Kevin Beaumont

@GossiTheDog

Followers
98,794
Following
970
Media
12,728
Statuses
70,785

cybersecurity pleb 🐿 my tweets are severely limited by my lack of understanding of what I am doing.

Joined January 2009
Pinned Tweet
@GossiTheDog
Kevin Beaumont
2 months ago
I realise this was a long read and almost nobody read it, but I do feel like a career in cybersecurity is basically standing on a bridge watching it burn down, which feels like being quite a lonely voice. The situation is not sustainable.
Tweet media one
53
320
953
Kevin Beaumont Retweeted
@HaifeiLi
Haifei Li
an hour ago
Yeah, you may do A LOT of "weird things" on Office with the gifts from COM/OLE/ActiveX! My BH2015 talk explored this a bit. :-)
@wdormann
Will Dormann
2 hours ago
@HaifeiLi @GossiTheDog @EXPMON_ It seems that COM objects that present a propertybag all seem to be safe for initialization with persistent data. However the ability for Word to use whatever CLSID it wants still doesn't sit well with me. e.g. If you opened a doc and Windows said disk full, would you believe it?
1
4
18
@GossiTheDog
Kevin Beaumont
an hour ago
I had to Google this first to check it wasn’t fake.
@therealcliffyb
Cliff Bleszinski
an hour ago
Uh so graphics have come a looooong way since I was a kid. Damn.
9
1
30
@GossiTheDog
Kevin Beaumont
an hour ago
@ffforward
TheAnalyst
an hour ago
Today I got both #SquirrelWaffle and #Qakbot from the same TR distro (payload URL). Downloads at as usual. #qbot config: #SquirrelWaffle config: 👏 @hatching_io
Tweet media one
Tweet media two
Tweet media three
0
1
10
Kevin Beaumont Retweeted
@Andrew___Morris
Andrew Morris
2 hours ago
👀
Tweet media one
Tweet media two
Tweet media three
Tweet media four
10
32
159
Kevin Beaumont Retweeted
@TheDFIRReport
The DFIR Report
6 hours ago
#Qbot (#Qakbot) still dumping emails (and then deleting the dump from disk): ParentCommandLine: C:\Windows\system32\ping.exe -t 127.0.0.1 CommandLine: cmd.exe /c rmdir /S /Q "C:\Users\REDACTED\EmailStorage_REDACTED-REDACTED_REDACTED" msra.exe->ping.exe->cmd.exe
@TheDFIRReport
The DFIR Report
6 hours ago
#Qbot (#Qakbot) process tree: regsvr32.exe->msra.exe⬇️ (We've also seen regsvr32.exe->explorer.exe⬇️ recently) schtasks.exe whoami.exe cmd.exe arp.exe ipconfig.exe net.exe route.exe netstat.exe
Tweet media one
0
16
34
@GossiTheDog
Kevin Beaumont
3 hours ago
One more, that also removes the need for users to have admin rights.
0
0
4
Kevin Beaumont Retweeted
@dreadphones
Emily Hacker
4 hours ago
Investigated the recent ZLoader campaign delivered from malicious ads. If you want to hunt for this in your own environment, I wrote some hunting queries at .
@MsftSecIntel
Microsoft Security Intelligence
4 hours ago
While analyzing ZLoader campaigns in early September, we observed a notable shift in delivery method: from the traditional email campaigns to the abuse of online ad platforms. Attackers purchased ads pointing to websites that host malware posing as legitimate installers.
Tweet media one
2
6
30
Kevin Beaumont Retweeted
@CryptoWhale
Mr. Whale
18 hours ago
BREAKING: #Bitcoin foundation website has been hacked, with a “double your money” scam now appearing on the front page.
Tweet media one
216
463
1K
@GossiTheDog
Kevin Beaumont
4 hours ago
Lmao BlackMatter fixed it by adding multi factor authentication. If you’re reading this is too strong, the average victim isn’t going to know this detail, especially when they can’t log in.
@ddd1ms
𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘
5 hours ago
#BlackMatter implemented additional verification steps to access the victims' landing 👀 I thought it was time to rebrand again
Tweet media one
2
0
21
Kevin Beaumont Retweeted
@TeenageStepdad
Teenage Stepdad
a day ago
Tweet media one
91
4K
23K
@GossiTheDog
Kevin Beaumont
6 hours ago
oh dear lord don't send boris abroad
@mikegalsworthy
Dr Mike Galsworthy
11 hours ago
Stop. Just… stop. 🤦‍♂️ #KermitTheFrog
3
0
12
@GossiTheDog
Kevin Beaumont
7 hours ago
With that one above, you can use things other than RAR - e.g. do an RTF file and stick the WSF (Windows Scripting Host file) code at the end. WSF will open any file type and run it, which negates the need for an untrusted ActiveX control.
2
7
16
@GossiTheDog
Kevin Beaumont
7 hours ago
How to abuse CVE-2021-40444 without a new ActiveX control - defeats the original MS workaround. Video:
@wirehack7
𝖒𝖆𝖗𝖐𝖚𝖘
8 hours ago
Using chimera technique to abuse #CVE-2021-40444. File path with ?.wsf as suffix and manipulated RAR archive: #mirosoft #security #CVE202140444 #exploit
2
9
27
Kevin Beaumont Retweeted
@NSACyber
NSA Cyber
a day ago
Protect against the #Conti #ransomware threat using the #cybersecurity guidance from @CISAgov, @FBI and NSA. Understand Conti group TTPs and take immediate action:
Tweet media one
11
143
274
@GossiTheDog
Kevin Beaumont
8 hours ago
Here is the Autodiscover issue 5 years ago, which Microsoft now claim they were unaware of. It was reported many, many times and has been through the SSIRP process before, too. Fix the problem for customers instead of failing them and blaming others.
Tweet media one
2
9
30
@GossiTheDog
Kevin Beaumont
8 hours ago
This is why Microsoft's response is completely unacceptable - LinkedIn is full of this crap. The press need to properly investigate Microsoft's responses to security issues, to check they aren't deliberately misleading.
@lancewmccarthy
🇱​​​​​🇦​​​​​🇳​​​​​🇨​​​​​🇪​​​​​ ツ 👨‍💻
9 hours ago
@Guardicore publishing Amit's article without using responsible disclosure caused you to lose credibility as a legitimate security research institution. I'd pull your marketing team's publish rights, only post after C level or Director approval.
1
2
34
@GossiTheDog
Kevin Beaumont
8 hours ago
It also reliably drops a shell every time. Haven't checked if it's on Github. People have toys.
0
0
12