Academy of Public Administration (Belarus) - Revision history

Amongomous at 01:53, 26 January 2022

2022-01-26T01:53:05Z

← Older revision		Revision as of 01:53, 26 January 2022
Line 5:		Line 5:
	== Explanation of the Hack ==		== Explanation of the Hack ==

	According to an incident report leaked by the hackers themselves during the second hack, they gained initial access using the CVE-2019-0708 BlueKeep exploit on an unpatched Windows 2008 server that had RDP exposed to the internet ~~(on a non-standard port~~.) They proceeded to dump local user credentials using [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/87be30d3b286677d878f98b7f49b81844fb7f474/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md mimikatz], tunneled out using [https://github.com/jpillora/chisel chisel] and [https://github.com/3proxy/3proxy 3proxy] to use RDP and [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/1a3058f40c145a7c97fc71444cf3f1f38e3b4614/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md#psexecpy--smbexecpy--wmiexecpy psexec.py] for lateral movement on the internal network until landing on and taking over the domain controller. They then deleted data from both live and backup systems.		According to an incident report leaked by the hackers themselves during the second hack, they gained initial access using the CVE-2019-0708 BlueKeep exploit on an unpatched Windows 2008 server that had RDP exposed to the internet. They proceeded to dump local user credentials using [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/87be30d3b286677d878f98b7f49b81844fb7f474/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md mimikatz], tunneled out using [https://github.com/jpillora/chisel chisel] and [https://github.com/3proxy/3proxy 3proxy] to use RDP and [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/1a3058f40c145a7c97fc71444cf3f1f38e3b4614/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md#psexecpy--smbexecpy--wmiexecpy psexec.py] for lateral movement on the internal network until landing on and taking over the domain controller. They then deleted data from both live and backup systems.

	https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html		https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html

	[[Category:Hacks]]		[[Category:Hacks]]

Amongomous: /* Explanation of the Hack */

2022-01-26T01:51:31Z

Explanation of the Hack

← Older revision		Revision as of 01:51, 26 January 2022
Line 5:		Line 5:
	== Explanation of the Hack ==		== Explanation of the Hack ==

	According to an incident report leaked by the hackers themselves during the second hack, they gained initial access using the CVE-2019-0708 BlueKeep exploit in an unpatched Windows 2008 server that had ~~its~~ RDP ~~port~~ exposed to the internet. They proceeded to dump local user credentials using [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/87be30d3b286677d878f98b7f49b81844fb7f474/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md~~#mimikatz---mini-dump~~ mimikatz], tunneled out using [https://github.com/jpillora/chisel chisel] and [https://github.com/3proxy/3proxy 3proxy] to use RDP and [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/1a3058f40c145a7c97fc71444cf3f1f38e3b4614/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md#psexecpy--smbexecpy--wmiexecpy psexec.py] for lateral movement on the internal network until landing on and taking over the domain controller. They then deleted data from both live and backup systems.		According to an incident report leaked by the hackers themselves during the second hack, they gained initial access using the CVE-2019-0708 BlueKeep exploit on an unpatched Windows 2008 server that had RDP exposed to the internet (on a non-standard port.) They proceeded to dump local user credentials using [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/87be30d3b286677d878f98b7f49b81844fb7f474/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md mimikatz], tunneled out using [https://github.com/jpillora/chisel chisel] and [https://github.com/3proxy/3proxy 3proxy] to use RDP and [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/1a3058f40c145a7c97fc71444cf3f1f38e3b4614/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md#psexecpy--smbexecpy--wmiexecpy psexec.py] for lateral movement on the internal network until landing on and taking over the domain controller. They then deleted data from both live and backup systems.

	https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html		https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html

	[[Category:Hacks]]		[[Category:Hacks]]

Amongomous: Created page with "Two hacks wiping and encrypting the internal network of the Academy of Public Administration in Belarus, by Cyber Partisans. * Video of the second hack: https://www.youtube.com/watch?v=8l4etG0YKKQ == Explanation of the Hack == According to an incident report leaked by the hackers themselves during the second hack, they gained initial access using the CVE-2019-0708 BlueKeep exploit in an unpatched Windows 2008 server that had its RDP port exposed to the internet. T..."

2022-01-26T00:37:00Z

Created page with "Two hacks wiping and encrypting the internal network of the Academy of Public Administration in Belarus, by Cyber Partisans. * Video of the second hack: https://www.youtube.com/watch?v=8l4etG0YKKQ == Explanation of the Hack == According to an incident report leaked by the hackers themselves during the second hack, they gained initial access using the CVE-2019-0708 BlueKeep exploit in an unpatched Windows 2008 server that had its RDP port exposed to the internet. T..."

New page

Two hacks wiping and encrypting the internal network of the Academy of Public Administration in Belarus, by [[Cyber Partisans]].

* Video of the second hack: https://www.youtube.com/watch?v=8l4etG0YKKQ

== Explanation of the Hack ==

According to an incident report leaked by the hackers themselves during the second hack, they gained initial access using the CVE-2019-0708 BlueKeep exploit in an unpatched Windows 2008 server that had its RDP port exposed to the internet. They proceeded to dump local user credentials using [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/87be30d3b286677d878f98b7f49b81844fb7f474/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md#mimikatz---mini-dump mimikatz], tunneled out using [https://github.com/jpillora/chisel chisel] and [https://github.com/3proxy/3proxy 3proxy] to use RDP and [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/1a3058f40c145a7c97fc71444cf3f1f38e3b4614/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md#psexecpy--smbexecpy--wmiexecpy psexec.py] for lateral movement on the internal network until landing on and taking over the domain controller. They then deleted data from both live and backup systems.

https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html

[[Category:Hacks]]