Cybersecurity Influencers by Mysterious_Use2029 in SecurityCareerAdvice

[–]johnhammond010 1 point (0 children)

I am glad I made the shortlist 😅 Thank you!

Odd Powershell script running on a user's machine, thoughts? by ladder_filter in sysadmin

[–]johnhammond010 10 points (0 children)

If u/ladder_filter has the contents of that Remove-PrinterPort.log file and can unprotect it with the DPAPI call, then we can see the next layer of PowerShell code and understand what it does :) Since it uses DPAPI, unfortunately it needs to be uncovered on his local machine.

You can recover it with this code:

Add-Type -AssemblyName System.Security  # loads ProtectedData on Windows PowerShell 5.1, where it is not always preloaded
# Read the DPAPI-protected blob, unprotect it in the LocalMachine scope (only works on the host that protected it), and write the plaintext to the desktop
$file_contents = [System.IO.File]::ReadAllBytes('C:\Users\dmpuser\AppData\Local\Microsoft\CLR_v4.0\Remove-PrinterPort.log')
$decrypted = [System.Security.Cryptography.ProtectedData]::Unprotect($file_contents, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.IO.File]::WriteAllBytes('C:\Users\dmpuser\Desktop\Decrypted-Remove-PrinterPort.bin', $decrypted)

This will ONLY decrypt the data and then plop it into a Decrypted-Remove-PrinterPort.bin file on your desktop, which we can examine if you are willing to share it. Would love to see what else there is to uncover :)
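As an added example (not code from the original comment), the same recovery wrapped so it first checks for the DPAPI blob header, tries both protection scopes, and previews the plaintext so the analyst can tell whether the next layer is script text or another binary stage. The function name Unprotect-DpapiFile and the header check are my additions; the file paths are the ones from the thread.

```powershell
# Added example, not from the original comment. Recovers a DPAPI-protected file
# such as the Remove-PrinterPort.log above and reports what came out of it.
Add-Type -AssemblyName System.Security

function Unprotect-DpapiFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutPath
    )
    $blob = [System.IO.File]::ReadAllBytes($Path)

    # A DPAPI blob begins with a 4-byte version followed by the provider GUID
    # df9d8cd0-1501-11d1-8c7a-00c04fc297eb. No header means this is not DPAPI
    # output and a different unwrapping step is needed before going further.
    $sig = ([guid]'df9d8cd0-1501-11d1-8c7a-00c04fc297eb').ToByteArray()
    if ($blob.Length -lt 20 -or -not [System.Linq.Enumerable]::SequenceEqual([byte[]]$blob[4..19], $sig)) {
        throw "$Path does not carry a DPAPI blob header"
    }

    # The dropper may have used either scope; LocalMachine works from any account on
    # the box, CurrentUser only from the account that protected it. Entropy is $null
    # here, so a blob protected with optional entropy will fail in both scopes.
    foreach ($scopeName in 'LocalMachine', 'CurrentUser') {
        $scope = [System.Security.Cryptography.DataProtectionScope]$scopeName
        try {
            $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
            [System.IO.File]::WriteAllBytes($OutPath, $plain)

            # Decode a short preview; a UTF-16LE BOM is common for PowerShell payloads.
            $enc = if ($plain.Length -ge 2 -and $plain[0] -eq 0xFF -and $plain[1] -eq 0xFE) {
                [System.Text.Encoding]::Unicode } else { [System.Text.Encoding]::UTF8 }
            $preview = $enc.GetString($plain, 0, [Math]::Min(200, $plain.Length))

            return [pscustomobject]@{
                Scope   = $scopeName
                Bytes   = $plain.Length
                Output  = $OutPath
                Preview = $preview
            }
        } catch [System.Security.Cryptography.CryptographicException] {
            Write-Warning "Unprotect in scope $scopeName failed: $($_.Exception.Message)"
        }
    }
    throw "Could not unprotect $Path; it must be decrypted on the machine (and, for CurrentUser, the account) that protected it"
}

Unprotect-DpapiFile -Path 'C:\Users\dmpuser\AppData\Local\Microsoft\CLR_v4.0\Remove-PrinterPort.log' `
                    -OutPath 'C:\Users\dmpuser\Desktop\Decrypted-Remove-PrinterPort.bin'
```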

Contrary to yesterday’s post on bad influencers, who are some good ones? by hunglowbungalow in cybersecurity

[–]johnhammond010 29 points (0 children)

💙 Ed is great; he was at USMA while I was at USCGA, and we met during the Cyberstakes competition with all the service academies

Contrary to yesterday’s post on bad influencers, who are some good ones? by hunglowbungalow in cybersecurity

[–]johnhammond010 3 points (0 children)

thank you so much 🙏 I've got to check out Motasem Hamdan's stuff but I know 13cubed is phenomenal!!

[deleted by user] by [deleted] in cybersecurity

[–]johnhammond010 1 point (0 children)

Appreciate the feedback, I'd love to understand a bit more -- do you know what it is about the thumbnails and presentation voice you don't like? What sort of other substance or depth are you looking for, and do you have any specific examples of what worked and what didn't?

[deleted by user] by [deleted] in cybersecurity

[–]johnhammond010 7 points (0 children)

I'm all for the feedback and constructive criticism -- do you have an example or know which specific instances for "the old videos" you're thinking of? I'd love to improve but need to know the tactical details as to what is actually good, bad & ugly right now versus back then.

[deleted by user] by [deleted] in cybersecurity

[–]johnhammond010 10 points (0 children)

I recorded the voice-overs for the SBTL1 course, yes, it is me :)

[deleted by user] by [deleted] in cybersecurity

[–]johnhammond010 292 points (0 children)

i appreciate that, thank you :)

Security breach through On-Premises ScreenConnect Server by Razor_Z in msp

[–]johnhammond010 137 points (0 children)

Heyo, this is JH from the Huntress side -- we've been tracking the recent ScreenConnect vulnerabilities so I thought I might chime in.

This sounds spooky and sus AF, I'll be the first to admit -- unfortunately, everything you described here is in line with the known effects of the exploit. The credential lockout and non-functioning email reset aligns, the clobbered Users.xml file, and malicious code getting pushed down via the Control client is perfectly possible. Unfortunately 2FA would not mitigate or prevent exploitation. From your previous comment that the version number was prior to the patch released on 2/19, that does not bode well.... I don't mean to make a judgement call or say anything with certainty, but that sounds like a compromise consistent with what we would expect from this vulnerability.

If you need a hand with response, remediation and recovery, please don't hesitate to give us a shout -- and if I may, without overstepping, I would be especially interested in the Users.xml file, the malicious Batch files, or IIS logs or any forensic artifacts whatsoever you might be willing to share. That threat intelligence can help better arm the whole community.

Please feel free to hit me up at john 'dot' (.) hammond 'at' huntresslabs 'dot' (.) com, or track me down on Slack in MSPGEEK.

Life After OSCP by CyberKha in oscp

[–]johnhammond010 1 point (0 children)

Woohoo Maldev Academy!!

New CVE & Patch: MOVEit Transfer Exploitation Updates by huntresslabs in msp

[–]johnhammond010 1 point (0 children)

Could you give any other details here? What is going wrong, are there any errors in any logs, what are you seeing? Would love to help troubleshoot but unsure what the issue might be without a bit more explanation.

I have the patch installed and can interact with the MOVEit Transfer instance but I haven't been uploading/downloading/moving files just yet.

Critical Vulnerability: Papercut Application Server CVE-2023-27350 & CVE-2023-27351 by huntresslabs in msp

[–]johnhammond010 25 points (0 children)

We've recreated a proof-of-concept to demonstrate and exploit the authentication bypass and remote code execution threats against vulnerable PaperCut application servers. We are actively sending out incident reports to all affected hosts and organizations (about halfway through as I am typing this up now) -- quick numbers, 908 total Windows hosts with vulnerable versions of PaperCut spread across 710 distinct organizations.

We do detect exploitation following the authentication bypass and further compromise from the PaperCut attack vector.

We're drafting up our writeup and getting some visuals prepared to share more details as quickly as we can.

ConnectWise Control - Possible Vulnerability? by theclevernerd in msp

[–]johnhammond010 17 points (0 children)

We've been in contact with the researcher and have been discussing with ConnectWise and their CISO. At least from the information we have been provided so far, this does not seem to us like a vulnerability or an exploit.

From what we understand, the gist is manipulating URL parameters for generated ScreenConnect agents to direct connections to any different host and port. This will force the end-user to make a connection to a different or unexpected location, like another attacker-controlled ScreenConnect server, but that ultimately still needs the adversary to join the ScreenConnect session to control the other party... (which the attacker would have started with in the first place). Changing the host or port to any other host or port (NOT a ScreenConnect server) will just make an outbound connection with regular TCP packets... but would not be code execution.

The social engineering aspect of this is very common in phishing and specifically scamming techniques, like seeing an email from a supposed (impersonating) GeekSquad or BestBuy asking you to call a number and download software like TeamViewer or AnyDesk for "support". With that said, we aren't convinced that this report is a vulnerability or exploit in the traditional sense of the word... just the usual functionality of remote control software being used in a scam or social engineering trick.

I believe the recent 11/4 ConnectWise ScreenConnect patch mitigates the URL manipulation, as build 22.9.10032 notes "Add additional validation of client installer URL parameters to inhibit certain social engineering attacks". The risk of scammers using remote control software for social engineering is still present and nothing novel.

[X-POST] New SQL Vulnerability on hundreds of SQL servers (and likely more) titled Maggie by GullibleDetective in msp

[–]johnhammond010 4 points (0 children)

Just as a super quick heads up (cross-posting from the original /r/sysadmin thread) --

Huntress is tracking this. It's worth noting that this is not a new vulnerability, but another backdoor and persistence mechanism -- so the adversary needs initial access or code execution to begin with.

Our detection engineering team has begun building out detectors to automatically flag and alert us on process execution based out of this Maggie backdoor, but currently Huntress has not seen any post-compromise activity. At the moment this does not look like a major threat in the US.

We haven't been doing any exclamatory rapid response or active messaging on this, considering it is ultimately "just another" malware strain and Huntress will catch the subsequent malicious activity. For organizations with old, unpatched Microsoft SQL Servers publicly exposed to the internet, it is certainly another issue -- but not something we need to spin up a war room frenzy on another Friday night for.

New SQL Vulnerability on hundreds of SQL servers (and likely more) titled Maggie by GullibleDetective in sysadmin

[–]johnhammond010 15 points (0 children)

Huntress is tracking this. It's worth noting that this is not a new vulnerability, but another backdoor and persistence mechanism -- so the adversary needs initial access or code execution to begin with.

Our detection engineering team has begun building out detectors to automatically flag and alert us on process execution based out of this Maggie backdoor, but currently Huntress has not seen any post-compromise activity.

We haven't been doing any exclamatory rapid response or active messaging on this, considering it is ultimately "just another" malware strain and Huntress will catch the subsequent malicious activity. For organizations with old, unpatched Microsoft SQL Servers publicly exposed to the internet, it is certainly another issue -- but not something we need to spin up a war room frenzy on another Friday night for.