ElizabethNoir

Sysadmin and Infosec Professional, learning something new every day. Linux, retro computing and retro gaming enthusiast. She/her
Twitter: https://twitter.com/NoirElizabeth

Great research from Microsoft here - Black Basta and Akira ransomware deployment using a logic flaw in VMware ESXi, using a zero day (which they don't mention).

If you get domain admin in Windows, you can make an Active Directory group called "ESX Admins", and then you can log into ESXi - this allows you to encrypt non-Windows systems (and everything else in VMware)

https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/

#threatintel

Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption | Microsoft Security Blog

Microsoft Security researchers have observed a vulnerability used by various ransomware operators to get full administrative access to domain-joined ESXi hypervisors and encrypt the virtual machines running on them. The vulnerability involves creating a group called “ESX Admins” in Active Directory and adding an attacker-controlled user account to this group. This manipulation of the Active Directory group takes advantage of a privilege escalation vulnerability (CVE-2024-37085) in ESXi hypervisors that grants the added user full administrative access to the ESXi hypervisor. The vulnerability was fixed by VMware in their June release and ESXi administrators should install this security update.

Microsoft Security Blog
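The post above describes the flaw as an attacker-created Active Directory group named "ESX Admins". From a defender's side, the natural check is to watch domain controller security logs for that group being created, renamed into existence, or gaining members. The script below is an added example for this page, not Microsoft's or VMware's code: it scans a constructed list of Windows Security events (the event IDs 4727/4731/4754 for group creation, 4735/4737/4755 for group changes and 4728/4732/4756 for member additions are the real Windows IDs; the event records themselves are constructed for the example, and the `SamAccountName` field used for the rename case is assumed to be present in changed-group events).

```python
"""Flag Active Directory group events that match the 'ESX Admins' pattern.

Added example: scans Windows Security events for creation of, renames to,
or membership changes in a group named 'ESX Admins'. Sample events are
constructed for this example; the event IDs are the real Windows ones.
"""
from dataclasses import dataclass
from typing import Optional

# Security-enabled group lifecycle events (global, local, universal).
GROUP_CREATED = {4727, 4731, 4754}
GROUP_CHANGED = {4735, 4737, 4755}
MEMBER_ADDED = {4728, 4732, 4756}

# The group name the ESXi logic flaw keys on, compared case-insensitively.
WATCHED_GROUP = "esx admins"


@dataclass
class Alert:
    event_id: int
    reason: str
    group: str
    actor: str
    member: Optional[str] = None


def normalise(name: str) -> str:
    """Strip a DOMAIN\\ prefix and surrounding whitespace, lower-case the rest."""
    return name.split("\\")[-1].strip().lower()


def detect_esx_admins_activity(events):
    """Return an Alert for every group event that touches 'ESX Admins'.

    Each event is a dict with the fields a Security log record carries:
    EventID, TargetUserName (the group), SubjectUserName (the actor),
    MemberName (for member-added events) and, for change events, the
    SamAccountName attribute (assumed field name) so a rename into
    'ESX Admins' is also caught.
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        group = ev.get("TargetUserName", "")
        actor = ev.get("SubjectUserName", "")
        # Candidate names: the group itself, plus the new SAM name on a change.
        names = {normalise(group)}
        if eid in GROUP_CHANGED and ev.get("SamAccountName"):
            names.add(normalise(ev["SamAccountName"]))
        if WATCHED_GROUP not in names:
            continue
        if eid in GROUP_CREATED:
            alerts.append(Alert(eid, "group created", group, actor))
        elif eid in GROUP_CHANGED:
            alerts.append(Alert(eid, "group changed or renamed", group, actor))
        elif eid in MEMBER_ADDED:
            alerts.append(Alert(eid, "member added", group, actor, ev.get("MemberName")))
        # Any other event ID (e.g. a logon) is not a group lifecycle event.
    return alerts


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TargetUserName": "CORP\\ESX Admins", "SubjectUserName": "jdoe",
     "MemberName": "CN=svc-backup,OU=Users,DC=corp,DC=example"},
    {"EventID": 4727, "TargetUserName": "Helpdesk", "SubjectUserName": "admin1"},
    {"EventID": 4737, "TargetUserName": "VM Team", "SamAccountName": "esx admins",
     "SubjectUserName": "jdoe"},
    {"EventID": 4624, "TargetUserName": "ESX Admins", "SubjectUserName": "-"},
]

if __name__ == "__main__":
    for alert in detect_esx_admins_activity(SAMPLE_EVENTS):
        print(f"[{alert.event_id}] {alert.reason}: {alert.group!r} by {alert.actor}"
              + (f" -> {alert.member}" if alert.member else ""))
```

On the constructed input this yields three alerts: the group creation, the member addition, and the rename of "VM Team" to "esx admins"; the unrelated "Helpdesk" group and the 4624 logon event are ignored. In a real deployment the same matching would run over events forwarded from the domain controllers, and a hit on any of the three reasons is worth treating as high priority given how directly the post ties the group name to ESXi admin access.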

What if I told you there is an immensely popular operating system that you have likely used at least once, but did not realise what it was?

In fact, it is so popular and important there is an IEEE standard based on it.

It is uncanny how immensely popular AND immensely obscure this system is.

It is scary that until today I have never even heard of its reference desktop implementation.

The system is called "TRON".

🧵 thread~

p.s. thanks @fkinoshita for the pointer!

Microsoft announced earlier this week that the NTLM authentication protocol will be killed off in Windows 11 in the future.

https://www.bleepingcomputer.com/news/security/microsoft-plans-to-kill-off-ntlm-authentication-in-windows-11/

Microsoft plans to kill off NTLM authentication in Windows 11


BleepingComputer

PSA: If you use #Veeam Backup & Replication (very common), upgrade. Especially if you expose the server to the internet.

Screenshot from Code White: the API lets you remotely request Windows admin credentials, for some reason, with no auth requested.

In their advisory Veeam claimed these are encrypted... it's base64 (lololol)

#CVE202327532 https://www.veeam.com/kb4424

KB4424: CVE-2023-27532

Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts.

Veeam Software

Keep an eye on CVE-2023-21716 aka MS Word vulnerability from February 2023 in RTF files.

There's a public proof of concept: https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md

Where it gets more interesting - you can embed RTF files in email, and Microsoft Outlook renders them with no clicks, just by reading the email. There's a decent chance this could become a problematic combination, although not yet, as the PoC is vague enough to require a clue to exploit. HT @fellows

#CVE202321716

I obviously don’t have my tweet thread any more to add to it, but somebody is doing automated destructive attacks on VMware ESXi with 2021 vulns. At the time, to their credit, VMware were very clear in customer comms that not patching could lead to ransomware. #ESXiArgs https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/

Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide

Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.

BleepingComputer

Also found while cleaning the office

A great overview of what Windows Services are, how they work, and what weaknesses or abilities they can provide attackers. This is basic sysadmin must-know stuff, not just security.

@jsecurity101 @v3r5ace

https://posts.specterops.io/the-defenders-guide-to-windows-services-67c1711ecba7

The Defender’s Guide to Windows Services - Posts By SpecterOps Team Members

This is the second installment of the Defender’s Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of…

Posts By SpecterOps Team Members

A good comparison case is Need for Speed II: SE from 1997; 3dfx Glide is the only developer-intended hardware-accelerated option. Here’s software rendering vs the added 3dfx Glide support.

Disclaimer that I grabbed these screenshots from Google Images, credit goes to the original author.

My 1999 Pentium III retro gaming PC has ascended! I installed a 3dfx Voodoo 3 3000 and I’m extremely happy with the results.

Increased game compatibility even with DirectX and OpenGL games, but I’ve got a whole new world of 3dfx Glide games to enjoy!