Wednesday, June 1, 2022
CISA, the Federal Bureau of Investigation (FBI), the Department of Treasury, and the Financial Crimes Enforcement Network (FinCEN)
Wednesday, May 25, 2022
Live Websites for Information as It Happens.
Flights - ADS-B Exchange, Flightradar24
Maritime - https://www.marinetraffic.com/
Weather and Earth Views - https://zoom.earth/, The World in Real Time, Latest Earthquakes
Information Security - Live Attacks
Wars - Ukraine War, Live Ukraine Feed
Friday, May 6, 2022
Tech Tip Fortigate
If you are like me, the industry standard has turned to MFA (multi-factor authentication) for administrative accounts and for VPN connections.
I like and use Fortinet's FortiGate NGFW systems. I was having an issue where LDAP accounts could get past the VPN's second factor by connecting with just the standard Windows account. To be honest, it would let them connect without a token, never even prompting them for one.
You have to set username-sensitivity disable under the user's profile in the CLI, so that username matching is no longer case sensitive.
Here is an example.
Hope this helps some admins; it was kind of a head scratcher for me.
Thursday, May 5, 2022
Microsoft warns Exchange Online basic auth will be disabled
Microsoft warned customers today that it will start disabling Basic Authentication in random tenants worldwide on October 1, 2022.
This reminder comes after the company's September announcement and after seeing that there are still lots of customers who haven't yet moved their clients and apps to Modern Authentication.
Tuesday, January 12, 2021
Cloud or No Cloud?
Since the whole political thing has happened, cloud computing companies have flexed their muscles. If you do not agree with them, they "do the woke thing" and turn your account off, and businesses and lifestyles must change.
Well, yes, they are a private company and can control the user information they process and what you see. At the same time, they listen to or record keywords in your conversations through the microphones, and in your searches, to solicit products to you. Then they sell that information to advertisers to create a data pool for them to focus on you.
So, as big tech data warehouses, they sell your information just as the Dark Web sells your personal information. I can go buy a credit card on the Dark Web if your credit score is above what I choose.
Now let us reverse this. I own a drugstore, and a young lady comes in to buy a morning-after pill, and I refuse to sell it to her because I think it is wrong to do so, and I tell her I am not going to sell it to her because of a made-up story I thought she was creating. (I am not agreeing either way; it is just an example, and the person could have been raped.) No matter what, it is an over-the-counter drug now. No questions asked. Then she goes and complains that she did not get it because someone at a pharmacy said no.
While being in the wrong, "the drugstore" gets a huge number of bad reviews, and then the cloud company that hosted the site kills the business's website and its communication with customers. While it was one employee that created the issue, and that employee was fired, the business cannot correct or communicate what happened.
What I am saying is: do not put your eggs in one simple basket. Your convenience might lead to your downfall.
Friday, December 18, 2020
Procedures for proper Digital Forensic Research.
First of all, use a computer system dedicated to the recovery work, not an everyday computer. After each research session, wipe the computer with Eraser or MiniTool using a low-level destruction algorithm (DoD compliant).
Next, sandbox the computer from any network or internet connection.
Depending on the device, I use Autopsy with plug-ins from Video Triage, the LEO version of BIN Recovery, and a few others. I copy them to a USB drive and install them on the newly reloaded computer.
Judging from the data or the type of device I have to analyze, I create an image of it or a backup of the data type.
Then I process all plug-ins in Autopsy; the ones I pay the most attention to are Keyword Search, Deleted Files, Video Triage, Image Processor, and the Law Enforcement plug-in.
Depending on the case, I would suggest getting a copy of Recuva to also process recovered files.
Autopsy will provide you with really good reporting tools, such as metadata (time, locations). You can also generate a detailed report of information down to a single day, month, or time.
Then I run the reporting tools, finalize the case, move all information to an external drive, and encrypt it to be handed over to the customer.
Friday, September 25, 2020
The Windows XP source code was allegedly leaked online
The source code for Windows XP SP1 and other versions of the operating system was allegedly leaked online today.
The leaker claims to have spent the last two months compiling a collection of leaked Microsoft source code. This 43GB collection was then released today as a torrent on the 4chan forum.
For more information, visit Bleeping Computer.
Microsoft confirms Group Policy Editor bug in Windows Server 2016
Microsoft has confirmed that a bug in Windows 10 version 1607 and Windows Server 2016 is causing the Group Policy Editor to display errors.
In our September 2020 Windows health report, we reported that Windows 10 1607 and Windows Server 2016 users were experiencing errors when opening the Security Options MMC in the Group Policy Editor.
For more information, visit Bleepingcomputer.com.
Unpatched Domain Controllers Remain Vulnerable to Netlogon Vulnerability, CVE-2020-1472
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. Applying patches from Microsoft’s August 2020 Security Advisory for CVE-2020-1472 can prevent exploitation of this vulnerability.
CISA has released a patch validation script to detect unpatched Microsoft domain controllers. CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable. Review the following resources for more information:
For more information, visit the site below.
https://us-cert.cisa.gov/ncas/current-activity/2020/09/24/unpatched-domain-controllers-remain-vulnerable-netlogon
Monday, December 3, 2018
Friday, September 29, 2017
Configuring Cisco Interfaces
If you ever run into this, here is how to change the port speed back on your router.
interface GigabitEthernet0/0
switchport access vlan 2
switchport mode access
speed 100
duplex full
Notice the hard-coded speed 100 line in the config. Set the interface back to auto-negotiation:
corerouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
corerouter(config)#interface GigabitEthernet0/0
corerouter(config-if)#speed auto
ctrl+z
corerouter#wr
corerouter#reload
Tuesday, September 19, 2017
Getting To Know Powershell
# Bind to the domain this machine belongs to and list every property of the Domain object
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dom | Format-List *
Transferring Active Directory FSMO roles with PowerShell
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# FindDomainController() returns a DC in the current domain; each role is transferred to that DC
$dc = $dom.FindDomainController()
$dc.TransferRoleOwnership('PdcRole')
$dc.TransferRoleOwnership('InfrastructureRole')
Raising Active Directory Domain and Forest functionality to Windows 2003 with PowerShell
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# Raise the domain level in steps: Windows 2000 native first, then Windows Server 2003 (not reversible)
$dom.RaiseDomainFunctionality('Windows2000NativeDomain')
$dom.RaiseDomainFunctionality('Windows2003Domain')
Enabling and disabling a Global Catalog server with PowerShell
$for = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# Locate a global catalog server in the forest, then remove and re-add the GC role on it
$gc = $for.FindGlobalCatalog()
$gc.DisableGlobalCatalog()
$gc.EnableGlobalCatalog()
Also, if you are like me, you are always looking to clean up unneeded data on your WSUS server. The following script does that through the WSUS administration API:
#Region VARIABLES
# WSUS Connection Parameters:
[String]$updateServer = "wsusserver.nrgnetworks.local"
[Boolean]$useSecureConnection = $False
[Int32]$portNumber = 80
# Cleanup Parameters:
# Decline updates that have not been approved for 30 days or more, are not currently needed by any clients, and are superseded by an approved update.
[Boolean]$supersededUpdates = $True
# Decline updates that aren't approved and have been expired by Microsoft.
[Boolean]$expiredUpdates = $True
# Delete updates that are expired and have not been approved for 30 days or more.
[Boolean]$obsoleteUpdates = $True
# Delete older update revisions that have not been approved for 30 days or more.
[Boolean]$compressUpdates = $True
# Delete computers that have not contacted the server in 30 days or more.
[Boolean]$obsoleteComputers = $True
# Delete update files that aren't needed by updates or downstream servers.
[Boolean]$unneededContentFiles = $True
#EndRegion VARIABLES
#Region SCRIPT
# Load .NET assembly
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
# Connect to WSUS Server
$Wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$useSecureConnection,$portNumber)
# Perform Cleanup
$CleanupManager = $Wsus.GetCleanupManager()
$CleanupScope = New-Object Microsoft.UpdateServices.Administration.CleanupScope($supersededUpdates,$expiredUpdates,$obsoleteUpdates,$compressUpdates,$obsoleteComputers,$unneededContentFiles)
$CleanupManager.PerformCleanup($CleanupScope)
#EndRegion SCRIPT
Cisco Show Commands
Output of the ASA command show traffic: per-interface counters by interface name first, then the aggregate per physical interface.
OUTSIDE:
received (in 2395890.690 secs):
317946819 packets 315525385708 bytes
0 pkts/sec 131000 bytes/sec
transmitted (in 2395890.690 secs):
280139669 packets 79618073485 bytes
0 pkts/sec 33001 bytes/sec
1 minute input rate 218 pkts/sec, 142346 bytes/sec
1 minute output rate 192 pkts/sec, 45133 bytes/sec
1 minute drop rate, 7 pkts/sec
5 minute input rate 164 pkts/sec, 109398 bytes/sec
5 minute output rate 153 pkts/sec, 35406 bytes/sec
5 minute drop rate, 6 pkts/sec
INSIDE:
received (in 2395890.690 secs):
255240733 packets 76128164260 bytes
0 pkts/sec 31000 bytes/sec
transmitted (in 2395890.690 secs):
294891373 packets 247485048480 bytes
1 pkts/sec 103001 bytes/sec
1 minute input rate 196 pkts/sec, 44396 bytes/sec
1 minute output rate 234 pkts/sec, 142469 bytes/sec
1 minute drop rate, 5 pkts/sec
5 minute input rate 158 pkts/sec, 35241 bytes/sec
5 minute output rate 178 pkts/sec, 110074 bytes/sec
5 minute drop rate, 4 pkts/sec
DMZ:
received (in 2395890.690 secs):
32384633 packets 2955292920 bytes
0 pkts/sec 1000 bytes/sec
transmitted (in 2395890.690 secs):
49137094 packets 65615227653 bytes
0 pkts/sec 27001 bytes/sec
1 minute input rate 0 pkts/sec, 82 bytes/sec
1 minute output rate 0 pkts/sec, 125 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 435 bytes/sec
5 minute output rate 1 pkts/sec, 1075 bytes/sec
5 minute drop rate, 0 pkts/sec
management:
received (in 2395890.750 secs):
14277133 packets 946118886 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2395890.750 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 5 pkts/sec, 424 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 6 pkts/sec, 407 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Aggregated Traffic on Physical Interface
----------------------------------------
GigabitEthernet0/0:
received (in 2395890.790 secs):
318032181 packets 321511281805 bytes
0 pkts/sec 134000 bytes/sec
transmitted (in 2395890.790 secs):
280139730 packets 85167104894 bytes
0 pkts/sec 35000 bytes/sec
1 minute input rate 218 pkts/sec, 146592 bytes/sec
1 minute output rate 192 pkts/sec, 49034 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 164 pkts/sec, 112593 bytes/sec
5 minute output rate 153 pkts/sec, 38521 bytes/sec
5 minute drop rate, 0 pkts/sec
GigabitEthernet0/1:
received (in 2395890.810 secs):
255241934 packets 81218647412 bytes
0 pkts/sec 33001 bytes/sec
transmitted (in 2395890.810 secs):
294891391 packets 253102758608 bytes
1 pkts/sec 105000 bytes/sec
1 minute input rate 196 pkts/sec, 48364 bytes/sec
1 minute output rate 234 pkts/sec, 146984 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 158 pkts/sec, 38456 bytes/sec
5 minute output rate 178 pkts/sec, 113510 bytes/sec
5 minute drop rate, 0 pkts/sec
GigabitEthernet0/2:
received (in 2395890.850 secs):
32384636 packets 3547413050 bytes
0 pkts/sec 1000 bytes/sec
transmitted (in 2395890.850 secs):
49137094 packets 66502670016 bytes
0 pkts/sec 27000 bytes/sec
1 minute input rate 0 pkts/sec, 98 bytes/sec
1 minute output rate 0 pkts/sec, 138 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 470 bytes/sec
5 minute output rate 1 pkts/sec, 1108 bytes/sec
5 minute drop rate, 0 pkts/sec
GigabitEthernet0/3:
received (in 2395890.860 secs):
14278281 packets 1203253101 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2395890.860 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 5 pkts/sec, 531 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 6 pkts/sec, 516 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
GigabitEthernet0/4:
received (in 2395890.900 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2395890.900 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
GigabitEthernet0/5:
received (in 2395890.910 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2395890.910 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Control0/0:
received (in 2395890.950 secs):
4813061 packets 348829320 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2395890.950 secs):
5452144 packets 383499485 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 2 pkts/sec, 146 bytes/sec
1 minute output rate 2 pkts/sec, 160 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 2 pkts/sec, 145 bytes/sec
5 minute output rate 2 pkts/sec, 160 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/0:
received (in 2395890.960 secs):
21248059 packets 1966209991 bytes
1 pkts/sec 1 bytes/sec
transmitted (in 2395890.960 secs):
6170575 packets 958796353 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 8 pkts/sec, 850 bytes/sec
1 minute output rate 2 pkts/sec, 402 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 8 pkts/sec, 836 bytes/sec
5 minute output rate 2 pkts/sec, 403 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/1:
received (in 2395890.990 secs):
603754038 packets 429853468179 bytes
1 pkts/sec 179000 bytes/sec
transmitted (in 2395890.990 secs):
603754038 packets 429853468179 bytes
1 pkts/sec 179000 bytes/sec
1 minute input rate 397 pkts/sec, 209501 bytes/sec
1 minute output rate 397 pkts/sec, 209501 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 313 pkts/sec, 164474 bytes/sec
5 minute output rate 313 pkts/sec, 164474 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/2:
received (in 2395891.020 secs):
6170575 packets 918208209 bytes
0 pkts/sec 1 bytes/sec
transmitted (in 2395891.020 secs):
21248059 packets 1881217957 bytes
1 pkts/sec 0 bytes/sec
1 minute input rate 2 pkts/sec, 385 bytes/sec
1 minute output rate 8 pkts/sec, 815 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 2 pkts/sec, 386 bytes/sec
5 minute output rate 8 pkts/sec, 800 bytes/sec
5 minute drop rate, 0 pkts/sec
Management0/0:
received (in 2395891.040 secs):
14278311 packets 1146069880 bytes
0 pkts/sec 1 bytes/sec
transmitted (in 2395891.040 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 5 pkts/sec, 507 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 6 pkts/sec, 492 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
1-hour Sent byte: 423 241 0 1523092
1-hour Sent pkts: 2 1 0 9023
1-hour Recv byte: 1 0 0 3632
1-hour Recv pkts: 0 0 0 48
Monitoring window size: 30 mins Sampling interval: 30 secs
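As an added example (not code from the post), a small Python parser for the show traffic output above. It takes the OUTSIDE and DMZ blocks copied from the post as its sample input and reports which interfaces show a non-zero drop rate, the figure worth watching on the outside interface.

```python
import re

# Sample input: the OUTSIDE and DMZ blocks copied from the show traffic output
# in the post (the other interfaces follow the same layout and parse the same way).
SAMPLE = """\
OUTSIDE:
received (in 2395890.690 secs):
317946819 packets 315525385708 bytes
transmitted (in 2395890.690 secs):
280139669 packets 79618073485 bytes
1 minute input rate 218 pkts/sec, 142346 bytes/sec
1 minute output rate 192 pkts/sec, 45133 bytes/sec
1 minute drop rate, 7 pkts/sec
5 minute input rate 164 pkts/sec, 109398 bytes/sec
5 minute output rate 153 pkts/sec, 35406 bytes/sec
5 minute drop rate, 6 pkts/sec
DMZ:
received (in 2395890.690 secs):
32384633 packets 2955292920 bytes
transmitted (in 2395890.690 secs):
49137094 packets 65615227653 bytes
1 minute input rate 0 pkts/sec, 82 bytes/sec
1 minute output rate 0 pkts/sec, 125 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 435 bytes/sec
5 minute output rate 1 pkts/sec, 1075 bytes/sec
5 minute drop rate, 0 pkts/sec
"""

HEADER = re.compile(r"^(\S+):\s*$")                      # "OUTSIDE:", "GigabitEthernet0/0:"
TOTALS = re.compile(r"^\s*(\d+) packets\s+(\d+) bytes")   # lifetime counters after received/transmitted
RATE = re.compile(r"^\s*([15]) minute (input|output) rate (\d+) pkts/sec,\s*(\d+) bytes/sec")
DROP = re.compile(r"^\s*([15]) minute drop rate,\s*(\d+) pkts/sec")

def parse_show_traffic(text):
    """Return {interface: counters}; keys are rx_/tx_packets, rx_/tx_bytes,
    in1/out1/in5/out5 _pps and _bps, and drop1_pps / drop5_pps."""
    stats, iface, direction = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := HEADER.match(line):             # new interface block
            iface, direction = m.group(1), None
            stats[iface] = {}
        elif iface is None:                     # text before the first block
            continue
        elif s.startswith(("received", "transmitted")):
            direction = "rx" if s.startswith("received") else "tx"
        elif (m := TOTALS.match(line)) and direction:
            stats[iface][f"{direction}_packets"] = int(m.group(1))
            stats[iface][f"{direction}_bytes"] = int(m.group(2))
        elif m := RATE.match(line):
            win, d, pps, bps = m.groups()
            key = f"{'in' if d == 'input' else 'out'}{win}"
            stats[iface][f"{key}_pps"], stats[iface][f"{key}_bps"] = int(pps), int(bps)
        elif m := DROP.match(line):
            stats[iface][f"drop{m.group(1)}_pps"] = int(m.group(2))
    return stats

def interfaces_with_drops(stats, window=1):
    """Interfaces whose 1- or 5-minute drop rate is non-zero, highest first;
    in the sample that is only OUTSIDE (7 pps over 1 min, 6 pps over 5 min)."""
    key = f"drop{window}_pps"
    hits = [(n, s[key]) for n, s in stats.items() if s.get(key, 0) > 0]
    return [n for n, _ in sorted(hits, key=lambda t: -t[1])]
```

Run it over the full dump and INSIDE shows up as well (5 and 4 pps), while every physical interface in the aggregate section reports zero drops.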
Basic HTTP Enable Commands for Cisco Routers
ciscorouter>en
ciscorouter#config t
ciscorouter(config)#ip http server
ciscorouter(config)#ip http authentication local
ciscorouter(config)#ip http secure-server
Ctrl+z
ciscorouter#wr
On another note, if you have not removed SSL v2 and v3 yet, you need to disable it. The following commands do that by turning the router's HTTP and HTTPS servers off entirely:
ciscorouter>en
ciscorouter#config t
ciscorouter(config)#no ip http server
ciscorouter(config)#no ip http authentication local
ciscorouter(config)#no ip http secure-server
Ctrl+z
ciscorouter#wr
How To Show ASA Active Sessions
ciscoasa#show vpn-sessiondb summary
Thursday, June 2, 2016
Blacklist IPs
object-group network Custom_Block_List
network-object host 23.250.11.220
network-object host 209.10.104.55
network-object host 119.81.240.10
network-object host 118.192.3.3
network-object host 89.248.171.137
network-object 222.186.21.0 255.255.255.0
network-object object 89.248.168.128
network-object host 213.136.90.120
network-object host 80.82.70.238
network-object 162.252.172.0 255.255.255.0
network-object object 188.138.9.51
network-object host 91.219.238.193
network-object host 61.216.2.15
network-object 185.40.4.182 255.255.255.255
network-object host 209.126.116.147
network-object object 125.64.94.200
network-object 123.59.59.0 255.255.255.0
network-object host 93.174.93.94
network-object host 80.82.65.61
network-object host 125.64.94.200
network-object host 80.82.78.38
network-object 185.45.13.0 255.255.255.0
network-object host 208.100.26.228
Attacks and Scans
-Gary
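An added Python lint (not from the post) for object-group entries like the list above: it resolves each network-object line with the ipaddress module, reports duplicate entries, hosts written with a 255.255.255.255 mask, and hosts already inside a subnet of the same group, and rewrites the group collapsed. The sample is a few lines copied from the group plus one constructed host (222.186.21.99) to show the covered case; network-object object names that are not IP literals are skipped.

```python
import ipaddress

# Sample input: a few lines copied from the Custom_Block_List group above, plus
# one constructed host (222.186.21.99) that falls inside the 222.186.21.0/24 entry.
SAMPLE_GROUP = """\
object-group network Custom_Block_List
 network-object host 23.250.11.220
 network-object 222.186.21.0 255.255.255.0
 network-object object 125.64.94.200
 network-object 185.40.4.182 255.255.255.255
 network-object host 125.64.94.200
 network-object host 222.186.21.99
"""

def parse_network_objects(config):
    """Return [(line, IPv4Network)] for each network-object line. 'host' and
    'addr mask' forms are parsed directly; 'object <name>' is a reference to a
    named object and is only resolved here when the name is itself an IP literal
    (as in the post), otherwise the line is skipped."""
    entries = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "network-object":
            continue
        try:
            if parts[1] in ("host", "object"):
                net = ipaddress.IPv4Network(parts[2])                   # single address -> /32
            else:
                net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}")  # "addr mask" form
        except ValueError:
            continue   # a real object name or a malformed line; nothing to lint
        entries.append((raw.strip(), net))
    return entries

def lint_block_list(entries):
    """Flag entries that add nothing: exact duplicates (including host vs object
    spellings of one address), a host written with a 255.255.255.255 mask, and
    hosts already inside a wider subnet of the same group."""
    findings = {"duplicate": [], "host_as_mask": [], "covered": []}
    first_seen, nets = {}, [n for _, n in entries]
    for line, net in entries:
        if net in first_seen:
            findings["duplicate"].append(f"{line} (same as: {first_seen[net]})")
        else:
            first_seen[net] = line
        if net.prefixlen == 32 and line.endswith("255.255.255.255"):
            findings["host_as_mask"].append(line)
        for other in nets:
            if other.prefixlen < net.prefixlen and net.subnet_of(other):
                findings["covered"].append(f"{line} (inside {other})")
                break
    return findings

def collapsed_lines(entries):
    """The same group rewritten without duplicates or covered hosts, in canonical
    ASA syntax, using ipaddress.collapse_addresses to merge what it can."""
    out = []
    for n in ipaddress.collapse_addresses([n for _, n in entries]):
        if n.prefixlen == 32:
            out.append(f"network-object host {n.network_address}")
        else:
            out.append(f"network-object {n.network_address} {n.netmask}")
    return out
```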
Monday, May 16, 2016
Sample Adtran NetVanta 3430 Config
Building configuration...
!
!
! ADTRAN, Inc. OS version R11.8.0
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number ******
!
!
hostname "corerouter"
enable password encrypted 323ab2216eb4ffgghhb25bcc426298ddfggba2625f57
!
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip default-gateway 192.168.1.1
ip routing
ipv6 unicast-routing
!
!
domain-name "gnet.local"
domain-proxy
name-server 208.67.222.222 208.67.220.220
!
!
no auto-config
auto-config authname adtran encrypted password 383e4bc8685e2bf8b1350b96da4ae62fc205
!
event-history on
no logging forwarding
logging forwarding priority-level info
logging email on
logging email receiver-ip 192.168.0.1 auth-username usrname auth-password encrypted 43lkmfdmskm454
logging email address-list glangston@ksbankinc.com
logging email ip urlfilter top-websites address-list glangston@knrgnetworksinc.com
logging email sender glangston@nrgnetworksinc.com
!
service password-encryption
!
username "admin" password encrypted "4048f6b33g249c127e28ac48fdd3452203161619f745"
!
banner motd #
#
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
ip security monitor stats-filter web-stats-filter
threat 201
!
ip security monitor
stats-filter web-stats-filter
!
!
!
!
!
!
!
!
ip urlfilter Web_Http_Filter http
!
!
!
!
!
!
!
!
!
no ethernet cfm
!
interface eth 0/1
ip address 10.207.177.97 255.255.255.248
no shutdown
!
!
interface eth 0/2
no ip address
shutdown
!
!
!
!
interface t1 1/1
clock source internal
fdl att
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
!
interface fr 1 point-to-point
frame-relay lmi-type ansi
no shutdown
!
interface ppp 1
ip address 12.124.191.18 255.255.255.252
ip mtu 1500
ip urlfilter Web_Http_Filter in
ip urlfilter Web_Http_Filter out
no shutdown
cross-connect 1 t1 1/1 1 ppp 1
!
interface hdlc 1
no ip address
no shutdown
!
!
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended wizard-remote-access
remark do not hand edit this ACL
permit tcp any any eq telnet log
permit icmp any any echo log
permit ip host 192.168.10.1 any log
!
!
!
!
ip policy-class Private
allow list self self
!
ip policy-class Public
allow list wizard-remote-access self
!
!
!
ip route 0.0.0.0 0.0.0.0 12.114.121.217
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
line con 0
login
password encrypted 2821704d6ad1dde8ac0fdfdfdbe6a02f3aa429fcbe
!
line telnet 0 4
login
password encrypted 3e36e4defd8afdfd26bnb3c7edb47d0117a42bb7952
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
sntp server time-b.nist.gov
!
!
!
!
end
corerouter#