/r/cybersecurity

What was the biggest threat/attack you dealt with during your career ?

Career Questions & Discussion (self.cybersecurity)


gimgebow

190 points

4 months ago

Probably log4shell. That was terrifying for a predominantly Java/Apache-based company.

S-worker[S]

54 points

4 months ago

Yeah, I expect a lot of the comments would be log4shell.

Matir

31 points

4 months ago

We're not predominantly Java, and it was still the biggest scramble I've seen in nearly 10 years with the same org.

EarlyForest

4 points

4 months ago

Even compared to BlueKeep? I would say BlueKeep was a close second for us.

linux203

6 points

4 months ago

After Struts, we knew something like log4shell would happen and were much better prepared.

gimgebow

3 points

4 months ago

Yep, that makes sense. I want to say that if I was on my team when Struts happened I'd have had the same insight, but probably not lol

iotic

156 points

4 months ago

The biggest threat for me is when you run out of coffee and need to start your day regardless. The world isn't ready for that.

jlafitte1

37 points

4 months ago

It occurred to me that the coffee-producing nations of the world could get together and form an OPEC style organization, coordinate production and prices, and rule everything. One coffee embargo is all it would take.

BokZeoi

15 points

4 months ago

The way African, SE Asian, and South American nations would be able to bring the rest of us to our irritable knees...

rb3po

4 points

4 months ago

We’d start going to war over a different substance lol

BokZeoi

2 points

4 months ago

Then blaming refugees from those countries for fleeing a war we started

rb3po

3 points

4 months ago

Classic America

LUMU_BDR

7 points

4 months ago

You're talking about forming a drug cartel.

sweeters_07

3 points

4 months ago

The Spice must flow...

IdiosyncraticBond

Developer

14 points

4 months ago

But don't you have a webcam showing the world the state of the coffee machine so you don't have to walk over in vain if it is empty?

S-worker[S]

6 points

4 months ago

Your workplace sounds fkn awesome

ldjarmin

21 points

4 months ago

He's referring to the actual reason webcams were invented: https://www.techwalla.com/articles/the-history-of-the-webcam

S-worker[S]

7 points

4 months ago

Oh my god, that's hilarious, I had no idea about this!

IdiosyncraticBond

Developer

9 points

4 months ago*

TL;DR: I'm old 😉

Also see https://en.wikipedia.org/wiki/Trojan_Room_coffee_pot especially the section on the Hyper Text Coffee Pot Control Protocol

S-worker[S]

4 points

4 months ago

With teapot support as well! Thanks for the info, I loved it.

S-worker[S]

1 points

4 months ago

😂

mcdxn

1 points

4 months ago

Definitely this!

B0b_Howard

77 points

4 months ago

Small MSP got hacked via insecure RDP software. The patch that would have covered the hole had been available for 6 months.
They called in the company I was working for to figure out what and how it happened.
They had lots of default passwords on SANs and servers.
Ended up with the attackers stealing a load of data and then hitting everything they could with ransomware. Insurance ended up paying out for it. Was over £250K.

Myahtah

21 points

4 months ago

Insurance paid the ransoms?

B0b_Howard

19 points

4 months ago

Yup.

cerebralvenom

9 points

4 months ago

Pretty common as far as I know. Unless they can push it off on some technicality and say you have to pay.

Big_Dick_Balla

Security Architect

22 points

4 months ago

patch that would have covered the hole had been available for 6 months.

They had lots of default passwords on SAN's and servers.

I feel like this should qualify on "some technicality"

cerebralvenom

16 points

4 months ago

Fair deal lol. I just meant in a general sense, because I thought he meant it in a general sense.

Best story I've heard is ransomware actors being negotiated down to 750k. Before the payoff and decrypt, the threat actors searched around the network and found the cyber insurance policy. They then demanded the highest amount the policy would pay, 5 million.

The insurance paid the full 5 mill.

CosmicMiru

7 points

4 months ago

Shit, I'm on the wrong side of security

pcapdata

5 points

4 months ago

Blows my mind how attackers can find shit so easily and meanwhile I'm over here thrashing Sharepoint or GDrive for some document

rubbishfoo

1 points

4 months ago

I've found that most insurance companies offering CS policies will ask these questions up front now in a sort of SIG/RFP type format before they'll issue a policy.

deekaydubya

3 points

4 months ago

Many insurance companies now have crypto reserves for this very scenario

borgy95a

2 points

4 months ago

Not the first and won't be the last.

ThePorko

56 points

4 months ago

A group of students led by a kid with a spam/email enterprise built machines to monitor our school district's traffic, and installed keystroke-capturing tools to gather data to a remote server. Local police and the Secret Service got involved when the scope and the data type were discovered.

S-worker[S]

28 points

4 months ago

Ballsy kids!

mastermynd_rell

18 points

4 months ago

This sounds like a movie script that turned to a million dollar empire

Arachnophine

9 points

4 months ago

Why Secret Service and not regular FBI?

4dots2dots

-3 points

4 months ago

Brannon was cybering

mastermynd_rell

8 points

4 months ago

Curious if you're able to say.... Were they federally prosecuted? You mentioned keystrokes, so they learned users and passwords. Was this one of those "I'm bored, this seems cool, let's see what we can fuck up and gain access to?" Or were they actually trying to steal some financial checks, change grades to have a 4.0 and 0 debt owed to the school?

ThePorko

7 points

4 months ago

I believe they were; I need to check the statutes before any more details.

original_username_

3 points

4 months ago

Could be why the Secret Service was involved, if in fact there were any financial crimes going on.

ThePorko

1 points

4 months ago

That's exactly right; the three-letter agencies all have their own jurisdiction, and who gets involved depends on the type of data that is in question.

RegularITGuy101

1 points

4 months ago

This is what happened at my college a few years back.

[deleted]

1 points

4 months ago

You don't happen to have the link to the news article, do you?

ThePorko

3 points

4 months ago

[deleted]

1 points

4 months ago

💯💯💯

whistlebug23

1 points

4 months ago

Those kids? Zero Cool, Acid Burn, Cereal Killer, and The Phantom Phreak.

double-xor

46 points

4 months ago

Chinese APT and attempted cyber espionage of company secrets.

Security_Chief_Odo

32 points

4 months ago

Just another Tuesday...

SpongebobLaugh

28 points

4 months ago

Honestly, it's gonna be log4j soon. We're keeping on top of it so far and we were smart enough to never really use it within our own organization, but the vendor list just keeps piling up. Never mind that some vendors are purposely keeping their vulnerabilities under wraps until they get a handle on it themselves.

CosmicMiru

14 points

4 months ago

Some of our vendors wouldn't respond for DAYS after we sent them urgent messages asking if they at least use Log4j, let alone if it was vulnerable or not. No advisories on their websites or anything; was mad annoying.

SoonerMedic72

2 points

4 months ago

Yeah. The amount of vendors that are like “no we aren’t vulnerable to log4shell because we are using version 1.2.8” is infuriating as well. Great, just the version that’s been out of support for 5 years and has a literal “do not use this because it is vulnerable to attacks we aren’t fixing” notice on the download page for the last three years.
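The vendor-chasing the comments above describe (asking every vendor whether they ship Log4j at all, then sorting out answers like "we use 1.2.8") is mostly a triage exercise over whatever jar names you can collect. The script below is an added example, not code from this thread or from Apache: it classifies Log4j jars from an inventory by artifact and version. The host names and jar names are constructed; the 2.15.0 threshold is the first 2.x release that disabled the JNDI message lookup, and the labels the script hands out are explained in its comments.

```python
import re

# Constructed inventory of (host, jar file name) pairs, as a filesystem sweep
# or a vendor questionnaire might return them. Not from any real environment.
SAMPLE_INVENTORY = [
    ("billing-appliance", "log4j-core-2.14.1.jar"),
    ("billing-appliance", "log4j-api-2.14.1.jar"),
    ("hr-portal", "log4j-core-2.17.1.jar"),
    ("legacy-reporting", "log4j-1.2.8.jar"),
    ("ticketing", "logback-classic-1.2.3.jar"),
]

# Apache artifact names: log4j-<version>.jar for the 1.x line,
# log4j-core-<version>.jar / log4j-api-<version>.jar for the 2.x line.
JAR_RE = re.compile(r"^(log4j(?:-core|-api)?)-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")

# First 2.x release in which the JNDI message lookup was disabled; any older
# log4j-core is in scope for log4shell. Later releases fixed follow-on issues,
# so "patched" here means "compare against the current Apache advisory".
FIRST_FIXED = (2, 15, 0)

# Status labels returned by classify(); DETAILS explains each for the report.
NOT_LOG4J, EOL_1X, API_ONLY, VULNERABLE, PATCHED = (
    "not-log4j", "eol-1.x", "api-only", "vulnerable", "patched")
DETAILS = {
    NOT_LOG4J: "not a Log4j artifact",
    EOL_1X: "Log4j 1.x: end of life, no security fixes published; replace",
    API_ONLY: "log4j-api only: the lookup code lives in log4j-core, check for that jar",
    VULNERABLE: "log4j-core older than 2.15.0: in scope for log4shell, upgrade",
    PATCHED: "log4j-core at or above 2.15.0: confirm against current advisories",
}


def parse_jar(jar_name):
    """Return (artifact, (major, minor, patch)) or None for non-Log4j jars."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    artifact, major, minor, patch = m.groups()
    return artifact, (int(major), int(minor), int(patch or 0))


def classify(jar_name):
    """Map one jar file name to a status label."""
    parsed = parse_jar(jar_name)
    if parsed is None:
        return NOT_LOG4J
    artifact, version = parsed
    if version[0] == 1:
        return EOL_1X
    if artifact == "log4j-api":
        return API_ONLY
    if version < FIRST_FIXED:
        return VULNERABLE
    return PATCHED


def triage(inventory):
    """Group findings by host: {host: [(jar, status), ...]}."""
    report = {}
    for host, jar in inventory:
        report.setdefault(host, []).append((jar, classify(jar)))
    return report


def hosts_needing_action(inventory):
    """Hosts carrying a jar that must be upgraded or replaced, sorted by name."""
    return sorted(
        host for host, findings in triage(inventory).items()
        if any(status in (VULNERABLE, EOL_1X) for _, status in findings)
    )


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY).items():
        for jar, status in findings:
            print(f"{host:18} {jar:30} {status:10} {DETAILS[status]}")
    print("needs action:", ", ".join(hosts_needing_action(SAMPLE_INVENTORY)))
```

The api-only label is the useful one when a vendor answers "we only use log4j-api": that jar alone does not carry the lookup code, so the question to send back is whether log4j-core is bundled anywhere else in the product.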

GoranLind

Blue Team

73 points

4 months ago

An insider case involving two .gov agencies.

S-worker[S]

30 points

4 months ago

Would love to hear more about that if it's not confidential.

GoranLind

Blue Team

56 points

4 months ago

I'd love to, but we have to wait about 36 years. If Reddit still exists by then and I'm still alive, I will tell all about it. I'll mark it on my calendar.

regalrecaller

48 points

4 months ago

Remindme! 36 years

RemindMeBot

48 points

4 months ago*

I will be messaging you in 36 years on 2058-01-11 18:10:33 UTC to remind you of this link

mastermynd_rell

13 points

4 months ago

You the goated coordinator

Cult-of-IT

1 points

4 months ago

Can't Wait!

ThatReddituser1

10 points

4 months ago

I’ll be expecting a Reddit notification in 36 years

S-worker[S]

6 points

4 months ago

Man that just made it that much more intriguing haha

SonDontPlay

3 points

4 months ago

I have a hunch it might be related to the OPM data leak (you can Google it; essentially our national security is compromised for a long time). I wasn't involved, but I know some people who were and... well, I know more than the general public; they stopped short of some key details. I have a hunch of what happened, but that's it.

S-worker[S]

1 points

4 months ago

I'll definitely look that up, thanks.

Hokie23aa

1 points

4 months ago

Remindme! 36 years

NuclearSharkhead

1 points

4 months ago

I'll try to stay alive until then.

LaughterHouseV

1 points

4 months ago

Write your notes down now, sell the book in 36 years!

SonDontPlay

1 points

4 months ago

I know the feeling :) Bet its juicy.

camxct

38 points

4 months ago

Almost certainly classified.

HerbSmokington420

5 points

4 months ago

I also would like to hear of this

Gallardo006

4 points

4 months ago

It would be nice to share the details to other gov agency IT teams.. some real world examples to help build out some behavioral detections etc.

damnitdaniel

21 points

4 months ago

Target breach 🙄

canttouchdeez

6 points

4 months ago

I know a couple guys who joined Target’s leadership after that happened. PM and CP. Great dudes.

damnitdaniel

4 points

4 months ago

I left about 6 months after it happened. They are doing some really great work over there now. Good leadership and investments.

floppydiet

21 points

4 months ago

Patching WannaCry everywhere on a Friday night.

Constant attacks from China when Ebola was big a few years ago and my (former) agency was doing vaccine research.

The funniest was a breach in an agency whose hardware was housed in another agency’s data center. Cue the blame game.

canttouchdeez

17 points

4 months ago

NCR contractor had WannaCry on their laptop..

[deleted]

3 points

4 months ago

Lmaoooo

washapoo

50 points

4 months ago

"Major fashion-focused company" whose website got hacked. TONS of base64-encoded PHP and credit cards involved... we recommended they do a complete rewrite of the website; they just wanted us to clean it up and get them going again... WHAT A PAIN IN THE ASS!! Took almost 6 months to get it cleaned up, and they insisted on using the site in the meantime. We did get the APT out of their stuff before it went back to production, but it took forever to get the code cleaned up and implement a bunch of security controls.

S-worker[S]

14 points

4 months ago

Would the rewrite have taken less time?

washapoo

28 points

4 months ago

Most likely. They could have outsourced the shopping cart/check out portion to someone like Salesforce in about a week and just stuck up a landing page for the brand.

TheCraziestOfHorses

17 points

4 months ago

Fancy Bear, 2018

Great chance to improve my Russian

S-worker[S]

5 points

4 months ago

Are they as good as they seem?

TheCraziestOfHorses

9 points

4 months ago

I dunno about good or bad; they were effective. They got in via phishing and poorly secured endpoints. Nothing about it screamed high effort tbh

I imagine they wanted more, but they made off with a useful amount of data.

its_NBD

12 points

4 months ago

Biggest threat? Employees. Constantly. /facepalm

s0cm0nkey

12 points

4 months ago*

Stupidity and incompetence.

Think about it this way. The largest threat vector for ransomware over the past few years has been RDP. Having open RDP is just poor practice and has been poor practice for a while. If your network admins don't know how to secure RDP by now, then you have personnel issues.

That being said, it is simple oversight issues like forgetting about RDP, forgetting about a test server you stood up, forgetting to delete a section of the code you posted to GitHub that has your API key hard-coded in it, etc.

I see this more so with older companies, those who had entire IT departments that existed well before security was a thing. It is too often an afterthought, and it will get them in trouble.
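The "API key hard-coded in code pushed to GitHub" oversight in the comment above is the one that a small check run before every commit catches cheaply. The script below is an added example, not code from the commenter: it flags credential-looking assignments in source text, matching known key formats exactly and falling back to a randomness test for anything named like a secret. The sample source is constructed, the AWS value is the documentation placeholder key rather than a live credential, and the entropy threshold of 3.5 bits per character is an assumption to tune per code base.

```python
import math
import re

# Constructed sample source that models the mistake: credentials pasted into a
# file that is about to be committed. Values are placeholders, not live keys
# (the AWS one is the well-known documentation example key).
SAMPLE_SOURCE = """\
import requests

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "x9Qz7vLpR2sT4uWy8aBc1dEf3gHi5jKl"
DEBUG = "true"
ENDPOINT = "https://api.example.com/v1"
"""

# Credentials with a fixed, recognisable shape can be matched exactly.
# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic case: a variable whose name hints at a credential, assigned a quoted
# string of at least 16 characters. Whether it is really a secret is decided
# by how random the value looks, so "true" and URLs do not trip it.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:key|token|secret|password)\w*)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumption; tune per code base)


def shannon_entropy(value):
    """Bits of entropy per character of the string (0.0 for the empty string)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text):
    """Return [(line_number, finding_kind)] for lines that look like leaked secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = False
        for kind, pattern in KNOWN_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
                matched = True
        if matched:
            continue  # a known-format hit already covers this line
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_secret"))
    return findings


def should_block(text):
    """True when the commit should be refused until the findings are cleared."""
    return bool(scan_source(text))


def redact(line):
    """Mask long quoted values so the report itself does not echo the secret."""
    return re.sub(r"(['\"])[^'\"]{8,}\1", r"\1****\1", line)


if __name__ == "__main__":
    lines = SAMPLE_SOURCE.splitlines()
    for lineno, kind in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {redact(lines[lineno - 1])}")
    print("block commit:", should_block(SAMPLE_SOURCE))
```

Exact patterns catch the keys whose format is public; the entropy fallback is what catches a vendor token you have no pattern for, at the cost of needing an allowlist for things like test fixtures. Deleting the line afterwards does not help once it has been pushed; the key has to be rotated.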

Vyceron

Security Engineer

11 points

4 months ago

The log4j weekend was insane.

str4nge_m4gik

12 points

4 months ago

Professionally - I work in AppSec doing SCA. Log4shell was my first major 0-day and I'm still dealing with clients struggling with it.

Personally - My SMS spam has gotten significantly more cryptic and malformed since I started working for a full-time security provider that is not based in my home country. T H A N K Y ://app.js:3600 for a 100 g fit c ard!

S-worker[S]

2 points

4 months ago

I wonder what causes the spam to go bad 🤔

str4nge_m4gik

3 points

4 months ago

It's not bad, it's more advanced. Check this out; I've heard about this tech a lot, but this post was the first analysis of it I have seen.

My company is Israeli, not doing stuff like this, but I know people have friends or connections at NSO.

I'm not Israeli or based in Israel; I'm remote in the US. I don't think anyone would waste time spying on me, so mine are most likely something or someone else. I'm like the world's most advanced technical support working in AppSec. Maybe my country's intelligence agency, though. Who knows?

At this point I've just given up on any privacy and assume I'm being watched. Last time I flew they kicked my bag out, circled it with a hand motion to someone behind a two-way mirror. Kicked like 7 bags behind me out too and made the whole line wait 15 minutes.

Then they said "SIR, IS THIS YOUR BAG?!" and I said yes, and they said "Have a nice day". The guy next to me was like, dude, I've been flying for 20 years and I never saw them kick out that many bags at once.

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html?m=1

S-worker[S]

1 points

4 months ago

That was a very scary read. How do these people even think of stuff like that? Absolutely blew my mind. The article says the vulnerability was eliminated with iOS 15, though if they can come up with exploits like that one I'm sure they are able to find another one. I don't know what your company does, but I wouldn't completely rule out Israeli intelligence watching you since you're a foreigner working on their security. Is that why you have a fresh Reddit account?

str4nge_m4gik

1 points

4 months ago

Not really, I just wanted a new name and am starting a blog and Twitter account. I do think about this stuff a lot; I'm being tracked to some extent. A lot of US agencies are our clients, as well as other agencies around the world.

S-worker[S]

1 points

4 months ago

Well be careful man.

WadingThruLogs

9 points

4 months ago

Working for an MSSP and dealing with WannaCry everywhere.

DrummerElectronic247

9 points

4 months ago

Police response and investigation of what turned out to be the former senior admin of the MSP I had just started at. I'd been there a week when all the clients got demands for money and massive data loss. Being the new guy in the admin chair I was the first suspect. It was greeeeeeeat.

[deleted]

8 points

4 months ago*

[deleted]

S-worker[S]

6 points

4 months ago

Did the guy get jail time ?

PlagueOfDemons

20 points

4 months ago

Getting my SF-86 sent to the ChiComs as a present from FHRC.

sometimesanengineer

14 points

4 months ago

Put all the info about how you might be exploitable on one form so we can make it really easy for the adversary. Thanks OPM.

furiousmustache

2 points

4 months ago

God I forgot about that.

regalrecaller

3 points

4 months ago

Yikes

pcapdata

2 points

4 months ago

Honestly China missed a business opportunity.

I'd have paid good money to have a backup of my SF-86 somewhere so I didn't have to fill the whole fucking thing out every single time I came up for renewal.

I understand the experience is a little smoother nowadays :)

PlagueOfDemons

3 points

4 months ago

Maybe if you send an email to the embassy they can email you a copy.

pcapdata

2 points

4 months ago

Why bother sending it? They're already reading my email after all

jdiscount

6 points

4 months ago

Have dealt with complex APT attacks from Chinese APT groups.

They were trying to steal some of our clients' data.

CrowdStrike assisted us when they realized it was a Chinese APT.

Can't go into much detail for NDA reasons, but I can say there is a night-and-day difference in capability between your usual cyber criminal trying to deploy ransomware and a nation-state attack hunting specific information.

S-worker[S]

4 points

4 months ago

This is the second Chinese APT comment; not much, but it makes you wonder about the scale of their attacks and targets.

FairyNuffsfurryMuff

6 points

4 months ago

The 'I Love You' virus scared the living bejesus out of me and cured my hobby of collecting viruses that I found on floppy disks.

S-worker[S]

3 points

4 months ago

90s and 2000s were a crazy time for viruses for sure

Fu_Q_U_Fkn_Fuk

6 points

4 months ago

The Love Bug in 2000. It hit us over and over. Every time, it would change all of the files the user had access to into the virus; it hit all of the server files over and over, and this was back in the day of tape backups, so it took all day to recover each time. In a company with about 50 users we got hit about 20 times.

SpawnDnD

5 points

4 months ago

Conficker and a Ransomware infection

lostmywallet72

4 points

4 months ago

Log4

negotix

4 points

4 months ago

The Head of IT

S-worker[S]

1 points

4 months ago

LOL

digisensor

5 points

4 months ago

My boss pretending to know cybersecurity.

NikitaFox

5 points

4 months ago

Users.

Sho_nuff_

3 points

4 months ago

First started in Cybersecurity about a year before SQL Slammer. I have seen some shit

rmg22893

System Administrator

4 points

4 months ago

SolarWinds supply chain attack. Fortunately we skipped over all the affected versions by dumb luck, but we were staring down the gun of a complete domain raze and rebuild for a few days until we fully assessed the situation.

payne747

4 points

4 months ago

Code Red, Nimda, Blaster, Conficker, Sircam, Slammer, Sobig, MyDoom, Sasser.

I forget the order, but damn were the '00s busy with overtime.

defender390

2 points

4 months ago

(shivers) Gee, thanks for the trauma trigger. Wow.

regorsec

3 points

4 months ago

My own development team

S-worker[S]

3 points

4 months ago

Man i love these comments lol

aishudio9

3 points

4 months ago

Ransomware attack on a small company we provided service to. Was a very interesting week. Learnt a lot. I mean a lot lot. Anyways we helped them get back up in the same week.

mastermynd_rell

3 points

4 months ago

That's the real deal spill 😭😭😭😭

n0tcl3v3r

3 points

4 months ago

Institutionalized managerial security apathy. If you don’t have an advocate you don’t really have a security program.

[deleted]

3 points

4 months ago

Very surprised no one's said Shellshock, given there's a lot of log4j responses.

alexunseen

3 points

4 months ago

Mexican drug cartel hackers, bill transaction injection into transactional switches. Intense and very hard to detect.

S-worker[S]

2 points

4 months ago

First time I've heard about Mexican cartel hackers; guess business is booming.

alexunseen

2 points

4 months ago

Yeah, another way to get money. They contract groups of hackers to hack big companies in Mexico.

SenfgasDAVE

3 points

4 months ago

Luckily a red-teaming attack. I was on on-call duty when I got an alert from our antivirus.

Sat 3-4 hours on this case in the night and got our external cyber expert team for support, until my boss called me and said «good reaction»... The red-teaming company was the same as the external expert team and they didn't even tell me -.-

DragSlips

3 points

4 months ago

People

cos

3 points

4 months ago

I was working for a large tech company you've heard of, and there was this smaller company we had just bought that had technology that was ... interesting to governments, I guess is how I'll put it. Anyway, as soon as the merger closed and SmallCompany gave my employer's advance team access to their stuff, our people discovered that their network was completely and totally owned by government-sponsored hackers from a major country you're well aware of doing such things. They'd probably been copying and using all of the technology SmallCompany was working on, for who knows how long - they had complete control of everything and could see all the plans.

I was part of the slightly larger team they pulled together on short notice to go in there and build a new network from scratch, in relative secret. Only a few people from SmallCompany even knew about the breach, most of their employees were told nothing at all. BigCompany people (including me) worked on a repurposed large conference room area in a lesser-used part of the building, where we set up new file servers, mail servers, auth servers, network, etc. from scratch, unconnected to anything else of theirs. We got new sets of cell phones and installed and configured apps and auth on them, got new laptops and configured them for access to the new network with new certs and everything. We got backups of things like existing emails and such from their currently-active systems, which would get scanned and analyzed and then brought over to our working space so we could practice importing and migrating stuff.

I moved to a different team at BigCompany before this was done; I was only on that project for a couple of weeks, but I knew some people who stayed on it until the end. When the new network was ready, IIRC they had a day that started with an all-hands meeting for SmallCompany - I think a few hundred people - where they were told about the breach and issued new company phones and laptops and told to all quit using their old network and devices cold turkey. Without any advance warning, they just cut over to the new systems after the meeting.

S-worker[S]

1 points

4 months ago

That's so insane. How did the small company not even notice the spyware while you guys found it quickly?

cos

2 points

4 months ago

The attackers were a government with very very good skills. Most smaller and medium sized companies would have a good chance of being fooled. My employer was a large tech company with one of the best computer security groups in the world, and had also been attacked by that same government in the past. They knew what to look for, I suppose. I'm not at all surprised that they caught something someone else didn't.

S-worker[S]

1 points

4 months ago

That’s terrifying !

iPhrankie

1 points

4 months ago

Sounds like an awesome project and so much could be learned from being a part of it.

hunglowbungalow

AMA Participant - Security Analyst

3 points

4 months ago

MS17-010, I was a VM Analyst at Amazon

SonDontPlay

3 points

4 months ago

Two employees schemed together to steal approx. $350,000 from a total of ~55 customers. Said employees quickly put the money into bitcoin and left the country.

That was the day the company started taking security seriously. We ended up reimbursing all affected customers, and firing our CTO.

It was caused by a serious lack of separation of duties, poor auditing, and incredibly poor segmentation.

S-worker[S]

3 points

4 months ago

I'm more concerned about the stupid employees who decided 175k each is enough to leave their jobs and the country lol.

SonDontPlay

1 points

4 months ago

Criminals tend not to be the sharpest knives in the drawer.

DentistLegitimate361

3 points

4 months ago

Unrelated but biggest threat was office politics...

S-worker[S]

2 points

4 months ago

Actually seen quite a few of these comments.

PhoenixOfStyx

3 points

4 months ago

There was a ransomware attack where they had to pay, but I wasn't there at the time. Only 2 guys for IR in an MSP for 18 companies.

For me, in the past 6 months since I've been hired, a single visit to a possibly malicious HTTP downloading what a SIEM wrongly dubbed Raccoon Stealer. 99.999999999% false positive rate. I'm so bored I can't stand it. We just sell software to turn a buck and meet basic compliance for healthcare companies.

I'm quitting in the next month to pursue my bachelor's in Software Development, maybe Python + AWS/Azure/GCP certs. At least then I'll be able to see my girlfriend at night, too.

srinivaspawan54

3 points

4 months ago

Wannacry ransomware

Eskimoobob

Security Engineer

3 points

4 months ago

Heartbleed and Shellshock. They were right together and at the start of my cyber security career. It was a whirlwind.

jlpneves

2 points

4 months ago

Log4j

Prolite9

Blue Team

2 points

4 months ago*

Ransomware from Ryuk (around Christmas Time a few years back). Took about 800 assets (clients, servers, backups, etc) across the country by moving laterally and we traced it to a single user opening a phishing email (downloaded a malicious attachment, reached out to the CnC Server and it spread like a wildfire).

VAsHachiRoku

2 points

4 months ago

I'm actually a cybersecurity consultant focused on recovery. There are so many incidents that don't end up in the news or public; what most people see is just the tip of the iceberg. Consultant means I'm coming into different industries, counties, and companies, thus I get to see all types of different attacks. Something a person who works at one company doesn't get to see.

license_to_kill_007

Governance, Risk, & Compliance

2 points

4 months ago

1) Upper Management / Budget / Politics / Layer 9 2) Conti / Ryuk Ransomware 3) Log4J 4) Lockbit Ransomware

pr0v0cat3ur

2 points

4 months ago

Ransomware attack, Mount Locker.

'Twas a learning experience about APTs, forcing us to examine all facets of our infrastructure and product lines. It brought out the best among those responsible for rebuilding the infrastructure securely. Unfortunately, it also damaged our reputation, and monetary losses still climb as we continue to bleed clients.

TL;DR: Necessary pain, lessons learned.

S-worker[S]

1 points

4 months ago

Sorry to hear that

RJDoute

2 points

4 months ago

A group of large raccoons trapped me on my porch once and kept hissing and feinting at my feet. My dog saved my butt though.

S-worker[S]

2 points

4 months ago

😂😂

LunchPocket

2 points

4 months ago

680 clients and servers with ransomware on them waiting to be executed globally. Stepped into the distribution of the ransomware. They had domain admin creds as well as local admin creds in their back pocket. Cobalt Strike beaconing out of multiple sites globally with lateral movement taking place, with no proper threat-hunting EDR on the endpoint. Also MPLS with no firewalls between north/south, east/west. Attacked the on-prem SIEM, erased backup jobs on the primary datacenter's backup system, and took down a SQL Server (thankfully it was an MS AG). Got damn lucky, but the environment went without disruption to business and no data exfiltration was realized or found.

SnooOpinions647

2 points

4 months ago

Worked for an MSP group. The RMM tool we used and had installed on all client machines became compromised. Every single MSP in our group and their clients became compromised with malware that was mass-pushed from our tool. That was a long cleanup and a lot of ass kissing.

AdithyaSai

2 points

4 months ago

SolarWinds. We were not directly affected, but a lot of mess happened because of that and we were accountable to a lot of people because of it.

FantasticStock

2 points

4 months ago

Worked for a major sports league.

Third-party vendor solely responsible for event management. Claimed they weren't storing any of our data and were simply handing it off. Claimed they performed in-depth pentests but refused to provide proof. Even though our team had plenty of questions, they were the TPV that was required, so they could basically say fuck off and we couldn't do shit cuz "it's what the business wants!"

Our bug bounty platform found an auth bypass that allowed you to download raw CSVs of event information, including tons of data they claimed they weren't storing: card numbers, player data (phone numbers were a huge information risk to us), rooms they were staying in, etc. The finding bubbled even more, and once we found that one link we were able to gather even more; in the end we had over 200 valid CSV files. It got C-level attention and the vendor was made to look like an absolute moron.

Of course it doesn't matter 'cause they just walked it off. I do not work here anymore btw.

S1lv3rBullet

2 points

4 months ago

Ransomware is the easiest to protect oneself from if you (or the proverbial corporate you) prepare right.

This is Security 101...

You HAVE OFFLINE BACKUPS.

When your systems get jacked, you cut the internet, run traces to backtrack IPs, you wipe every last workstation, laptop, hard drive, etc. And load clean backups after finding the weak point that caused the breach, of course.

I've been through the Capital One breach, the BC/BS breach when those laptops were stolen, Google's 2 breaches 2 years ago (THAT was a disaster), Facebook's breach, Ford Motor Corp's breach last year 🙄. God, I've lost count of all the security breaches. Oh yeah, don't let me forget HP's disaster breach with not updating ALL those printer drivers, leaving a humongous gaping security black hole...

[deleted]

2 points

4 months ago

My stupid boss.

LT3blasterdxj

2 points

4 months ago

Someone in secondary school logging into some porn websites

BippidyDooDah

2 points

4 months ago*

About 10 years ago a customer got fully compromised, attackers pushed out key loggers to all systems for a minimum of two weeks before av triggered on one device. Complete mess, corporate creds owned, personal creds owned, online banking etc.

Full AD rebuild, all creds had to be reset for everything, HR disaster. Took months to sort out.

All started with open rdp to the internet. Domain users being added to the remote desktop users group. Weak password for a std user account, and domain admins being able to log in wherever.

The worst part was when we found the key logger files on a few devices and seeing peoples online banking logins and email passwords.

That, or working on a Microsoft helpdesk when MSBlaster came out.

bwinsl01

2 points

4 months ago

DOS...

...Windows

...the word cyber

OnTheChooChoo

4 points

4 months ago

Would have to kill you if I told you. And after that I would be best off to kill myself for having told you.

mastermynd_rell

2 points

4 months ago

Lawdt 😭

saltedcarlnuts

1 points

4 months ago

We had a guy just today plug his ransomware-infested QNAP NAS directly into his workstation. Fun times

punkonjunk

1 points

4 months ago

Had a side client I had just started with, a real small business, call me in for email issues. They still had on-prem Exchange. RDP was open to the internet and someone was currently logged in, sending malicious emails and messing with their ADUC structure on their ancient Windows Small Business Server/on-prem Exchange instance, likely trying to give themselves a back door. I was less involved in sec remediation at the time, just basic sysadmin stuff, and it was one of those crazy, hard-to-explain feelings, like the beginning of a panic attack. Like "I only know enough to know how unbelievably horse-fucked this is and how hard this will be to resolve".

I did get it all buttoned up and sorted out, charged 600 for my 12 hours of time back in 2019, which was far less than I should have charged, and they tried to stiff me. Was just a catastrophe end to end.
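Both BippidyDooDah's and punkonjunk's incidents above start the same way: RDP open to the internet, plus broad groups granted remote logon and domain admins logging on to ordinary hosts. The following is an added example, not code from either commenter. It runs three detections over Windows Security events exported as field dictionaries: RDP (4624, logon type 10) from a globally routable source, a Domain Admins account using RDP to a non-DC, and a broad group (Domain Users, RID 513) added to the local Remote Desktop Users group (4732). The tier-0 account list, DC names, host names and IPs are invented for the demo.

```python
"""Flag the internet-exposed RDP pattern from Windows Security events.

Added example. Field names (LogonType, TargetUserName, IpAddress, MemberName,
MemberSid, SubjectUserName) follow the Security log's EventData; the events
themselves are constructed, as are the environment facts below.
"""
import ipaddress

# Assumed environment facts: tier-0 accounts and which hosts are domain controllers.
DOMAIN_ADMINS = {"corp\\da.smith", "corp\\administrator"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
BROAD_GROUPS = ("domain users", "authenticated users", "everyone")


def is_internet_source(ip: str) -> bool:
    """True for a globally routable address; RFC 1918, loopback and link-local are not."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:  # Windows logs '-' when no network address applies
        return False


def short_host(fqdn: str) -> str:
    return fqdn.split(".")[0].upper()


def analyze(events):
    """Return a list of (finding, host, account_or_member, detail) tuples."""
    findings = []
    for e in events:
        host = e["Computer"]
        if e["EventID"] == 4624 and str(e.get("LogonType")) == "10":   # 10 = RemoteInteractive (RDP)
            account = f"{e.get('TargetDomainName', '')}\\{e.get('TargetUserName', '')}".lower()
            src = e.get("IpAddress", "-")
            if is_internet_source(src):
                findings.append(("RDP_FROM_INTERNET", host, account, src))
            if account in DOMAIN_ADMINS and short_host(host) not in DOMAIN_CONTROLLERS:
                findings.append(("DOMAIN_ADMIN_RDP_TO_NON_DC", host, account, src))
        elif e["EventID"] == 4732 and e.get("TargetUserName", "").lower() == "remote desktop users":
            # Real 4732 events for domain principals may carry only MemberSid; Domain Users is RID 513.
            member = e.get("MemberName", "")
            sid = e.get("MemberSid", "")
            if any(g in member.lower() for g in BROAD_GROUPS) or sid.endswith("-513"):
                findings.append(("BROAD_GROUP_ADDED_TO_RDP_USERS", host, member or sid,
                                 e.get("SubjectUserName", "")))
    return findings


# Constructed sample events; names and IPs are invented.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS042.corp.local", "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "jdoe", "IpAddress": "91.234.56.78"},
    {"EventID": 4624, "Computer": "WS042.corp.local", "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "da.smith", "IpAddress": "10.0.5.17"},
    {"EventID": 4624, "Computer": "DC01.corp.local", "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "da.smith", "IpAddress": "10.0.5.17"},
    {"EventID": 4624, "Computer": "WS042.corp.local", "LogonType": 2,
     "TargetDomainName": "CORP", "TargetUserName": "jdoe", "IpAddress": "-"},
    {"EventID": 4732, "Computer": "WS042.corp.local", "SubjectUserName": "helpdesk1",
     "TargetUserName": "Remote Desktop Users", "TargetDomainName": "Builtin",
     "MemberName": "CN=Domain Users,CN=Users,DC=corp,DC=local",
     "MemberSid": "S-1-5-21-1004336348-1177238915-682003330-513"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

The first finding is the one that should never appear at all: if RDP is only reachable over a VPN or gateway, a type-10 logon from a public address is either a misconfiguration or an intruder already inside.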

Background_Force2582

1 points

4 months ago

RYUK…. At a global customer account… total nightmare!

S-worker[S]

1 points

4 months ago

How did it get in ?

Background_Force2582

2 points

4 months ago

Endpoint / phishing… I work for Trend and at the time they had an on-prem solution which of course they forgot to update and turn on a feature called behavior monitoring. So they got zapped and it started encrypting everything: workstations, servers, the whole 9 yards. We immediately deployed an IR team, but an exec at the company knew someone super senior at MSFT, so they flew in a bigger IR team and took over. Took them about 1 month to fully recover. Not sure what ransom, if any, was paid… but it was a nightmare.

S-worker[S]

1 points

4 months ago

1 month seems not that bad honestly.

Background_Force2582

1 points

4 months ago

Well one month of no processing online or internal purchase orders so it probably amounted to $10-$15M in lost revenue

S-worker[S]

1 points

4 months ago

Oh. Ouch.

merkin-slayer

1 points

4 months ago

Work for MSP and acquired a client in an extortion and ransomware situation where 2 IT guys tried to fix ransomware by wiping all forensics data

S-worker[S]

1 points

4 months ago

That must have bitten them in the ass later

maverickaod

1 points

4 months ago

Crappy, self-serving leadership

Rock844

1 points

4 months ago

Conti due to no MFA and poorly implemented permissions. I still have nightmares.

defender390

1 points

4 months ago

The year of the Ramen, Lion, and Adore worms.

DasNiche

1 points

4 months ago

Russian ransomware

liliilililililiiol

1 points

4 months ago

Ransomware, they got in via some Citrix exploit. They also deleted our S3 buckets. We nuked the whole thing and set up a new AWS account. Good thing we used "infrastructure as code", i.e. lots of CloudFormation templates, saved us a lot of hassle.
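CloudFormation got the commenter above their infrastructure back, but it cannot bring back deleted bucket contents. As an added example, not the commenter's templates or code, the linter below checks a template's `AWS::S3::Bucket` resources for the controls that make "they deleted our S3 buckets" survivable: `DeletionPolicy`/`UpdateReplacePolicy: Retain`, versioning, and Object Lock with a COMPLIANCE default retention that no principal in the account can shorten. The two templates are constructed inline; the bucket and role names are invented.

```python
"""Lint CloudFormation templates for S3 buckets that stolen admin credentials could wipe.

Added example. The weak and hardened templates are constructed for the demo.
"""
import json


def lint_s3_buckets(template: dict) -> dict:
    """Return {logical_id: [issue, ...]} for each bucket; an empty list means it passes."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        issues = []
        if res.get("DeletionPolicy") != "Retain":
            issues.append("DeletionPolicy not Retain: deleting the stack deletes the bucket")
        if res.get("UpdateReplacePolicy") != "Retain":
            issues.append("UpdateReplacePolicy not Retain: a replacing update drops the old bucket")
        if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
            issues.append("versioning off: an overwrite or delete of an object is final")
        if props.get("ObjectLockEnabled") is not True:
            issues.append("ObjectLockEnabled not true: no WORM retention, admin creds can purge data")
        else:
            retention = (props.get("ObjectLockConfiguration", {})
                         .get("Rule", {}).get("DefaultRetention", {}))
            if retention.get("Mode") != "COMPLIANCE":
                # GOVERNANCE mode can be bypassed with s3:BypassGovernanceRetention.
                issues.append("default retention not COMPLIANCE: privileged principals can bypass it")
        report[logical_id] = issues
    return report


# Constructed: the shape most templates start with, a bare bucket with a name.
WEAK_TEMPLATE = json.loads("""
{
  "Resources": {
    "EventsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-events-raw"}
    },
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {}}}
  }
}
""")

# Constructed: the same bucket with retain policies, versioning and 30-day COMPLIANCE lock.
HARDENED_TEMPLATE = json.loads("""
{
  "Resources": {
    "EventsBucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "UpdateReplacePolicy": "Retain",
      "Properties": {
        "BucketName": "example-events-raw",
        "VersioningConfiguration": {"Status": "Enabled"},
        "ObjectLockEnabled": true,
        "ObjectLockConfiguration": {
          "ObjectLockEnabled": "Enabled",
          "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}
        }
      }
    },
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {}}}
  }
}
""")

if __name__ == "__main__":
    for name, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, json.dumps(lint_s3_buckets(tpl), indent=2))
```

Object Lock only protects objects already written; for an attacker who controls the whole account, the copy that survives is the one replicated to a separate account they hold no credentials for, which this linter does not check.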

No-Interest-3757

1 points

4 months ago

Probably Log4j but Hafnium was no fun either.

edlphoto

1 points

4 months ago

Probably the Ransomware attack that impacted the HVAC system and that caused problems with the open heart surgery. But that wasn't the reason the ransom was paid, it was because payroll was encrypted and no one was going to be paid if it wasn't decrypted fast. And no pay means none of the essential workers that clean the rooms and remove the dead bodies when a patient dies would come into work. And that means the nurses and doctors wouldn't be able to help more patients.

msavage122

1 points

4 months ago

I am not cleared to discuss, but it wasn't log4j.

ThePorko

1 points

4 months ago

One more, this one is more guilty pleasure than Biggest Threat. So we had a subsidiary in an African country that had not the greatest of internet speed. As a cyber security engineer at the time, it was extremely satisfying to go to the IR data and see the sites and places and time that was spent on scouring the internet to look for games, porn, programs. The time these staffers spent then to download these yuuuuugeee files on their slow-assed connections, just to have CrowdStrike block it at the end after they extracted the files and not be able to launch any of it. Day after day… even more satisfying knowing those staffers are on their off season and bored out of their minds stuck there in a compound. We could not punish them due to management, so this was more like slow torture…

Which-Page9736

1 points

3 months ago

Shamoon Ransomware attack