Greg Linares (Laughing Mantis)
Nov 4 · 13 tweets · 3 min read
12 years ago my life was saved by Hurricane Sandy when I was supposed to be in a building performing incident response that got blown up.

There are not many public stories of physically targeted incidents directly related to cybersecurity but they exist.

This is the story
In August of 2012, Kaspersky and Symantec both discovered a relatively new malware named W32.DistTrack; this would later be infamously known as the Shamoon Wiper.

It's now public that Shamoon hit several Middle Eastern companies including Saudi Aramco.

I was on the original IR team
As now disclosed by others who were on the team, the attack probably originated by targeting IT workers and was planned for months. The delivery mechanism was advanced and tailored specifically to each target.

In October of 2012 I was asked to go to Saudi Arabia to do IR
My passport had recently expired and I didn't have shots for Saudi (always, always get your shots; I had a friend who died from meningitis because he didn't get a shot going overseas).

A $600 bill from Passport Health and an overnight passport renewal in DC later, I was set to go.
We got an email to coordinate and meet at a tractor showroom, likely because the customer didn't want large groups of various experts coming in and making it look like a crisis was happening at their main facility. Keep in mind none of this was public at the time.
I was in DC when Hurricane Sandy hit. If you were as well, you know how bad it was: the airport flooded, and the highway between Baltimore and DC was inaccessible. My flight late on October 30th, to land and be on site, was cancelled.

I stayed in DC to take the next available flight
October 31st, just after 11 pm, I had my security officer call me frantically.

My security officer was one of my fave people; during his time in intelligence he was at the Berlin Wall when it fell - he had the best stories.
SO: "Greg, you answered, holy shit, are you safe, do you need an extraction"

Me: "Hey, I'm ok, the hurricane wasn't that bad."

SO: "Wtaf are you talking about? Are you ok after the explosion?"

Me: ???

SO: "Where are you?"

Me: "My flight got cancelled, I'm still stateside."
When I managed to get back to our office (it took a whole day because the highway was screwed), my SO greeted me, had me sit down in the office, and told me about the situation.

Roughly at 7:10 am Riyadh time a fuel truck blew past 2 security barriers and hit an overpass.
The overpass was right next to the Zahid tractor showroom, which was exactly where we had chosen to coordinate that morning at 7 am.

This explosion flattened the entire building: 120+ injured, 25+ dead.

Many of them were the people I was scheduled to interface with.

Here is the aftermath [three photos in the original thread].
Of course no terrorism exists in the great country of Saudi Arabia, so we were assured this was an isolated accident.

My SO's investigation came to other conclusions, particularly regarding the air-to-fuel ratio of the truck involved. IYKYK.
I will leave it up to the reader to draw their own conclusions as to who did this and why, but from our investigations it was likely an attempt against future capabilities.

Regardless, these things happen. We don't talk about them openly, but they happen (research the MITRE incident).
Sadly Twitter killed half of this thread, but I will say that the more pivotal cyber becomes to critical components, the more we will see the crossover of physical events directly impacting the livelihood of people in cybersecurity.
