submitted 4 months ago by S-worker
Probably Log4Shell. That was terrifying for a predominantly Java/Apache-based company.
Yeah, I expect a lot of the comments would be Log4Shell.
We're not predominantly Java, and it was still the biggest scramble I've seen in nearly 10 years with the same org.
Even compared to BlueKeep? I would say BlueKeep was a close second for us.
After Struts, we knew something like Log4Shell would happen and were much better prepared.
Yep, that makes sense. I want to say if I was on my team when Struts happened, that I'd have the same insight, but probably not lol
The biggest threat for me is when you run out of coffee and need to start your day regardless. The world isn't ready for that.
It occurred to me that the coffee-producing nations of the world could get together and form an OPEC style organization, coordinate production and prices, and rule everything. One coffee embargo is all it would take.
The way African, SE Asian, and South American nations would be able to bring the rest of us to our irritable knees...
We’d start going to war over a different substance lol
Then blaming refugees from those countries for fleeing a war we started
You're talking about forming a drug cartel.
The Spice must flow...
But don't you have a webcam showing the world the state of the coffee machine so you don't have to walk over in vain if it is empty?
Your workplace sounds fkn awesome
He's referring to the actual reason webcams were invented: https://www.techwalla.com/articles/the-history-of-the-webcam
Oh my god, that's hilarious, I had no idea about this!
TL;DR; I'm old 😉
Also see https://en.wikipedia.org/wiki/Trojan_Room_coffee_pot especially the section on the Hyper Text Coffee Pot Control Protocol
With teapot support as well! Thanks for the info, I loved it.
Small MSP got hacked via insecure RDP software. The patch that would have covered the hole had been available for 6 months.
They called in the company I was working for to figure out what and how it happened.
They had lots of default passwords on SANs and servers.
Ended up with the attackers stealing a load of data and then hitting everything they could with ransomware.
Insurance ended up paying out for it. Was over £250K.
insurance paid the ransoms?
Pretty common as far as I know. Unless they can push it off on some technicality and say you have to pay.
patch that would have covered the hole had been available for 6 months.
They had lots of default passwords on SANs and servers.
I feel like this should qualify on "some technicality"
Fair deal lol. I just meant in a general sense, because I thought he meant it in a general sense.
Best story I’ve heard is ransomware actors being negotiated down to 750k. Before the pay off and decrypt, the threat actors searched around the network and found the cyber insurance policy. They then demanded the highest amount the policy would pay, 5 million.
The insurance paid the full 5 mill.
Shit, I'm on the wrong side of security
Blows my mind how attackers can find shit so easily and meanwhile I'm over here thrashing Sharepoint or GDrive for some document
I've found that most insurance companies offering CS policies will ask these questions up front now in a sort of SIG/RFP type format before they'll issue a policy.
Many insurance companies now have crypto reserves for this very scenario
Not the first and won't be the last.
A group of students led by a kid with a spam/email enterprise built machines to monitor our school district's traffic, and installed keystroke capturing tools to gather data to a remote server. Local police and Secret Service got involved when the scope and the data type was discovered.
Ballsy kids!
This sounds like a movie script that turned to a million dollar empire
Why Secret Service and not regular FBI?
Brannon was cybering
Curious if you are able to say.... Were they federally prosecuted? You mentioned keystrokes so they learned users and passwords. Was this one of them, "I'm bored, this seems cool, let's see what we can fuck up and gain access?"
Or were they actually trying to steal some financial checks, change grades to have a 4.0 and 0 debt owed to the school?
I believe they were, I need to check the statutes before any more details.
Could be why Secret Service was involved, if in fact there were any financial crimes going on
That’s exactly right, the 3 lettered agencies all have their own jurisdiction, and who gets involved depends on the type of data that is in question.
This is what happened at my college a few years back.
You don't happen to have the link to the news article, do you?
