
All Activity

  4. Seeing some minor variation of BlueKeep attack behaviour (maybe attackers updated Metasploit finally). I'm seeing some stable-ish exploitation of Windows 7 this week; however, they're failing to run commands properly. Example commands: Additional IoCs: Application event 1000, spawning powershell.exe: this event spawns from C:\Windows\system32\UI0Detect.exe and UI0Detect.exe 224 (224 is the parameter). spoolsv.exe crash: they check the device has more than 3.5 GB of RAM and is 64-bit, then try running a payload. Network IoC: port 10095.
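The post above gives three host-side indicators (a process spawned by UI0Detect.exe, a spoolsv.exe crash logged as Application event 1000, and TCP port 10095). The following triage script is an added example and is not from the original post or its author; it assumes Sysmon is installed with process-creation logging (Event 1 in Microsoft-Windows-Sysmon/Operational, chosen because Windows 7's native 4688 event does not record the parent process name), that the Application log is readable, and that netstat is on the path. The parameter name `$Days` and the findings layout are this example's own choices.

```powershell
# Added example, not from the original post: host triage for the three
# indicators it lists. Assumptions: Sysmon process-creation logging (Event 1)
# is present, the Application log is readable, and netstat is available.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)
$findings = @()

# 1. Any process whose parent is UI0Detect.exe (the post saw powershell.exe spawned this way).
$procEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $procEvents) {
    # Sysmon Event 1 carries Image, CommandLine, ParentImage, ParentCommandLine as named Data elements.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ParentImage'] -like '*\UI0Detect.exe') {
        $findings += New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Indicator = 'Process spawned by UI0Detect.exe'
            Detail    = "$($data['Image']) :: $($data['CommandLine']) (parent cmdline: $($data['ParentCommandLine']))"
        }
    }
}

# 2. spoolsv.exe crash recorded as Application Error event 1000
#    (replacement string [0] of that event is the faulting application name).
$crashEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $crashEvents) {
    if ($e.Properties[0].Value -eq 'spoolsv.exe') {
        $findings += New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Indicator = 'spoolsv.exe crash (event 1000)'
            Detail    = $e.Message.Split("`n")[0]
        }
    }
}

# 3. Current TCP connections touching port 10095 (the network IoC in the post).
foreach ($line in (netstat -ano | Select-String ':10095\s')) {
    $findings += New-Object PSObject -Property @{
        Time      = Get-Date
        Indicator = 'TCP port 10095 in use'
        Detail    = $line.Line.Trim()
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No BlueKeep post-exploitation indicators found in the last $Days day(s)."
} else {
    $findings | Sort-Object Time | Format-Table Time, Indicator, Detail -AutoSize -Wrap
}
```

Run it in an elevated PowerShell session on the host being checked (for example `.\Triage-BlueKeep.ps1 -Days 14`); an empty result only means these particular indicators were not seen in the window, not that the host is clean.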
  5. So I saw some exploitation of this in the wild yesterday; looks like: Obviously the POST statements aren't there. Triggers code execution like this:
  6. There’s a public write-up for triggering this vulnerability now (not RCE). https://www.coresecurity.com/blog/dejablue-vulnerabilities-windows-7-windows-10-cve-2019-1181-and-cve-2019-1182 @MalwareTech
  7. Hello all, I am a security "engineer" at a government contractor and I am currently looking at a possible change in direction. I have been in infosec about 11 years and the career had started to stagnate. I am currently teaching a little for SANS as a Community Instructor for 401, and I started my expansion of certs by focusing on AWS and/or Azure in 2020. Not sure what the future holds, but perhaps I will start doing contract/consulting shortly after my oldest daughter moves off to school. If you are a consultant these days and willing to help a n00b break into the biz... just let me know!
  8. Conference Home: https://www.bsidesseattle.com/
      Tickets: https://www.eventbrite.com/e/bsides-seattle-2020-tickets-86351434465
      CFP: https://forms.gle/mL64mSk1Uv9nh2V78
      Date: April 18th, 2020
      Location: Microsoft Building 92, 15010 NE 36th St, Redmond, WA 98052
      Start Time: 8:30 AM PST
      End Time: 7:00 PM PST
  9. Perfect - thank you very much. So it is delayed now, and they're adding opt-out registry values for later. (If anybody is confused, Microsoft have multiple pieces of conflicting info on this - e.g. this one is still online: )
  10. New information has come to light: apparently, the March 2020 update will NOT change the default settings for LDAP connections, but another monthly security update will later this year. https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-update/ba-p/921536 ***NEW NOTE*** ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers. A further future monthly update, anticipated for release in the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings. Administrators can prevent the feature update from making those changes either by enabling LDAP signing and channel binding NOW or by configuring non-default values prior to installing updates that enable LDAP signing and channel binding by default.
  11. hey, I'm Mark. I'm the security lead for a UK utilities company, and spend most of my day herding cats, people and incidents.
  12. hi, i'm gabs. i work as a security analyst and pentester. before that, i worked (and still continue to consult) in pharmaceutical/genetic science. i talk a lot about medical device security. i have a husky, he's the love of my life. i also like to powerlift and race cars. the end.
  13. On a note, if using our tool (FireEye linked above), make sure to keep updating as actors are actively trying to evade it.
  14. HTTP/2 caused me a lot of problems. When I switched to HTTP/2, my load balancers crashed under medium traffic. Before I made the switch I was able to handle triple the traffic that crashed the systems. I am still investigating the problem, but my guess is the load balancers could not handle the strong ciphers and the cores responsible for the crypto stuff crashed. My app servers were fine, they did not even receive any traffic, but the load balancer could not handle the connections. This could be a problem of F5 or my configuration. Not sure yet.
  15. Given that both HTTP/2 and TLS 1.3 were designed to improve performance, the only scenario where I can imagine performance issues is if you happen to have a very idiosyncratic set-up.
  16. I haven't noticed any performance issues here. This website supports HTTP/2 and TLS 1.3.
  17. I am considering switching my apps to HTTP/2; however, there are some arguing that HTTP/2 causes performance issues rather than performance improvement. What do you guys think about switching to HTTP/2? Is there anyone who faced performance issues after switching to HTTP/2?
  18. Thanks for this. Raised the flag 2-3 months back when ADV190023 first came out. I was wondering how we could go about investigating which appliances/systems would break after this update goes through and the default settings get changed. Looks like I'll be working on it right away.
  19. 1000 member party. 🎉

    1. Kevin Beaumont
    2. Dave Ockwell-Jenner: [GIF: Depressed Tina Fey GIF by Saturday Night Live] I guess GIFs don't show up. Trust me, there was cake 🙂
    3. Alistair Cockeram: 404 GIF not found

  20. In March this year, Microsoft plan to change LDAP (an authentication system) behaviour so you are required to make connections which are signed and basically secure. If you have systems which authenticate with Active Directory in an insecure way, they will break post update. More info here: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 This is a big change which may have production impacts, i.e. systems may break.

      How to identify systems which will break

      Go to your domain controllers and look for Event ID 2887:

      Product: Windows Operating System
      ID: 2887
      Source: Microsoft-Windows-ActiveDirectory_DomainService
      Message: During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection

      If you see this error, you need to take action as something will break. You can manually enable LDAP interface event logging, and afterwards Event ID 2889 will be logged in the same location with the IP addresses of clients using insecure LDAP. On each DC:

      # Enable Simple LDAP Bind Logging
      Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

      This will get you the IP address of systems using insecure LDAP... the next issue is to get them to... not do that. Over to you!
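Once the diagnostics value in the post above is set to 2, each insecure bind produces its own Event 2889 and the chase becomes a matter of grouping those events by client. The script below is an added example, not from the original post or from Microsoft; it assumes the account running it can read the domain controller's "Directory Service" log and that Event 2889's replacement strings are laid out as [0] client IP:port, [1] the identity the client bound as, [2] binding type (0 for a SASL bind without signing, 1 for a simple bind over cleartext), which is the layout described in Microsoft's ADV190023 guidance. The parameter names `$DomainController` and `$Days` are this example's own.

```powershell
# Added example, not from the original post or Microsoft: summarise insecure LDAP
# binds reported by a domain controller after '16 LDAP Interface Events' = 2.
# Assumptions: read access to the DC's 'Directory Service' log, and the Event 2889
# replacement-string layout [0] ip:port, [1] identity, [2] binding type (0/1).
param(
    [string]$DomainController = $env:COMPUTERNAME,
    [int]$Days = 1
)
$since = (Get-Date).AddDays(-$Days)

# Event 2887 is the once-per-24h summary; its presence alone means something will break.
$summary = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2887; StartTime = $since
} -ErrorAction SilentlyContinue
if (-not $summary) {
    Write-Output "No Event 2887 on $DomainController in the last $Days day(s): no insecure binds summarised."
}

# Event 2889 carries the per-client detail and is only written once the
# diagnostics value from the post is set; without it there is nothing to group.
$details = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2889; StartTime = $since
} -ErrorAction SilentlyContinue
if (-not $details) {
    Write-Output "No Event 2889 on $DomainController: check '16 LDAP Interface Events' is set to 2."
    return
}

$rows = foreach ($e in $details) {
    $props = $e.Properties
    $bindType = switch ([string]$props[2].Value) {
        '0'     { 'SASL bind without signing' }
        '1'     { 'Simple bind over cleartext' }
        default { "unknown ($($props[2].Value))" }
    }
    New-Object PSObject -Property @{
        TimeCreated = $e.TimeCreated
        # drop the trailing :port so repeated binds from one host group together
        ClientIP    = ($props[0].Value -replace ':\d+$', '')
        Identity    = $props[1].Value
        BindType    = $bindType
    }
}

# One line per client, busiest first: this is the list to fix before the enforcement update lands.
$rows | Group-Object ClientIP | Sort-Object Count -Descending | ForEach-Object {
    New-Object PSObject -Property @{
        ClientIP   = $_.Name
        Binds      = $_.Count
        Identities = ($_.Group | ForEach-Object { $_.Identity } | Sort-Object -Unique) -join ', '
        BindTypes  = ($_.Group | ForEach-Object { $_.BindType } | Sort-Object -Unique) -join '; '
    }
} | Format-Table ClientIP, Binds, BindTypes, Identities -AutoSize -Wrap
```

Run it against each DC in turn (for example `.\Get-InsecureLdapClients.ps1 -DomainController dc01 -Days 7`), since 2889 is logged only on the DC that served the bind; the identity column is usually what tells you which appliance or service account owns a given IP.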
  21. The boilerplate description: "A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution."

      What it means in practice
      Unauthenticated remote code execution on internet-connected Citrix Gateway devices = bad.

      Are attackers actually exploiting this vulnerability?
      Yes, at scale, against targeted and untargeted assets.

      Impact
      Lame stuff like coin miners, but also devices getting backdoored, and people trying to use this to deploy ransomware inside Windows orgs behind the Citrix boxes.

      Vendor advisory and patches
      Here: https://support.citrix.com/article/CTX267027

      Checking if your device has already been exploited
      Check out this tool, which is getting frequent updates: https://github.com/fireeye/ioc-scanner-CVE-2019-19781/tree/v1.2

      Scale of the issue
      Somewhere in the region of ~100k devices were exploitable with this back in December. After a huge awareness campaign via all sorts of orgs, this one is down to about ~10k unpatched devices at present. Those orgs are still in serious danger of exploitation.

      If you patched late
      You want to run the FireEye tool linked above to look for exploitation, as attackers may have backdoored your device.

      I just applied the mitigations
      You should also apply the patch, as it hardens the setup - the mitigations alone present some issues.
  22. I'm Dean Farrington, I'm a Cyber Security Research Strategist for a large financial institution in the US. I focus on hardware/device and IoT penetration testing.
  23. Sebastian Nerz: Not a DFIR tool in itself, but might be helpful nonetheless 😉 (even if the number of DFIR-related help pages is pretty low at the moment). https://tldr.sh/ tldr tries to present "shortened" man pages - the most important commands in a very brief way.
  24. Unsexy but true; it’s the security policy, stupid. Many orgs rely on inherited policies or, worse, just copy others found on the web. A fit-for-purpose and maintained policy defines what needs protecting. If you do not define that, you’re pissing controls into the wind.