Teri Radichel

CEO, 2nd Sight Lab. Pentesting, Security Research. GSE 240. AWS Security Hero. Author: Cybersecurity for Executives in the Age of Cloud. Former: SANS Instructor, IANS Research
Latest scam. Interesting that when I used Apple cleanup to remove the ticket number, it didn’t remove it; instead, characters from another Arabic-looking language showed up. This came as an attachment. Took a screenshot. I did the cleanup like 5 times and then the chars were gone.
The U.S. State Department has announced a reward of up to $10 million for information leading to the identification of Iranian-linked cybercriminals. #CyberSecurity #IranThreat

Note:
As part of the analyzed intrusions, public-facing applications and valid accounts were abused for initial access. The state-sponsored hackers targeted Ivanti, Cisco, Fortinet, VMware, and Palo Alto Networks appliances, as well as Apache Struts and other web-facing platforms.

- Are these 100% American products? Buying American doesn’t mean we are safe.
- The tactics used here show exactly how stealthy malware can be. A shell triggered by a particular byte sequence? Something that puts its payload in the 26th byte? Kernel layer BPF? Container components. Traffic that blends in.
- How would you spot this? If you want to learn cybersecurity that’s the kind of thing you need to understand. Even if you know cybersecurity it is not easy!

https://www.securityweek.com/chinese-hackers-caught-deep-within-telecom-backbone-infrastructure/

Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure

Chinese state-sponsored hackers deployed the BPFdoor passive backdoor deep within telecom backbone infrastructure worldwide.

SecurityWeek

RE: https://infosec.exchange/@teriradichel/116262937287288024

I just wrote this post about DNS leaks and tunnels. So today I go to visit a web site and my host-based firewall is repeatedly popping up connection attempts to the website, like it’s beaconing to maintain a connection. So at first I’m grumbling about whatever on the web site is doing that, but…

Then I’m confused when I’m trying to find the related connections and logs. I start to think something is wrong with my firewall.

But then I visit a different website and the same thing is happening. Ping, ping, ping (but it’s not ping).

And then it dawns on me. The reason I’m struggling to find the traffic is that there is no connection to the actual IP address returned by the DNS server. Something is making repeated DNS requests for those website domains.

And it’s every website domain.

I’m looking at my process monitoring script I wrote and the only thing making Internet connections is Google Chrome. I don’t install any extensions. Chrome is up to date.

I check and an Apple update is available. Installed that.

The beaconing is not for some attacker domain but rather for well-known domains. It was happening on an AWS website, a domain used in conjunction with ARIN, a CDN and CloudFlare.

Using CloudFlare DNS servers.

Has anyone seen this before?

What I've Vibe Coded 🤖 In 2.5 Weeks ~ Compared to similar code I tried to implement for years to deploy an AWS environment for running batch jobs (as AI agents or not). How I did it.

https://teriradichel.substack.com/p/what-ive-vibe-coded-in-25-weeks

What I've Vibe Coded In 2.5 Weeks

Compared to similar code I tried to implement for years...

Teri Radichel :: Security and Technology Research

RE: https://infosec.exchange/@teriradichel/116262937287288024

If you are using AI agents and don’t understand this, better read up.

Where are the Private Bits of FIDO2 Compliant Passkey Stored?

Just because you’re vibe coding doesn’t mean you no longer need to understand how things work. Research for my tool to start a batch job with a Yubikey.

https://teriradichel.substack.com/p/where-are-the-private-bits-of-fido2

Where are the Private Bits of FIDO2 Compliant Passkey Stored?

On a Yubikey, computer, phone, Google Password Manager? It depends...how did you register it?

Teri Radichel :: Security and Technology Research

All the complicated stuff I do with AI starts here. I still use this method with a few tweaks. Instead of writing a book I publish here. Learn to write good code with AI ~ and secure it.

Implement A Simple Project With Kiro CLI and a README.md

https://teriradichel.substack.com/p/implement-a-simple-project-with-kiro

Implement A Simple Project With Kiro CLI and a README.md

How to implement a simple program consisting of bash scripts in an uncomplicated manner with Kiro CLI and a README.md file

Teri Radichel :: Security and Technology Research

Finally!

AWS Security Hub is expanding to unify security operations across multicloud environments

https://aws.amazon.com/blogs/security/aws-security-hub-is-expanding-to-unify-security-operations-across-multicloud-environments/

AWS Security Hub is expanding to unify security operations across multicloud environments | Amazon Web Services

After talking with many customers, one thing is clear: the security challenge has not gotten easier. Enterprises today operate across a complex mix of environments, including on-premises infrastructure, private data centers, and multiple clouds, often with tools that were never designed to work together. The result is enterprise security teams spend more time managing tools […]

Amazon Web Services

I’m in shock. For the AI 🤖 doubters, here’s where I’m at after like three weeks, I think. To be fair, I’ve been working long hours, but still.

I spent days in between resolving a lot of other resource issues and blog posts creating a script that creates the default VPC configuration for all the accounts in my organization environments.

An environment is basically an OU with a bunch of standard accounts and resources in it, where compute resources and users can access them but not other environments. Like an Azure subscription or GCP project, kind of. Standardized deployments, controls, governance, trust boundaries, and in the end, agent (true) sandboxes. More on that later.

The complicated part was the UI: I create a default VPC configuration and, using bash, allow the user to add, edit, and delete each resource.

In the end the VPC configuration is stored to an XML file - one for each VPC, including in which regions to deploy the VPC.

I had Kiro CLI with Opus 4.6 write a Lambda function that deploys everything in the XML file.

Opus seems to be behaving ok again in AWS Kiro, BTW.

As for all the things in my VPCs…

It’s a lot. I listed the resources in prior posts so not going to repeat.

When I ran the Lambda, the biggest issue I had was adjusting key policies and Lambda role policies and making sure variables were set and populated with consistent names and values.

When I ran the Lambda function, it deployed everything up to a VPC endpoint missing a security group. It failed to fix it right the first time.

After that one issue, it deployed everything without error. So like three tries to deploy a super complex networking environment.

I literally thought I would run it a couple of times and troubleshoot tomorrow because it was going to take way too long.

Wow cool. 😎

I hit another KMS bucket policy issue in one account. Why, I don’t know; they should all be the same.

Beyond that I can start reviewing all the resources tomorrow for any errors and begin testing my Yubikey button push to run a job functionality which is deployed but untested.

Woot! 🎉

After I wrote this I’m seriously doubting it actually worked. It deployed too fast. I did tell it to deploy in parallel. Will check tomorrow.