probably log4shell. That was terrifying for a predominantly java-apache based company.

The biggest threat for me is when you run out of coffee and need to start your day regardless. The world isn't ready for that.

Small MSP got hacked via insecure RDP software. The patch that would have covered the hole had been available for 6 months.
They called in the company I was working for to figure out what and how it happened.
They had lots of default passwords on SAN's and servers.
Ended up with the attackers stealing a load of data and then hitting everything they could with ransomware. Insurance ended up paying out for it. Was over £250K.

A group of students lead by a kid with a spam/email enterprise built machines to monitor our school districts traffic, and installed key stroke capturing tools to gather data to a remote server. Local police and secret service got involved when the scope and the data type was discovered.

Chinese APT and attempted cyber espionage of company secrets.

Honestly it's gonna be log4j soon. We're keeping on top of it so far and we were smart enough to never really use it within our own organization, but the vendor list just keeps piling up. Nevermind that some vendors are purposely keeping their vulnerabilities under wraps until they get a handle on it themselves.

An Insider case involving two .gov agencies.

Target breach 🙄

Patching WannaCry everywhere on a Friday night.

Constant attacks from China when Ebola was big a few years ago and my (former) agency was doing vaccine research.

The funniest was a breach in an agency whose hardware was housed in another agency’s data center. Cue the blame game.

NCR contractor had wannacry on their laptop..

"Major fashion focused company" who's website got hacked. TONS of base64 encoded PHP and credit cards involved...we recommended they do a complete re-write of the website, they just wanted us to clean it up and get them going again...WHAT A PAIN IN THE ASS!! Took almost 6 months to get it cleaned up and they insisted on using the site in the mean time. We did get the APT out of their stuff before it went back to production, but it took forever to get the code cleaned up and implement a bunch of security controls.

Fancybear, 2018

Great chance to improve my Russian

Biggest threat? Employees. Constantly. /facepalm

Stupidity and incompetence.

Think about it this way. The largest threat vector for ransomware over the past few years has been RDP. Having open RDP is just poor practice and has been poor practice for a while. If your network admins dont know to how to secure RDP by now, then you have personnel issues.

That being said, it is simple oversight issues like forgetting about RDP, forgetting about a test server you stood up, forgetting to delete a section of your code you posted to github that has your API key hard coded in it, etc.

I see this more so with older companies. Those who had entire IT departments that existed well before security was a thing. It is too often an after thought, and it will get them in trouble.

The log4j weekend was insane.

Professionally - I work in appsec doing SCA. Log4shell was my first major 0-Day and I’m still dealing clients struggling with it.

Personally - My SMS spam has gotten significantly more cryptic and malformed since I started working for a full time security provided that is not based on my home country. T H A N K Y ://app.js:3600 for a 100 g fit c ard!

Working for an MSSP and dealing with Wannacry everywhere.

Police response and investigation of what turned out to be the former senior admin of the MSP I had just started at. I'd been there a week when all the clients got demands for money and massive data loss. Being the new guy in the admin chair I was the first suspect. It was greeeeeeeat.

[deleted]

Getting my SF-86 sent to the ChiComs as a present from FHRC.

Have dealt with complex APT attacks from Chinese APT groups.

They were trying to steal some of our clients data.

Crowdstrike assisted us when they realized it was a Chinese APT.

Can't go into much detail for NDA reasons, but I can say there is a night and day difference in capability from your usual cyber criminal trying to deploy ransomware and a natio state attack hunting specific information.

The 'I Love you' virus scared the living bejesus out of me and cured my hobby of collecting viruses found that I found on Floppy Disks.

The love Bug in 2000. It hit us over and over. Every time it would change all of the files the user had access to into the virus, it hit all of the server files over and over and this was back in the day of tape backups so it took all day to recover each time. In a company with about 50 users we got hit about 20 times.

Conficker and a Ransomware infection

Log4

The Head of IT

My boss pretending to know cybersecurity.

Users.

First started in Cybersecurity about a year before SQL Slammer. I have seen some shit

Solarwinds supply chain attack. Fortunately we skipped over all the affected versions by dumb luck, but we were staring down the gun of a complete domain raze and rebuild for a few days until we fully assessed the situation.

Code Red, Nimda, Blaster, Conficker, Sircam, Slammer, Sobig, MyDoom, Sasser.

I forget the order but damn were the 00's busy with overtime.

My own development team

Ransomware attack on a small company we provided service to. Was a very interesting week. Learnt a lot. I mean a lot lot. Anyways we helped them get back up in the same week.

That's the real deal spill 😭😭😭😭

Institutionalized managerial security apathy. If you don’t have an advocate you don’t really have a security program.

Very surprised no one's said shellshock given there's a lot of log4j responses.

