I thought the peek at the tool and how it was wrapped to the point that a moron could hold a system for ransom once they did achieve access was kind of cool. Had not seen the other side of that.

On Mon, Aug 8, 2022 at 9:57 AM <saclug@garymcglinn.com> wrote:
That was a big disappointment for me when I went to a security/black hat
conference 10 years ago in Las Vegas.  All the talks started with the
attacker already knowing so much that yes, they could do almost
anything.  Not a single talk was about how the attacker got themselves
into that position. 

I didn't attend any more of these, figuring it was a waste of time.
But, an unfortunate side effect was that perhaps it gave me a false
sense of security.  I figured the victim had to have done something
'stupid'.

Where can I go to find standard 'textbook' examples of gaining access
(other than brute force) and privilege escalation? I don't care if the
vector has been addressed, but it would be nice if it was through
something commonly run.  Also, it is easy to see how if someone has
access to the host they could mess up the VMs.  But how hard is the
opposite?

-Gary

On Sun, Aug 07, 2022 at 11:06:42AM -0700, Rick Moen wrote:
> Quoting Linus Sphinx (sphinxtar@gmail.com):
>
> > https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers/
>
> There are only two (closely related) questions about "malware" that are
> even remotely interesting, and this Bleepingcomputer article is typical
> in being a bit unclear on, and failing to emphasise, those questions and
> their answers:
>
> 1.  How does the code get executed?
> 2.  How (if this happens) does process privilege then get escalated?
>
> The article's _extremely_ vague about key question #1.  Just an
> "encryptor" gets run.  How and by whom and why?  The article
> has zero to say about that.
>
>   For the Linux version analyzed by ReversingLabs, the encryptor
>   focuses strongly on encrypting VMware ESXi virtual machines, including
>   two command-line arguments that control how the Linux encryptor will
>   encrypt virtual machines.
>
> One gathers that this particular "malware" doesn't bother to escalate to
> system privilege -- or is assumed to have been run as root.
>
> The implication of this rather shoddily written article is that
> GwisinLocker is not an attack vector at all.  It is a post-attack
> tool used by bad guys who have entered and cracked root on your machine
> through other means entirely.
>
> So, the gist of this article is:  _If_ bad guys can find a way to enter
> your machine and crack root authority, _they_ can do bad things with root
> authority.  Here's an article about one of the myriad variety of bad
> things they can then do.
>
> For _that_, we need an _article_?
>
> On the other hand, Ahnlab and ReversingLabs got some free publicity, by
> writing a report that Bill Toulas of Bleepingcomputer copied-and-pasted
> into an alleged IT news article.  Everybody wins, except the reader.
>
> _______________________________________________
> Lug-nuts mailing list -- lug-nuts@bigbrie.com
> To unsubscribe send an email to lug-nuts-leave@bigbrie.com