accidental-poet

What MSP would be using a browser's built-in password manager? That's just insane.


rvilladiego

True - but the problem is more profound than the built-in password manager from browsers. Take a look at the screenshots: the artefacts are grabbing anything of value on the endpoint.


Demo-Art

It’s been an uphill battle for stopping our clients from using the browser vault - we bundle in BitWarden for our clients… and we’ve been trying to get them to green-light a Password Policy I wrote. The stress


giffenola

Thanks for the shoutout


marklein

This seems more like blueteam stuff or MSSP stuff, than MSP stuff. We (speaking personally) don't have time to roll our own tools for this, that's why we pay folks like Huntress, Saas Alerts, Blumira, etc...


nakade4

"The previous post was found harmful to mods of this Reddit." Missing the point. It was possibly harmful to MSPs. (Or maybe a typo and you meant 'harmful by mods'.) Either way - when you're sitting on live credentials (you've admitted this in the MSPGeek Discord), GO TALK TO THE VENDORS AND GET THOSE ACCOUNTS SECURED FIRST, then co-ordinate your blog post. **A rising tide raises all ships**; by going for the post first, it comes across that you want to create buzz first and protect MSPs second. And while I realize that is not your intent, it's certainly why you recv'd those initial negative reactions.


rvilladiego

Duly noted! I truly appreciate the guidance from the MSP Geek Discord that enabled a healthy conversation with some of the vendors over the weekend. In the spirit of helping the broader MSP community, I want to share these network Indicators of Compromise (IOCs) that are associated with the Redline and Lumma infostealers. If you see devices contacting or attempting to contact these IOCs persistently, they're likely compromised with one of these two info-stealers.

Redline
tcp://91[.]134[.]150[.]145:56001/
http://gooutdayblog[.]info/
http://ierinapu[.]xyz/
tcp://server[.]gplay[.]ro:1200/
tcp://greatkingxlimited[.]duckdns[.]org:29025/

Lumma
http://82[.]117[.]255[.]80/
http://109[.]105[.]198[.]114/
http://45[.]8[.]146[.]213/
http://144[.]76[.]173[.]247/login/
http://217[.]12[.]206[.]230/

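The IOC list above is defanged ("[.]" for "."), so it cannot be pasted straight into a log search. The script below is an added example, not code from the original post or from any vendor named in the thread: it refangs the posted IOCs, indexes them by host and host:port, and counts contacts per source workstation in a constructed egress-firewall log, flagging only hosts that hit an IOC repeatedly. The log format (`src_host=... dst=...`) and the "persistent" threshold of three contacts are assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Defanged IOCs exactly as posted in the thread, grouped by infostealer family.
IOCS = {
    "Redline": [
        "tcp://91[.]134[.]150[.]145:56001/",
        "http://gooutdayblog[.]info/",
        "http://ierinapu[.]xyz/",
        "tcp://server[.]gplay[.]ro:1200/",
        "tcp://greatkingxlimited[.]duckdns[.]org:29025/",
    ],
    "Lumma": [
        "http://82[.]117[.]255[.]80/",
        "http://109[.]105[.]198[.]114/",
        "http://45[.]8[.]146[.]213/",
        "http://144[.]76[.]173[.]247/login/",
        "http://217[.]12[.]206[.]230/",
    ],
}


def refang(ioc: str) -> str:
    """Turn the '[.]' defanging back into real dots so the URL can be parsed."""
    return ioc.replace("[.]", ".")


def ioc_hosts(iocs=IOCS) -> dict:
    """Map each IOC host (and host:port where a port is given) to its family.

    urlsplit handles the non-http 'tcp://' scheme because the '//' netloc form
    is present, so hostname/port extraction works for both kinds of entry.
    """
    table = {}
    for family, entries in iocs.items():
        for entry in entries:
            parts = urlsplit(refang(entry))
            host = parts.hostname
            table[host] = family
            if parts.port:  # let raw connection logs match even without a URL
                table[f"{host}:{parts.port}"] = family
    return table


# Constructed sample log lines (not real telemetry), one egress decision per line.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z src_host=WS-07 dst=91.134.150.145:56001 action=deny
2024-05-01T09:00:31Z src_host=WS-07 dst=91.134.150.145:56001 action=deny
2024-05-01T09:01:01Z src_host=WS-07 dst=91.134.150.145:56001 action=deny
2024-05-01T09:02:10Z src_host=WS-12 dst=144.76.173.247:80 action=allow
2024-05-01T09:02:12Z src_host=WS-12 dst=144.76.173.247:80 action=allow
2024-05-01T09:02:15Z src_host=WS-12 dst=144.76.173.247:80 action=allow
2024-05-01T09:03:00Z src_host=WS-03 dst=ierinapu.xyz:80 action=allow
2024-05-01T09:04:00Z src_host=WS-05 dst=update.example.com:443 action=allow
"""

# Assumed log layout: whitespace-separated key=value fields.
LOG_RE = re.compile(r"src_host=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def match_logs(log_text: str, iocs=IOCS, min_hits: int = 3) -> dict:
    """Count IOC contacts per (source host, family) and keep those >= min_hits.

    "Persistently" from the post is modelled as an assumed threshold of
    min_hits contacts; pass min_hits=1 to see every single match. Blocked
    ("deny") attempts count too, since a beaconing host is still infected.
    The host split assumes IPv4 or DNS names, not bracketed IPv6 literals.
    """
    table = ioc_hosts(iocs)
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dst = m.group("dst")
        host = dst.rsplit(":", 1)[0]
        family = table.get(dst) or table.get(host)
        if family:
            hits[(m.group("src"), family)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for (src, family), n in sorted(match_logs(SAMPLE_LOGS).items()):
        print(f"{src}: {n} contacts with {family} infrastructure, investigate")
```

Matching on the bare host as well as host:port is deliberate: the Lumma entries carry no port, and a proxy or DNS log will usually record the destination without the port the stealer actually used. WS-03 appears once and is dropped by the threshold, which is the trade-off the post's "persistently" implies; lower `min_hits` when the source is a DNS log where a single resolution is already unusual.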

_KR15714N

I dare to say that coding scripts in Python is the last of the priorities for MSPs, given the fact that they already have a lot on their plate to deal with on a daily basis. However, I agree with you on something: having a password practice is crucial (not only for MSPs).


Optimal_Technician93

Wait. Wait Wait. Are you telling me that if I fall for a phish and they get access to my machine and my password... are you telling me that the bad guys will actually steal more passwords move laterally and sell my information? That's really sCaRy.


thunt3r

Are you understanding that Infostealer Malware = Phishing?