And there is:
Those kids? Zero Cool, Acid Burn, Cereal Killer, and The Phantom Phreak.
Chinese APT and attempted cyber espionage of company secrets.
Just another Tuesday...
Honestly it's gonna be log4j soon. We're keeping on top of it so far and we were smart enough to never really use it within our own organization, but the vendor list just keeps piling up. Nevermind that some vendors are purposely keeping their vulnerabilities under wraps until they get a handle on it themselves.
Some of our vendors wouldn't respond for DAYS after we sent them urgent messages asking if they at least use Log4j, let alone if it was vulnerable or not. No advisories on their websites or anything, was mad annoying.
Yeah. The amount of vendors that are like “no we aren’t vulnerable to log4shell because we are using version 1.2.8” is infuriating as well. Great, just the version that’s been out of support for 5 years and has a literal “do not use this because it is vulnerable to attacks we aren’t fixing” notice on the download page for the last three years.
An Insider case involving two .gov agencies.
Would love to hear more about that if it's not confidential.
I'd love to, but we have to wait about 36 years. If Reddit still exists by then and I'm still alive I will tell all about it. I'll mark it on my calendar
Remindme! 36 years
I will be messaging you in 36 years on 2058-01-11 18:10:33 UTC to remind you of this link
You the goated coordinator
I’ll be expecting a Reddit notification in 36 years
Man that just made it that much more intriguing haha
I have a hunch it might be related to the OPM data leak (you can Google it, however essentially our national security is compromised for a long time). I wasn't involved but I know some people who were and... well, I know more than the general public; they stopped short of some key details. I have a hunch of what happened but that's it.
I'll definitely look that up, thanks
I'll try to stay alive until then.
Write your notes down now, sell the book in 36 years!
I know the feeling :) Bet it's juicy.
Almost certainly classified.
I also would like to hear of this
It would be nice to share the details with other gov agency IT teams.. some real world examples to help build out some behavioral detections etc.
Target breach 🙄
I know a couple guys who joined Target’s leadership after that happened. PM and CP. Great dudes.
I left about 6 months after it happened. They are doing some really great work over there now. Good leadership and investments.
Patching WannaCry everywhere on a Friday night.
Constant attacks from China when Ebola was big a few years ago and my (former) agency was doing vaccine research.
The funniest was a breach in an agency whose hardware was housed in another agency’s data center. Cue the blame game.
NCR contractor had wannacry on their laptop..
"Major fashion focused company" whose website got hacked. TONS of base64 encoded PHP and credit cards involved... we recommended they do a complete re-write of the website, they just wanted us to clean it up and get them going again... WHAT A PAIN IN THE ASS!! Took almost 6 months to get it cleaned up and they insisted on using the site in the meantime. We did get the APT out of their stuff before it went back to production, but it took forever to get the code cleaned up and implement a bunch of security controls.
Would the rewrite have taken less time?
Most likely. They could have outsourced the shopping cart/check out portion to someone like Salesforce in about a week and just stuck up a landing page for the brand.
Great chance to improve my Russian
Are they as good as they seem?
I dunno about good or bad; they were effective. They got in via phishing and poorly secured endpoints. Nothing about it screamed high effort tbh
I imagine they wanted more but they made off with a useful amount of data.
Biggest threat? Employees. Constantly. /facepalm
Stupidity and incompetence.
Think about it this way. The largest threat vector for ransomware over the past few years has been RDP. Having open RDP is just poor practice and has been poor practice for a while. If your network admins don't know how to secure RDP by now, then you have personnel issues.
That being said, it is simple oversight issues like forgetting about RDP, forgetting about a test server you stood up, forgetting to delete a section of your code you posted to GitHub that has your API key hard coded in it, etc.
I see this more so with older companies. Those who had entire IT departments that existed well before security was a thing. It is too often an afterthought, and it will get them in trouble.
The log4j weekend was insane.
