EternalBlue Exploit Actively Used to Deliver Remote Access Trojans
On May 16th we started experiencing mail flow issues on our unsupported Exchange 2007 environment hosted on Server 2003 OSes. Mail was coming in over SMTP and being delivered to users as normal; however, internal emails and outgoing emails appeared to be going into $null. I could not see them in any Exchange logs, and there was no trace of what was happening to them.
After some investigating, another engineer found two ports were blocked, 135 and 445, or RPC and MS Directory Services. The Windows firewall on all machines is disabled by default, so we double-checked that and moved on. First stop: our antivirus, which we disabled and then completely uninstalled on whatever servers still had it running. Wait, how was AV missing on these servers? Next we checked our other fancy AI machine learning super advanced security application, Cylance. That was missing as well… hmm…
The workday had ended and the other engineer and I were at home for the evening. I was VPN’ed in, determined to find what was blocking this traffic. I had seen a few event logs referencing IPsec and a GUID but I hadn’t thought much about those. I did a quick Google search on IPsec rules and Server 2003, loaded up the IPsec Management Console and noticed there was a new rule, last modified a few hours earlier, simply called ‘win’. Upon entering the rule I noticed there was a deny list, and sure enough, ports 135 and 445 were listed. I unassigned the win IPsec rule, and mail flow started up again. I checked the 3 other 2003 servers: same rule. Unassigned it, and the mail flow issues were resolved.
Also during the investigation, in the event logs, I found an MSI trying to install when the other admins were logging in. js.mykings.top was the name, and I found this in the registry, scheduled tasks, and startup.
I was tasked with looking into setting up a PKI for an organization. I have not worked with PKI much at all, so I spent an hour or so and put together a quick document. The organization was looking to utilize a PKI to keep mobile devices from connecting to the corporate WLAN.
Click Here brings you to a website
Fill out form and click Update Password
I installed Exchange 2016 in a test environment and used an SSL cert from namecheap.com for securing OWA. Upon loading OWA in Firefox I got the following error:
Firefox will throw this error when it’s using an inferior encryption protocol such as SSL 3.0, TLS 1.0 or TLS 1.1.
I wanted to force the server and clients to use TLS 1.2 for best security. The following article from the Exchange Team Blog goes into more detail and the required changes to get it working. I did have to reboot the Exchange server after making the registry changes; an IIS reset was not enough.
Exchange TLS & SSL Best Practices
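As an added example (not from the original post or the linked article), a PowerShell script that audits the SCHANNEL protocol keys on a Windows server and can explicitly disable everything below TLS 1.2. It assumes the standard SCHANNEL registry layout and covers only those protocol keys, nothing else; the changes require a reboot, as noted above.

```powershell
# Added example: audit which SCHANNEL protocol versions are enabled on this host
# and optionally disable everything below TLS 1.2. Assumes the standard
# SCHANNEL registry layout; a reboot is required for changes to take effect.

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')

function Get-SchannelProtocolState {
    # Returns one object per protocol/side showing its current registry state.
    foreach ($proto in ($legacy + 'TLS 1.2')) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $base $proto) $side
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled                    # $null = OS default applies
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                # Any protocol below TLS 1.2 that is not explicitly disabled is a finding
                Finding           = ($legacy -contains $proto) -and ($enabled -ne 0)
            }
        }
    }
}

function Disable-LegacySchannelProtocols {
    # Explicitly disables SSL 2.0/3.0 and TLS 1.0/1.1 for both server and client roles.
    foreach ($proto in $legacy) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $base $proto) $side
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
# Uncomment to apply from an elevated prompt, then reboot the server:
# Disable-LegacySchannelProtocols
```

Run the audit first and keep its output; after applying and rebooting, a second run should show no rows with Finding set to True.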
I started a new job about 6 months ago. Most passwords were unknown when I arrived and had to be reset. Our security camera system needs the date/time adjusted, but the default username and password is no longer valid and nobody has an admin user, only viewer access.
I can view the 5 or so usernames by physically hooking up to the console of the system, and the password is most likely all numeric, based on the fact that you have to use a remote control to put in your password, and numbers are the default.
The default username and password is ADMIN/1234, so I will be trying to crack the numeric password for the ADMIN user. Fortunately there is a web interface, and it does not lock out after so many failed attempts, or throttle at all.
Downloaded Kali Linux and booted into Live. Extracted the built-in wordlist in /usr/share/wordlists/rockyou.txt.gz:
gzip -d /usr/share/wordlists/rockyou.txt.gz
hydra -l ADMIN -P rockyou.txt http://192.168.1.1:8080
Took less than 2 minutes and I had my password, 7 numeric digits.