Reverse Engineering, IR, InfoSec. Also huge RPG guy. Elder of the Internet. IR Lead @TrustedSec. Tweets and opinions are my own and not the views of my employer.
Oct 7, 2022 • 6 tweets • 1 min read
I'm at a security conference and sat in on an interesting talk. Not interesting as in it was good, more interesting as in I can't believe what I was seeing. Let me explain. (1/6)
Towards the end of the talk the presenter started talking about their security infrastructure at their company and how it was deployed. No issues there, until... (2/6)
Sep 20, 2022 • 10 tweets • 3 min read
Kudos to the @TrustedSec IR team effort for completing @OSINTDojo's OSINT challenge this week.
The image is a South Korean Internet cafe. There were 0 people in seats on 8/1, but that was not the last screenshot. On 8/10 there were 4 people. How did we find it? (1/X)
We initially recognized it as a screen capture from a cam. The most logical place for that was Shodan. But there are a lot of images on Shodan. (side note, there are some creepy things people have cameras on...) (2/X)
Apr 4, 2022 • 8 tweets • 4 min read
Quick 5 minutes on quickly analyzing Linux exes...even if you don't know how to do malware analysis. Hopefully this is helpful to someone.
Got a log4j hit on a Tomcat honeypot I set up. Used CyberChef and it decodes to download malware (1/8)
#dfir
After dl'ing it on an analysis system (a mac), my first step is to run file to see what we are dealing with. I always run file - it saves steps and gives valuable info.
A Linux ELF executable, so can't just cat it out to see its contents. (2/8)
Mar 23, 2022 • 9 tweets • 2 min read
Everyone has their hot take on Okta and what is going on. I usually don't comment on these things, but why not.
Here is my take on it based on similar IRs I have worked. THIS IS ALL CONJECTURE AND I HAVE NO INTERNAL KNOWLEDGE!
Here's a secret most orgs don't want you to know.
Customer support is outsourced A LOT.
These third parties' accounts are social engineered/compromised ALL THE TIME.
Oct 8, 2021 • 9 tweets • 2 min read
Set up a honeypot last night that was vulnerable to CVE-2021-41773 #Apache code execution. Just got compromised. This is what happened.
IOCs in last tweet.
Attacker ran the following code through the CVE:
May 4, 2021 • 11 tweets • 2 min read
I've worked a lot of #ransomware incidents and I've found that most companies don't realize what the true cost of a ransomware incident is.
But isn't it just paying the ransom or restoring and you're done? Nope. Here are the (potential) costs (based on my experience): (1/X)
Cost 1. Insurance
Wait, won't insurance help me recover money? Yep. But there's a little thing called a deductible. So, while this isn't a direct cost, it's still gonna cost you money. (2/X)