00:02:33 | | le0n quits [Ping timeout: 252 seconds] |
00:07:45 | | sralracer quits [Quit: Ooops, wrong browser tab.] |
00:58:17 | <@JAA> | 'Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization' https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a |
00:58:21 | <@JAA> | > the red team (also referred to as ‘the team’) gained initial access through a web shell left from a third party’s previous security assessment. |
00:58:24 | <@JAA> | *facepalm* |
01:01:24 | <that_lurker> | I wonder if there is/was an investigation into the reason a "backdoor" was left |
01:09:20 | <that_lurker> | s32 unix clock https://retr0.id/stuff/2038/ |
01:35:47 | <nicolas17> | JAA: damn, lots more fun stuff in that report |
01:36:27 | <nicolas17> | they ran a simulated ransomware on user machines (probably showing the scary screen but not encrypting anything) and only 2 out of 9 users reported it to IT |
01:37:29 | <kpcyrd> | JAA: I wish we could eventually stop clowning around with the kind of computer security that web shells are a part of |
01:37:51 | <kpcyrd> | you need to approach computers in a very specific way to have this kind of problem |
01:39:41 | <kpcyrd> | stuff like this is simply not a thing if the service was written in go/rust for example |
01:42:09 | <nicolas17> | kpcyrd: keep reading for more facepalms :P |
01:42:40 | <nicolas17> | "stuff like this is simply not a thing if you update your Windows Server 2012" |
01:44:08 | <kpcyrd> | > to fully compromise the organization’s domain |
01:44:17 | <kpcyrd> | ah yes, windows |
01:47:55 | <nicolas17> | and EDRs are for decoration |
01:48:42 | <@JAA> | nicolas17: Thanks, will give the rest a read tomorrow. :-) |
01:58:22 | <kpcyrd> | the full report does not mention what kind of tech stack was used for web shells to be a problem, if it was php this bug class could be killed with https://snuffleupagus.readthedocs.io/config.html#readonly-exec (or not using php in the first place) |
02:02:00 | <kpcyrd> | essentially your web app has no business writing into files that may get picked up for execution. this is like the silly brother of https://en.wikipedia.org/wiki/Weird_machine |
02:04:05 | <kpcyrd> | they don't seem to be listing this as a finding however |
02:11:32 | | jacksonchen666 quits [Client Quit] |