Those who have known me for a long time will know I’ve been banging on about ransomware for years. On here, on Twitter, in person. Here, I documented things like the emergence of Locky 7 years ago, one of the first big single endpoint ransomware incidents. I worked with the…

Back in February 2022, Mykhailo Fedorov — Ukraine’s Deputy Prime Minister — launched the IT Army of Ukraine: The army, which has grown to 300,000 people at peak, has been fighting a digital war with the Russian government and private enterprise. It has been incredibly successful — I have…

Thousands of small to medium size businesses are suffering as Rackspace have suffered a security breach on their Hosted Exchange service. Rackspace have now confirmed this is a ransomware incident. Yesterday, 2nd December 2022, Rackspace announced an outage to their Hosted Exchange Server: Updated followed through the day, but were…

Yesterday, cybersecurity vendor GTSC Cyber Security dropped a blog saying they had detected exploitation of a new Microsoft Exchange zero day: Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server | Blog | GTSC — Cung cấp các dịch vụ bảo mật toàn diện (gteltsc.vn) …

Two days ago, on May 27th 2022, Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus. This turned out to be a zero day vulnerability in Office and/or Windows. This caught my attention, as Defender for Endpoint missed execution: The…

Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to Red Menshen, a Chinese threat actor group. You can read more in PwC’s great, yearly threat intelligence brief, here. PwC plan to present their findings in June: BPFDoor is interesting. It…

For nearly a month, I have been watching mass in the wild exploitation of ProxyShell, a set of vulnerabilities revealed by Orange Tsai at BlackHat. These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March — they are more exploitable, and organisations largely haven’t patched. This post goes…

This is the story of how all non-admin users can read the registry — and so elevate privileges and access sensitive credential information — on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. …

Kaseya VSA is a commonly used solution by MSPs — Managed Service Providers — in the United States and United Kingdom, which helps them manage their client systems. Kaseya’s website claims they have over 40,000 customers. Four hours ago, an apparent auto update in the product has delivered REvil ransomware. …