I monitor (in an amateur, clueless way) ransomware groups in my spare time, to see what intelligence can be gained from looking at victim orgs and what went wrong.
Basically, I’m a giant big dork with too much free time.
I’ve discovered two organisations with ransomware incidents, where the entry point appears to have been Exchange Server 2013 with Outlook Web Access enabled, where all available security updates were applied.
Credit union technology firm Trellance own Ongoing Operations LLC, and provide a platform called Fedcomp — used by double digit number of other credit unions across the United States. This Fedcomp…
Recently, I’ve been tracking LockBit ransomware group as they’ve been breaching large enterprises:
I thought it would be good to break down what is happening and how they’re doing it, since LockBit are breaching some of the world’s largest organisations — many of whom have incredibly large security budgets.
Through data allowing the tracking of ransomware operators, it has been possible to track individual targets. Recently, it has become clear they have been targeting a vulnerability in Citrix Netscaler, called CitrixBleed. Prior reading:
You have have read about the hack of the Electoral Commission recently. In this piece we take a look at what happened, show they were running Microsoft Exchange Server with Outlook Web App (OWA) facing the internet, and the unpatched vulnerability that presented.
Thousands of small to medium size businesses are suffering as Rackspace have suffered a security incident on their Hosted Exchange service.
Yesterday, 2nd December 2022, Rackspace announced an outage to their Hosted Exchange Server:
Yesterday, cybersecurity vendor GTSC Cyber Security dropped a blog saying they had detected exploitation of a new Microsoft Exchange zero…
Two days ago, Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus...