home.social

#queuejumper — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #queuejumper, aggregated by home.social.

  1. Just checking in on all the MSMQ vulnerabilities in 2023 including #QueueJumper - from honeypots, I didn’t see a single exploitation attempt, just scanning.

    There also still isn’t a proof of concept exploit that reaches remote code execution. #threatintel

  2. Four months passed since the publication of #MSMQ #QueueJumper.

    Has anyone seen any in-the-wild exploitation yet?

    #vulnerability #threatintel

  3. Still seen no in the wild exploitation of CVE-2023-21554 aka #QueueJumper, from a wide variety of telemetry. Turns out not publishing an RCE exploit helps prevent exploitation.

  4. Pretty funny easy query to know if #QueueJumper request is internet scanning or malicious - filters out internet scanning. A month since publication, I haven't seen any in the wild exploitation (even just crashing the service, which is ridiculously easy).

    VMConnection
    | where ProcessName == "mqsvc"
    | where BytesSent <> 572
    | where BytesSent <> 0

    MDE AHQ for exploitation: github.com/GossiTheDog/ThreatH

  5. My #MSMQ #honeypot is extreeeemly advanced 😆

    `ncat -vlkp 1801 > /dev/null -c 'cat msmq.out.raw'`

    Then a #tshark capturing the traffic.

    #QueueJumper

  6. Accidentally deleted my #QueueJumper toots, but so far no sign of any in the wild exploitation, no technical write up and no public exploit. Monitoring with real world MSMQ, all quiet too.

    Credits to CheckPoint for not providing exploitation details, has given orgs time to patch. Also kudos to not branding it a “cyber pandemic” this time.

  7. It's been a heck of a week, with tonnes of great research and tooling that I'm sure you're going to get a kick out of - check out our wrap-up for all the news!:

    opalsec.substack.com/p/soc-gou

    Kaspersky researchers shone a light on the Dark Web trade in Google Play Loaders - a service to help inject malware into legitimate, and supposedly vetted apps, with guarantees of >1 week up-time and the option to boost your spread with targeted Ads.

    #Nokoyawa ransomware have clearly got some talent on their team, having abused a #CLFS 0-day prior to Microsoft patching it last week - one of 5 different exploits they've used, mind you - and they appear to have a new, distinct ransomware strain in rotation, too.

    There's heaps more great threat reporting, including a report that #FIN7 and former #Conti (#FIN12/#WizardSpider) members are collaborating on a new backdoor, and a crypto-mining campaign that may be the canary in the coal mine, indicating broader uptake of BYOVD and IPFS by low-level operators.

    The #QueueJumper vulnerability from last week looks primed to explode in coming days, with a no-fix vulnerability in Microsoft Intune capping off a lousy week for Windows admins struggling to keep their networks secure.

    TOOLING. Ooooh boy, this was a good week for tooling and tradecraft, ladies and gentlemen.

    The #redteam have a new port of the SharpHound AD enumeration tool for Cobalt Strike; a great reference piece on leveraging stolen Office tokens to bypass MFA and access cloud workloads, and a list of keywords to avoid when crafting stealthy PowerShell scripts.

    The #blueteam have a script to help tweak VM settings to circumvent malware anti-analysis checks; Procmon for macOS, and a lightweight bastion host to help redirect and record traffic sent to honeypots in your network.

    This was a fun one to write up, with heaps of interesting reads and takeaways to be had. Get amongst it!

    opalsec.substack.com/p/soc-gou

    #infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #darkweb #microsoft #azure #mfa #mfabypass #cobaltstrike #bloodhound #sharphound #byovd #ipfs #intune #GooglePlay #Android #zeroday #0day

  8. Still all quiet on the western front when it comes to #QueueJumper. Had one connection that didn't appear to be an obvious (known) security researcher, from 216.250.119.94 - but benign.

    btw Shodan has the best scanning hostnames

  9. Done! Submitted a pull request to the #nmap project to add a #MSMQ service probe. Hope it gets accepted and helps everyone once merged.

    github.com/nmap/nmap/pull/2632

    Paging @shodan, you may find this useful. It's different from the one I posted yesterday.

    #QueueJumper #CVE202321554 #vulnerability #vulnerabilityManagement

  10. If the byte at offset 18 is set to 0x02 instead of 0x12, that connection request was actually accepted.

    Ouch if you find this on the Internet I guess!

    #MSMQ #nmap #QueueJumper
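The two defender signals in this feed, the VMConnection query that drops the 0-byte and 572-byte scanner-sized mqsvc connections, and the byte-at-offset-18 reading of the MSMQ reply, joined into one triage routine. This is an added example, not code from any poster or from the linked repositories; the VMConnection field names, the per-IP join with honeypot captures, and every sample record are constructed assumptions.

```python
"""Triage helpers for MSMQ (TCP 1801) telemetry, built from two posts above.

The KQL post keeps mqsvc connections whose BytesSent is neither 0 nor 572
(572 being the size the post associates with internet scanning).  The nmap
probe post reads the reply: byte 18 == 0x02 means the connection request was
accepted, 0x12 means it was refused.  Field names and sample data are constructed.
"""

SCANNER_BYTES_SENT = 572   # size the KQL post associates with scanning traffic
ACCEPTED = 0x02            # byte 18 of the reply when the request was accepted
REFUSED = 0x12             # byte 18 of the reply when the request was refused
OFFSET = 18


def kql_filter(rows):
    """Python equivalent of the VMConnection query from the feed.

    rows: iterable of dicts with ProcessName, RemoteIp, BytesSent (constructed schema).
    """
    return [r for r in rows
            if r.get("ProcessName") == "mqsvc"
            and r.get("BytesSent") not in (0, SCANNER_BYTES_SENT)]


def reply_status(reply: bytes) -> str:
    """Classify a captured MSMQ reply by its byte at offset 18.

    Returns 'accepted', 'refused', 'unknown' (any other value) or 'short'
    (reply too short to contain byte 18, e.g. no reply captured at all).
    """
    if len(reply) <= OFFSET:
        return "short"
    b = reply[OFFSET]
    if b == ACCEPTED:
        return "accepted"
    if b == REFUSED:
        return "refused"
    return "unknown"


def triage(rows, replies):
    """Join both signals per RemoteIp (the join itself is an assumption).

    replies: {remote_ip: reply bytes} captured by a honeypot or tshark.
    A non-scanner-sized connection whose request was accepted is the case
    the probe post flags as 'ouch', so it gets the highest priority.
    """
    findings = []
    for r in kql_filter(rows):
        ip = r["RemoteIp"]
        status = reply_status(replies.get(ip, b""))
        findings.append({"RemoteIp": ip, "BytesSent": r["BytesSent"], "reply": status,
                         "priority": "high" if status == "accepted" else "review"})
    return findings


# Constructed sample telemetry (documentation-range IPs, invented sizes).
SAMPLE_ROWS = [
    {"ProcessName": "mqsvc", "RemoteIp": "198.51.100.7", "BytesSent": 572},   # scanner-sized
    {"ProcessName": "mqsvc", "RemoteIp": "198.51.100.8", "BytesSent": 0},     # empty exchange
    {"ProcessName": "mqsvc", "RemoteIp": "203.0.113.5", "BytesSent": 2100},   # worth a look
    {"ProcessName": "svchost", "RemoteIp": "203.0.113.9", "BytesSent": 900},  # not MSMQ
]
SAMPLE_REPLIES = {"203.0.113.5": bytes(OFFSET) + bytes([ACCEPTED]) + bytes(4)}

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS, SAMPLE_REPLIES):
        print(finding)
```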