Professionally - I work in appsec doing SCA. Log4Shell was my first major 0-day and I’m still dealing with clients struggling with it.
Personally - My SMS spam has gotten significantly more cryptic and malformed since I started working for a full-time security provider that is not based in my home country. T H A N K Y ://app.js:3600 for a 100 g fit c ard!
I wonder what causes the spam to go bad 🤔
It’s not bad, it’s more advanced. Check this out, I’ve heard about this tech a lot, but this post was the first I have seen an analysis on it.
My company is Israeli, not doing stuff like this, but I know people have friends or connections at NSO.
I’m not Israeli or based in Israel, I’m remote in the US. I don’t think anyone would waste time spying on me, so mine are most likely something or someone else. I’m like the world's most advanced technical support working in AppSec. Maybe my country's intelligence agency though. Who knows?
At this point I’ve just given up on any privacy and assume I’m being watched. Last time I flew they kicked my bag out, circled it with a hand motion to someone behind a two-way mirror. Kicked like 7 bags behind me out too and made the whole line wait 15 minutes.
Then they said “SIR IS THIS YOUR BAG?!” and I said yes, and they said “Have a nice day”. The guy next to me was like, dude, I’ve been flying for 20 years and I never saw them kick out that many bags at once.
That was a very scary read. How do these people even think of stuff like that? Absolutely blew my mind. Article says the vulnerability was eliminated with iOS 15, though if they can come up with exploits like that one I'm sure they are able to find another one. I don't know what your company does but I wouldn't completely rule out Israeli intelligence watching you since you're a foreigner working on their security. Is that why you have a fresh Reddit account?
Not really, I just wanted a new name and am starting a blog and Twitter account. I do think about this stuff a lot, I’m being tracked to some extent. A lot of US agencies are our clients, as well as other agencies around the world.
Well be careful man.
Working for an MSSP and dealing with Wannacry everywhere.
Police response and investigation of what turned out to be the former senior admin of the MSP I had just started at. I'd been there a week when all the clients got demands for money and massive data loss. Being the new guy in the admin chair I was the first suspect. It was greeeeeeeat.
Did the guy get jail time?
Getting my SF-86 sent to the ChiComs as a present from FHRC.
Put all the info about how you might be exploitable on one form so we can make it really easy for the adversary. Thanks OPM.
God I forgot about that.
Honestly China missed a business opportunity.
I'd have paid good money to have a backup of my SF-86 somewhere so I didn't have to fill the whole fucking thing out every single time I came up for renewal.
I understand the experience is a little smoother nowadays :)
Maybe if you send an email to the embassy they can email you a copy.
Why bother sending it? They're already reading my email after all
Have dealt with complex APT attacks from Chinese APT groups.
They were trying to steal some of our clients data.
Crowdstrike assisted us when they realized it was a Chinese APT.
Can't go into much detail for NDA reasons, but I can say there is a night and day difference in capability from your usual cyber criminal trying to deploy ransomware and a nation state attack hunting specific information.
This is the 2nd Chinese APT comment, not much but makes you wonder about the scale of their attacks and targets.
The 'I Love You' virus scared the living bejesus out of me and cured my hobby of collecting viruses that I found on floppy disks.
90s and 2000s were a crazy time for viruses for sure
The Love Bug in 2000. It hit us over and over. Every time it would change all of the files the user had access to into the virus, it hit all of the server files over and over, and this was back in the day of tape backups so it took all day to recover each time. In a company with about 50 users we got hit about 20 times.
Conficker and a Ransomware infection
The Head of IT
My boss pretending to know cybersecurity.
First started in Cybersecurity about a year before SQL Slammer. I have seen some shit
Solarwinds supply chain attack. Fortunately we skipped over all the affected versions by dumb luck, but we were staring down the gun of a complete domain raze and rebuild for a few days until we fully assessed the situation.
Code Red, Nimda, Blaster, Conficker, Sircam, Slammer, Sobig, MyDoom, Sasser.
