Kevin Beaumont
I used to think Richard and David Attenborough were the same person. Cybersecurity at Microsoft. Personal account.
23 Jul
Insecure (read: no passwords) Elastic, MongoDB, Redis and Cassandra file stores/databases are being wiped worldwide, with the 'meow' being inserted in the place of records.
The word meow, that is.
19 Jun
Some quickfire thoughts on the Australian cybersecurity breaches situation:

- The ACSC report is world leading. Their work on incident response and publicly releasing info is really excellent.

- Every part of this is publicly released offensive security tooling.
- The attackers didn't even compile tools, e.g. for priv esc they used precompiled binaries from the original author's GitHub pages.

- Detection of web shells needs to be a focus for defenders and industry.
- While orgs are tracking OS patching nowadays, application patching = ehhhhhh still. It's a very large gap attackers keep exploiting. Patching SharePoint and such is a pain, orgs maybe need additional controls (WAFs etc).

- Patching of firmware on security appliances = same.
18 Mar
A thread for tracking Internet bandwidth in the age of Coronavirus.

In Manchester, we only see a modest leap in bandwidth this week so far, I'd say tracking for a ~20% increase. The spike last week was caused by the Call of Duty battle royale update and Champions League streaming.
Here's the 7-day track for Manchester if anybody's interested, we're crossing 100Gbps today but there is plenty of spare capacity on top of that (magnitudes more).
In terms of dropped routes there's been no outages. Also been keeping in contact with people at different cloud companies, they've had no issues at a top level with bandwidth and overall capacity.
17 Mar
Gatwick, Heathrow, and the Manchester Airport want a government bailout. bbc.co.uk/news/live/worl…
Transport for London will seek a bailout itv.com/news/london/20…
12 Mar
I’ve lost the tweet I made in January, but 2020 is going to be the year countries find out how vulnerable they are due to running on empty for so long.

Companies have stripped everything back to maximise profit margins, and countries have outsourced everything to said companies.
It’s really been fascinating working for the last few decades as I’ve seen orgs pile on debt, outsource to MSPs and run on empty.

It’s why no deal Brexit was so threatening to many orgs, they couldn’t cope with any external change.
President Trump is almost the perfect leader for this situation, as he’s the embodiment of everything wrong in human, flesh and blood form.

He’s The Architect of a capitalist Matrix which is going to glitch the fuck out.
8 Mar
It's been several months since Travelex got ransomware'd by REvil on December 31st, so I decided to check how their bank currency services look.
Their parent company, Finablr, is currently trading at 40p per share. Travelex say "Certain financial reporting tools were unavailable for part of January, as a result of which the publication of Travelex's FY19 results is now expected to be from mid-April."
Finablr (Travelex parent company) will be downgraded from the FTSE 250 following an index review last week. They are also warning investors of a £25m profit hit primarily due to ransomware incident. (They originally said no impact).
4 Mar
Quick thread on Cathay Pacific, a Hong Kong based airline, getting maximum possible pre-GDPR fine from @iconews in UK for a data breach:
- The ICO finding says the breach spanned 4 years but was undetected during this time.

- It was eventually detected when they spotted credential stuffing causing Active Directory accounts to lock out, at which point they hired an external security company.
- The external cybersecurity firm found two live attackers on the network, who had access for years.

- 9.4m data records were impacted by the breach. Data included passport numbers and other sensitive PII.
19 Feb
A thread of ballache things from doing security at enterprises for decades, which need improvement.
I used to run vulnerability management @coopuk; with a team of 3, a significant amount of time was spent trying to keep the $VENDOR tool working, chasing firewall rules for scanning, change requests for scanning etc.
Having vuln mgmt is half the battle, the next is trying to get the business to do anything.

It's difficult to give the business access to data and to demonstrate remediation steps. PDF reports look like a cat shat in a litter box, ate the shite, then shat it back out.

Needs easier actionability.
11 Feb
Free threat intel - I am seeing increased exploitation of CVE-2019-0604 (SharePoint vuln from early 2019) in the wild for malicious activity. A thread about what I'm seeing.
Through BluePot we can see IIS is being used to spawn commands to run PowerShell. Previous public exploits didn't work like this, so it looks like somebody has new, simple exploit tools.
This one is a key IOC - IIS spawning *.cmdline files.

Image: c:\windows\system32\inetsrv\w3wp.exe
TargetFilename: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\9bc31a32\c4f96d3e\*.cmdline
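As an added example (not code from the thread or from BluePot), a small Python detector that applies the IOC above to Sysmon FileCreate-style events carrying Image and TargetFilename; the 'Field: value|Field: value' log layout and the sample lines are constructed assumptions, with the hash directories taken from the IOC as posted.

```python
import re

# Sysmon FileCreate (Event ID 11) carries Image and TargetFilename, the two
# fields in the IOC. Matching is case-insensitive because Windows paths are.
IIS_WORKER = re.compile(r"\\inetsrv\\w3wp\.exe$", re.IGNORECASE)
ASPNET_CMDLINE = re.compile(r"\\temporary asp\.net files\\.*\.cmdline$", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Parse one constructed 'Field: value|Field: value' log line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def is_iis_cmdline_drop(event: dict) -> bool:
    """True when the IIS worker process writes a *.cmdline file under the
    ASP.NET temporary compilation directory, i.e. the IOC from the thread.
    Caveat: ordinary ASP.NET dynamic compilation can also write these files,
    so baseline which hosts legitimately compile before alerting on every hit."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return bool(IIS_WORKER.search(image) and ASPNET_CMDLINE.search(target))


def find_hits(lines) -> list:
    """Return the TargetFilename of every event in `lines` that matches the IOC."""
    events = [parse_event(line) for line in lines]
    return [e["TargetFilename"] for e in events if is_iis_cmdline_drop(e)]


# Constructed sample telemetry (not real logs). Lines 1 and 4 should fire:
# the worker process path and extension differ only in case. Line 2 is the
# worker writing a non-.cmdline file; line 3 is a .cmdline file from another process.
SAMPLE_LOG = [
    r"EventID: 11|Image: c:\windows\system32\inetsrv\w3wp.exe|TargetFilename: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\9bc31a32\c4f96d3e\ab12cd34.cmdline",
    r"EventID: 11|Image: c:\windows\system32\inetsrv\w3wp.exe|TargetFilename: C:\inetpub\wwwroot\App_Data\cache.bin",
    r"EventID: 11|Image: C:\Windows\explorer.exe|TargetFilename: C:\Users\alice\Desktop\build.cmdline",
    r"EventID: 11|Image: C:\Windows\System32\inetsrv\W3WP.EXE|TargetFilename: c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\root\9bc31a32\c4f96d3e\ef56ab78.CMDLINE",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("IOC hit:", hit)
```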
27 Jan
Big change coming to Windows Server this March - insecure LDAP requests will be rejected by default. That's a change in behaviour which will absolutely break things in some orgs.

How to get in front of the issue: opensecurity.global/forums/topic/2…
To give context, at all the orgs I've worked at there's been tools doing insecure LDAP - e.g. VPN appliances, photocopiers etc.
Depending on your MS stack maturity, Azure Sentinel has a built in dashboard which shows unencrypted LDAP. It's also visible in MS Advanced Threat Analytics (thank you @MrYiff).
14 Jan
I love the infosec, vendor and press fight between Microsoft and NSA and hype trains and whatever the fuck.

The patch for the crypto thing is included in the roll up. You have to install it to patch. So, don’t panic, just do the usual patching.

Having a tribal war is funny tho
There’s some incentives around press coverage, vendor scares etc, along with tribalism and human condition concerns. My take: ignore it all, keep calm, carry on and do the needful.
The only actual impacts from Meltdown and Spectre were orgs rushing out patches into production without testing and breaking their services, by the way, as a reminder. Doing the needful includes the usual cycle of assessing severity for your org, testing etc.
9 Jan
Some of the biggest and most costly breaches in recent memory caused by 20 year old security bugs in security products by security vendors:

- Fortigate SSL VPN.
- Citrix ADC (SSL VPN).
- Pulse Secure (SSL VPN).

In each case they all lacked basic security mitigations.
We’re literally talking ../ directory traversal, no security Perl scripts allowing writes and vendor backdoors.

These were problems when I began in the late 90s.

These are easily solvable issues, too. Basic mitigations exist.
These products are huge in enterprise, just about every large org or gov use them.

It’s a genuinely huge issue, 2020 is going to be the year huge companies fall due to their vendors’ lack of responsibility, and their customers’ lack of patching.

Build better or buy better. 🔨
2 Jan
There’s a Beeb piece here. bbc.co.uk/news/business-…
Will be interesting to see which bit of Travelex got owned. They operate an FCA regulated B2C payment platform built in AWS (but law of averages would point more towards Emotet or some such on Windows). hostingjournalist.com/video/travelex…
30 Dec 19
EmoPot Emotet honeypot activity - on Boxing Day at 11am UTC, somebody ran @harmj0y's PowerView via this command. Also used by PSReflect by @mattifestation.
@harmj0y @mattifestation They exfiled various things to an email address:
@harmj0y @mattifestation This isn't the juicy one btw, I also have somebody trying to lateral move around a fake company to ransom it :D But I don't wanna blow up the honeypot yet by tweeting it.

Back to this one - security vendors might want to flag this URL. virustotal.com/gui/url/e602e3…
25 Dec 19
The University of Maastricht cyberattack is big game ransomware, they’ve deployed on Christmas Eve and basically fully burnt down their network, similar tactics to Norsk Hydro by looks of it (lateral movement, get DA etc).

Feel bad for them as it's going to be a long road to recovery.
To the attackers: Xmas eve? Really?
University of Maastricht has an update, they're now calling it ransomware, say they're engaging external parties to aid recovery and looking to rebuild in a robust way for future.

All systems are offline with no ETA for restoration.

Good luck, staff!

maastrichtuniversity.nl/news/update-cy…
17 Dec 19
While I think Twitter can be a nightmare hellscape, especially for mental health at times, I do want to talk about how I think it has improved my life at times. A thread.
It’s taught me I’m not an expert at almost everything, and I am usually better if I shut up and listen. I’ve not nailed this yet.
Conversely, it’s also taught me it’s okay to talk to people. I’m quite shy in real life. This platform has enabled me to get involved with people and things I wouldn’t normally do, and my life has been better for it.
12 Dec 19
PSA: Windows Firewall is included in Windows, it's been around for over a decade, it's enabled by default, it's very easy to manage via Group Policy etc, it's extremely feature rich, and it's a great defense control against worms, ransomware etc. Don't just disable it.
You can control everything centrally with Group Policy, it's all free. You can even not bother with techy details like port numbers; you can allow programs, packages or services instead for ease of management.
You can even restrict certain things (e.g. SMB, WMI etc) to select Computers and Users. You can also use Groups to control this, e.g. allow jumpboxes, trusted admins etc through AD Groups. Super simple to administer, just do it.
12 Nov 19
Pemex, the world’s second largest non-publicly listed company is offline globally due to ransomware. Largest tax contributor to Mexican government. Looks to be big game ransomware group again.
They’ve been offline since the weekend and I understand are effectively wiped out. reuters.com/article/us-mex…
I realise Pemex have issued a statement denying it, but they be lying. AV industry should add detection for this: virustotal.com/gui/file/f77b3…
27 Aug 19
Imperva announce breach of their WAF product, dates back to 2017, includes SSL certificates (potentially breaking end to end encryption) imperva.com/blog/ceoblog/
If anybody understands the backstory behind this please DM me, I'm struggling to understand what the blog post means.
Imperva have a blog detailing what happened. Tl;dr is they made a mistake similar to Capital One it appears, they also found out via bug bounty. I’m a huge fan of vendors publicly detailing investigations, it lets us all learn. imperva.com/blog/ceoblog/
22 Aug 19
Fortigate Fortinet SSL VPN has been exploited in the wild since last night at scale using a 1996-style ../../ exploit - if you use this as a security boundary, you want to patch ASAP opensecurity.global/forums/topic/1…
There's only half a million of these online :D
There's also a backdoor in the Fortigate SSL VPN appliance where there's a forms parameter called "magic" which allows anybody to reset any user's password remotely, as seen in the GIF below. These are our SECURITY vendors.
30 Jul 19
The Capital One thing is going to be a PR nightmare for Amazon and cloud vendors as the suspect is a former AWS staff member, and they appear to have (based on the Slack) targeted multiple AWS customers.

AWS need to go back and see what she was doing during employment methinks.
Also, AWS probably urgently need some form of default enabled logging of S3, even if just for internal usage.
Based on their Slack they appear to have been mass exfiling FinTech, telco and education orgs via cloud, apparently nobody noticed until they told somebody on Twitter via DM (per indictment).

Will be interesting to see how this plays out, lax security controls in this area.