GossiTheDog

GossiTheDog, 1 year ago

I had forgot how big Capita are. It's like 492304932 different business units. Shodan Safari is like looking into the sun.

It looks like some of the plc centrally use Okta for authentication.. I hope they enabled Number Verification.

GossiTheDog, 1 year ago

The Times just filed a piece saying the #Capita outage is ongoing and hitting "every division" (only one source, not sure I buy it), with staff getting verbal 'round robin' updates. https://www.thetimes.co.uk/article/2a6270b8-cfbd-11ed-9a00-73fd2b90e22e?shareToken=1df09835bc32a38e9b8ae2b0e7556097

GossiTheDog, 1 year ago

The Times reporter is being verbally briefed as #Capita still don't have email (almost 10 hours in).

They're told: 'There appears to be no risk to personal data processed by the business. The outage seems to be is hitting Office365 programmes including Outlook, Excel and Teams rather than client systems...'

GossiTheDog, 1 year ago

Financial Times have a new article up about #Capita, saying two people familiar with the matter say cyber incident cannot be ruled out.

Curiously all the media articles about it this evening talk about the IT incident in the past tense - but it is still ongoing, it hasn't been resolved.
https://www.ft.com/content/00f9591f-e07a-4339-ba3e-413818602515

GossiTheDog, 1 year ago

#Capita are still working to restore service.

GossiTheDog, 1 year ago

Verbal update from #Capita - they’re still restoring internal service, “there is no evidence that any data has been compromised."

They won’t discuss what is happening.

GossiTheDog, 1 year ago

#Capita has been in contact with people at the NCSC and NCA. Interesting an IT supplier would rather talk about a 3 day ongoing IT incident than mention the cyber word.

GossiTheDog, 1 year ago

Latest statement from #Capita - 3 days in they have restored their Office 365 access, and are now trying to restore their customer’s services. “Working in collaboration with our specialist technical partners, we have restored Capita colleague access to Microsoft Office 365 and we are making good progress restoring remaining client services in a secure and controlled manner.”

GossiTheDog, 1 year ago

I had a quick look at the Defender/WSL (Windows Subsystem for Linux) thing at lunch.

It's pretty comical, it looks like the WSL team have unfortunately undercut Defender. E.g. you don't even need to port a backdoor to Linux to maintain access on isolation -- you can just run a Windows trojan in Wine (works in WSL) & the network traffic isn't inspected, logged in Advanced Hunting Query or blocked on isolation. Also WSL can access any local or network files. And it ships built into Windows OS.

GossiTheDog, 1 year ago

#DISH #outage - everything in dishnetwork.com doesn’t exist DNS wise. They have the name servers pointed at ns-01.dish.com, ns-02.dish.com which also don’t exist.

GossiTheDog, 1 year ago

The evidence with #DISH points less towards ransomware and more towards this.

GossiTheDog, 1 year ago

I’ve been looking at the #DISH #outage situation some more. Based on network boundary, domain name changes and various other artefacts, it appears they may have experienced a destructive attack. Even their business services are MIA. They have a series of sites hosted directly by Wordpress.com, and even those have been deleted.

GossiTheDog, 1 year ago

I would highly recommend Okta customers enable Number Challenge via Okta support on their accounts (similar to Number Matching in Azure MFA, see also LAPSUS$, NewGen, WorstGen, SS etc attacks). https://support.okta.com/help/s/article/Number-Challenge-for-Okta-Verify?language=en_US

GossiTheDog, 1 year ago

The #DISH situation looks bad. They haven’t recovered services 5 days later, and haven’t provided any transparency at all around what has happened. Their share price dropped 8% yesterday.

GossiTheDog, 1 year ago (edited 1 year ago)

The #DiSH “internal system outage”, as they described to shareholders on results day, turns out to be due to a #ransomware attack they’re still recovering from, with data exfiltrated. We only know as they were legally required to disclose to regulators.

https://techcrunch.com/2023/02/28/dish-cyberattack-personal-data-theft/

GossiTheDog, 1 year ago

#DISH are still trying to recover from their ransomware/destruction incident. Their share price has not recovered either.

image/jpeg

GossiTheDog, 1 year ago

#DISH did have a webpage up about their “system issues” (read: NotLapsus style destructive attack), but now it has basically replaced its front page banner with ‘we fucked, yo’. Nightmare fuel incident clearly, most of their boundary systems appear to still to be missing.