Share this page!

Greg Linares Profile picture
Twitter logo
Mar 2 8 tweets 2 min read
Helped uncover a massive cyber incident today affecting multiple residential complexes and built in switches and infrastructure.

It appears the attackers were trying to reroute and intercept numerous individuals WFH residential traffic.

Add this to your threat list
Residential complexes have their own built in routing for fiber.

After plugging in a new device into the residential facility preconfigured using ISP setup, after 24 hours noticed unknown devices being directly connected to subnet of the victims router.
Victims router was then exploited and administrative password was changed, additional devices were allowed by MAC address to join subnet of targeted victim

Looking over pcaps revealed that entire network in residential was turned into a flat network with no guest isolation.
Confirmed with ISP today that this was not intentional, and that switch configurations were not in original state and that default remote administrative passwords on many of them were changed.

Another review of pcap logs revealed attempted https spoofing, layer 2 attacks
Being delivered by devices connected remotely who were bridging themselves into each switch and subnet systematically. They spent extra time on a few locations and then allowed themselves to reconnect and join via MAC
They specifically denied VPNs from connecting, changing any victim who connected via VPN a bad gateway.

Got to watch this happen in real time.

This is essentially the same as blasting your victims MFA with requests until they accept. Users turned off VPN to work
ISP is not throwing out the possibility of hybrid physical and cyber incidents being employed here.

They said they are beefing up the physical protection of this and other units and will be inspecting other properties as well.
Reminder: If you plug directly into an ethernet connection in your apartment/condo - that switch is *somewhere* and likely out of your control.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Greg Linares

Greg Linares Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Laughing_Mantis

Greg Linares Profile picture
Mar 3
PSA If you haven't focused on the #Nvidialeaks and you work with any defense in depth teams, please take the time to today

For ones it appears Nvidia driver signing controls & certs were leaked & private API that allows for potential abuse

Attackers already planning to use this
Read 8 tweets
Greg Linares Profile picture
Dec 20, 2021
#Log4J Worm is ITW

@vxunderground has a sample of the self propagating worm using log4j as a vector.

It installs a Mirai bot which makes sense to targeting embedded Linux devices

Looks like it uses user-agent for exploitation and modifies the binary before sending (?)
From what I can quickly reverse engineer it looks like this malware is targeting mainly Huawei routers

Very very similar to CVE-2017-17215

For reference:

securitynews.sonicwall.com/xmlpost/new-wa…
This variant will quickly get modified and used and repurposed to exploit other hardware and devices.

Welcome to the age of the log4j worms everyone.

🪵🪱
Read 9 tweets
Greg Linares Profile picture
Dec 19, 2021
This is a reminder to ask my friends here, please take Omicron seriously.

As someone who has dealt with having chronic illness for years that are nearly identical to long COVID symptoms; it is really really hard

Quality of life is something you don't appreciate until it's lower
I have #fibromyalgia and some days I can't physically get out of bed, and that's because of pain, or fatigue.

My pain comes in 2 types:
Phantom Sunburn
Torture Compression

The 1st feels identical to like an Arizona sunburn, except no skin color and putting on aloe doesn't help
The crushing feels like having rubber bands on your limbs that keeps getting tighter and tighter and you can't take them off.

Sometimes I imagine a steamroller crushing my legs is how it feels.

And these are not my worse symptoms

The fatigue is what kills me.
Read 8 tweets
Greg Linares Profile picture
Dec 13, 2021
#log4j theoretical worm depending on propegation speed might just blend in with the noise for a while.

Ideally right now reducing attack surface should be everyone's top priority

Unfortunately we are dealing with a bug with unprecedented vectors.
Everyone right now shouldn't even focus on worm capabilities because exploitation is so wide spread right now it doesn't even increase your risk level, attackers are doing nearly identical to what worm activity would be like.

Traffic congestion and network bottlenecking tho...
Historically if we look at worm activity it took roughly a week to 14 days for them to be widespread & developed

However those in the past didn't use logic flaws & required memory corruption exploits which are less reliable & complex payloads.

This is much lower skill ceiling
Read 5 tweets
Greg Linares Profile picture
Dec 12, 2021
#Log4J based on what I've seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours.

Self propagating with the ability to stand up a self hosted server on compromised endpoints.

In addition to spraying traffic, dropping files, it will have c2c
Biggest hurdle appears to be implementing a JDK gadget to enable code execution on limited env.

That is currently being researched by several groups.
Honestly I'm kinda surprised it isn't finished yet, but I have seen at least 3 groups (Eastern euro, .ru and .cn) that are investigating options to do this.

Goals appear varied: financial gain via extortion as well as selling access to compromised hosts to RaaS groups
Read 7 tweets
Greg Linares Profile picture
Dec 12, 2021
#Log4J Data Exfiltration & Env Var List 🧵

I will use this thread to discuss env variables I have seen being used in the wild alongside log4j exploitation from both remote & in local subnets

This isn't a complete list but it will give you an idea what attackers are looking at
In addition to the AWS variables I have discussed earlier I am also seeing these:

For Hadoop I am seeing threat actors attempt to query the following env vars

HADOOP_HOME
HADOOP_CLIENT_OPTS
HADOOP_SHELL_EXECNAME
HADOOP_USER_PARAMS
HADOOP_SECURE_CLASSNAME
HADOOP_SECURE_USER
For postgress I am seeing several attempts:

PGPASSWORD
PGDATABASE
PGPASSFILE
PGHOST
PGSSLKEY
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @Laughing_Mantis has new unrolls!

Check out other threads from @Laughing_Mantis!

Read all threads by @Laughing_Mantis

:(