Tuesday, June 13, 2023

The Mushroom Policy

Is Obstructing Security Obstructing Justice?


by Dominic Alvieri
June 13th, 2023

Mushroom Policy. 


What does a mushroom have to do with cybersecurity?

Let's put a name to what has been going on in the corporate world regarding ransomware attack communications. Yes, I said ransomware. The Schneier blog just put out an excellent short post on the legal tactics behind some of the recent delays in incident response and security efforts.

How does one grow mushrooms? 

If you know how to nurture mushrooms, you're wanted in corporate public relations departments around the globe. In most cases, to grow mushrooms you keep them in the dark and feed them a lot of crap. Literally, that's all you have to do. Very much like the lawyer-fed communication orders handed to PR rooms to disseminate lately.

"to grow mushrooms you keep them in the dark and feed them a lot of crap."


In many cases I don't believe every company would come forward if samples, flashes or the exfiltrated data itself didn't leak out. Many companies wouldn't say a word about it. After being confronted, several companies have come forward with vague, carefully crafted statements months after the fact. Truth be told, sometimes it does take time to complete a forensic investigation.

Don't mention or use the word ransomware; say "cyber incident." It sounds better. And nobody names names.

The Ostrich Policy

You could just bury your head in the sand and hope it goes away.


Employees of Highland Homes in Texas reached out in April saying their bosses kept denying the Alphv BlackCat posts claiming the company had been breached. BlackCat finally dumped the alleged company data a few weeks ago, in late May.



Accountability

If you are going to make money off of my data, you have to protect it better. Stand up and be the good corporate citizen we always hear about.


Stay safe. 

Dominic Alvieri 
@AlvieriD

Thursday, June 8, 2023

Is Leaked Data on the Dark Web Difficult or Easy to Access?

 Lawyers in Oakland and Minnesota are Worlds Apart


By Dominic Alvieri
June 8th, 2023
Twitter @AlvieriD





The distance between Oakland, California and Minneapolis, Minnesota is approximately 1,968 miles, but they are going to be worlds apart in the coming courtroom battles stemming from the recent cyber incidents involving the City of Oakland and the Minneapolis Public School District.

Play Ransomware breached the City of Oakland and Medusa Team hacked the Minneapolis Public School District. 

Is Accessing Dark Web Data Leaks Easy or Difficult?





I have great respect for the legal profession but also believe it is one of the most abused professions. The current silencing and obstruction of security incident communications is evidently not obstruction of justice.

Some things are black or white.

In Minnesota, lawyers are going to argue that accessing the dark web data leak is difficult for the average person.

In Oakland, lawyers on the offensive are going to argue that the leaked data is very easy to access.





Lawyers, take note of the recent examples of the dangers online, including Medusa Team loading the breached MPS data, and the new Akira ransomware, which was just caught trying to fingerprint users.

Truth be told, it is fairly easy for the unsuspecting or unaware to access the dark web and get into trouble. What I think doesn't really matter; I'm just a random guy on the internet.

Nearly any person with access to a computer can be shown fairly quickly how to reach ransomware group leak sites and data, but I would not suggest it. You need to know how to move around online safely.

Stay safe online and off.



Dominic Alvieri
The Cyber Show
@AlvieriD

Wednesday, May 31, 2023

Cracking the Connected Floor

Analytics and Cybersecurity 


By Dominic Alvieri
May 23rd, 2023



This KPI Isn't Pointing in the Right Direction

Fortune 500 companies are expanding their attack surfaces in a new data analytics push.

Cybersecurity takes a back seat to data analytics in a manufacturing executive's dream that is turning out to be a security nightmare. It's called the connected shop floor, and in its current version it isn't going to end well. Corporate executives are unintentionally exposing themselves to unnecessary risks.

"This is largely driven by connecting machines using IoT and enabling AI to digitize the results"

Apple iPads and Microsoft BI, along with several outsourced apps and technologies, are involved.




Hundreds of new endpoints and unrestricted devices


All employees with access to these new IoT devices, the backbone of this connected shop floor, had open browser access and email, personal as well as corporate, along with a host of new apps and software.

Oops, an employee just clicked on one of their personal emails and got phished.

Before drilling deeper into the technologies and the possible exploits available, here is a starter: there are hundreds of new IoT devices with an unrestricted browser able to view porn, YouTube or TikTok videos. A small-time phisher with a low-grade infostealer may land on a Fortune 500 company employee's device and not even know it.





The good news

Executives are starting to learn about cybersecurity. The bad news? They are slow and stubborn.

Here is a no-brainer: restrict employee browser access on these devices.



App Avalanche


Once again, executives are slow in embracing cybersecurity. They need the numbers crunched to squeeze out every last ounce of shareholder value. Security often takes a back seat.

"Cybersecurity does not add revenue" one executive told me on the condition of anonymity. 






Exploitable


Querying one of the apps used in one version of the connected floor returned an interesting response: a database error complaining about an error in my SQL syntax. An app that passes a stray quote through to the database and echoes the syntax error back is not sanitizing its input, and input sanitation issues like this are red flags for injection flaws.

Obviously I am unable to mention the firm or app until the issue is resolved. 

There are other exploitable alleys in this project.
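To show why a "syntax error in your SQL" response is the tell-tale it is, here is an added example that is not code from the article or from the app in question. It assumes a SQLite-backed lookup of shop-floor machine telemetry (the table and rows are constructed for the example) and puts the string-built query that produces that error, and that a quote-based payload can abuse, beside the parameterised version that never does:

```python
import sqlite3

# Constructed sample data standing in for a shop-floor telemetry table.
# Nothing here comes from the app the article describes.
SAMPLE_ROWS = [
    (1, "press-01", 71.5),
    (2, "lathe-02", 64.0),
    (3, "cnc-03", 88.2),
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE machines (id INTEGER PRIMARY KEY, name TEXT, temp_c REAL)")
    conn.executemany("INSERT INTO machines VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, name):
    """The pattern behind a 'syntax error' response: user input pasted into SQL."""
    sql = f"SELECT id, name, temp_c FROM machines WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name):
    """Same query with a bound parameter; the input is data, never SQL."""
    sql = "SELECT id, name, temp_c FROM machines WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe(lookup, conn, name):
    """Run a lookup and report ('ok', rows) or ('error', message).

    A database syntax error escaping on a lone quote is the signal the article
    describes; the parameterised query never produces it and never widens the
    WHERE clause.
    """
    try:
        return ("ok", lookup(conn, name))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for payload in ("press-01", "'", "' OR '1'='1"):
        print(repr(payload), "vulnerable:", probe(vulnerable_lookup, db, payload))
        print(repr(payload), "safe:      ", probe(safe_lookup, db, payload))
```

A single quote makes the vulnerable query fail to parse (the error the app leaked), and the payload `' OR '1'='1` turns it into a query that returns every row; the bound-parameter version returns exactly the rows whose name equals the literal input, which for both probes is none.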


The Deeper I Drill...

I have not received any responses to my questions regarding the security issues mentioned above, along with one topic I have not yet covered.


I am offensive in nature even in a defensive posture.
...

There are more holes in the floor.




Sunday, April 23, 2023

Top 10 All Time Active Ransomware Groups

 The Current Top 10 Active Ransomware Group Post Count


By Dominic Alvieri

April 23rd, 2023

@AlvieriD


Top 10 All Time Active Ransomware Groups


Quantifying ransomware group activity over the past few years, there is no doubt that LockBit is the numerical leader, credibility issues aside. LockBit has averaged more than one posted company per day since its initial formation as ABCD. No one else comes close.


Conti members are still around, but this list comprises active groups with quantifiable, active leak sites.


The top 10 active ransomware groups.

@AlvieriD


Posts that are somewhat quantifiable...


What is included in the numbers? Posts like the recent LockBit Darktrace-versus-DarkTracer fiasco or their goofball post that was removed are not included. Neither are posts like the BlackCat NCR flash cyber incident that is still ongoing.






Up and Coming Groups


The top groups to watch gaining traction are Royal and Play Ransomware. Play will be in the top 10 within the next month if current trends continue. Royal should be in the top 5 by summer.




New groups in 2023


Several new groups have arrived and, in the case of Trigona, re-arrived. Money Message, logo or not, should be near the top of the new-groups-to-watch list. Here are a few other new groups to watch:

Money Message
Trigona Ransomware
Cipher Locker
Akira Ransomware
Cross Lock Ransomware
Dunghill Leak...



Dunghill Leak is literally named after a pile of shit. What will they think of next.

Most Dangerous Groups


In my view Alphv BlackCat and LockBit are fairly close at the top of this category. BlackCat has the ability to pivot quickly once inside a network, and LockBit is always trying to improve to stay on top, but LockBit has been getting sloppy while Alphv looks like it has added another productive affiliate.

Black Basta, BlackByte, Royal and Play Ransomware deserve mention here as do a few others but my time is limited.


Stay safe.

The Cyber Show, by @AlvieriD


Friday, March 17, 2023

SpaceX Contractor Allegedly Breached

 LockBit leaves a message for Elon Musk


By Dominic Alvieri
March 17, 2023
Twitter @AlvieriD



SpaceX contractor allegedly breached.


Breaching a contractor is, in one sense, a back door into a company's product or service without hacking into the company itself. A perfect example is the alleged breach of Maximum Industries of Texas. Maximum is a precision manufacturer and AS9100 certified, meaning its parts can be and are supplied to the aerospace industry. AS9100 is a quality management standard for manufacturers in the aerospace supply chain.

LockBit posted Maximum Industries earlier in the week with an explicit message to Elon Musk. Last night LockBit posted alleged evidence consisting of a mutual non-disclosure agreement and "certified" SpaceX drawings.

LockBit message to Elon in the post below.




LockBit post.



Elon Musk is possibly the number one target in the world. So are his companies and their suppliers.

LockBit claims upwards of 3,000 SpaceX drawings. According to several people in the know, a single product may have 100 or more drawings covering variations, modifications and scale, so the actual number of products behind any LockBit claim would be significantly smaller.

What is it worth?


Hard to say without additional evidence, and I'm not in the rocket parts market but there has to be some value to any and all competitors. The part in question does not seem high tech per se but neither is a pencil until you need to write something down. Remember writing?

Is that a 2019 model rocket in your garage?



Mutual non-disclosure agreement


This is tricky. In the normal course of business, disclosure by either side would void the agreement. What are the legal ramifications? I am not a lawyer, but I did speak with one on the condition of anonymity and was advised not to comment on this. So much for hindsight.

Anyone could have made that copy of the alleged NDA, by the way. The alleged document is cut off, unsigned and unverified at the moment. If it is authentic, copies would be available to forensically match against what was shown, including handwriting analysis if needed.

What happens when a ransomware group discloses an NDA?


This is the current situation. Once again, I am not a lawyer and you are reading a free cybersecurity blog, so no legal advice. This one is playing out live now.

"...SpaceX contractors were more talkative"

Analyzing this statement would lead one to believe that LockBit might have contractor emails. Take that with a bit of salt. A bit of salt. Cyber dork.





Neither company has made any comment as of this writing and I don't expect Elon Musk to respond to my tweet. Oh well, cyber goes on.

The deadline is Monday pending further drama this weekend.







The Cyber Show

Happy Saint Patrick's Day

@AlvieriD

Monday, February 27, 2023

Who Hacked Atlassian?

The Wolf in Sheep's Clothing


Ghosts of SeigedSec


By Dominic Alvieri
February 22nd, 2023




One of the largest company breaches to date this year was carried out by a relatively unknown group, SiegedSec. "Little is known about the hacking crew," an analyst said, as Envoy and Atlassian initially blamed each other last week. I had questions, so I decided to reach out.

The SiegedSec Hacking crew? 


TechCrunch update on Atlassian.
Story by Carly Page and Zack Whittaker



Where did SiegedSec come from?


The leader of the new group called SiegedSec likes to be called Wolf, and he came from, and is still a member of, GhostSec. The leader of GhostSec goes by Seb. Why the separate group? That was one of my first questions, besides the "Furry Hackers" comments.

The Wolf in Furry Hacker Clothing insists on maintaining the controversial furry angle throughout the conversations and updates. Personally, I think it is an act to draw attention to important matters like freedoms, which have been curtailed all across the globe in the past few years.

It is tough to take this seriously, and I have no idea how long it will last, but neither group is leaving the scene anytime soon. Hacking Atlassian, no matter how, will still draw attention to whatever your cause is. This feels like an attempt to capitalize on a situation: other groups have tried to make a huge splash and then pivot from that initial buzz into the actual, real group.


The wolf in furry clothing.


The leader of the new pack


Making a splash after a controversial United States Supreme Court decision last year, little-known SiegedSec is back with a breach of giant Atlassian. I caught up with GhostSec to ask why the post was released through their channel, and continued to drill down.

Here are some of the specific questions asked and answered over this past week. 


Q-Who is SiegedSec?
A-Seb (GhostSec) SiegedSec was one of my members who decided to do his own thing. He still is a member of GhostSec as well.

Q-Still a member?
A-Yes.

The questions I wanted to know that I can share...


Q-Wolf-The state hacks last year...and why active again now?
A-...not as easy as it seems to quit hacking. That's the way I would put it, that's why SiegedSec came back

Q-How did you breach Atlassian?
A-Honestly answered and redacted for security and breach confirmed by Atlassian.


Q-Was Atlassian a target?
A-No...

Q-Did you ask Atlassian for a ransom or was it just for shits and giggles?
A-Just for shits and giggles


Q-Any other victims or lateral movement?
A-No answer or evidence was provided.


SiegedSec will be posting on their own Telegram channel



To both Seb and Wolf

Q-Did either of you breach anyone this week?

A-Both "No comment." 



I got the feeling that they both may have.



Q-Wolf or Seb, Is the UWU what I think it is along with the "Furry Hackers"




A-Yes


UWU is slang loosely describing something furry-loving or friendly. Let's leave that be for now.


Throughout Wolf insisted upon being and going with the Furry Hacker theme. 

Anything SiegedSec wants to say? Shortened answer

"Just represent yourself and be yourself, be a furry hacker who cares."



GhostSec





Leaving out the basic get-to-know-you hacker exploit talk and the like, I asked both whether either group is thinking of setting up a leak site.

Both have thought about it, but nothing is in the works, at least not officially.

Speaking with Seb from GhostSec, he struck me as honest in answering my questions, some of which I already knew the answers to. I obviously cannot release some of the questions asked and answered here, but they might be conversed...


...at a bar and not online.

GhostSec Seb


Q-Why Maine?
A-We have nothing against the State of Maine or their people, we just happened to breach them.

Q-Any specific targets or breaches you can share?
A-Not at the moment.

Q-What are the odds that LockBit or Black Cat will post while we are chatting?
A-Highly likely lol

LockBit did post a company during the interview.

Q-I wish I could post more of this conversation, Do you have a statement?
A-Shortened Answer-Hack the Planet, if there is no path, create it. Fight against injustice.


Stay safe



Dominic Alvieri on Twitter @AlvieriD




Friday, February 3, 2023

I Can Name That Exploit in One Note

 Another New Day and Another New Way...


By Dominic Alvieri
February 3rd, 2023

The Cyber Show, by Dominic Alvieri.


Do your steganographic skills suck? Never fear, 2023 is here. I guess I wasted years practicing the dark art of stego, now that there are so many new ways to discreetly infect, compromise and take over your target.

How? Hiding your malicious file in an empty element is one way recently disclosed by researchers. Needless to say, there are several other ways to play around with elements.





Another popular choice... embedding a malicious file within OneNote.


OneNote.

You can't hard code all of your website. It's just not practical. Now that Microsoft blocks Office macros from the internet by default, threat actors are finding new ways to infiltrate networks. OneNote has taken center stage, and Microsoft Visual Studio just joined the fray.

Here is a short list of file types being abused by threat actors that you should closely examine or block:

.msha
.htm
.lnk
.js

You can do this with many different files and ways.
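Blocking by extension at the gateway is the cheap control, but the attachment inside a OneNote lure can be named anything, so a defender also wants to look at what is actually embedded. The following is an added example, not code from this post or from any vendor: a small carver that pulls embedded files out of a .one file and classifies them by content. It assumes the FileDataStoreObject layout from Microsoft's published MS-ONESTORE specification (header GUID, 8-byte length, 12 bytes of unused and reserved fields, the file data, footer GUID), and its magic-byte rules for PE, LNK, HTML/HTA and script payloads are heuristics. The sample bytes are constructed for the example and are not a real notebook.

```python
import struct
import uuid

# FileDataStoreObject framing, as documented in MS-ONESTORE (assumption: layout
# taken from the published spec; validate against your own .one samples).
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
FDSO_FIXED = 8 + 4 + 8  # cbLength, unused, reserved

# Windows shortcut header: HeaderSize 0x4C followed by the LNK CLSID.
LNK_MAGIC = b"L\x00\x00\x00" + uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le

DANGEROUS = {"pe", "lnk", "html", "script"}


def carve_embedded_files(blob):
    """Return every FileData payload found inside a FileDataStoreObject wrapper."""
    found = []
    pos = 0
    while True:
        pos = blob.find(FDSO_HEADER, pos)
        if pos == -1:
            return found
        hdr_end = pos + len(FDSO_HEADER)
        if hdr_end + FDSO_FIXED > len(blob):
            return found
        (length,) = struct.unpack_from("<Q", blob, hdr_end)
        data_start = hdr_end + FDSO_FIXED
        data_end = data_start + length
        footer = blob[data_end:data_end + len(FDSO_FOOTER)]
        if data_end + len(FDSO_FOOTER) <= len(blob) and footer == FDSO_FOOTER:
            found.append(blob[data_start:data_end])
            pos = data_end + len(FDSO_FOOTER)
        else:
            pos = hdr_end  # truncated or malformed object: keep scanning past the header


def classify(data):
    """Heuristic content classifier. Extensions are not trusted because the
    OneNote lure can name the attachment anything it likes."""
    head = data[:4096]
    lowered = head.lower().lstrip()
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if (lowered.startswith((b"<!doctype html", b"<html"))
            or b"<script" in lowered or b"<hta:application" in lowered):
        return "html"
    if any(tok in head for tok in (b"WScript.", b"ActiveXObject", b"wscript", b"cscript")):
        return "script"
    return "other"


def scan_one_file(blob):
    """List (index, kind, size) for each embedded payload that looks dangerous."""
    hits = []
    for i, data in enumerate(carve_embedded_files(blob)):
        kind = classify(data)
        if kind in DANGEROUS:
            hits.append((i, kind, len(data)))
    return hits


def wrap_fdso(payload):
    """Build a FileDataStoreObject around payload (used only to construct the sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER


# Constructed sample: filler bytes plus three embedded files (image, HTA-style HTML, shortcut).
SAMPLE_ONE = (
    b"\x00" * 32
    + wrap_fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    + b"\xff" * 8
    + wrap_fdso(b"<html><script>new ActiveXObject('WScript.Shell').Run('calc');</script></html>")
    + wrap_fdso(LNK_MAGIC + b"\x00" * 40)
)

if __name__ == "__main__":
    for index, kind, size in scan_one_file(SAMPLE_ONE):
        print(f"embedded file #{index}: {kind}, {size} bytes")
```

Run against the constructed sample it reports the HTML and the shortcut and ignores the image. On a real notebook, carve first and then hand anything flagged to your sandbox; the filename OneNote shows the user lives in a different object and is the least trustworthy part of the file.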

I'll leave you with this partial...

c:\ encrypt files
\"what?"\ attrib -h (?) -r  ("nice-try")

Redacted



 

The Kremlin, Politics and Ransomware

Qilin Ransomware caught with politically motivated fake document (and old data) in post.

By Dominic Alvieri
March 8th, 2025
@AlvieriD

Was it...