the fixed-size probe sent by internet scanners
| where BytesSent <> 0            // drop connections that never sent data

MDE AHQ for exploitation: https://github.com/GossiTheDog/ThreatHunting/blob/master/AdvancedHuntingQueries/QueueJumper.ahq

GossiTheDog, to random

The Guardian (who are themselves working out of a pub still due to a ransomware attack in December 2022) are reporting (a major IT supplier) have an "IT incident", staff have been told to not use VPN, and they are working with pen and paper since this morning. Thread follows. https://www.theguardian.com/business/2023/mar/31/capita-it-systems-fail-cyber-attack-nhs-fears?CMP=share_btn_tw

GossiTheDog,

The Sunday Times newspaper has a big feature about ransomware today, featuring me, @ciaranmartin, @brett

I just want to call out this bit about Capita and say their failure to acknowledge the fact they lost security vetting data impacts real people, at a scale way bigger than one person - I think it is ethically poor that Capita just deny stuff that matters.

https://www.thetimes.co.uk/article/how-hackers-are-recruiting-on-the-dark-web-mpl2hvsss

GossiTheDog,

#Capita have issued a market update and confirmed data exfiltration. They wordsmith it to be data exfil from 0.1% of their server estate, rather than data volume or what was taken. They also use the cyberattack update to boast revenue wins.


GossiTheDog,

However, the company could use the cyber attack to its advantage, he added.

“If Capita is smart it’ll come out of this saying we’ve more experience of handling this than anybody else, you should be using us, because we know what we’re doing and we employ leading experts in this field,” Rawlinson said.

Lmao, that’s one take.

https://www.ft.com/content/20aa4844-2ebe-44dc-9550-7d950150e784