d0pp3l6ang3r :verified: :donor:

I mostly do #DFIR, #bugbounty #thrunting 
Views are my own.
:donor:

d0pp3l6ang3r :verified: :donor: boosted:
Emily Gladstone Cole (Emily@infosec.exchange)
2025-03-17

#HugOps to the folks at GitHub, who are having a terrible, horrible, no good, very bad weekend, between the tj-actions thing and the unusual access attempts

pulse.latio.tech/p/understandi

github.com/search?q=security+a

d0pp3l6ang3r :verified: :donor: boosted:
Andrew 🌻 Brandt 🐇 (threatresearch@infosec.exchange)
2024-10-31

For those who don't know (which is most of you), this project has been the intense focus of my work, taking up a huge amount of my time, energy, and investigative effort for the past 14 months - while still helping others at Sophos publish their research; running an election campaign where I was a candidate for school board; speaking at Blue Hat, @defcon #Saintcon, #VirusBulletin and other conferences; guest lecturing to classes at CU Boulder; volunteering my time canvassing for political candidates; serving as a docent at the @mediaarchaeologylab; working as a poll worker during the current US election cycle; and starting up the Elect More Hackers (electmorehackers.com) organization.

Whew. It's actually kind of daunting just to read that. I also sometimes sleep and eat.

@SophosXOps has been, at its core, an institution that values radical transparency, and this story (and the earlier research investigations into the Operation Pacific Rim threat actors and incidents) demonstrates Sophos' commitment to truth and journalistic integrity, following a story wherever it leads.

I hope our publication today starts a larger conversation and collaboration within the cybersecurity industry - inside and outside the Cyber Threat Alliance, which Sophos actively supports and where I am proud to represent my employer - to work together to thwart the ambitions of nation-state threat actors such as the perpetrators of Operation Pacific Rim, in order to protect the privacy and safety of everyone, everywhere.

#PacificRim #OperationPacificRim #malware #china #hacking #hacks #infosec #firewalls #intrusiondetection

sophos.com/en-us/content/pacif

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-10-31

@GossiTheDog This was fascinating; how common is this in the industry, where attackers use bug bounty to burn their vulns after their objectives are met?

"On one occasion, for instance, the exact vulnerability used in a hacking campaign was reported to Sophos by a researcher with a Chinese IP address just after it was first used in an exploitation campaign—Sophos paid the researcher $20,000 for their findings."

d0pp3l6ang3r :verified: :donor: boosted:
2024-10-31

Tons of great Sophos research is dropping today which I’ll link in thread. China goes brrr.

I want to give them particular credit for directly talking about the cyber industry elephants in the room, both in the research and during media interviews

e.g. insecurity in appliances, need for industry change, monitoring threat actors through telemetry etc etc.

It’s really refreshing as they’re talking about what is *actually happening* - not all vendors do this.

wired.com/story/sophos-chengdu

d0pp3l6ang3r :verified: :donor: boosted:
2024-10-31

Sophos detailed to me its 5-year cat-and-mouse game with Chinese hackers repeatedly exploiting its firewalls. The company resorted to installing spy "implants" on devices the hackers were testing on—and traced them to a university and contractor in Chengdu. wired.com/story/sophos-chengdu

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-10-31

@thepacketrat.net wonder if your mutual friend is aware 😬

d0pp3l6ang3r :verified: :donor: boosted:
2024-10-16

Sophos X-Ops was recently called in to investigate a #spearphishing attack targeting our own employees. The attackers used a technique called #quishing - a portmanteau of "#QR code" and "#phishing." Our latest blog from @threatresearch and Amit Panjawani of the Sophos Security Operations team.

news.sophos.com/en-us/2024/10/

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-07-20

@JayLittle haha, I'll play and call, 'cause it's so tempting. Making silly and baseless assumptions about an entire industry is definitely the way to uncover the 'truth.' Bravo on your misguided crusade.
I wish my salary depended on this, but I am sure you make millions with your suggestions of not deploying any EPP.

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-07-20

@JayLittle I am gonna stop replying to you after this, since it's clearly gaslighting when you say CrowdStrike is snake oil. You are free to have your opinions about this, but this is exactly what I meant in my initial post: many just don't understand the issue or are not at the level yet.

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-07-20

@JayLittle it certainly did, there is no denying the impact it has caused.

It's super easy to point fingers that way. I am sure there are a ton of lessons they will learn on testing, but know that "test in a significant way" is arbitrary. I don't have any incentive with $CRWD, but I know that all good vendors would test their content before releasing it at wide scale; it's an industry norm, and if they didn't, this wouldn't be the first time.

IMHO, "stop using endpoint protection in general" is terrible advice.
I am assuming by "high privileged EPP" you mean the one that has access to the kernel, which is what #crowdstrike and most good #epp are.

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-07-20

@JayLittle thanks for your insight.
You think they deployed thousands of agents worldwide with multiple large orgs and no one, including the orgs, did QA or a smoke test?
If you know anything about kernel drivers, you would know working with them is a known risk and has happened several times in the past, though at isolated and smaller levels.

You have every right to shout and make noise about it, though I really think you should scrutinize all the vendors and Microsoft's kernel security architecture similarly.

I'd be keen to learn which vendors you think deserve your trust in this context or were immune to something like this.

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-07-19

As we head into the weekend, I just want to say #hugops to #crowdstrike. Folks that routinely deal with this/kernel land already know that this could happen to anyone/any vendor.

So I just want to say to the CrowdStrike team: ignore the memes and know that there are people who are rooting for you and we understand your pain, keep at it. I am sure there are a few lessons learned and you will quickly bounce back.

For vendors/sales folks that are taking this as an opportunity, know that either you don't clearly understand the issue or you are not at that level yet where you can claim "our agent would never do this".

P.S: shout out to #dogfood teams across the world

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-05-31

@Mer__edith this is why I love signal. Thank you for fighting the good fight 🫡

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-04-14

Patience can't be a virtue in #infosec; "hurry the f**k up" should be a virtue
#sectoot

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-04-14

Forgot to cc: @briankrebs

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-04-14

@CapraObscura that's the mindset change we need: security incidents will cost you, so CISOs should have the final say in comms.

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-04-14

@CapraObscura 💯 but why does PR have a higher-priority say on a security incident than, say, a CISO's org 🤔

d0pp3l6ang3r :verified: :donor: (d0pp3l6ang3r@infosec.exchange)
2024-04-14

#Sisense latest comms say "company information affected in the incident relates to certain customers in Sisense Fusion (cloud-based) product. At this time we have no evidence that company information related to customers of the Sisense Fusion (on-prem) or Sisense CDT (also known as Periscope) products was affected."

Do we tell them that "no evidence" can mean many things:
1) We don't have logs, therefore no evidence
2) We have logs but have not investigated "at this time", so we have no evidence
3) Attackers have done what they needed to, cleared logs, and therefore now we have "no evidence" "at this time"

#infosec really needs to understand that having evidence something is not affected should be the priority to communicate, rather than communicating that there is no evidence something is affected.

d0pp3l6ang3r :verified: :donor: boosted:
2024-04-12

Following the disclosure of the Sisense security incident, our team @censys took a quick look at some Sisense instances visible to our scanners to better understand what industries might be affected:

censys.com/sisense-a-look-at-i

#securityResearch #infosec #CensysResearch

[Image: Treemap in blue gradient with largest boxes titled "Sales and Marketing," "Financial Services and Insurance," "Healthcare and Social Assistance," and "Technology"]