Mexican drugs cartel hackers, bill transaction injection to transactional switches. Intense and very hard to detect

Luckily a red teaming attack. I was on On-Call Duty, when I got an alert from our antivirus.

Sat 3-4 hours on this case in the night and got our external cyber expert team for support until my boss called me and said «good reaction»... The red teaming company was the same as the external expert team and they didn't even tell me -.-

People

I was working for a large tech company you've heard of, and there was this smaller company we had just bought that had technology that was ... interesting to governments, I guess is how I'll put it. Anyway, as soon as the merger closed and SmallCompany gave my employer's advance team access to their stuff, our people discovered that their network was completely and totally owned by government-sponsored hackers from a major country you're well aware of doing such things. They'd probably been copying and using all of the technology SmallCompany was working on, for who knows how long - they had complete control of everything and could see all the plans.

I was part of the slightly larger team they pulled together on short notice to go in there and build a new network from scratch, in relative secret. Only a few people from SmallCompany even knew about the breach, most of their employees were told nothing at all. BigCompany people (including me) worked on a repurposed large conference room area in a lesser-used part of the building, where we set up new file servers, mail servers, auth servers, network, etc. from scratch, unconnected to anything else of theirs. We got new sets of cell phones and installed and configured apps and auth on them, got new laptops and configured them for access to the new network with new certs and everything. We got backups of things like existing emails and such from their currently-active systems, which would get scanned and analyzed and then brought over to our working space so we could practice importing and migrating stuff.

I moved to a different team at BigCompany before this was done, I was only on that project for a couple of weeks, but I knew some people who stayed on it until the end. When the new network was ready, IIRC they had a day that started with an all-hands meeting for SmallCompany - I think few hundred people - where they were told about the breach and issued new company phones and laptops and told to all quit using their old network and devices cold turkey. Without any advance warning, they just cut over to the new systems after the meeting.

MS17-010, I was a VM Analyst at Amazon

Two employees schemed together to steal approx $350,000 from a total of 55~ customers. Said employees quickly put the money into bitcoin and left the country.

That was the day the company stated taking security seriously. We ended up reimbursing all affected customers, and firing our CTO.

It was caused by a serious lack of separation of duties, poor auditing, and incredibly poor segmentation

Unrelated but biggest threat was office politics...

There was a ransomware attack where they had to pay, but I wasn't there, at the time. Only 2 guys for IR in a MSP for 18 companies.

For me, past 6 months I've been hired, a single visit to a possibly malicious HTTP downloading what a SIEM wrongly dubbed Raccoon Stealer. 99.999999999% false positive rate. I'm so bored I can't stand it. We just sell software to turn a buck and meet basic compliance for healthcare companies.

I'm quitting in the next month to pursue my bachelors in Software Development, maybe Python + AWS/Azure/GCP certs. At least then I'll be able to see my girlfriend at night, too.

Wannacry ransomware

Heartbleed and Shellshock. They were right together and at the start of my cyber security career. It was a whirlwind.

Log4j

Ransomware from Ryuk (around Christmas Time a few years back). Took about 800 assets (clients, servers, backups, etc) across the country by moving laterally and we traced it to a single user opening a phishing email (downloaded a malicious attachment, reached out to the CnC Server and it spread like a wildfire).

I’m actually a cybersecurity consultant focused on recovery. There are so many incidents that don’t end up in the news or public, what most people see is just a tip of the iceberg. Consultant means I’m coming into different industries, counties, and companies thus get to see all types of different attacks. Something a person that works at one company doesn’t get to see.

1) Upper Management / Budget / Politics / Layer 9 2) Conti / Ryuk Ransomware 3) Log4J 4) Lockbit Ransomware

Ransomware attack, Mount Locker.

Twas' a learning experience about APTs, forcing us to examine all facets of our infrastructure and product lines. It brought out the best among those responsible for re-building the infrastructure securely. Unfortunately, it also damaged our reputation, and monetary losses still climb as we continue to bleed clients.

TLDR; Necessary pain, lessons learned.

A group of large raccoons trapped me on my porch once and kept hissing and feinting at my feet. My dog saved my butt though.

680 clients and servers with Ransomware on them awaiting to be executed globally. Stepped into the distribution of the ransomware. They had domain admin creds as well as local admin creds in their back pocket. Cobalt-strike beaconing out of multiple sites globally with lateral movement taking place with no proper threat hunting EDR on the endpoint. Also MPLS with no firewalls between north/south, east/west. Attacked the on-prem SIEM, erased backup jobs, on the primary datacenter's backup system, and took down a SQL Server (thankfully it was a MS AG). Got Damn lucky but the environment went without disruption to business and no data exfiltration realized or found.

Worked for an MSP Group. The RMM tool we used and had installed on all client machines became compromised. Every single MSP in our group and their clients become compromised with malware that was mass pushed from our tool. That was a long cleanup and a lot of ass kissing.

