DNSSEC – why not having a signed zone is…

Firstly, what is DNSSEC?

https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

Ok read all that good. What we are talking about here is signing a DNS zone to “assure” that the client is getting DNS responses from the right ZONE data. DNSSEC does not encrypt the conversation between DNS client and DNS server. It does enable the client to be able to check if the data it gets back is valid. In short what we are doing is validating that the “data” being returned is authorized and not tampered with.

ESXiargs Summary 09-02-2023 10:03

What do we know?

Adversary: Unknown, likely Criminal Actor/s

Initial Access Vector: Unknown/Unproven

Impact: ~3K+ Hosts have had Remote Code Execute and their ESXi logon pages changed (plus had encryption routines run to encrypt virtual machines, with varying success). A Second encryption routine has been deployed to some hosts; the threat actor is expanding/changing capabilities.

Risk: Further impact, Additional Threat Actors Exploit the vulnerability

ESXiARGS Ransomware – Global Incident

Thousands of ESXi hosts around (some of the) globe have been encrypted by cyber criminals. This post is a fast publish showing some of what has occurred, it’s impact and now includes limited remedial advice.

If you have been affected by this ransomware event there is an attempted recovery script by CISA

https://github.com/cisagov/ESXiArgs-Recover/blob/main/recover.sh

Simulating Human Operated Discovery

Did you want to check out some of your detections? This isn’t everything of course but it’s a simple batch file to simulate a range of enumeration techniques used by actors like CONTI or LOCKBIT affiliates/operators:

Royal Mail Cyber Attack! What should you do?

breaking news: Royal mails international tracking services are down and have been for > 24 hours:

The ICO have been contacted! The NCSC and NCA have been contacted! What should you do?

LastPass Breach – The danger of metadata

When an organisation suffers a data breach it’s usually bad. When an organisation that stores 25 million people’s passwords that’s really bad.

There are multiple risks here at play.

Firstly, when we give people our data, it’s our risk and our choice. I’m ok with that, I chose to give lastPass my data.

My vault data might be gone, but I have a strong master password, how we interpreted the theft of the basically cryptographic materials is a bit like when we full disk encrypt a drive.

If you lose a laptop that’s got FDE do you report this as a data loss to the ICO? Or do you say, it’s encrypted so actually I haven’t lost the data per say, I’ve just lost a random (ish) bunch of 0s an 1s so I don’t count that as an incident? I’m not here to be judge or jury.

CLOP Ransomware Group Breaches Water Company and then misattributes…

We’ve all been there haven’t we! We’ve pwn3d a network, pivoted and moved around for months and then accidentally got the wrong company name… oh wait.

Well, this story isn’t fiction, CLOP ransomware group have breached a water company and then written it up as the wrong organisation. Read more “CLOP Ransomware Group Breaches Water Company and then misattributes to THAMES WATER” →

Learn to SOC: Java Webshell via confluence

When running honeypots you never have to wait too long for something to drop!

This moring we had a new hit in the pot, so I decided to invesigate but also to blog and show how we could go about investigating the logs and paylods etc.

CVE-2022-26134 – Confluence Zero Day RCE

We are seeing active exploitation in the wild: MIRAI deployment, coinminer deployments etc.

THIS DOES SHOW IN THE ACCESS LOGS! The comment about “what isn’t in the logs” is about POST request BODY not showing in them, not that nothing is logged

https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d/community

XMRIG, KINSING, MIRAI etc. are being deployed by threat actors after exploiting this vulnerability.

This is a fast publish

POC is in the wild: https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/

https://github.com/jbaines-r7/through_the_wire

keep checking vendor guidance and keep checking this for updates… use at own risk etc.

Workaround/Hotfixes have been published by Atlassian:

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

https://jira.atlassian.com/browse/CONFSERVER-79000

GreyNoise Tag is online: GreyNoise Trends

Also check this out for scanners: GreyNoise

Nice work https://twitter.com/_mattata and all the other people in the cyber community that are working on this!

IT MAY BE WISE TO ASSUME BREACH

The vulnerability appears to be in: xwork-1.0.3-atlassian-10.jar

Background

Velocity discovers a zero-day in confluence 03/06/2022 (GMT)

.@Volexity discovers zero-day exploit impacting all current versions of Atlassian Confluence Server and Data Center. Attackers deploy in-memory Java implant to evade detection. Read more in our latest blog post: https://t.co/aCSwnSUfj8 #DFIR #ThreatIntel #InfoSec
— Volexity (@Volexity) June 2, 2022

KILLNET: Area they really a threat?

This is an evolving post and will likely be updated over time. Online “community” or “criminal gangs” etc. can be fluin and dynamic, thinking of them in rigid structures and trying to compare them to “In Real Life (IRL)” organisationas directly doesn’t really work. They work generally in a collective fashion. No masters and no slaves etc.

“Hacker” Groups

I don’t really like to use the term “hacker” in this sense, perhaps hacktivist or criminal groups is the right fit, however, words aside there is the question: Who is KILLNET, are they a threat and who are they a threat to?

Who is KILLNET?

KILLNET was suposedly formed as a resonse to the IT ARMY of Ukraine (Ukraine Cybe Army) (formed late Feb) which is odd given the first post from KILLNET was on January the 23rd and IT ARMY of UKRAINE setup their telegram on Feb 26th.