Psychz mail system seems to be hacked.... - Page 2

Comments

  • serv_ee Member

    @deank said:
    A provider admits a possible fault. Thus, eliminating the need of responsibility from his customers.

    Then, LE user argues back, stating that users should bear some responsibility.

    Cannot please everyone.

    To be fair, it is Psychz's responsibility that these kinds of emails shouldn't go out.

    And it is the end user's responsibility not to open every attachment in every single email sent, no matter how "legit" it looks.

    Just how I see things, don't think different opinions are now bad.

  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    @deank said:
    A provider admits a possible fault. Thus, eliminating the need of responsibility from his customers.

    Then, LE user argues back, stating that users should bear some responsibility.

    Cannot please everyone.

    There are no coincidences. I called out a bad support reply from a provider who had a compromise and someone tried to turn it on to me soon after. Events like that are noteworthy when observing motives for behavior and connections between anonymous users.

    If you can't control the narrative, attack the person sharing useful information. Maybe Psychz bought @alexvolk some red bull.

    This post was my attempt at a drama parody today. Thanks, I'm here all night.

  • deank Member, Troll

    Let's all agree on a simple universal fact that JarLard is stupid.

    Thanked by 2: jar, desperand
  • We've sent an email alerting everyone not to open attachments. If your windows systems were up to date the CVE should effectively render the exploit useless.

    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882

    Thanked by 2: jar, Brend4n
  • seriesn Member

    @WilliamProfuse said:
    Hi All -

    We're still investigating the situation and will know more about the extent of the damage once we conduct a full investigation with our vendors.

    At the moment we can see that what is compromised is whatever the entry-level tech had access to. Essentially his workstation was compromised with a virus, thus giving the hacker access to our portal system. They then used his personal email account to send emails out to those seen above.

    This is one of the challenges with the pandemic when techs are working from home instead of the office. Policies were in place to prevent this, such as running Ubuntu or a self-wiping system when working on a Windows system. Unfortunately that was not followed, thus we need to re-visit the policies internally for all employees.

    From what we can see so far, 5% of our clients were emailed the email seen above. Right now we have shut down his workstation and are doing full forensics on his machine.

    We're sending emails to those that were sent an email to ensure they did not open the attachment.

    In terms of billing information being compromised, that is highly unlikely.

    1. Our database server is locked down and shows no evidence of entry or downloads.
    2. Server credentials are required to be changed at the first provision of a server. (Thus server compromise / data loss is highly unlikely)
    3. Router/Switches are not provided to entry level techs
    4. IPMI/Router/Switches are all private networks there is no way to connect it via entry points

    Right now the concern is for those who received those emails not to open them. Once we conduct further investigation we'll know the extent of the damage.

    Those that were sent the email and have concerns please reach out to our support team or DM me and we'll do the best we can to assist.

    All the best my dude!

  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    Mostly well handled @WilliamProfuse but I do want to toss out a question that I'm not asking you to answer here: how did they get customer emails if all data is safe? Would be good to detail what they did get access to, as it was obviously more than just an SMTP session. That way customers can feel safe that it was all understood and covered.

  • @jar said:
    Mostly well handled @WilliamProfuse but I do want to toss out a question that I'm not asking you to answer here: how did they get customer emails if all data is safe? Would be good to detail what they did get access to, as it was obviously more than just an SMTP session.

    The workstation was compromised and the user effectively used the portal system to grab the emails. Since the employee was entry level, the access is pretty limited on what his portal has access to. We're working with Ubersmith to grab all access obtained in the meantime.

    On our email servers we were able to track all the emails sent and email those that were notified of the exploited emails. Roughly ~5% of our customers got contacted.

    We're re-visiting all workstation policies again. Just to give you an idea, we already had policies in place of workstations being on Ubuntu or self-wiped Windows machines. It's obvious this employee didn't follow procedures.

  • deank Member, Troll

    I don't like it.

    You sound too professional.

  • ahnlak Member

    @jar said:
    MXroute is a managed service provider, I am not hands-off.

    For which we thank you!

    Thanked by 1: jar
  • DP Administrator, The Domain Guy

    @deank said:
    I don't like it.

    You sound too professional.

    Yes, the dude probably suited up and put on a tie prior to logging on LET and posting that update.

    Piece of work.

  • chihcherng

    @serv_ee said:
    I rarely see eye to eye with @alexvolk but in this case I do, don't think telling people that you're actually checking emails is the best way to go. Just imho. Some of that responsibility must stay on the end user as well.

    From the command Jar ran, he was checking the main log (about mail sending & receiving) of exim, which is not the same as reading his customers' email.

    Thanked by 1: jar
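The point chihcherng makes (Exim's main log records mail transactions, not mail content) is easy to see by looking at what the log actually contains. The following parser is an added example for this thread, not something jar or Psychz posted; the log lines it parses are constructed to match the shape of Exim's mainlog (arrival "<=", delivery "=>", failure "**", and "Completed" records), and the message ids, hosts and addresses are made up.

```python
import re

# Constructed sample lines in the shape of Exim's mainlog (not real traffic).
# Each message gets a queue id like 1liABC-0001Xy-2Z. "<=" is arrival, "=>" a
# successful delivery, "**" a failed delivery, "Completed" the end of the
# message's life in the queue. Note what is NOT here: no subject, no body.
SAMPLE_MAINLOG = """\
2021-05-18 09:12:44 1liABC-0001Xy-2Z <= alice@example.com H=mail.example.com [192.0.2.10] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2048 id=abc123@example.com for bob@example.net
2021-05-18 09:12:45 1liABC-0001Xy-2Z => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2021-05-18 09:12:45 1liABC-0001Xy-2Z Completed
2021-05-18 09:20:01 1liDEF-0002Qr-7K <= <> H=bounce.example.org [203.0.113.7] P=esmtp S=512 for carol@example.net
2021-05-18 09:20:02 1liDEF-0002Qr-7K ** carol@example.net R=localuser T=local_delivery: Unknown user
2021-05-18 09:20:02 1liDEF-0002Qr-7K Completed
"""

# timestamp, queue id, event flag, and the rest of the record
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<id>\S{6}-\S{6}-\S{2}) "
    r"(?P<flag><=|=>|->|\*\*|==|Completed)\s*(?P<rest>.*)$"
)
# Exim's key=value items: H=host, P=protocol, S=size, R=router, T=transport, ...
KV_RE = re.compile(r"\b(?P<key>[A-Z]{1,2})=(?P<val>\S+)")


def parse_line(line):
    """Turn one mainlog line into a dict of envelope-level fields, or None if it
    is not a message record (e.g. a daemon start/stop line)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flag, rest = m.group("flag"), m.group("rest")
    rec = {"timestamp": m.group("ts"), "message_id": m.group("id"), "event": flag}
    if flag != "Completed":
        # first token is the sender for "<=" and the recipient address otherwise
        rec["address"] = rest.split(" ", 1)[0]
    for kv in KV_RE.finditer(rest):
        rec[kv.group("key")] = kv.group("val")
    if flag == "<=":
        head_tail = rest.split(" for ", 1)
        rec["recipients"] = head_tail[1].split() if len(head_tail) == 2 else []
    return rec


def summarize(log_text):
    """Group records by queue id into a per-message envelope summary."""
    messages = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = messages.setdefault(rec["message_id"], {
            "sender": None, "recipients": [], "size": None, "peer": None,
            "delivered": [], "failed": [], "completed": False,
        })
        ev = rec["event"]
        if ev == "<=":
            msg["sender"] = rec["address"]          # "<>" means a bounce
            msg["recipients"] = rec["recipients"]
            msg["size"] = int(rec["S"]) if "S" in rec else None
            msg["peer"] = rec.get("H")              # sending host
        elif ev in ("=>", "->"):
            msg["delivered"].append(rec["address"])
        elif ev == "**":
            msg["failed"].append(rec["address"])
        elif ev == "Completed":
            msg["completed"] = True
    return messages


if __name__ == "__main__":
    for qid, info in summarize(SAMPLE_MAINLOG).items():
        print(qid, info)
```

Everything the parser can recover is envelope metadata: who sent to whom, from which host, how large, and whether delivery succeeded. That is what `grep`-ing or tailing the mainlog exposes, and it is also exactly the data an operator needs to answer "which customers were sent this message" after an incident like the one in this thread.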

    @chihcherng said:

    @serv_ee said:
    I rarely see eye to eye with @alexvolk but in this case I do, don't think telling people that you're actually checking emails is the best way to go. Just imho. Some of that responsibility must stay on the end user as well.

    From the command Jar ran, he was checking the main log (about mail sending & receiving) of exim, which is not the same as reading his customers' email.

    Everyone wants a steak, not everyone likes to watch the cow get slaughtered. I noticed long ago that every choice at every junction in this industry creates a disagreement.

  • @jar said:
    I would also propose that psychz.unixbsd.info is owned by Psychz. Possibly an old staging server. The unixbsd.info domain has some connection to them (ex. https://ipinfo.io/108.171.246.252), someone else might notice more connection than I do.

    Yeah I think unixbsd.info is their whitelabel domain. I've had VPS services with some of their brands (like PhotonVPS and YardVPS) and the SolusVM control panel was on a subdomain of unixbsd.info.

    Thanked by 2: jar, Hotmarer
  • Daniel15 Veteran
    edited June 2021

    delete

  • pierre Member

    Welp, luckily I check and open items on a VM of mine. Was anyway time to update it from Windows Server 2016 to 2019. Wiped and reinstalled, and changed all passwords I have. Thanks for getting me on top of my shit :)

  • taizi Member

    I received 6 phishing mails and a spam mail from a week ago, now I know the reason, thx

  • hypsin Member

    Pour some out for the former junior tech

  • alexvolk

    @jar said: If you can't control the narrative, attack the person sharing useful information. Maybe Psychz bought @alexvolk some red bull.

    Hey, @jar it's actually you who got that red bull from delimiter when they fucked up.

    It's not drama - it's your reality that will be with you forever.

    Saying that you take a look at your customer emails then oh, sorry, it's just a simple command.

    @chihcherng said:
    From the command Jar ran, he was checking the main log (about mail sending & receiving) of exim, which is not the same as reading his customers' email.

    Yeah, after realizing that he fucked up again sharing the command lol.

    Makes sense!

    Thanked by 1: jar
  • NDTN Member, Patron Provider, Top Host

    We are a customer of Psychz but have not received the phishing emails. Normally all official emails from Psychz are sent via Amazon SES so I think the issue is limited to a hacked staff's machine/account.

  • jar Patron Provider, Top Host, Veteran
    edited June 2021

    @alexvolk said:

    @jar said: If you can't control the narrative, attack the person sharing useful information. Maybe Psychz bought @alexvolk some red bull.

    Hey, @jar it's actually you who got that red bull from delimiter when they fucked up.

    It's not drama - it's your reality that will be with you forever.

    Saying that you take a look at your customer emails then oh, sorry, it's just a simple command.

    @chihcherng said:
    From the command Jar ran, he was checking the main log (about mail sending & receiving) of exim, which is not the same as reading his customers' email.

    Yeah, after realizing that he fucked up again sharing the command lol.

    Makes sense!

    I'm gonna need you to add some protein and potassium to this diet. All that salt intake alone is not good for your body.

    Thanked by 2: bulbasaur, alexvolk
  • @jar said:
    I'm gonna need you to add some protein and potassium to this diet. All that salt intake alone is not good for your body.

    I think need some Red Bull diet then:
    Protein 0.3 g
    Potassium 3 mg

    Thanked by 1: jar
  • default Veteran

    @thedp said:

    @deank said:
    I don't like it.

    You sound too professional.

    Yes, the dude probably suited up and put on a tie prior to logging on LET [...]

    I do this. Is it bad?

  • Maounique Host Rep, Veteran

    You can pipe the mail through an antivirus which will strike down the attachments when they are infected. Clam can do that and is free.
    Would that mean that the provider reads the mails? I don't think so, the antivirus does and looks for some strings.
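What Maounique describes, an automated scanner that sees the bytes of each attachment and strips the infected ones without a person reading anything, looks like the following filter. This is an added example written for this thread, not code from Maounique, Psychz or the ClamAV project. The `clamd_scan` function speaks clamd's real INSTREAM socket protocol, but the socket path `/var/run/clamav/clamd.ctl` is an assumed Debian/Ubuntu default, and the demo message, its attachments and the `stub_scan` marker string are all constructed so the filter can be exercised without a running clamd.

```python
import email
import email.policy
import socket
import struct
from email.message import EmailMessage

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"   # assumed default path of clamav-daemon


def clamd_scan(data, sock_path=CLAMD_SOCKET):
    """Scan bytes with clamd's INSTREAM command and return its verdict, which
    looks like 'OK' or '<SignatureName> FOUND'. Requires a running clamd."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")
        # data is streamed as length-prefixed chunks, terminated by a zero length
        for i in range(0, len(data), 65536):
            chunk = data[i:i + 65536]
            s.sendall(struct.pack(">I", len(chunk)) + chunk)
        s.sendall(struct.pack(">I", 0))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    # reply is e.g. b"stream: OK\0" or b"stream: Eicar-Test-Signature FOUND\0"
    return reply.rstrip(b"\0").decode(errors="replace").split(": ", 1)[-1]


def stub_scan(data):
    """Stand-in for clamd used by the demo and test: flags a constructed marker."""
    return "Constructed.Test.Marker FOUND" if b"TESTMARK-MALICIOUS" in data else "OK"


def strip_infected_attachments(raw_message, scan=clamd_scan):
    """Parse an RFC 5322 message, scan every attachment (any part carrying a
    filename or an attachment disposition), and replace each infected one with
    a plain-text notice. Returns (cleaned EmailMessage, [(filename, verdict)])."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    removed = []
    # collect leaf parts first so replacing a part does not disturb the walk
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    for part in leaves:
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue                      # ordinary body text, never scanned here
        verdict = scan(part.get_payload(decode=True))
        if verdict.endswith("FOUND"):
            name = part.get_filename() or "(unnamed)"
            removed.append((name, verdict))
            # set_content clears the Content-* headers, so the filename and the
            # original payload disappear; only the notice remains in their place
            part.set_content(f"Attachment {name!r} was removed by the mail filter: {verdict}\n")
    return msg, removed


def build_sample_message():
    """Constructed sample: a text body, a harmless attachment, and one attachment
    that stub_scan treats as malicious."""
    msg = EmailMessage()
    msg["From"] = "tech@example.com"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"meeting notes", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"TESTMARK-MALICIOUS", maintype="application",
                       subtype="octet-stream", filename="invoice.doc")
    return msg.as_bytes()


def attachment_names(msg):
    """Filenames still attached after filtering."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    cleaned, removed = strip_infected_attachments(build_sample_message(), scan=stub_scan)
    print("removed:", removed)
    print("remaining attachments:", attachment_names(cleaned))
```

With a real clamd the call is `strip_infected_attachments(raw, scan=clamd_scan)`; the filter only ever hands bytes to the scanner and acts on the verdict string, so nothing in the pipeline displays or stores message text, which is the distinction Maounique draws between "the antivirus reads it" and "the provider reads it".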

  • TimboJones Member
    edited June 2021

    @jar said:

    @chihcherng said:

    @serv_ee said:
    I rarely see eye to eye with @alexvolk but in this case I do, don't think telling people that you're actually checking emails is the best way to go. Just imho. Some of that responsibility must stay on the end user as well.

    From the command Jar ran, he was checking the main log (about mail sending & receiving) of exim, which is not the same as reading his customers' email.

    Everyone wants a steak, not everyone likes to watch the cow get slaughtered. I noticed long ago that every choice in this industry life creates a disagreement.

    FTFY

    Thanked by 1: jar
  • By the way, Photon is 504'ing for me