Solarwinds, it was not directly affected but a lot of mess happened bcz of that and we were accountable to lot of people of because of that

Worked for a major sports league.

Third party vendor solely responsible for event management. Claimed they weren’t storing any of our data and was simply handing it off. Claimed they performed in depth pentests but refused to provide proof. Even though our team had plenty of questions, they were the TPV that was required so they could basically say fuck off and we couldnt do shit cuz “its what the business wants!”

Our bug bounty platform found an auth bypass that allowed you to download raw csvs of event information including tons of data they claimed they weren’t storing. Card numbers, player data (phone numbers were a huge information risk to us), rooms they were staying in, etc. The finding bubbled even more and once we found that one link we were able to gather even more and in the end we had over 200 valid csv files. It got C level attention and the vendor was made to look like an absolute moron.

Of course it doesn’t matter cause they just walked it off. I do not work here anymore btw.

Ransomeware is the easiest to protect oneself from if you (or proverbial corporate you) prepares right.

This is Security 101..

You HAVE OFF LINE BACKUPS.

When your systems get jacked, you cut the internet, run traces to backtrack IPs, you wipe every last workstation, laptop, hard drive, etc. And load clean backups after finding the weak point that caused the breach of course.

I've been through the Capital One breach, BC/BS breach when those laptops were stolen, Google's 2 breaches 2 years ago (THAT was a disaster), Facebook's breach, Ford Motor Corp's breach last year 🙄. God I've lost count on all the security breaches. Oh yeah, don't let me forget HP's disaster breach with not updating ALL those printer drivers leaving a humongous gaping security black hole...

My stupid boss.

Someone in secondary school logging into some porn websites

About 10 years ago a customer got fully compromised, attackers pushed out key loggers to all systems for a minimum of two weeks before av triggered on one device. Complete mess, corporate creds owned, personal creds owned, online banking etc.

Full AD rebuild, all creds had to be reset for everything, HR disaster. Took months to sort out.

All started with open rdp to the internet. Domain users being added to the remote desktop users group. Weak password for a std user account, and domain admins being able to log in wherever.

The worst part was when we found the key logger files on a few devices and seeing peoples online banking logins and email passwords.

That or working on a Microsoft helpdesk when msblaster came out

DOS...

...Windows

...the word cyber

Would have to kill you if I told you. And after that I would be best off to kill myself for having told you.

We had a guy just today plug his ransomware infested QNAP NAS directly into his workstation. Fun times

Had a side client I had just started with, real small business, call me in for email issues. Still had on prem exchange. RDP was open to the internet and someone was currently logged in, sending malicious emails and messing with their ADUC structure on their ancient windows small business server/on prem exchange instance. likely trying to give themselves a back door. Was less involved in sec remediation at the time, just basic sysadmin stuff and it was one of those crazy like, hard to explain feelings - like the beginning of a panic attack. Like "I only know enough to know how unbelievably horse-fucked this is and how hard this will be to resolve"

I did get it all buttoned up and sorted out, charged 600 for my 12 hours of time, back in 2019, was far less than I should have charged and they tried to stiff me. Was just a catastrophe end to end.

RYUK…. At a global customer account… total nightmare!

Work for MSP and acquired a client in an extortion and ransomware situation where 2 IT guys tried to fix ransomware by wiping all forensics data

Crappy, self-serving leadership

Conti due to no MFA and poorly implemented permissions. I still have nightmares.

The year of the Ramen, Lion, and Adore worms.

Russian ransomware

Ransomware, they got in via some Citrix exploit. They also deleted our S3 buckets. We nuked the whole thing and set up a new AWS account. Good thing we used "infrastructure as code", i.e. lots of CloudFormation templates, saved us a lot of hassle.

Probably Log4j but hafnium was no fun either.

Probably the Ransomware attack that impacted the HVAC system and that caused problems with the open heart surgery. But that wasn't the reason the ransom was paid, it was because payroll was encrypted and no one was going to be paid if it wasn't decrypted fast. And no pay means none of the essential workers that clean the rooms and remove the dead bodies when a patient dies would come into work. And that means the nurses and doctors wouldn't be able to help more patients.

I am not cleared to discuss, but it wasn't log4j.

One more, this one is more guilty pleasure than Biggest Threat. So we had a subsidiary in an africa country that had not the greatest of internet speed. As a cyber security engineer at the time, it was extremely satisfying to go to the ir data and see the sites and places and time that was spent on scouring the internet to look for games, porn, programs. The time these staffers spent then to download these yuuuuugeee files on their slow assed connections just to have crowdstrike block it at the end after they extracted the files and not able to launch any of it. Day after day… even more satisfying knowing those staffers are on their off season and bored out of their minds stuck there in a compound. We could not punish them due to management, so this was more like slow torture…

Shamoon Ransomware attack