Microsoft fixes Remote Desktop freezes caused by Windows updates
Apr. 23rd, 2025 03:59 am
So this came out of Los Angeles on Monday:
Los Angeles Mayor Karen Bass released a proposed budget on Monday that would eliminate a nearly $1 billion financial gap by cutting more than 2,700 city positions — about 1,650 of them through layoffs.…
The $14 billion spending plan, which covers the 2025-26 fiscal year, would provide funding for scores of new hires at the fire department, three months after the Palisades fire destroyed thousands of homes and killed 12 people.…
At the Los Angeles Police Department, more than 400 workers would be targeted for layoffs, all of them civilians, according to figures prepared by city budget officials. The number of police officers would continue on its gradual downward trajectory, with new hires failing to keep pace with attrition.
Usually, Chicago steals ideas from New York and implements them here (badly).
Conehead, however, is looking at the Los Angeles model:
With a $1.12 billion budget shortfall and $3 billion more in federal funds on the chopping block, Mayor Brandon Johnson on Monday cracked the door open to the prospect of layoffs and service cuts that he has previously ruled out.
“We will have to deal with the realities of the billions of dollars that are being threatened by the federal government. That’s a different scenario than we were under before,” Johnson said as he signed an executive order establishing a working group to advise him on ways to confront the city’s fiscal challenges.
“But I am confident that the collective groups of the city of Chicago will stand firm in our values to ensure that we are investing in people — but we also have to make serious considerations based upon the Trump takeover,” he said.
Maybe he should look at some cost cutting before layoffs?
Hiring isn't keeping up with attrition in any department and maintenance is non-existent - look at the fire apparatus that isn't working and may actually be out of compliance with national standards.
There's plenty of room for cuts before layoffs.
A recruit with dope....
....and this?
Seriously?
And what's this rumor out of 018 about an officer becoming a Jehovah's Witness and claiming she can't carry a gun any more? That's part of the job you applied for, and if you cannot meet that qualification then you need to resign or be separated.
The Department has separated tens of dozens of others who couldn't carry weapons due to medical conditions or legal issues. Allowing someone this "work-around" would open up an entire can of worms.
Spring is here and the geese are headed back north.
And so are some other critters:
SCC,
That bedbug infestation that the Department can't seem to get rid of? The bugs have made it to the 4th floor now. It's only a matter of time before they're up on 5.
This has been going on for how many years now?
The Slum Times will cover this one for some odd reason:
William Frederick Reed of Hazel Crest was charged Monday with providing false statements to the federal Small Business Administration, bankruptcy fraud, concealment or destruction of bankruptcy records, failure to file a tax return and perjury on tax returns.
PPP was a federal loan program implemented by the SBA to provide financial relief to small businesses and nonprofits during the COVID-19 pandemic.
But they won't look into the dozens of teachers, high ranking CPD exempts, or many dozens of government officials.
In the last week I ran into some issues that I hadn't anticipated:
First, an IP address changing for a residential network is not uncommon. Some ISPs regularly change IP addresses for homes, and for most people using their connection for standard usage it's not a problem. However, it can be challenging when this IP address is used to grant special network access to resources. In my case, the local iptables firewall for my honeypots had a rule to allow access from specific IP addresses, including the public IP address for my home. Once the IP address changed, I no longer had SSH access to my honeypot over port 12222, and someone else could try to connect if they had my previous IP address, even though they'd need my private SSH key. I thought that I had planned well, giving myself multiple networks I could access my honeypots from. It turns out that I made some mistakes when reusing iptables configurations from different honeypots.
Figure 1: Reusing iptables rules in '/etc/network/iptables' is problematic when interfaces are different between honeypots.
The interface names were different for the primary network connection. The primary interface is often eth0, but this is not always the case. A couple of my honeypots had different interface names, which means that the rules I had created for remote access from other networks didn't function as expected.
Outside of statically assigning these in the /etc/network/iptables file, another way would be to leverage scripting to update this value on a regular basis, using interface data from the honeypot.
# script adds IP addresses that can connect to TCP 12222 for remote admin
# isc.sans.edu first resolved IP
# 172.16.0.0/12
# 192.168.0.0/16
# 10.0.0.0/8
# specify domain of home domain name
domain="isc.sans.edu"
# delete any rule specifying destination port 12222
sed -i "/\b\(dport 12222\)\b/d" /etc/network/iptables
# get primary interface to the internet
interface=$(ip route get 1.1.1.1 | grep -Po '(?<=dev\s)\w+' | cut -f1 -d ' ')
# get remote IP address of my home domain
# only use first result
remoteip=$(host $domain | grep "has address" | cut -d " " -f 4 | head -1)
# enter firewall rule in /etc/network/iptables
# add rule after line 'START: allow access to admin ports for local IPs'
# double quotes used to expand variables while preserving whitespace
sed -i "/START: allow access to admin ports for local IPs/a -A INPUT -i $interface \
-s $remoteip -p tcp --dport 12222 -j ACCEPT" /etc/network/iptables
# add any other ip addresses you may want
# enter firewall rule in /etc/network/iptables
# add rule after line 'START: allow access to admin ports for local IPs'
# double quotes used to expand variables while preserving whitespace
sed -i "/START: allow access to admin ports for local IPs/a -A INPUT -i $interface \
-s 172.16.0.0/12 -p tcp --dport 12222 -j ACCEPT" /etc/network/iptables
# add any other ip addresses you may want
# enter firewall rule in /etc/network/iptables
# add rule after line 'START: allow access to admin ports for local IPs'
# double quotes used to expand variables while preserving whitespace
sed -i "/START: allow access to admin ports for local IPs/a -A INPUT -i $interface \
-s 192.168.0.0/16 -p tcp --dport 12222 -j ACCEPT" /etc/network/iptables
# add any other ip addresses you may want
# enter firewall rule in /etc/network/iptables
# add rule after line 'START: allow access to admin ports for local IPs'
# double quotes used to expand variables while preserving whitespace
sed -i "/START: allow access to admin ports for local IPs/a -A INPUT -i $interface \
-s 10.0.0.0/8 -p tcp --dport 12222 -j ACCEPT" /etc/network/iptables
Figure 2: Scripted update of iptables rules for honeypot.
This can be rewritten with variables to make updating easier. In addition, loops save some space and also handle DNS names that return multiple IP addresses.
# specify file name to modify
file="/etc/network/iptables"
# specify domain of home domain name
domain="isc.sans.edu"
# delete any rule specifying destination port 12222
sed -i "/\b\(dport 12222\)\b/d" $file
# specify ip addresses to allow for admin access
# space delimited
custom_ips="213.233.1.23 43.212.322.32 324.23.2.12"
private_ips="172.16.0.0/12 192.168.0.0/16 10.0.0.0/8"
# get primary interface to the internet
interface=$(ip route get 1.1.1.1 | grep -Po '(?<=dev\s)\w+' | cut -f1 -d ' ')
# get remote IP address(es) of my home domain
remoteips=$(host $domain | grep "has address" | cut -d " " -f 4)
# add rule after line 'START: allow access to admin ports for local IPs'
# double quotes used to expand variables while preserving whitespace
for item in $remoteips; do
sed -i "/START: allow access to admin ports for local IPs/a -A INPUT -i $interface \
-s $item -p tcp --dport 12222 -j ACCEPT" $file
done
# add any other ip addresses you may want
# add rule after line 'START: allow access to admin ports for local IPs'
# double quotes used to expand variables while preserving whitespace
for item in $custom_ips; do
sed -i "/START: allow access to admin ports for local IPs/a -A INPUT -i $interface \
-s $item -p tcp --dport 12222 -j ACCEPT" $file
done
# add any other ip addresses you may want
# add rule after line 'START: allow access to admin ports for local IPs'
# double quotes used to expand variables while preserving whitespace
for item in $private_ips; do
sed -i "/START: allow access to admin ports for local IPs/a -A INPUT -i $interface \
-s $item -p tcp --dport 12222 -j ACCEPT" $file
done
Figure 3: Firewall rules entered through new script.
This works well for me since I'm using a Dynamic DNS service through AWS [2] on my pfSense [3] firewall. When my home IP address changes, the A record for my domain gets updated. That DNS entry is used to retrieve my new IP address, and the /etc/network/iptables files get updated. It takes about a day before I regain access to my honeypot. Why a day? The /etc/network/iptables file is only processed on boot, and the honeypot automatically reboots once per day.
Figure 4: Example configuration from pfsense router for Dynamic DNS.
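As an added example (not code from the diary), the same rule regeneration written in Python, which adds the checks the sed one-liners skip: it refuses to edit the file when the marker line is missing (sed would silently add nothing), it validates every source as an IPv4 host or CIDR before writing (a mistyped placeholder such as 43.212.322.32 would otherwise make the whole rules file fail to load at the next boot, locking you out), and it produces the same file whether it runs once or many times. The marker text, port and file path are taken from the diary; SAMPLE_RULES and the interface and address values in it are constructed for the self-test.

```python
import ipaddress
import re
import shutil
import socket
import subprocess
from pathlib import Path

# Values from the diary above; the marker line must already exist in the rules file.
RULES_FILE = "/etc/network/iptables"
MARKER = "START: allow access to admin ports for local IPs"
ADMIN_PORT = 12222
PRIVATE_NETS = ["172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8"]

# Constructed sample of an iptables-save style file, used by the self-test.
SAMPLE_RULES = """*filter
:INPUT DROP [0:0]
# START: allow access to admin ports for local IPs
-A INPUT -i eth0 -s 203.0.113.7 -p tcp --dport 12222 -j ACCEPT
-A INPUT -p tcp --dport 2222 -j ACCEPT
COMMIT
"""


def primary_interface(probe="1.1.1.1"):
    """Interface used to reach `probe`, read from `ip route get` (Linux only)."""
    out = subprocess.run(["ip", "route", "get", probe],
                         capture_output=True, text=True, check=True).stdout
    match = re.search(r"\bdev\s+(\S+)", out)
    if not match:
        raise RuntimeError(f"could not find an interface in: {out!r}")
    return match.group(1)


def resolve_ipv4(name):
    """All IPv4 addresses for a DNS name, sorted; empty list if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def normalize_source(source):
    """Validate a source as an IPv4 host or CIDR; raise ValueError on anything else."""
    net = ipaddress.ip_network(source, strict=False)
    if net.version != 4:
        raise ValueError(f"{source!r} is not IPv4")
    # Keep bare host addresses without a /32 suffix, matching the diary's rules.
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def rewrite_rules(text, interface, sources, port=ADMIN_PORT, marker=MARKER):
    """Return the rules file with exactly one ACCEPT rule per source after the marker.

    Every existing rule that mentions the admin port is dropped first, so the
    result is identical whether the function runs once or repeatedly.
    """
    kept = [line for line in text.splitlines()
            if not re.search(rf"\bdport {port}\b", line)]
    marker_index = next((i for i, line in enumerate(kept) if marker in line), None)
    if marker_index is None:
        raise ValueError(f"marker {marker!r} not found; refusing to edit the file")
    # dict.fromkeys keeps insertion order while removing duplicate sources.
    unique = dict.fromkeys(normalize_source(s) for s in sources)
    rules = [f"-A INPUT -i {interface} -s {src} -p tcp --dport {port} -j ACCEPT"
             for src in unique]
    return "\n".join(kept[:marker_index + 1] + rules + kept[marker_index + 1:]) + "\n"


def update_rules_file(path, interface, sources):
    """Back up the rules file, then rewrite it in place."""
    rules_path = Path(path)
    shutil.copy2(rules_path, rules_path.with_name(rules_path.name + ".bak"))
    rules_path.write_text(rewrite_rules(rules_path.read_text(), interface, sources))


if __name__ == "__main__":
    home = "isc.sans.edu"  # the diary's example name; use your own dynamic DNS name
    home_ips = resolve_ipv4(home)
    if not home_ips:
        print(f"warning: {home} did not resolve; only the private ranges will be allowed")
    update_rules_file(RULES_FILE, primary_interface(), home_ips + PRIVATE_NETS)
```

Because the rewrite is idempotent, the script can run from cron every few minutes instead of waiting for the daily reboot; the rules still only take effect when the file is loaded, so follow it with whatever loads /etc/network/iptables on your honeypot (for example iptables-restore).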
Now, there's a workaround in place for my infrequent IP address changes. Now onto my Zeek logging issues.
After rebuilding my DShield-SIEM ELK instance at home, I noticed I wasn't receiving Zeek logs in my dashboards. While troubleshooting, I learned how to use some helpful troubleshooting tools within Elastic, particularly Dev Tools [4].
Figure 5: Dev Tools link highlighted in Management area of Elastic.
Troubleshooting steps given in many guides reference commands that can be run against Elasticsearch APIs. This can be done using other tools like curl, but the Console was much easier. I ended up going through a lot of troubleshooting since I had some errors about "missing replica shards". The console was easy to use and I was able to resolve the health issue, but that ended up not being my problem.
The version of filebeat [5] on my honeypot (8.15.1) was not the same as on my ELK instance (8.17.3).
filebeat version
filebeat version 8.15.1 (amd64), libbeat 8.15.1 [88cc526a2d3e52dcbfa52c9dd25eb09ed95470e4 built 2024-09-02 08:36:21 +0000 UTC]
Figure 6: Version 8.17.3 of filebeat pipelines shown for Zeek.
The easiest option here was to update my honeypot filebeat version to the same version of the pipelines.
# install version 8.17.3 of filebeat
sudo apt-get install filebeat=8.17.3
# hold version at 8.17.3
# automatic updates without updating the pipelines in Elastic would cause ingestion issues
sudo apt-mark hold filebeat
# verify installed version
filebeat version
filebeat version 8.17.3 (amd64), libbeat 8.17.3 [3747d0eb6c26247477dd62ca51535cff8d6338b7 built 2025-02-28 08:55:42 +0000 UTC]
After updates, data started coming in normally.
Figure 7: DShield-SIEM [1] dashboard of Zeek data.
There is some inconsistency between my honeypot deployments since they were all deployed at different times and may have different versions of software, such as filebeat. Upgrades to the DShield-SIEM may require updates to honeypots that are forwarding logs, although I only had issues with Zeek logs. The main honeypot logs were forwarded without any issue despite the mismatched filebeat versions.
[1] https://github.com/bruneaug/DShield-SIEM
[2] https://repost.aws/questions/QUjMLngFHpSuG7oz6pXieUuA/how-route-53-and-other-dns-system-works
[3] https://www.pfsense.org/
[4] https://www.elastic.co/docs/explore-analyze/query-filter/tools/console
[5] https://www.elastic.co/beats/filebeat
--
Jesse La Grew
Handler
Newly released video shows intense moments as Chicago police officers confronted an armed man who had been restraining and physically attacking his girlfriend in Pullman. The nerve-wracking footage shows split-second decision-making by an officer who fatally shot the gunman, 43-year-old Devon Smith, an instant after the woman bolted out the bedroom door.
The post Video shows Chicago cop fatally shooting gunman who held girlfriend captive appeared first on CWB Chicago.
Cybercriminals are abusing Google’s infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials.
This attack was first flagged by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), a blockchain equivalent of the popular internet naming convention known as the Domain Name System (DNS).
Nick received a very official looking security alert about a subpoena allegedly issued to Google by law enforcement for information contained in Nick’s Google account. A URL in the email pointed Nick to a sites.google.com page that looked like an exact copy of the official Google support portal.
As a computer savvy person, Nick spotted that the official site should have been hosted on accounts.google.com and not sites.google.com. The difference is that anyone with a Google account can create a website on sites.google.com. And that is exactly what the cybercriminals did.
Attackers increasingly use Google Sites to host phishing pages because the domain appears trustworthy to most users and can bypass many security filters. One of those filters is DKIM (DomainKeys Identified Mail), an email authentication protocol that allows the sending server to attach a digital signature to an email.
If the target clicked either “Upload additional documents” or “View case”, they were redirected to an exact copy of the Google sign-in page designed to steal their login credentials.
Your Google credentials are coveted prey, because they give access to core Google services like Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Maps, Google Play, and YouTube, but also any third-party apps and services you have chosen to log in with your Google account.
The signs to recognize this scam are the pages hosted at sites.google.com, which should have been support.google.com and accounts.google.com, and the sender address in the email header. Although it was signed by accounts.google.com, it was emailed by another address. If a person had all these accounts compromised in one go, this could easily lead to identity theft.
Analyzing the URL used in the attack on Nick (https://sites.google.com[/]u/17918456/d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/edit), where /u/17918456/ is a user or account identifier and /d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/ identifies the exact page, the /edit part stands out like a sore thumb.
DKIM-signed messages keep the signature during replays as long as the body remains unchanged. So if a malicious actor gets access to a previously legitimate DKIM-signed email, they can resend that exact message at any time, and it will still pass authentication.
So, what the cybercriminals did was:
no-reply@accounts.google.com
Creating the application containing the entire text of the phishing message for its name, and preparing the landing page and fake login site may seem a lot of work. But once the criminals have completed the initial work, the procedure is easy enough to repeat once a page gets reported, which is not easy on sites.google.com.
Nick submitted a bug report to Google about this. Google originally closed the report as ‘Working as Intended,’ but later Google got back to him and said it had reconsidered the matter and it will fix the OAuth bug.
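The checks Nick made by hand, written up as an added Python example (not code from the article or from Google): the DKIM signing domain (d=) is compared with the domain that actually delivered the message (Return-Path), since a replayed signature still verifies but the envelope sender no longer matches the signer, and every link in the body is checked for user-created content on sites.google.com and for the /edit editor suffix. SAMPLE_MESSAGE is a constructed message that reproduces the header pattern described above; only the page URL in it is the one quoted in the article, every other value is made up.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts where real Google account and support pages live, per the article above.
OFFICIAL_HOSTS = {"accounts.google.com", "support.google.com"}
# Anyone with a Google account can publish pages under this host.
USER_CONTENT_HOST = "sites.google.com"

# Constructed sample reproducing the header pattern described above. The DKIM
# tags bh= and b= are placeholders; this example does not verify the signature,
# it only reads who signed it and who sent it.
SAMPLE_MESSAGE = """Return-Path: <bounce@mailer.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=constructed; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Google <no-reply@accounts.google.com>
To: someone@example.org
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A subpoena was issued for your account. View case:
https://sites.google.com/u/17918456/d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/edit
"""


def address_domain(header_value):
    """Domain of the first address in a header value, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def dkim_signing_domain(msg):
    """The d= tag of the first DKIM-Signature header ('' if the message is unsigned)."""
    signature = msg.get("DKIM-Signature", "")
    match = re.search(r"(?:^|;)\s*d=([^;\s]+)", signature)
    return match.group(1).lower() if match else ""


def extract_urls(text):
    """Every http(s) URL in a block of text."""
    return re.findall(r"https?://[^\s<>)\]]+", text)


def check_message(raw):
    """Return the indicators described in the article as a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Replay indicator: the signer's domain and the delivering domain disagree.
    signer = dkim_signing_domain(msg)
    envelope = address_domain(msg.get("Return-Path"))
    if signer and envelope and signer != envelope:
        findings.append(f"signed by {signer} but emailed via {envelope}: "
                        "possible replay of a legitimately signed message")

    # Link indicators: user-created content and the Sites editor view.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in extract_urls(text):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host == USER_CONTENT_HOST:
            expected = " or ".join(sorted(OFFICIAL_HOSTS))
            findings.append(f"link to user-created content on {host}; "
                            f"an official Google page would be on {expected}")
            if parts.path.endswith("/edit"):
                findings.append("link ends in /edit, the Google Sites editor view, "
                                "which a real notice would not use")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_MESSAGE):
        print("-", finding)
```

The Return-Path comparison is deliberately separate from signature verification: a replayed message passes DKIM (and DMARC alignment with the From header) exactly as the article describes, so the useful signal is the delivering domain, which a replay cannot forge.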
As we were looking into a cyberincident in April 2025, we uncovered a rather sophisticated backdoor. It targeted various large organizations in Russia, spanning the government, finance, and industrial sectors. While our investigation into the attack associated with the backdoor is still ongoing, we believe it is crucial to share our preliminary findings with the community. This will enable organizations that may be at risk of infection from the backdoor to take swift action to protect themselves from this threat.
Our investigation revealed that the backdoor targets computers connected to ViPNet networks. ViPNet is a software suite for creating secure networks. We determined that the backdoor was distributed inside LZH archives with a structure typical of updates for the software product in question. These archives contained the following files:
The ViPNet developer confirmed targeted attacks against some of their users and issued security updates and recommendations for customers (page in Russian).
After analyzing the contents of the archive, we found that the action.inf text file contained an action to be executed by the ViPNet update service component (itcsrvup64.exe) when processing the archive:
[ACTION]
action=extra_command
extra_command=lumpdiag.exe --msconfig
As evident from the file content above, when processing extra_command, the update service launches lumpdiag.exe with an --msconfig argument. We mentioned earlier that this is a legitimate file. However, it is susceptible to the path substitution technique. This allows attackers to execute the malicious file msinfo32.exe while lumpdiag.exe is running.
The msinfo32.exe file is a loader that reads the encrypted payload file. The loader processes the contents of the file to load the backdoor into memory. This backdoor is versatile: it can connect to a C2 server via TCP, allowing the attacker to steal files from infected computers and launch additional malicious components, among other things. Kaspersky solutions detect this threat as HEUR:Trojan.Win32.Loader.gen.
The complexity of cyberattacks carried out by APT groups has significantly increased over the years. Attackers can target organizations in highly unusual and unexpected ways. To prevent sophisticated targeted attacks, it is essential to employ multi-layered, defense-in-depth security against cyberthreats. This is the type of security architecture implemented in our Kaspersky NEXT product line, capable of protecting businesses from attacks similar to the one described in this article.
The full list of indicators of compromise is available to subscribers of our Kaspersky Threat Intelligence service.
Hashes of msinfo32.exe
018AD336474B9E54E1BD0E9528CA4DB5
28AC759E6662A4B4BE3E5BA7CFB62204
77DA0829858178CCFC2C0A5313E327C1
A5B31B22E41100EB9D0B9A27B9B2D8EF
E6DB606FA2B7E9D58340DF14F65664B8
Paths to malicious files
%TEMP%\update_tmp*\update\msinfo32.exe
%PROGRAMFILES%\common files\infotecs\update_tmp\driv_*\*\msinfo32.exe
%PROGRAMFILESx86%\InfoTeCS\ViPNet Coordinator\ccc\update_tmp\DRIV_FSA\*\msinfo32.exe
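An added triage example in Python (not Kaspersky's tooling) that turns the indicators above into two checks: it parses an action.inf and reports when the update asks the service to launch an extra_command, and it scans the listed paths for msinfo32.exe, hashing each file and comparing it with the MD5 list above. Assumptions: %PROGRAMFILESx86% in the path list is read as the ProgramFiles(x86) environment variable, which os.path.expandvars does not know; SAMPLE_ACTION_INF is the file content shown above; and an extra_command hit is a review item, since the report does not say that legitimate updates never use it.

```python
import configparser
import glob
import hashlib
import os

# MD5 hashes of msinfo32.exe samples, as listed above (lower-cased for comparison).
KNOWN_MD5 = {
    "018ad336474b9e54e1bd0e9528ca4db5",
    "28ac759e6662a4b4be3e5ba7cfb62204",
    "77da0829858178ccfc2c0a5313e327c1",
    "a5b31b22e41100eb9d0b9a27b9b2d8ef",
    "e6db606fa2b7e9d58340df14f65664b8",
}

# Paths to malicious files, as listed above; '*' is glob syntax.
SUSPECT_PATHS = [
    r"%TEMP%\update_tmp*\update\msinfo32.exe",
    r"%PROGRAMFILES%\common files\infotecs\update_tmp\driv_*\*\msinfo32.exe",
    r"%PROGRAMFILESx86%\InfoTeCS\ViPNet Coordinator\ccc\update_tmp\DRIV_FSA\*\msinfo32.exe",
]

# The action.inf content shown above.
SAMPLE_ACTION_INF = """[ACTION]
action=extra_command
extra_command=lumpdiag.exe --msconfig
"""


def parse_action_inf(text):
    """Return the [ACTION] section of an action.inf as a dict (keys lower-cased)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser["ACTION"]) if parser.has_section("ACTION") else {}


def uses_extra_command(text):
    """True when the update tells the service to launch an external command.

    Heuristic, not proof: review the command and the files shipped next to it.
    """
    action = parse_action_inf(text)
    return action.get("action") == "extra_command" and "extra_command" in action


def expand_pattern(pattern):
    """Expand %VAR% references in a path pattern.

    Assumption: %PROGRAMFILESx86% in the list above means ProgramFiles(x86).
    """
    x86 = os.environ.get("ProgramFiles(x86)", "%PROGRAMFILESx86%")
    return os.path.expandvars(pattern.replace("%PROGRAMFILESx86%", x86))


def md5_file(path):
    """Hex MD5 of a file, read in 1 MiB chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(patterns=SUSPECT_PATHS, known=KNOWN_MD5):
    """Hash every file matching the patterns; mark the ones with a listed hash.

    A file in one of these locations whose hash is not listed is still worth a
    look: the report covers five samples, not every build.
    """
    hits = []
    for pattern in patterns:
        for path in glob.glob(expand_pattern(pattern)):
            if os.path.isfile(path):
                digest = md5_file(path)
                hits.append({"path": path, "md5": digest, "known_sample": digest in known})
    return hits


if __name__ == "__main__":
    for hit in scan():
        label = "KNOWN SAMPLE" if hit["known_sample"] else "unlisted hash, review"
        print(f"{hit['path']}  {hit['md5']}  {label}")
```

Run it on the ViPNet hosts themselves (the paths are relative to each machine's environment variables); for fleet-wide coverage, feed the same hash list and path globs to your EDR's file search instead.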
A 19-year-old father has been jailed on allegations that he kidnapped his two-month-old baby and tossed her over a fence in Edgewater.
The post Father kidnapped his own 2-month-old, tossed her over a fence during getaway attempt: prosecutors appeared first on CWB Chicago.
Chicago police are conducting a death investigation after a newborn baby was found inside a freezer in Back of the Yards. Official information released by CPD conflicts with details provided by the medical examiner's office and a law enforcement source.
The post Baby found dead inside freezer in Back of the Yards appeared first on CWB Chicago.