RIP "Within this assessment, the red team (also referred to as ‘the team’) gained initial access through a web shell left from a third party’s previous security assessment." www.cisa.gov/news-events/... - ThreadSky

hackinglz.hackpwn.net • 99 days ago

RIP "Within this assessment, the red team (also referred to as ‘the team’) gained initial access through a web shell left from a third party’s previous security assessment."

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a

Comments

forst.dev•92 days ago

lol, classic

hackers exploiting hackers... last darkent diaries, the aussie guy talks about this as well, getting into places because there was already someone before and forgot to close the door

statictear.bsky.social•98 days ago

adrestias.bsky.social•99 days ago

What the actual script kiddie bull shit is that.

winterknight.net•99 days ago

This made me so mad to read.

winterknight.net•99 days ago

Not the report as a whole, just the “Leaving the webshell behind whoopsie” part

techbytom.bsky.social•98 days ago

Story time.

I once got in for similar reasons, and it was my own web shell that we found on the server. Let me explain why this wasn’t me being a sloppy attacker though!

techbytom.bsky.social•98 days ago

I had previously compromised the host and dropped a webshell for persistence. The shell was authenticated, and used only as a fallback (beachheads get special treatment).
No, there wasn’t a big risk of someone else discovering the webshell because of uri and authentication, but it lived for MONTHS.

techbytom.bsky.social•98 days ago

Fast forward, the Operation was read out, reporting and post-mortem discussions talked extensively about the impact that this long standing beachhead allowed. We provided (and even coached through) removal instructions. I personally watched the sysadmin clean up our webshell, and verified removal.

techbytom.bsky.social•98 days ago

I’ve been a bit paranoid in the past about monitoring access, and had some mechanisms to track long standing access. I have a policy of maintaining ownership of domains used in prior Ops for years after they’re burned.

techbytom.bsky.social•98 days ago

One day, I got a message in my monitoring channel. We had a fresh callback… from a known burned webshell. This is usually an indicator that someone in the SOC is onto my team. But reviewing some documentation, we had discussed this shell… WTF?

techbytom.bsky.social•98 days ago

I pulled up documentation on the with and URI…
Spun up a fresh IP to connect, and yep. We have a shell again. HOW!? It was 100% removed. I’ve even got documentation of the removal verification.

m19o.bsky.social•99 days ago

I guess some bad guys got inside already

foxinsocks5.bsky.social•98 days ago

I skimmed over the post and didn't see it explicitly calling the web shell artifact as being unauthenticated but assuming that was the case, that 3rd party should have their business license revoked for doing what they've done. This is just plain recklessness.

shiftysheep.bsky.social•99 days ago

I don't know whether to be upset the previous third party left artifacts or they didn't go and do remediation.

paulbeckwith.bsky.social•99 days ago

lordcat.bsky.social•98 days ago

I saw this a couple of hours and I keep coming back to it. What the actual fuck.

Comments

Posting Rules

Reply