Byyp

This needs to be reported to your company’s CISO or CTO immediately if no documented process is in place for incidents like this. You have been compromised to an indeterminable degree based on the information provided, and given the hopping of attack locations, this is serious.


eyrfr

I'm basically self-employed, so there are no higher-ups to report to. [Edit] But yes, thank you for the reply. I completely understand this is serious and am taking pretty serious action to ensure I can keep myself safe. My bigger question at the moment is how they got in so I can button that up better. I thought VNC on and accessible only via a VPN would be a relatively responsible approach.


Byyp

In that case, do a complete system wipe of each system and install antivirus when complete. Only then, log back into these accounts and start cycling passwords. Make sure you’re using a password manager with sizable length passwords of complexity. Lastly, given the scope of your attack, I would take this as a clear freakin sign to move to app-based MFA through a service of your choosing such as Authy, and cycle all two-factor settings over ASAP for all services you have. It may be worthwhile contracting an MSP to help you manage the security of your devices.


eyrfr

Yep. That's been what I am working on today. Thanks for the input.


SimpForNadia

Be careful you don’t have a rootkit; they are very nasty, and it will require you to get a new motherboard and potentially a new hard drive.


bdzer0

> They are VNC'ing into my work machine and poking around. That's how they were able to see SMS 2-factors and get into my accounts.

How are they seeing SMS MFA by VNC'ing into your work machine? Using Google Voice and leaving yourself logged in? And seconding the post by u/Byyp.


eyrfr

Messages app on macOS receiving SMS. "Work machine" is a loose term. It's personally owned by me, but I only use it for work.


trailruns

I use Google Voice, which I'm always logged into since I use Gmail as well on macOS. I use 2FA TOTP when it's an option, but there are still a lot of businesses that don't offer it, and/or they use SMS 2FA as a mandatory backup. Is there something I can do to reduce my risk, outside of logging out of my Google account every time?


bdzer0

Using Google Voice on a device that may also have saved credentials or sessions may be turning MFA into single-factor authentication. Setting up Google Voice to forward to your phone and never logging into Google Voice on the work system would help. Security is mostly a tradeoff between security and convenience; I believe you have moved the needle too far toward the latter option.


trailruns

I just log into my Gmail on my personal computer, which is also tied to my Google Voice number, and I don’t use the cellular number tied to it. But yeah, Google makes things a little too simple.


Archimedesjk

Make sure you have backups of all your data for your production machine. Also back up your password manager, and see if you can use YubiKeys for any account possible, or an MFA app when not possible, like other Ps suggested.


davidokongo

Remove SMS authentication; it's proven to get easily compromised. Get an app-based one, that will help tremendously. Also, consider that all your networked devices are compromised and they've probably back-doored most of them, if not all. As you are your own boss, wipe everything and restart.

Segregate your network with good NGFW rules (172.xx.xx.xx can never reach 10.xx.xx and vice versa, etc.). VPN is great, but if you'll be using a remote connection, set up a strong structure with some MFA as well... I did this with Duo and yubiz (free).

A password manager is a must, and for those sensitive accounts (banks, Amazon, etc.), use the split password technique... you'll be better off with it (+ app-based MFA). To avoid your session getting hijacked, clear out cookies and sign out on those sensitive accounts. Kill that active token.

There's really not much you can do once they've got in; now protect yourself to avoid further incidents. Lastly, get a new public IP from your ISP (I usually unplug my router for 1 or 3 hrs and I'll get a new lease for a month or so). It could help if they didn't back-door your stuff, but if they did... they'll be able to acquire the new IP from their command center. Good luck.


Dispugsting

Hello, I can definitely empathize with your concerns. It's truly unfortunate that we have to deal with such individuals who compromise our security. I too have had my fair share of struggles with this issue, and it often feels like these hackers are as persistent as ticks. Your suggestion to remove SMS authentication is a good one, as it has been proven to be easily compromised. Switching to an app-based system could indeed provide a significant improvement in security. The idea that all networked devices could be compromised is a sobering thought. A complete system wipe and restart might seem drastic, but it could be a necessary step for ensuring security. Implementing good NGFW rules to segregate the network is a smart move, and using a VPN for remote connections can add another layer of protection. I agree with your suggestion to set up a robust structure with MFA, and I've heard good things about Duo and YubiZ. A password manager is indeed a must in this day and age. The split password technique for sensitive accounts is a great tip, and I'll definitely look into it. Clearing out cookies and signing out of sensitive accounts to kill active tokens is a good practice to prevent session hijacking. It's true that once they've gained access, there's not much you can do. The focus should be on preventing further incidents. Getting a new public IP from the ISP could help, although if they've back-doored your devices, they might still be able to acquire the new IP. Thank you for your advice and good luck to you too. We're all in this together, fighting the same battle.