CommieGIR posted:Cool little reverse shell generator: https://www.revshells.com/ EDIT: Welp, that's a lovely page bump. And I just noticed there's another list it's on. orz
Posted Mar 9, 2021 19:48
https://twitter.com/nyancrimew/status/1369390591700828170?s=20 TL;DR That's my current hypothesis. https://twitter.com/DanPatterson/status/1369443268476497922?s=20 CommieGIR fucked around with this message at 01:39 on Mar 10, 2021
Posted Mar 10, 2021 01:00
CommieGIR posted:TL;DR Got pinged on Slack, and now there's going to be a big to-do at work over this.
Posted Mar 10, 2021 01:43
Defenestrategy posted:Got pinged on Slack, and now there's going to be a big to-do at work over this. Yup, because they are openly claiming they popped Okta as well. No proof as of yet, but they already posted some screens of net configs for Tesla and Cloudflare.
Posted Mar 10, 2021 01:45
CommieGIR posted:https://twitter.com/nyancrimew/status/1369390591700828170?s=20 Who was the person who said why you might want two factor within your perimeter? Well here is an example. They used a username and a password to pivot across their internal networks. Credential security controls, network isolation, and some other very basic security controls could have hindered this fun little exercise to some degree. You have to expect some idiot is going to give the bad guys a way in, you can't rely on the front door to be your biggest security.
Posted Mar 10, 2021 02:28
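Not from the thread: an added detection example in Python for the kind of credential reuse CommieGIR describes above, one username and password walked from host to host. It assumes logon events already reduced to timestamp, account, source and destination (the sample lines below are constructed, loosely shaped like Windows 4624 type-3 network logons), and flags any account that reaches five or more distinct hosts inside a ten-minute window. Threshold and window are assumptions to tune, not anything the thread states.

```python
"""Flag accounts that authenticate to many distinct hosts in a short window.

Added example, not code from the thread. Input is a constructed set of
network-logon records reduced to: timestamp account source destination.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "svc_camera" (think: a shared password pulled off a
# camera network) fans out across six hosts in four minutes, while "alice"
# touches two hosts over a normal working day.
SAMPLE_EVENTS = """\
2021-03-09T22:01:03Z svc_camera 10.40.8.21 nvr-01
2021-03-09T22:01:09Z svc_camera 10.40.8.21 nvr-02
2021-03-09T22:02:41Z svc_camera 10.40.8.21 fs-corp-03
2021-03-09T22:03:15Z svc_camera 10.40.8.21 dc-01
2021-03-09T22:04:50Z svc_camera 10.40.8.21 jump-01
2021-03-09T22:05:02Z svc_camera 10.40.8.21 build-07
2021-03-09T08:15:00Z alice 10.10.2.14 fs-corp-03
2021-03-09T17:40:12Z alice 10.10.2.14 git-01
"""


def parse_events(text):
    """Parse 'timestamp account source destination' lines (constructed format)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, dst))
    return events


def lateral_movement_candidates(events, window=timedelta(minutes=10), min_hosts=5):
    """Return {account: sorted destination hosts} for every account that reaches
    at least `min_hosts` distinct destinations inside some sliding `window`.

    The hosts reported are those in the first window that crossed the threshold.
    """
    by_user = defaultdict(list)
    for ts, user, _src, dst in events:
        by_user[user].append((ts, dst))

    hits = {}
    for user, rows in by_user.items():
        rows.sort()  # events may arrive out of order; the window needs time order
        lo = 0
        for hi in range(len(rows)):
            # Slide the left edge until the window fits inside `window`.
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            hosts = {dst for _, dst in rows[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for account, hosts in lateral_movement_candidates(parse_events(SAMPLE_EVENTS)).items():
        print(f"{account}: {len(hosts)} hosts in one window -> {', '.join(hosts)}")
```

The same logic works over real 4624 exports or sshd auth logs once they are reduced to those four fields; the interesting tuning knob is `min_hosts`, which should sit above what your noisiest legitimate service account does in a window.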
Okta and Cloudflare are pretty good trophies, huh
Posted Mar 10, 2021 02:34
Apropos of nothing, I just did two days of training on a major HSM brand and holy moly is that whole system nothing but bits and pieces of functionality glued together by oddball code. It was fun and I have a good understanding of what’s what, but a lot of things about it felt like they were designed by developers who hate other humans.
Posted Mar 10, 2021 02:44
Martytoof posted:a lot of things about it felt like they were designed by developers who hate other humans. So... developers.
Posted Mar 10, 2021 02:52
.... yes :B
Posted Mar 10, 2021 02:55
Why would you ever have your security and BMS network touching your internal corporate network??
Posted Mar 10, 2021 04:40
AlternateAccount posted:Why would you ever have your security and BMS network touching your internal corporate network?? Because network segregation and isolation takes planning and more work than just having 1 huge network. They used up all their man hours paying extra close attention to their firewall rules.
Posted Mar 10, 2021 04:58
Sickening posted:Because network segregation and isolation takes planning and more work than just having 1 huge network. They used up all their man hours paying extra close attention to their firewall rules. "Bu....but we have VLANs" But no barriers between them, so still a flat network. And yeah, segmenting your surveillance network away from your normal enterprise network would have at least made what they did a little more difficult to get around. Not impossible. But still...
Posted Mar 10, 2021 05:42
There's no evidence presented that they actually managed to pivot from the cameras to something useful
Posted Mar 10, 2021 06:13
Volmarias posted:So... developers. Developers exacting their revenge for all the dev time they wasted in extraneous meetings.
Posted Mar 10, 2021 06:50
Update your F5s, more RCEs against APIs: https://support.f5.com/csp/article/K02566623
Posted Mar 11, 2021 01:32
lol pre-auth rce. https://twitter.com/pwnallthethings/status/1369682992403275780
Posted Mar 11, 2021 01:55
Diva Cupcake posted:lol pre-auth rce.
Posted Mar 11, 2021 03:11
I thought that vuln was control plane only, gently caress me lmao
Posted Mar 11, 2021 03:29
CLAM DOWN posted:I thought that vuln was control plane only, gently caress me lmao There are multiple vulnerabilities here, the most devastating pre-auth RCE one is still control plane only (according to F5).

Edit: On second thought, F5's definition of "control plane" loving sucks and I actually thought I knew the implications of this vulnerability and now I'm not so sure. The Project Zero write-up implies you can compromise an F5 device that's in-line given that the server it provides for has some specific conditions present.

Edit2: yeah I apologize, F5 is clearly trying to downplay an issue that is more severe than they are presenting. FungiCap fucked around with this message at 04:46 on Mar 11, 2021
Posted Mar 11, 2021 04:15
Infra: “After much blood sweat and tears we finally patched hybrid Exchange, now we can relax!” F5: “Haha boy are you guys gonna laugh —“
Posted Mar 11, 2021 04:16
the internet was a mistake
Posted Mar 11, 2021 04:31
lol on prem exchange sits behind the loving load balancer hail satan
Posted Mar 11, 2021 04:48
FungiCap posted:Edit2: yeah I apologize, F5 is clearly trying to downplay an issue that is more severe than they are presenting. Never take F5 on their word for anything.
Posted Mar 11, 2021 10:29
Tryzzub posted:the internet was a mistake It’s clear now that it’s a series of smaller mistakes connected by a mass of fibre optics.
Posted Mar 11, 2021 18:13
Martytoof posted:It’s clear now that it’s a series of smaller mistakes connected by a
Posted Mar 11, 2021 20:43
The sad thing is that his explanation was widely laughed at, except that it actually was a pretty accurate description.
Posted Mar 11, 2021 21:40
CommieGIR posted:https://twitter.com/nyancrimew/status/1369390591700828170?s=20 Lol one of our vendors tried to sell us this poo poo in the middle of the pandemic when our offices were closed.
Posted Mar 11, 2021 21:57
so the Exchange ProxyLogon PoC is out in the wild. MS removed the original researcher's upload, but Streisand effect and all that
Posted Mar 11, 2021 22:18
Volmarias posted:The sad thing is that his explanation was widely laughed at, except that it actually was a pretty accurate description. I reference it basically any time I try to explain throughput, including giving credit to the old speech.
Posted Mar 12, 2021 00:01
CyberPingu posted:Lol one of our vendors tried to sell us this poo poo in the middle of the pandemic when our offices were closed. Yeah, I've had like 5-6 email pitches today namedropping Verkada. Just rolled my eyes and dumped to spam.

Tryzzub posted:so the Exchange ProxyLogon PoC is out in the wild. MS removed the original researcher's upload, but Streisand effect and all that Yeah, I don't know what MS was thinking: It's a done deal, it's out there. Dropping it from GitHub does nothing.
Posted Mar 12, 2021 00:11
It’s sad, I actually thought of that an hour after posting and decided not to bother coming back to edit it
Posted Mar 12, 2021 01:25
https://twitter.com/MalwareJake/status/1362578351236517888 https://twitter.com/AzuraSpaceFace/status/1362580185531359236
Posted Mar 12, 2021 01:37
Volmarias posted:The sad thing is that his explanation was widely laughed at, except that it actually was a pretty accurate description. He lucked into an okay metaphor for network congestion while describing an event that had nothing to do with network congestion, and thought that somehow it all meant that net neutrality was bad.
Posted Mar 12, 2021 02:12
Random security related anecdote for today: My company was acquired by a much, MUCH bigger company. So now my team of 4 IT workers are being invited to meetings with all the various teams within the bigger company's 5,000 strong IT department, where we repeat the same information over and over (now we just share the folder/smartsheet with the information ready to consume).

Their Cybersecurity team asked us to install some device in our network that monitors all traffic. There is no certificate/MITM stuff here, so anything encrypted is just garbage (as I understand it) to them. After we installed it and they said it was working, I started downloading gigs and gigs of literal Linux ISOs from random Russian and Chinese HTTPS mirrors. They didn't say poo poo.

They also gained access to our MSSP SaaS SIEM and asked us what we were going to do when a user downloaded a PUP to C:\users\profile\downloads which was stopped by our endpoint AV. They haven't asked me about our infrastructure patch maintenance process at all in 4 months. Seems all a bit silly. Maybe I'm just too new to 'big security'.

edit: Oh and they like to brag about having "Wake Up Authority" a lot.

Martytoof posted:It’s sad, I actually thought of that an hour after posting and decided not to bother coming back to edit it I cede all credit to you droll fucked around with this message at 02:29 on Mar 12, 2021
Posted Mar 12, 2021 02:25
droll posted:"Wake Up Authority" a lot. What and the who now?
Posted Mar 12, 2021 02:31
Defenestrategy posted:What and the who now? They think they can call me at 2 in the morning and I'll answer.
Posted Mar 12, 2021 02:33
One of the highlights of my job is reviewing how third-party audit vendors perform "external/internal pen" and "social engineering" tests. I've seen some really clever poo poo. I've also seen just strictly port scans and "free amazon gift card" email attempts from firms that are charging astronomical amounts of money to clients.
Posted Mar 12, 2021 02:55
droll posted:They think they can call me at 2 in the morning and I'll answer.
Posted Mar 12, 2021 03:01
droll posted:After we installed it and they said it was working, I started downloading gigs and gigs of literal Linux ISOs from random Russian and Chinese HTTPS mirrors. They didn't say poo poo. Unsure what other outcome you would expect here? That's going to look like normal web traffic.
Posted Mar 12, 2021 03:09
Yeah, it's also just so they can get a feel for the layout of your network, not an IDS/IPS.
Posted Mar 12, 2021 03:22
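Not from the thread, and not the appliance's code: an added Python example of what a passive sensor with no MITM certificate can and cannot see in the HTTPS traffic droll describes. It builds a constructed TLS ClientHello, pulls the server name (SNI) out of it the way a passive sensor would, then runs a simple volume check over constructed flow records. The payload stays opaque, but destination name, address and byte counts do not, which is why "gigs of ISOs from unknown mirrors" is detectable without decrypting anything. Host names (under .test), addresses (RFC 5737 ranges), byte counts and the 1 GB threshold are all made up for the example.

```python
"""What a passive, non-intercepting sensor sees in HTTPS: SNI and volume, not content.

Added example, not code from the thread or from any vendor appliance.
"""
import struct
from collections import defaultdict


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying a server_name extension."""
    name = host.encode()
    sni_list = b"\x00" + struct.pack(">H", len(name)) + name  # name_type=host_name
    sni_ext = (struct.pack(">HH", 0x0000, len(sni_list) + 2)  # type=server_name, ext length
               + struct.pack(">H", len(sni_list)) + sni_list)  # server_name_list length
    body = (b"\x03\x03" + b"\x11" * 32                # client_version, fixed fake random
            + b"\x00"                                 # session_id length 0
            + struct.pack(">H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # compression: null only
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None if absent/not a hello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9                       # record header (5) + handshake type (1) + length (3)
    pos += 2 + 32                 # client_version + random
    pos += 1 + record[pos]        # session_id
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + record[pos]        # compression_methods
    if pos + 2 > len(record):
        return None               # no extensions block at all
    ext_end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            # server_name_list: 2-byte list length, then (name_type, length, name)
            entry = record[pos + 2:pos + ext_len]
            if entry and entry[0] == 0x00:
                name_len = struct.unpack(">H", entry[1:3])[0]
                return entry[3:3 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None


# Constructed flow records: (client, server_ip, first client record, bytes received).
# Two small flows to the corporate mail host, two multi-GB pulls from unknown mirrors.
SAMPLE_FLOWS = [
    ("10.10.2.14", "198.51.100.25", build_client_hello("mail.example-corp.test"), 180_000),
    ("10.10.2.14", "198.51.100.25", build_client_hello("mail.example-corp.test"), 95_000),
    ("10.10.2.31", "203.0.113.17", build_client_hello("mirror-ru.example.test"), 4_800_000_000),
    ("10.10.2.31", "203.0.113.91", build_client_hello("mirror-cn.example.test"), 3_900_000_000),
]


def oversized_transfers(flows, baseline_names, threshold_bytes=1_000_000_000):
    """Server names outside `baseline_names` whose total inbound bytes exceed the threshold."""
    totals = defaultdict(int)
    for _client, _ip, hello, nbytes in flows:
        totals[extract_sni(hello) or "(no SNI)"] += nbytes
    return sorted(n for n, b in totals.items() if b > threshold_bytes and n not in baseline_names)


if __name__ == "__main__":
    for _client, ip, hello, nbytes in SAMPLE_FLOWS:
        print(f"{ip:15} sni={extract_sni(hello)!s:24} bytes={nbytes:,}")
    print("flagged:", oversized_transfers(SAMPLE_FLOWS, {"mail.example-corp.test"}))
```

The sensor in the anecdote saw exactly this much and flagged nothing, which is a policy and tuning gap rather than a visibility one: SNI and volume were available. Note that Encrypted ClientHello, where deployed, removes even the server name, so a sensor of this kind degrades to address and byte counts alone.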