CVE-2022-26809 – Critical Windows RPC Vulnerability

Vulnerability Information

Rating	Critical
CVE	cve-2022-26809
MITRE	CVE – CVE-2022-26809 (mitre.org)
CVSS	CVSS:3.1 9.8
Impact	Remote Code Execution (RCE)
Exploit in the wild	Currently not observed
Difficulty to Exploit (if PoC available)	Very Low
Network Position	TCP/IP Routable or Network Adjacent
Authentication Required to Exploit	No
Affected	Windows Client/Server OS
Typical Service Ports	TCP 135,139,445
Vendor Patch Available	Yes
Exploitable in Default OOB (out of the box) configuration	Unknown
Exploitable Client/Server	Believed to be client and server side exploitable

Rapid Active Directory Hardening Checklist

Ok this is not a small subject areas and it’s not a HOW TO guide but it should at least give you some ideas for tools to deploy and areas to check that are abused by Ransomware gangs and ATPs etc. Thanks to people who contributed!

This is not everything but it’s some common low hanging weaknesses:

Log4Shell exploitation and hunting on VMware Horizon (CVE-2021-44228)

TLDR

Go and run this on the connection servers:

https://github.com/mr-r3b00t/CVE-2021-44228

It’s crude so also look for the modified timestamps, recent unexpected blast service restarts and if you have process logging go and check for suspicious child processes over the period. Once you have checked, run a backup, then if they aren’t patched, patch the servers! (i know patching isn’t as simple as just patch!)

Post Business Email Compromise actions for Office 365 Users

If you have a business email compromise incident and you haven’t deteced it in a timely manner your fist notification might be a bad experiance, the threat actors may have commited fraud, attemped fraud or simply launched a phishing If you have a business email compromise incident and you haven’t detected it in a timely manner your fist notification might be a bad experience, the threat actors may have committed fraud, attempted fraud, or simply launched a phishing campaign from your environment. If you are in this position, there are some steps you can take from a technical point of view to limit impact and reduce risk of a re-occurrence. This blog is a high-level view at some of the tactical and longer-term activities you can conduct.

I’m the CEO why do I care about phishing…

Introduction

This is part of a series I’m writing which is focusing on some of the core fundamentals of why cyber security is a business issue, why business leadership should care and invest in a good security posture and I’m looking at common security threats and ways you can combat these. Read more “I’m the CEO why do I care about phishing threats?” →

I’m the CEO, why should I care about Cyber…

Introduction

First and foremost, I’m going to start by saying if I include any cliché quotes it’s probably in an ironic context or used to show how they aren’t practically useful. Why are we here? Well, based on the title, it’s because you are either a CEO/MD or you are in a leadership position and want to learn a little more about cyber security.

I’m sure you have read the news, I’m sure you have seen vendor adverts explaining something like:

Zero Trust
The Security Skills Gap
How phishing can be solved through security awareness training (pro tip: it can’t)

And I’m sure someone on your LinkedIn feed you have seen people exclaim all kinds of crazy things like:

TLS Weaknesses Lead to Ransomware
Security is Simple (it, I’m afraid, is not)
Managed Security Service Providers ensure security

Phishing your own people – path to eroding trust…

Introduction

“Security education and awareness darling, it’s all the rage! It’s simply to hot right now.” Ok stop, let’s take a minute to get some context. It’s the year 2021, organisations are taking a battering round the globe from cyber criminals who are deploying ransomware, extortion, and fraud via a range of methods but one you can’t not have heard of is phishing.

In this post today, I’m going to look at realities of initial access, phishing and some questions I think people should be asking themselves about the idea of phishing their own userbase. I try and look at this from multiple perspectives because I think it’s a complex subject. Let’s start with initial access methods!

Common Patterns of Access

If we look at the world of technology and cyber security, you will see logs of references to frameworks and language that is enough to send even the committed to sleep! However, let’s abstract from our TTPs, our MITRE ATT&CK frameworks and our “threat actors” and let’s talk in normal English. Read more “Phishing your own people – path to eroding trust or a useful tool?” →

Apache Access Logs Rotation

By default, at least on Ubuntu apache2 is set to rotate logs every 14 days.

It will rotate logs held here: /var/log/apache2/*.log

Using the rotate configuration, you can specify a value: Read more “Apache Access Logs Rotation” →

Fast Monitoring Deployment with Datadog

Imagine the scenario where you have an endpoint or server running and you don’t have centralised logging or visualisation of log data and you need to perform some rapid analysis without wanting to stand up a new set of VMs or services, well this is where cloud really can come into it’s own.

Very rapidly we can setup a Datadog account. (this blog will be updated as I deploy and configure) Read more “Fast Monitoring Deployment with Datadog” →

HID Attacks using OMG Cables

Human Interface Devices is the science way of saying (in this case) keyboard! Now that doesn’t sound amazing but then we look at the details. What we are talking about here is a wireless remote controlled programable keyboard emulator disguised as a USB cable or a cable between a real USB keyboard (must be detachable). This provides attack opportunities to both key log and hijack inputs to PC devices covertly and remotely (within WIFI range). Just imagine what you could do with one of these.