October 2, 2022

TSD #009: The Friday Morning Madness.

Hello friend 👋

All was calm. All was quiet. Until I woke up on Friday morning.

60+ notifications on my iPhone. Perfect. Something big.

Just in time for the weekend 🫠

Before I had even rubbed my eyes, my iPhone was in my hand; my thumb was scrolling:

...two zero-days...

...remote code execution...

...Microsoft Exchange.

Beautiful. Just what we need.

iPhone locked and I'm hitting the morning routine:

Breakfast with the family.

Walking the dog whilst listening to Johannes on the SANS podcast to catch the latest on this bug.

Then we're logged on and into the thick of it to figure out the impact of these zero-days in Exchange. Multiple team calls with teams across the world. Consuming open and closed source reporting to create multi-source intelligence. All to ultimately end up with a deeper understanding of 'where we are' and 'if we are affected’.

If you're new to things like zero-days and remote code execution, here's the link to the original reporting on the bug, found by a Vietnamese cyber-security team. Great work from them!

This bug isn't as bad as the recent ProxyShell one in Exchange. Why? This new one requires authentication. ProxyShell was pre-authenticated remote code execution. One of the worst kinds of bugs. Bad guys can just take over. Period. With this new one, they need to get a hold of some credentials first. That's easily enough done, but it's a barrier nonetheless.

Some of you are already cyber pros (I'm in the trenches with you) and many of you are just starting your journey. This is very much a day-in-the-life of a cyber person in any big organisation. It doesn't happen every day, but usually at least once a month. Many of you know, I served in the military. And being in cyber is a lot like that. It's mostly calm, administrative work. And then BANG 💥

It all kicks off! It's great work.

You can get in touch with me by simply hitting reply. I respond to every email that hits my inbox.

Until next week,

Gary ✌️

Fun Things This Week

📽 My New Video

Things to Do After Setting Up Kali Linux: Once you set up Kali, you might be tempted to just start hacking. STOP RIGHT THERE. Do these things first!

🎙Podcasts

Johannes covered the Microsoft Exchange bug in this episode of the SANS Internet Storm Centre podcast. Worth a listen so that you have a baseline knowledge of the topic. The reporting will probably evolve a little bit as we find out more in the coming days and weeks.

📸 Products

I picked up a new hard drive for my Synology NAS that lives alongside my networking gear. Another 8TB will give me more storage for all this new YouTube content that I'm creating. That 4k footage takes up some serious space! But I must say, both the Synology NAS and these IronWolf drives, have worked without error for years. A great piece of equipment if you need it.

👾 Cool Tools
  • psudohash is a password list generator for orchestrating brute force attacks. It imitates password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers, using char-case variations, and adding common padding before or after the word.
  • PSAsyncShell is an Asynchronous TCP Reverse Shell written in PowerShell. Unlike other reverse shells, all the communication and execution flow is done asynchronously, allowing communications to bypass some firewalls and some countermeasures against these kinds of remote connections.

P.S. Some of the links in this newsletter are affiliate links and help support my content. Thank you for your support! ✌️

More Articles
Subscribe to The Sunday Download

Receive weekly news and insights in your inbox. Don't miss out!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.