OpenSecurity.global

Kevin Beaumont

Members
  • Content Count

    228
  • Joined

  • Last visited

  • Days Won

    32
  • Invited by

    DarkOverlord

Kevin Beaumont last won the day on May 14

Kevin Beaumont had the most liked content!

Community Reputation

111 Excellent

Personal Information

  • Bio
    Security Operations Manager, once got punched in the arm by Lucy Lawless.

  1. Nobody tell them very few people run this version of Windows, nor are still vulnerable.
  2. Seeing some minor variation of BlueKeep attack behaviour (maybe attackers updated Metasploit finally). I'm seeing some stable-ish exploitation of Windows 7 this week, however they're failing to run commands properly. Example commands; Additional IoCs:
     Application event 1000, spawning powershell.exe: this event spawns from C:\Windows\system32\UI0Detect.exe and UI0Detect.exe 224 (224 is the parameter).
     spoolsv.exe crash: they check the device has more than 3.5 GB of RAM and is 64-bit, then try running a payload.
     Network IOC: 78.46.124.69 port 10095
  3. So I saw some exploitation of this in the wild yesterday, looks like: Obviously the POST statements aren't there. Triggers code execution like this:
  4. There's a public write-up for triggering this vulnerability now (not RCE). https://www.coresecurity.com/blog/dejablue-vulnerabilities-windows-7-windows-10-cve-2019-1181-and-cve-2019-1182 @MalwareTech
  5. Perfect - thank you very much. So it is delayed now, and they're adding opt-out registry values for later. (If anybody is confused, Microsoft have multiple pieces of conflicting info on this - e.g. this one is still online: )
  6. I haven't noticed any performance issues here. This website supports HTTP/2 and TLS 1.3.
  7. 1000 member party. 🎉

     Comments:
       Kevin Beaumont
       Dave Ockwell-Jenner: [GIF: Depressed Tina Fey GIF by Saturday Night Live]
         I guess GIFs don't show up. Trust me, there was cake 🙂
       Alistair Cockeram: 404 GIF not found

  8. In March this year, Microsoft plan to change LDAP (an authentication system) behaviour so you are required to make connections which are signed and basically secure. If you have systems which authenticate with Active Directory in an insecure way, they will break post-update. More info here:
     https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
     https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
     This is a big change which may have production impacts, i.e. systems may break.

     How to identify systems which will break
     Go to your domain controllers and look for Event ID 2887:
       Product: Windows Operating System
       ID: 2887
       Source: Microsoft-Windows-ActiveDirectory_DomainService
       Message: During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
     If you see this error, you need to take action as something will break. You can manually enable LDAP interface event logging, and afterwards Event ID 2889 will be logged in the same location with the IP addresses of clients using insecure LDAP. On each DC:
       # Enable Simple LDAP Bind Logging
       Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
     This will get you the IP address of systems using insecure LDAP... the next issue is to get them to... not do that. Over to you!
  9. The boilerplate description
     "A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution."

     What it means in practice
     Unauthenticated remote code execution on internet-connected Citrix Gateway devices = bad.

     Are attackers actually exploiting this vulnerability?
     Yes, at scale, against targeted and untargeted assets.

     Impact
     Lame stuff like coin miners, but also devices getting backdoored, and people trying to use this to deploy ransomware inside Windows orgs behind the Citrix boxes.

     Vendor advisory and patches
     Here: https://support.citrix.com/article/CTX267027

     Checking if your device has already been exploited
     Check out this tool, which is getting frequent updates: https://github.com/fireeye/ioc-scanner-CVE-2019-19781/tree/v1.2

     Scale of the issue
     Somewhere in the region of ~100k devices were exploitable with this back in December. After a huge awareness campaign via all sorts of orgs, this one is down to about ~10k unpatched devices at present. Those orgs are still in serious danger of exploitation.

     If you patched late
     You want to run the FireEye tool linked above to look for exploitation, as attackers may have backdoored your device.

     I just applied the mitigations
     You should also apply the patch, as it hardens the setup - the mitigations alone present some issues.
  10. I've fixed the issue where email invites were broken, and a bunch of other under the hood issues.

  11. Nice reference to you and Marcus on Microsoft Defender Security Centre, Kev... I see you continue to keep a low profile 🙂 Don't forget my offer to find your house and be there with a cup of tea when you wake up.

  12. I think as usual with Chrome stuff, as no code is disclosed nobody will know the deets.
  13. Cheers. It looks like you need to have a pretty specific config to end up vulnerable to this.
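Added example for the LDAP signing post (item 8 above); this is editor-supplied code, not Kevin's and not Microsoft's. It assumes the registry change from that post has been applied so Event ID 2889 is being written to the "Directory Service" log on each DC, that the RSAT ActiveDirectory module is available, and that the running account can read DC event logs remotely. The field layout assumed for 2889 (client IP:port, identity, binding type where 0 = SASL bind without signing and 1 = simple bind over cleartext) follows the description in KB4520412; if your events differ, adjust the Properties[] indexes.

```powershell
# Added example (not from the original post): collect Event ID 2889 from every
# DC and turn it into a per-client remediation worklist of insecure LDAP binds.
# ASSUMPTIONS: 2889 logging already enabled (NTDS\Diagnostics "16 LDAP Interface
# Events" = 2); RSAT ActiveDirectory module installed; remote event log access.

Import-Module ActiveDirectory   # provides Get-ADDomainController

$dcs   = (Get-ADDomainController -Filter *).HostName
$since = (Get-Date).AddDays(-7)   # look-back window; widen to catch monthly batch jobs

$binds = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            DC       = $dc
            Time     = $_.TimeCreated
            # Properties[0] is "ip:port" (assumed layout); drop the ephemeral port
            ClientIP = ($p[0].Value -replace ':\d+$', '')
            Identity = $p[1].Value
            BindType = $(if ("$($p[2].Value)" -eq '0') { 'SASL, unsigned' } else { 'Simple bind, cleartext' })
        }
    }
}

# Aggregate to one row per (client, identity, bind type), noisiest first.
# Each row is a system/service account that will break when signing is enforced.
$binds |
    Group-Object ClientIP, Identity, BindType |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            ClientIP = $first.ClientIP
            Identity = $first.Identity
            BindType = $first.BindType
            Count    = $_.Count
            LastSeen = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
        }
    } |
    Sort-Object Count -Descending |
    Export-Csv -Path .\insecure-ldap-binds.csv -NoTypeInformation
```

The identity column is the useful part: it tells you which service account to chase, which usually leads to the app owner faster than the IP does. "Simple bind, cleartext" rows need LDAPS (or StartTLS) on the client; "SASL, unsigned" rows usually just need the client's LDAP library told to request signing.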
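Added example for the BlueKeep IoC post (item 2 above); again editor-supplied, not the poster's code. It hunts a single host's Sysmon and Application logs for the three indicators the post lists: UI0Detect.exe spawning powershell.exe, an outbound connection to 78.46.124.69:10095, and spoolsv.exe crashing. It assumes Sysmon is installed with process-create (event 1) and network-connect (event 3) logging, and that Application Error event 1000 carries the faulting process name as its first data field (standard layout, but treat as an assumption).

```powershell
# Added example (not from the original post): hunt one host for the BlueKeep
# post-exploitation IoCs listed above. ASSUMPTIONS: Sysmon present with events
# 1 and 3 enabled; run elevated so the Sysmon log is readable.

$badIp   = '78.46.124.69'   # network IoC from the post
$badPort = 10095
$sysmon  = 'Microsoft-Windows-Sysmon/Operational'

function Get-EventData {
    # Map a Sysmon record's <EventData> into a hashtable keyed by field name,
    # so we don't depend on Properties[] ordering, which changes across Sysmon versions.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$hits = @(
    # 1. UI0Detect.exe (Interactive Services Detection) launching powershell.exe
    foreach ($r in (Get-WinEvent -FilterHashtable @{ LogName = $sysmon; Id = 1 } -ErrorAction SilentlyContinue)) {
        $e = Get-EventData $r
        if ($e.ParentImage -match '\\UI0Detect\.exe$' -and $e.Image -match '\\powershell\.exe$') {
            [pscustomobject]@{ Time = $r.TimeCreated; Indicator = 'UI0Detect -> powershell'; Detail = $e.CommandLine }
        }
    }

    # 2. Outbound connection to the IP/port from the post
    foreach ($r in (Get-WinEvent -FilterHashtable @{ LogName = $sysmon; Id = 3 } -ErrorAction SilentlyContinue)) {
        $e = Get-EventData $r
        if ($e.DestinationIp -eq $badIp -and [int]$e.DestinationPort -eq $badPort) {
            [pscustomobject]@{ Time = $r.TimeCreated; Indicator = 'C2 connect'; Detail = "$($e.Image) -> $($e.DestinationIp):$($e.DestinationPort)" }
        }
    }

    # 3. spoolsv.exe crashes (Application log, Application Error event 1000)
    foreach ($r in (Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } -ErrorAction SilentlyContinue)) {
        # Properties[0] = faulting application name (assumed layout)
        if ($r.Properties[0].Value -eq 'spoolsv.exe') {
            [pscustomobject]@{ Time = $r.TimeCreated; Indicator = 'spoolsv.exe crash'; Detail = $r.Message.Split("`n")[0] }
        }
    }
)

$hits | Sort-Object Time | Format-Table -AutoSize
```

A spoolsv.exe crash on its own is not evidence of anything (print spooler falls over for plenty of boring reasons); it is the combination with the UI0Detect.exe -> powershell.exe parent/child that matters, since UI0Detect.exe should not normally launch PowerShell at all. Wrap the body in Invoke-Command to sweep a fleet.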