Reid H.
81 posts
@Reid0nly
Tier 3 SOC @AWNetworks | senior merch collector
Florida, USA. Joined February 2023
344 Following, 113 Followers
Reid H. reposted
vx-underground (@vxunderground):
Something nerds don't want to admit: they low-key enjoy the chaos. Yeah, yeah, ransomware is bad, state sponsored threat actors are bad, but deep down when shit hits the fan it is exciting. Even though it's just a beep boop computer, your adrenaline gets pumping.
Reid H. (@Reid0nly):
@dez_ Amazing work. Just sent this over to a few of our affected clients.
Reid H. (@Reid0nly):
@UK_Daniel_Card CISA forgot to include: personal VPNs make your MDR analysts angry when they have to review Entra logs :)
mRr3b00t (@UK_Daniel_Card):
Cyber Tweeps, check this out. From CISA, Mobile Communications Best Practice Guidance: 'Do not use a personal virtual private network (VPN). Personal VPNs simply shift residual risks from the internet service provider (ISP) to the VPN provider, often increasing the attack surface. Many free and commercial VPN providers have questionable security and privacy policies. However, if your organization requires a VPN client to access its data, that is a different use case.' cisa.gov/sites/default/…
Reid H. reposted
Aura (@SecurityAura):
Whenever I have clients that talk about DLP to prevent exfil and so on, I ask them to do one test: go on a random server, download the portable version of WinSCP or FileZilla, connect to an outbound SFTP or FTP server and transfer files. Neither DLP nor EDR will do anything here.

Steve Borosh (@rvrsh3ll):
@T3chFalcon Can say that DLP has not once prevented me from exfiltrating data from a network.
Reid H. (@Reid0nly):
Responded to a Teams phishing attack and identified the threat actors were storing victims' creds in clear text on their fake support portal. Poked around some and saw one of the victims works at Fortinet. Looks like they don't block Teams chats from external domains 🤣
Reid H. (@Reid0nly):
@wbmmfq You guys see any ClickFix payloads drop VirtualBox? Saw two cases today and it confused the hell out of me.
Tanner (@wbmmfq):
A fun new-ish #ClickFix payload has been using Node.js to deploy a local SOCKS proxy, then connecting to Tor over that to download a secondary payload. Maybe I'll do a bit more of a writeup of it later. We'll see how the day goes.
Steven Lim (@0x534c):
Fresh *CLICKFIX* coffee brewing 😂 This one just showed up on my radar, defender you know what to do with it 🤭 coffeemaxusa[.]com #cybersecurity #clickfix #defender
Reid H. (@Reid0nly):
@sudo_Rem @HuntressLabs Thanks for the write-up. Had a ton of ADNotificationManager infections last week and was curious what the malware was/did.
Rem (@sudo_Rem):
🧑‍💼 "Your Outlook has an issue. Let me help you fix it." @HuntressLabs Threat Hunting and Tactical Response teams join forces to open new pages on an old playbook, leading to custom Havoc agent deployment via sophisticated DLL side-loading. huntress.com/blog/fake-tech…
Tara Palmeri (@tarapalmeri):
Michael Tracey, who calls himself a journalist, has been smearing Jeffrey Epstein survivors — and sometimes me. I can take it. But I asked him one simple question: Are you being paid by someone powerful to attack sex-crime victims? Yes or no. His audio mysteriously died. Weird. @PiersUncensored
Rem (@sudo_Rem):
🚨 Widespread SonicWall SSLVPN Compromise

@HuntressLabs has observed a significant uptick in SonicWall SSLVPN intrusions stemming from DigitalOcean, LLC ASNs. This intrusion activity has resulted in 83 compromised SSLVPN accounts over 3 days, both local and LDAP-backed.

Source IPs
- 192.241.185[.]61
- 159.223.171[.]114
- 138.68.9[.]204

Details
- Many authentications were 'replayed' several hours later on some devices from the same source IP addresses.
- Multiple SonicWall SSLVPNs showed evidence of 10+ users compromised from the same source IP address.
- Authentications where multiple user accounts were compromised were performed alphabetically, with intermittent failures.
- Authentications were performed in short "bursts", where multiple user accounts were authenticated in the same 60 second period.
- Authentications rarely failed for users who were compromised; that is, accounts maliciously accessed did not display characteristics of bruteforcing.
- This may suggest adversaries possess a valid username/password combination list, and are validating credentials automatically.
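An added detection sketch (not Huntress's or the poster's code) that turns the burst, alphabetical-order and low-failure characteristics above into a hunting rule over constructed SSLVPN authentication lines; the log format, thresholds and source IPs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): "time src_ip user result"
SAMPLE_LOG = """\
2025-10-10T08:00:01 203.0.113.10 alice success
2025-10-10T08:00:09 203.0.113.10 bob success
2025-10-10T08:00:17 203.0.113.10 carol failure
2025-10-10T08:00:25 203.0.113.10 carol success
2025-10-10T08:00:33 203.0.113.10 dave success
2025-10-10T08:00:41 203.0.113.10 erin success
2025-10-10T09:15:00 198.51.100.7 alice success
2025-10-10T09:16:00 198.51.100.7 alice failure
"""

def parse(log):
    """Parse lines into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def find_credential_validation_bursts(log, window_s=60, min_users=5, max_fail_ratio=0.34):
    """Return {src_ip: [users]} for sources that successfully authenticated
    min_users distinct accounts inside one window, in alphabetical order,
    with few failures (credential validation, not brute forcing)."""
    by_src = defaultdict(list)
    for ev in parse(log):
        by_src[ev[1]].append(ev)
    hits = {}
    window = timedelta(seconds=window_s)
    for src, evs in by_src.items():
        evs.sort()  # chronological order per source
        for i in range(len(evs)):
            chunk = [e for e in evs[i:] if e[0] - evs[i][0] <= window]
            ok_users = []  # distinct successful users, in order seen
            for _, _, user, result in chunk:
                if result == "success" and user not in ok_users:
                    ok_users.append(user)
            if len(ok_users) < min_users:
                continue
            fails = sum(1 for e in chunk if e[3] == "failure")
            if ok_users == sorted(ok_users) and fails / len(chunk) <= max_fail_ratio:
                hits[src] = ok_users
                break
    return hits
```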
Reid H. reposted
Microsoft Threat Intelligence (@MsftSecIntel):
Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: asking targets to run a command that executes a custom DNS lookup and parses the `Name:` response to receive the next-stage payload for execution.
Reid H. (@Reid0nly):
@RonnyTNL @craiu Our SOC takes a shot every time a new firewall vuln gets exploited.
Ronny (@RonnyTNL):
@craiu This is becoming a "water is wet" meme by now...
Reid H. (@Reid0nly):
If you have a FortiGate, disable the FortiCloud SSO login feature. We have observed multiple compromises of fully patched Fortinet firewalls in the last 24 hours that exhibit behavior similar to a CVE disclosed last December. fortiguard.com/psirt/FG-IR-25…
Reid H. reposted
Peter Girnus 🦅 (@gothburz):
Last week our CISO asked me to present on "zero trust architecture." I don't know what that means. I make $340,000 a year. I haven't touched a firewall since Obama's first term. But I have a CISSP. I passed by memorizing acronyms. I still don't know what half of them stand for. I opened my presentation with "assume breach." Everyone nodded gravely. I said "defense in depth" three times. The board was captivated. Then a junior analyst raised her hand. She asked how we'd implement microsegmentation. I felt a cold sweat. I said, "Great question. Let's take that offline." She persisted. I said we should "leverage AI-driven solutions." She asked which ones. I said, "The cloud-native ones." She looked confused. I told her confusion was natural. I said, "Security is a journey, not a destination." The CEO started clapping. I don't know why. But others joined in. The analyst stopped asking questions. I ended with "security is everyone's responsibility." This meant it was no one's responsibility. Especially not mine. We got breached two weeks later. I blamed the analyst for "creating a culture of doubt." She got put on a PIP. I got promoted to VP. Resilience isn't about preventing failure. It's about surviving it. Preferably while others don't.
Reid H. (@Reid0nly):
@malmoeb @hackerkartellet Thought that hostname looked familiar. Two of our clients got hit from the same device in September. 10/10 opsec, Akira.
Stephan Berger (@malmoeb):
Reading a report from a recent Incident Response case from my teammate, @hackerkartellet: "It was observed that an unknown hostname "DESKTOP-LDIG48N" from the VPN DHCP IP address 192.168.128.149 made multiple failed login attempts using the username "admin" against various hosts within the network." I keep repeating myself here, but develop a naming convention for computers and servers, and then start monitoring the DHCP requests for hostnames that are outside the naming convention. Same thing for event logs: if you ingest and/or monitor Security/RDP logs, check for naming convention outliers, as in the example above. That might be a quick win for detecting an attacker in your network. On a side note, you might want to restrict access coming from your VPN LAN to your internal servers as well, to complicate and slow down lateral movement.
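An added example (not the poster's code) of the naming-convention outlier check above, run over constructed DHCP event lines; the convention regex, the VPN client pool and the sample lines are assumptions, and only the hostname and address quoted in the report come from the post.

```python
import ipaddress
import re
from typing import List, Tuple

# Assumed naming convention, e.g. CORP-WS-FIN0117 / CORP-SRV-OPS0042 (not the report's).
NAMING_CONVENTION = re.compile(r"^CORP-(WS|SRV|LT)-[A-Z]{3}\d{4}$")
# Assumed VPN client DHCP pool; hits from here deserve a higher priority.
VPN_NET = ipaddress.ip_network("192.168.128.0/24")

# Constructed DHCP lease events: "time ip hostname mac"
SAMPLE_DHCP = """\
2025-09-03T10:01:00 192.168.10.21 CORP-WS-FIN0117 aa:bb:cc:00:00:01
2025-09-03T10:02:30 192.168.128.149 DESKTOP-LDIG48N aa:bb:cc:00:00:02
2025-09-03T10:03:10 192.168.10.22 corp-ws-fin0118 aa:bb:cc:00:00:03
2025-09-03T10:04:00 192.168.128.150 CORP-LT-OPS0042 aa:bb:cc:00:00:04
2025-09-03T10:05:00 192.168.128.151 kali aa:bb:cc:00:00:05
"""

def hostname_outliers(log: str) -> List[Tuple[str, str, str, str]]:
    """Return (time, ip, hostname, segment) for DHCP events whose hostname
    falls outside NAMING_CONVENTION; segment is 'vpn' or 'lan'."""
    outliers = []
    for line in log.splitlines():
        ts, ip, host, _mac = line.split()
        # Windows hostnames are case-insensitive, so normalise before matching.
        if NAMING_CONVENTION.match(host.upper()):
            continue
        segment = "vpn" if ipaddress.ip_address(ip) in VPN_NET else "lan"
        outliers.append((ts, ip, host, segment))
    return outliers
```

The same function applies unchanged to the Workstation Name field of Windows logon events, since it only needs a timestamp, an address and a hostname per line.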
Reid H. reposted
Ben (@polygonben):
My first @HuntressLabs blog is live: we break down some funky ClickFix lures that lead to a loader which uses steganography to extract shellcode and ultimately deliver LummaC2/Rhadamanthys stealers. Big thanks to @RussianPanda9xx for the help! 😇 huntress.com/blog/clickfix-…
Reid H. (@Reid0nly):
@IceSolst @UK_Daniel_Card Are you including vendors who switched from sponsoring the best performing F1 team to the worst? Asking for a friend.