Red Threat

Computer and Network Security

Oklahoma City, Oklahoma 469 followers

About us

Red Threat's core principle is Don't Forget to Have Fun. Cyber security isn't a job for us, it's an obsession. We aren't looking to get rich or retire early. Red Threat was created to satisfy the hunger of our engineers to apply their years of dedication and expertise against some of the best defenders in the industry. Red Threat was born out of a passion for delivering the highest quality of service and integrity in everything we do.

Website
redthreatsec.com
Industry
Computer and Network Security
Company size
2-10 employees
Headquarters
Oklahoma City, Oklahoma
Type
Privately Held
Founded
2022
Specialties
Penetration Testing and Red Teaming

Updates

  • Red Threat: If you're coming to Information Warfare Summit, stop by our booth, bring your HackRF and Capture the Crane.

    Andrew Lemon: Proof of concept demonstration exploiting an industrial crane remote. A customer had a number of these connected to gantry cranes in a production environment. We purchased the exact hardware online and recreated their setup. We found that communication between the remote and controller could be captured and replayed using a HackRF. Upon further investigation we found that the majority of controllers for sale were knockoffs of the 2016 TeleCrane controller. While we hoped for another CVE, the vulnerability was reported 6 years ago as CVE-2018-17935 and was patched in the legitimate product but not in the counterfeits. This is a good argument for buying name-brand, and for how trying to save a few bucks using counterfeit products can put you and other individuals at risk. Full blog post on the build and process coming soon.

  • Red Threat: Threat actors make mistakes too. This talk is a deep dive into exploiting those mistakes and exposing the tradecraft we learned along the way. We'll be sharing all the TTPs and zero-days we uncovered.

    Andrew Lemon: If you're coming to BSides Oklahoma, make sure you don't miss this talk. I'll be sharing stories ranging from disrupting ransomware operations to accidentally stumbling into more than one active nation-state cyber op.
  • Red Threat: Just because you aren't doing attack surface monitoring doesn't mean your adversaries aren't.

    Andrew Lemon: OOPSsec - exposing your attacker infrastructure to the internet and leaving clear-text creds in log files. Just because you aren't doing attack surface monitoring doesn't mean your adversaries aren't. We stumbled across a login portal for Asset Lighthouse System that allows end users to configure domains and assets to monitor for vulnerabilities and misconfigurations. The adversary in question here has set up multiple alerts and scans across hundreds of websites. We typically see this kind of configuration with bug bounty hunters and nation states with bad opsec. Link to the GitHub repo for the tool in the comments.
  • Red Threat: Knowing your attack surface and your systems is the first step to securing them. The worst time to update your documentation is during a breach.

    Andrew Lemon: Do you know how to kill your network? After taking care of people, the next question I ask customers on a breach is if they have network maps, and if not we whiteboard it out. This will determine where we put our network monitoring sensors and make sure we shut down unauthorized access. Here are two examples of times customers thought they killed their network, only to be surprised in the middle of a rebuild.

    Incident #1: Customer said they shut down the firewall, but weren't so sure after getting ransomed again halfway through their rebuild. Turns out the MSSP disabled the inbound and outbound firewall rules but left the VPN up, allowing the attackers unrestricted access.

    Incident #2: Customer physically disconnected the firewall. After deploying EDR we were still seeing attacker activity. The customer had a forgotten "branch office" connected by MPLS, and the attackers had gained entry through RDP open to the internet on that system.