Thousands of small to medium size businesses are suffering as Rackspace have suffered a security breach on their Hosted Exchange service. Rackspace have now confirmed this is a ransomware incident. Yesterday, 2nd December 2022, Rackspace announced an outage to their Hosted Exchange Server: Updated followed through the day, but were…

Yesterday, cybersecurity vendor GTSC Cyber Security dropped a blog saying they had detected exploitation of a new Microsoft Exchange zero day: Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server | Blog | GTSC — Cung cấp các dịch vụ bảo mật toàn diện (gteltsc.vn) …

Two days ago, on May 27th 2022, Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus. This turned out to be a zero day vulnerability in Office and/or Windows. This caught my attention, as Defender for Endpoint missed execution: The…

Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to Red Menshen, a Chinese threat actor group. You can read more in PwC’s great, yearly threat intelligence brief, here. PwC plan to present their findings in June: BPFDoor is interesting…

For nearly a month, I have been watching mass in the wild exploitation of ProxyShell, a set of vulnerabilities revealed by Orange Tsai at BlackHat. These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March — they are more exploitable, and organisations largely haven’t patched. This post goes…

This is the story of how all non-admin users can read the registry — and so elevate privileges and access sensitive credential information — on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. In this post I made an exploit to test…

Kaseya VSA is a commonly used solution by MSPs — Managed Service Providers — in the United States and United Kingdom, which helps them manage their client systems. Kaseya’s website claims they have over 40,000 customers. Four hours ago, an apparent auto update in the product has delivered REvil ransomware. …

zhiniang peng tweeted out a proof of concept exploit and explainer recently, and then quickly deleted it. This exploit and discussion contained an unpatched zero day in all supported and Extended Security Update verrsions of Windows OS. Unfortunately by this had already been forked on Github by then… and…

I’ve talked about ransomware and extortion attacks on organizations for about a decade. I recently spent a year at Microsoft in Threat Intelligence in Redmond, which included tracking ransomware gangs. …