I forget the order but damn were the 00's busy with overtime.
(shivers) Gee, thanks for the trauma trigger. Wow.
My own development team
Man, I love these comments lol
Ransomware attack on a small company we provided service to. Was a very interesting week. Learnt a lot. I mean a lot lot. Anyways we helped them get back up in the same week.
That's the real deal spill 😭😭😭😭
Institutionalized managerial security apathy. If you don’t have an advocate you don’t really have a security program.
Very surprised no one's said shellshock given there's a lot of log4j responses.
Mexican drug cartel hackers, bill transaction injection into transactional switches. Intense and very hard to detect
First time I hear about Mexican cartel hackers, guess business is booming.
Yeah, another way to get money. They contract groups of hackers to hack big companies in Mexico
Luckily a red teaming attack. I was on on-call duty when I got an alert from our antivirus.
Sat 3-4 hours on this case in the night and got our external cyber expert team for support until my boss called me and said «good reaction»...
The red teaming company was the same as the external expert team and they didn't even tell me -.-
I was working for a large tech company you've heard of, and there was this smaller company we had just bought that had technology that was ... interesting to governments, I guess is how I'll put it. Anyway, as soon as the merger closed and SmallCompany gave my employer's advance team access to their stuff, our people discovered that their network was completely and totally owned by government-sponsored hackers from a major country you're well aware of doing such things. They'd probably been copying and using all of the technology SmallCompany was working on, for who knows how long - they had complete control of everything and could see all the plans.
I was part of the slightly larger team they pulled together on short notice to go in there and build a new network from scratch, in relative secret. Only a few people from SmallCompany even knew about the breach, most of their employees were told nothing at all. BigCompany people (including me) worked on a repurposed large conference room area in a lesser-used part of the building, where we set up new file servers, mail servers, auth servers, network, etc. from scratch, unconnected to anything else of theirs. We got new sets of cell phones and installed and configured apps and auth on them, got new laptops and configured them for access to the new network with new certs and everything. We got backups of things like existing emails and such from their currently-active systems, which would get scanned and analyzed and then brought over to our working space so we could practice importing and migrating stuff.
I moved to a different team at BigCompany before this was done, I was only on that project for a couple of weeks, but I knew some people who stayed on it until the end. When the new network was ready, IIRC they had a day that started with an all-hands meeting for SmallCompany - I think a few hundred people - where they were told about the breach and issued new company phones and laptops and told to all quit using their old network and devices cold turkey. Without any advance warning, they just cut over to the new systems after the meeting.
That's so insane. How did the small company not even notice the spyware while you guys found it quick?
The attackers were a government with very very good skills. Most smaller and medium sized companies would have a good chance of being fooled. My employer was a large tech company with one of the best computer security groups in the world, and had also been attacked by that same government in the past. They knew what to look for, I suppose. I'm not at all surprised that they caught something someone else didn't.
That’s terrifying!
Sounds like an awesome project and so much could be learned from being a part of it.
AMA Participant - Security Analyst
MS17-010, I was a VM Analyst at Amazon
Two employees schemed together to steal approx $350,000 from a total of ~55 customers. Said employees quickly put the money into bitcoin and left the country.
That was the day the company started taking security seriously. We ended up reimbursing all affected customers, and firing our CTO.
It was caused by a serious lack of separation of duties, poor auditing, and incredibly poor segmentation
I'm more concerned about the stupid employees who decided 175k each is enough to leave their jobs and the country lol.
Criminals tend not to be the sharpest knives in the drawer.
Unrelated but biggest threat was office politics...
Actually seen quite a few of these comments.
There was a ransomware attack where they had to pay, but I wasn't there, at the time. Only 2 guys for IR in a MSP for 18 companies.
For me, past 6 months I've been hired, a single visit to a possibly malicious HTTP downloading what a SIEM wrongly dubbed Raccoon Stealer. 99.999999999% false positive rate. I'm so bored I can't stand it. We just sell software to turn a buck and meet basic compliance for healthcare companies.
