Working in #threatintel, #dfir, and #cloud.

Compromised credentials continue to drive a majority of incidents. Why? Home PCs and infostealers.

MS Recall got the shite kicked out of it because it would have been a disaster for exactly this reason, we don't need to pour petrol on that already raging and unsolved fire.

Bruteforcing of VPNs and exploitation of network border vulnerabilities continues to be a major (and growing) problem.

Bang for buck: Concentrate on MFA everything, patch everything internet facing, monitor bruteforce.

Threw together a blog post of the common risks / misconfigurations frequently seen in smaller organizations.

The blog includes guides and steps they can take to quickly improve their security posture and make jumps in security with little overhead.

Please check out the article and share with anyone who may benefit!

#smallbusiness #Risk
https://thoresonconsulting.com/cyber-security-blog/5-easy-steps-small-business-can-take-to-massively-improve-security

5 ‘Quick Wins’ Small Business Can Achieve to Massively Improve Security — Thoreson Consulting

‘Quick Wins’ Provide an Impact Thoreson Consulting works with a variety of small and medium businesses in various industries looking to improve their cybersecurity programs. While performing risk assessments and general consulting work, we often find and highlight opportunities for ‘Quick Wins’ to

Doing some studying / reviewing for the #Azure #AZ500. Highly recommend John Savill's Study Cram if you're re-certifying or taking it for the first time:

https://www.youtube.com/watch?v=6vISzj-z8k4&

Serious Trouble episode (with a re-recorded section after settlement) about Dominion dropping today. We didn’t talk about:
* No trial result would have had the judge ordering Fox to apologize on air
* No trial result would have resulted in Fox being punished for damage to democracy
* No trial result could have “established facts” as true or false for all purposes in America
If your expectations for the legal system are not reality-based you’re going to be consistently disappointed.

I have had the opportunity to step into a cloud security manager role.

Getting up to speed on #cicd without a developer background has been like drinking from a firehose, but I found this video extremely helpful:

https://www.youtube.com/watch?v=qP8kir2GUgo&ab_channel=TechWorldwithNana

As I keep exploring the world of #cloudsecurity I'll share what I learn. Maybe a blog post or something coming soon.

GitLab CI CD Tutorial for Beginners [Crash Course]

Emotet is back, still using macros... but this time the file size is big.

https://www.darkreading.com/threat-intelligence/emotet-resurfaces-yet-again-after-three-month-hiatus

Emotet Resurfaces Yet Again After 3-Month Hiatus

More than two years after a major takedown by law enforcement, the threat group is once again proving just how impervious it is against disruption attempts.

I did a talk on IR tabletop exercises for OT (industrial environments) at S4 https://youtu.be/XobogsaxcUY
Building Great OT Incident Response Tabletop Exercises

#ESETResearch analyzed a new #MustangPanda backdoor. It uses the open-source QMQTT library to communicate with its C&C server over #MQTT so we named it MQsTTang. This library depends on parts of the Qt framework, statically linked in the executable. https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/

A sample of MQsTTang was identified by @[email protected] on 2023-02-17. As stated in that thread, the backdoor uses the legitimate MQTT broker 3.228.54.173. This has the benefit of hiding their actual C&C servers from victims and analysts. https://twitter.com/Unit42_Intel/status/1626613722700472320

This malware family is also tracked as "Kumquat" by @[email protected]: https://twitter.com/aRtAGGI/status/1628067706443374592

Like in previous #MustangPanda campaigns, filenames related to politics and diplomacy are used to lure targets. These include:
- CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe
- Documents members of delegation diplomatic from Germany.Exe
- PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE

IoCs:
🚨 ESET Detection Name
Win32/Agent.AFBI trojan

@ESETresearch

MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT | WeLiveSecurity

ESET researchers tease apart MQsTTang, a new backdoor used by the Mustang Panda APT group, which communicates via the MQTT protocol.

The Dutch intelligence community has released a wide-ranging report on malicious Russian activities over the last year. The report notably states that significant Russian cyber operations related to Ukraine “have not yet become public knowledge”, owing in part to the sensitivity of the targeting and the means by which the operations were identified.

Before the “MOAR EVIDENCE OF CYBERWAR” crowd gets to this: keep in mind the Dutch specifically caveat all this by saying that the success of such Russian operations remains “limited” and call out that Russia has “found it difficult to synchronize cyber operations with other military operations”. Speed and volume of activity remain salient criteria of whether or not we classify activity as constituting what cyber war truly looks like, but impacts and coordination — taken together to actually support the achievement of objectives (h/t @benmonty) — are much more relevant.
——
This media link contains some translated quotes as well as a link to the report itself, which is in Dutch — https://www-therecord.recfut.com/dutch-intelligence-russia-cyberattacks-many-not-yet-public-knowledge/

Reading through the Sophos Blog on #QakNote gave some opportunity for some #regex practice:

// Hunt for QakNote lure attachment names; both stems are folded into one pattern,
// the extension dot is escaped so it only matches a literal ".one", and the match is
// anchored so "....one.zip" style names are not picked up
EmailAttachmentInfo
| join EmailEvents on NetworkMessageId
| where FileName matches regex @'^(?:ApplicationReject|ComplaintCopy)_\d{5}.\w{5}.\.one$'

Happy Hunting ~

https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/

Qakbot mechanizes distribution of malicious OneNote notebooks

A large-scale “QakNote” attack deploys malicious .one files as a novel infection vector

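An added check, not part of the original post, that runs the hunting regex over constructed attachment names in Python (whose `re` module treats this pattern the same way KQL's RE2-based `matches regex` does) and shows why the unescaped dot before `one` and the missing end anchor are worth fixing; the `_#####(MonDD).one` shape of the samples is an assumption made only for this demonstration.

```python
import re

# Constructed sample attachment names (not taken from the Sophos post); the
# "_#####(MonDD).one" shape is an assumption used only for these samples.
# True marks names we want the hunt to flag, False marks names it should ignore.
SAMPLES = {
    "ApplicationReject_48213(Feb02).one": True,
    "ComplaintCopy_90317(Jan31).one": True,
    "ApplicationReject_48213(Feb02).one.zip": False,  # wrong final extension
    "ApplicationReject_48213xFeb02xxone": False,      # no ".one" at all
    "Invoice_48213(Feb02).one": False,                # different lure stem
}

# The post's two patterns folded into one; the '.' before "one" is unescaped
# and nothing is anchored, exactly as in the original query.
LOOSE = re.compile(r"(?:ApplicationReject_|ComplaintCopy_)\d{5}.\w{5}.(?:.one)")

# Tightened form: literal extension dot and end-of-string anchor. The two
# single-character separators stay as '.' because the post does not state
# what characters surround the five-character token.
TIGHT = re.compile(r"^(?:ApplicationReject|ComplaintCopy)_\d{5}.\w{5}.\.one$")


def hits(pattern, name):
    """Emulate KQL 'matches regex': an unanchored search over the field."""
    return pattern.search(name) is not None


def false_positives(pattern, samples=SAMPLES):
    """Names the pattern flags that are not the lure being hunted."""
    return [n for n, is_lure in samples.items() if hits(pattern, n) and not is_lure]


def false_negatives(pattern, samples=SAMPLES):
    """Lure names the pattern misses."""
    return [n for n, is_lure in samples.items() if is_lure and not hits(pattern, n)]


if __name__ == "__main__":
    for label, pat in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, "FP:", false_positives(pat), "FN:", false_negatives(pat))
```

Running it shows the loose pattern flagging the `.one.zip` and the dot-less name while the tightened one flags only the two lure names.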