Conversation

Notices

1. Embed this notice
   Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 26-Sep-2024 17:18:57 JST Kevin Beaumont

   Telent have suffered a security breach of their managed internet and cyber unit, leading to misuse of the captive portal across UK train stations, NHS hospitals etc.

   They’ve contained their network for now. Thread to track situation.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 26-Sep-2024 17:37:20 JST Kevin Beaumont

     in reply to

     Pulled reference to network being contained as, well, it super isn’t.

     They have everything from Outlook Web App facing the internet to a Cisco AnyConnect box without MFA to Juniper management interfaces to documentation servers etc.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 26-Sep-2024 19:32:21 JST Kevin Beaumont

     in reply to

     The Telent incident is a simple web page defacement. The portal was internet facing on an Amazon EC2 box, which got owned.

     It was changed to far right propaganda.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 26-Sep-2024 20:06:08 JST Kevin Beaumont

     in reply to

     Here’s the Telent portal hack. The web page was public, along with the web server - it was a simple defacement. https://urlscan.io/result/fa1363df-f64b-474c-8223-21ecf310b4b5/

   • Embed this notice
     Fritz Adalis (fritzadalis@infosec.exchange)'s status on Thursday, 26-Sep-2024 20:44:19 JST Fritz Adalis

     in reply to

     @GossiTheDog
     Who's still using Telent when OpenSHS is free?

   • Embed this notice
     Fritz Adalis (fritzadalis@infosec.exchange)'s status on Thursday, 26-Sep-2024 21:06:46 JST Fritz Adalis

     @GossiTheDog
     Sorry, just making a joke at the expense of Telent because it sounds like Telnet. I shouldn't post while undercaffeinated.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 26-Sep-2024 23:25:54 JST Kevin Beaumont

     in reply to

     Telent have issued a statement saying somebody changed the captive portal page (just a website) using a legitimate administrator account, and police are investigating. I’m going to guess staff or former staff member.

     https://www.bbc.co.uk/news/articles/cr75znv47xpo

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 26-Sep-2024 23:29:26 JST Kevin Beaumont

     in reply to

     • Graham Cluley

     How the media in the UK have been covering this, fuelled by cyber vendor outreach to media.

     For the record it never impacted departure boards.

     Here’s one of the press pitches somebody tried sending me: "UK train stations hit by 'Nightsleeper' cyber attack as chilling terror threat issued"

     HT @gcluley

     Ryan Castellucci :nonbinary_flag: repeated this.
   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 27-Sep-2024 16:47:19 JST Kevin Beaumont

     in reply to

     The train station WiFi captive portal defacement incident has lead to the arrest of somebody who works at the provider of the service. https://news.stv.tv/scotland/man-arrested-after-wifi-at-scotlands-busiest-train-stations-displays-islamophobic-messages