Micah Lee 🫡

@micahflee ↗

Deleted No

Hibernated Yes

Last Checked Jan. 16, 2022

Created

Tue Dec 22 20:57:49 +0000 2020

Likes

Retweets

Source

Twitter Web App

View Raw Data

JSON Data

View on Twitter

Likely Available

Micah Lee 🫡 @micahflee

Berserk Bear's campaign works like this: - Hackers get a foothold in target network by exploiting a VPN - Once in, they use CVE-2020-1472, a brutal Netlogon vuln that takes over Active Directory - Once AD is owned, they extract legit credentials for anyone on the network — PolitiTweet.org

Posted Dec. 22, 2020 Hibernated

Preceded By

Micah Lee 🫡 @micahflee

The list of IOCs included an IP owned by the city of Austin. (The next day MSTIC then updated their IOCs to remove this IP.) In other words, it looks like Microsoft saw this IP, part of Austin's network, being used as infrastructure in this massive hacking campaign. — PolitiTweet.org

Posted Dec. 22, 2020

Followed By

Micah Lee 🫡 @micahflee

While connected to the VPN, they then, for example, can use legit creds to login to anyone's Office 365 email account (CISA says they were observed doing this). Basically, they can login to anything on the entire network and could place backdoors anywhere — PolitiTweet.org

Posted Dec. 22, 2020