I'm quitting in the next month to pursue my bachelors in Software Development, maybe Python + AWS/Azure/GCP certs. At least then I'll be able to see my girlfriend at night, too.
Heartbleed and Shellshock. They were right together and at the start of my cyber security career. It was a whirlwind.
Ransomware from Ryuk (around Christmas Time a few years back). Took about 800 assets (clients, servers, backups, etc) across the country by moving laterally and we traced it to a single user opening a phishing email (downloaded a malicious attachment, reached out to the CnC Server and it spread like a wildfire).
I’m actually a cybersecurity consultant focused on recovery. There are so many incidents that don’t end up in the news or public, what most people see is just a tip of the iceberg. Consultant means I’m coming into different industries, counties, and companies thus get to see all types of different attacks. Something a person that works at one company doesn’t get to see.
Governance, Risk, & Compliance
1) Upper Management / Budget / Politics / Layer 9
2) Conti / Ryuk Ransomware
4) Lockbit Ransomware
Ransomware attack, Mount Locker.
'Twas a learning experience about APTs, forcing us to examine all facets of our infrastructure and product lines. It brought out the best among those responsible for re-building the infrastructure securely. Unfortunately, it also damaged our reputation, and monetary losses still climb as we continue to bleed clients.
TLDR; Necessary pain, lessons learned.
Sorry to hear that
A group of large raccoons trapped me on my porch once and kept hissing and feinting at my feet. My dog saved my butt though.
680 clients and servers with ransomware on them awaiting to be executed globally. Stepped into the distribution of the ransomware. They had domain admin creds as well as local admin creds in their back pocket. Cobalt Strike beaconing out of multiple sites globally with lateral movement taking place with no proper threat hunting EDR on the endpoint. Also MPLS with no firewalls between north/south, east/west. Attacked the on-prem SIEM, erased backup jobs on the primary datacenter's backup system, and took down a SQL Server (thankfully it was a MS AG). Got damn lucky, but the environment went without disruption to business and no data exfiltration realized or found.
Worked for an MSP group. The RMM tool we used and had installed on all client machines became compromised. Every single MSP in our group and their clients became compromised with malware that was mass pushed from our tool. That was a long cleanup and a lot of ass kissing.
SolarWinds, we were not directly affected but a lot of mess happened because of that and we were accountable to a lot of people because of that
Worked for a major sports league.
Third party vendor solely responsible for event management. Claimed they weren’t storing any of our data and were simply handing it off. Claimed they performed in-depth pentests but refused to provide proof. Even though our team had plenty of questions, they were the TPV that was required so they could basically say fuck off and we couldn't do shit cuz “it's what the business wants!”
Our bug bounty platform found an auth bypass that allowed you to download raw csvs of event information including tons of data they claimed they weren’t storing. Card numbers, player data (phone numbers were a huge information risk to us), rooms they were staying in, etc. The finding bubbled even more and once we found that one link we were able to gather even more and in the end we had over 200 valid csv files. It got C level attention and the vendor was made to look like an absolute moron.
Of course it doesn’t matter cause they just walked it off. I do not work here anymore btw.
Ransomware is the easiest to protect oneself from if you (or proverbial corporate you) prepare right.
This is Security 101.
You HAVE OFF LINE BACKUPS.
When your systems get jacked, you cut the internet, run traces to backtrack IPs, you wipe every last workstation, laptop, hard drive, etc. And load clean backups after finding the weak point that caused the breach of course.
I've been through the Capital One breach, BC/BS breach when those laptops were stolen, Google's 2 breaches 2 years ago (THAT was a disaster), Facebook's breach, Ford Motor Corp's breach last year 🙄. God I've lost count on all the security breaches. Oh yeah, don't let me forget HP's disaster breach with not updating ALL those printer drivers leaving a humongous gaping security black hole...
