- The attackers didn't even compile tools, e.g. for priv esc they used precompiled binaries from the original author's GitHub pages.
- Detection of web shells needs to be a focus for defenders and industry.
- While orgs are tracking OS patching nowadays, application patching = ehhhhhh still. It's a very large gap attackers keep exploiting. Patching SharePoint and such is a pain, orgs maybe need additional controls (WAFs etc).
- Patching of firmware on security appliances = same.
A thread for tracking Internet bandwidth in the age of Coronavirus.
In Manchester, we only see a modest leap in bandwidth this week so far, I'd say tracking for a ~20% increase. The spike last week was caused by the Call of Duty battle royale update and Champions League streaming.
Here's the 7-day track for Manchester if anybody is interested, we're crossing 100Gbps today but there is plenty of spare capacity on top of that (magnitudes more).
In terms of dropped routes there's been no outages. Also been keeping in contact with people at different cloud companies, they've had no issues at a top level with bandwidth and overall capacity.
It's been several months since Travelex got ransomware'd by REvil on December 31st, so I decided to check how their bank currency services look.
Their parent company, Finablr, is currently trading at 40p per share. Travelex say "Certain financial reporting tools were unavailable for part of January, as a result of which the publication of Travelex's FY19 results is now expected to be from mid-April."
Finablr (Travelex parent company) will be downgraded from the FTSE 250 following an index review last week. They are also warning investors of a £25m profit hit primarily due to ransomware incident. (They originally said no impact).
A thread of ballache things from doing security at enterprises for decades, which needs improvement.
I used to run vulnerability management @coopuk, with a team of 3 a significant amount of time was spent trying to keep $VENDOR tool working, chasing firewall rules for scanning, change requests for scanning etc.
Having vuln mgmt is half the battle, the next is trying to get the business to do anything.
Difficult to give business access to data, and demonstrating remediation steps. PDF reports look like cat shat in litter box, ate the shite, then shat it back out.
I love the infosec, vendor and press fight between Microsoft and NSA and hype trains and whatever the fuck.
The patch for the crypto thing is included in the roll up. You have to install it to patch. So, don’t panic, just do the usual patching.
Having a tribal war is funny tho
There’s some incentives around press coverage, vendor scares etc, along with tribalism and human condition concerns. My take; ignore it all, keep calm, carry on and do the needful.
The only actual impacts from Meltdown and Spectre was orgs rushing out patches into production without testing and breaking their services, by the way, as a reminder. Doing the needful includes the usual cycle of assessing severity for your org, testing etc.
Will be interesting to see which bit of Travelex got owned. They operate an FCA regulated B2C payment platform built in AWS (but law of averages would point more towards Emotet or some such on Windows). hostingjournalist.com/video/travelex…
The University of Maastricht cyberattack is big game ransomware, they’ve deployed on Christmas Eve and basically fully burnt down their network, similar tactics to Norsk Hydro by looks of it (lateral movement, get DA etc).
Feel bad for them as going to be long road to recovery.
To the attackers: Xmas eve? Really?
University of Maastricht has an update, they're now calling it ransomware, say they're engaging external parties to aid recovery and looking to rebuild in a robust way for future.
All systems are offline with no ETA for restoration.
While I think Twitter can be a nightmare hellscape, especially for mental health at times, I do want to talk about I think it has improved my life at times. A thread.
It’s taught me I’m not an expert at almost everything, and I am usually better if I shut up and listen. I’ve not nailed this yet.
Conversely, it’s also taught me it’s okay to talk to people. I’m quite shy in real life. This platform has enabled me to get involved with people and things I wouldn’t normally do, and my life has been better for it.
PSA: Windows Firewall is included in Windows, it's been around for over a decade, it's enabled by default, it's very easy to manage via Group Policy etc, it's extremely feature rich, and it's a great best defense control against worms, ransomware etc. Don't just disable it.
You can control everything centrally with Group Policy, it's all free. You can even not bother with techy details like port numbers; you can allow programs, packages or services instead for ease of management.
You can even restrict certain things (e.g. SMB, WMI etc) to select computers and users. You can also use groups to control this, e.g. allow jumpboxes, trusted admins etc through AD groups. Super simple to administer, just do it.
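The controls described above, written out with the NetSecurity cmdlets that ship with Windows, as an added example that is not part of the original thread. The domain name `corp.example`, the GPO name `Workstation Firewall`, the AD group `Jumpboxes`, the jumpbox subnet `10.10.5.0/24` and the agent path are assumptions to be replaced; the cmdlets and parameters (`-Program`, `-Service`, `-RemoteAddress`, `-RemoteMachine`, `-Authentication`, `-PolicyStore`) are the real ones.

```powershell
# Added example, not the thread author's code. Run from an elevated PowerShell
# on a domain-joined host with the Group Policy tools installed.
# ASSUMED names: corp.example, "Workstation Firewall" GPO, CORP\Jumpboxes group,
# 10.10.5.0/24 jumpbox subnet, C:\Program Files\ExampleAgent\agent.exe.

# Target a GPO rather than the local policy store so every rule below is
# delivered centrally. Drop -PolicyStore to test on the local machine first.
$Store = 'corp.example\Workstation Firewall'

# 1. Baseline: firewall on for every profile, inbound blocked unless a rule allows it.
Set-NetFirewallProfile -PolicyStore $Store -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Allow by program instead of port number: whatever the agent listens on is allowed,
#    nothing else on that port is.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'Allow Example Agent (program)' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Program 'C:\Program Files\ExampleAgent\agent.exe'

# 3. Restrict SMB (TCP 445) to the jumpbox subnet. Simplest form: by source address.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'SMB in from jumpboxes (subnet)' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort 445 -RemoteAddress '10.10.5.0/24'

# 4. Restrict WMI to an AD group of computers instead of a subnet. The rule carries
#    an SDDL ACL of the group's SID; Windows can only honour it when the remote
#    machine has authenticated with IPsec, hence -Authentication Required (a matching
#    connection security rule must exist on both ends).
$JumpboxSid = ([System.Security.Principal.NTAccount] 'CORP\Jumpboxes').
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$JumpboxSddl = "O:LSD:(A;;CC;;;$JumpboxSid)"   # "Allow" ACE for the group SID

New-NetFirewallRule -PolicyStore $Store -DisplayName 'WMI in from Jumpboxes (AD group)' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Service winmgmt -Protocol TCP -LocalPort RPC `
    -Authentication Required -RemoteMachine $JumpboxSddl

# 5. Review what the GPO now contains before linking it to an OU.
Get-NetFirewallRule -PolicyStore $Store |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
```

The point of rules 2 and 4 is the one made in the thread: a rule keyed to a program or a service, scoped to a group of machines, survives port changes and does not open SMB or WMI to every workstation on the LAN, which is exactly the lateral movement path the ransomware cases above rely on.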
Imperva announce breach of their WAF product, dates back to 2017, includes SSL certificates (potentially breaking end to end encryption) imperva.com/blog/ceoblog/
If anybody understands the backstory behind this please DM me, I'm struggling to understand what the blog post means.
Imperva have a blog detailing what happened. Tl;dr is they made a mistake similar to Capital One it appears, they also found out via bug bounty. I’m a huge fan of vendors publicly detailing investigations, lets us all learn. imperva.com/blog/ceoblog/
Fortigate Fortinet SSL VPN is being exploited in the wild since last night at scale using 1996 style ../../ exploit - if you use this as a security boundary, you want to patch ASAP opensecurity.global/forums/topic/1…
There's only half a million of these online :D
There's also a backdoor in the Fortigate SSL VPN appliance where there's a forms parameter called "magic" which allows anybody to reset any user's password remotely, as seen in the GIF below. These are our SECURITY vendors.
The Capital One thing is going to be a PR nightmare for Amazon and cloud vendors as the suspect is a former AWS staff member, and they appear to have (based on the Slack) targeted multiple AWS customers.
AWS need to go back and see what she was doing during employment methinks.
Also, AWS probably urgently need some form of default enabled logging of S3, even if just for internal usage.
Based on their Slack they appear to have been mass exfiling FinTech, telco and education orgs via cloud, apparently nobody noticed until they told somebody on Twitter via DM (per indictment).
Will be interesting to see how this plays out, lax security controls in this area.