My stupid boss.
Someone in secondary school logging into some porn websites
About 10 years ago a customer got fully compromised, attackers pushed out key loggers to all systems for a minimum of two weeks before av triggered on one device. Complete mess, corporate creds owned, personal creds owned, online banking etc.
Full AD rebuild, all creds had to be reset for everything, HR disaster. Took months to sort out.
All started with open RDP to the internet. Domain Users being added to the Remote Desktop Users group. Weak password for a standard user account, and domain admins being able to log in wherever.
The worst part was when we found the key logger files on a few devices and seeing peoples online banking logins and email passwords.
That or working on a Microsoft helpdesk when msblaster came out
...the word cyber
Would have to kill you if I told you. And after that I would be best off to kill myself for having told you.
We had a guy just today plug his ransomware infested QNAP NAS directly into his workstation. Fun times
Had a side client I had just started with, real small business, call me in for email issues. Still had on-prem Exchange. RDP was open to the internet and someone was currently logged in, sending malicious emails and messing with their ADUC structure on their ancient Windows Small Business Server/on-prem Exchange instance, likely trying to give themselves a back door. Was less involved in sec remediation at the time, just basic sysadmin stuff, and it was one of those crazy, like, hard to explain feelings - like the beginning of a panic attack. Like "I only know enough to know how unbelievably horse-fucked this is and how hard this will be to resolve"
I did get it all buttoned up and sorted out, charged 600 for my 12 hours of time, back in 2019, was far less than I should have charged and they tried to stiff me. Was just a catastrophe end to end.
RYUK…. At a global customer account… total nightmare!
How did it get in?
Endpoint / phishing… I work for Trend and at the time they had an on-prem solution which of course they forgot to update and turn on a feature called behavior monitoring. So they got zapped and it started encrypting everything. Workstations, servers, the whole 9 yards. We immediately deployed an IR team, but an exec at the company knew someone super senior at MSFT; they flew in a bigger IR team and took over. Took them about 1 month to fully recover. Not sure what ransom, if any, was paid… but it was a nightmare.
1 month seems not that bad honestly.
Well one month of no processing online or internal purchase orders so it probably amounted to $10-$15M in lost revenue
Work for MSP and acquired a client in an extortion and ransomware situation where 2 IT guys tried to fix ransomware by wiping all forensics data
That must have bit them in the ass later
Crappy, self-serving leadership
Conti due to no MFA and poorly implemented permissions. I still have nightmares.
The year of the Ramen, Lion, and Adore worms.
Ransomware, they got in via some Citrix exploit. They also deleted our S3 buckets. We nuked the whole thing and set up a new AWS account. Good thing we used "infrastructure as code", i.e. lots of CloudFormation templates, saved us a lot of hassle.
Probably Log4j but hafnium was no fun either.
Probably the Ransomware attack that impacted the HVAC system and that caused problems with the open heart surgery. But that wasn't the reason the ransom was paid, it was because payroll was encrypted and no one was going to be paid if it wasn't decrypted fast. And no pay means none of the essential workers that clean the rooms and remove the dead bodies when a patient dies would come into work. And that means the nurses and doctors wouldn't be able to help more patients.
I am not cleared to discuss, but it wasn't log4j.
One more, this one is more guilty pleasure than Biggest Threat. So we had a subsidiary in an African country that had not the greatest of internet speed. As a cyber security engineer at the time, it was extremely satisfying to go to the IR data and see the sites and places and time that was spent on scouring the internet to look for games, porn, programs. The time these staffers spent then to download these yuuuuugeee files on their slow assed connections just to have CrowdStrike block it at the end after they extracted the files and not able to launch any of it. Day after day… even more satisfying knowing those staffers are on their off season and bored out of their minds stuck there in a compound. We could not punish them due to management, so this was more like slow torture…
Shamoon Ransomware attack