Serious Discussion odd overnight dual pc "event" or attack??

[simmerskool]

a curious overnight mutual event coincidence or attempted attack My mac_mini is mostly used to display security cameras, while my win10 is my primary pc and also runs VMware. First thing I noticed this morning, Edge was left open overnight with 3 tabs weather related, but a new tab was open to a Bing search regarding Toucans. I rarely use Bing and have never searched for Toucans. win10 OS was not rebooted, and nothing to indicate that Edge updated overnight as when it does it usually opens with a screen about new Edge stuff... The running VM seemed undisturbed and was online via vpn. I then noticed that my mini was not displaying cameras, and was on a macOS login screen. When I logged in I saw mac popup: "Your computer was restarted because of a problem" The only obvious point of connection is both pc go online thru the same Ubiquity router. Any reason for concern requiring eg a deep analysis of macOS report related to mini reboot? Or just a coincidence.
Posted here because it seems too lame to be a security forum question.

 

[Victor M]

I rarely use Bing and have never searched for Toucans.

If you didn't open Bing, and never searched for Toucans, then I'd say that your attackers left you a note.

 

[simmerskool]

If you didn't open Bing, and never searched for Toucans, then I'd say that your attackers left you a note.

yes, unfortunately that is exactly what I was thinking, but unclear how they got in or why they'd want to... maybe I'm being invited into the Matrix, but I'm no Neo...
but I'm still also thinking (hoping) that this was non-nefarious event
maybe I'll copy & post the macOS event report to chatgpt and MT Bot to see what they make of the Apple side of this...

 

[ForgottenSeer 103564]

They were researching frootloops cereal with Sam.

Sounds like you either have guests, ghosts or a need of firewall traffic filtering/logging.

 

[simmerskool]

I've been accused of being a little loopy. The Ubiquity UDMPro has traffic filtering and logging. I'll dig into that after a 2d cup of coffee.

 

[simmerskool]

UDMPro logs do not show *me* anything unusual, no threats, etc. Best guess the Bing Toucans tab was a MS Edge "thing" & mini macOS was unrelated, but I am open to the idea it was more than that, but as oldschool says, don't be paranoid (paraphrase).

 

[ForgottenSeer 103564]

UDMPro logs do not show *me* anything unusual, no threats, etc. Best guess the Bing Toucans tab was a MS Edge "thing" & mini macOS was unrelated, but I am open to the idea it was more than that, but as oldschool says, don't be paranoid (paraphrase).

You can cross reference in history of the browser to establish a time frame when the tabs opened and the search for toucans was performed .

Didn't know much about udm until just now, it seems you can activate suricata ids/IPS in it, it's a bit daunting but worth the effort to set the IPS mode which will drop or reject malicious traffic.

Edit: take a look over at Ubiquity community forums, they will help you configure it.

 

[Captain Holly]

I am no expert so can't really offer any suggestions but I do know the Bing homepage yesterday was a picture of two colorful toucans. This sounds to me like it may have been some sort of MS restart happened overnight and when it was done it showed the Bing page with the toucans.

C.H.

 

[ForgottenSeer 103564]

I am no expert so can't really offer any suggestions but I do know the Bing homepage yesterday was a picture of two colorful toucans. This sounds to me like it may have been some sort of MS restart happened overnight and when it was done it showed the Bing page with the toucans.

C.H.

That's quite possible it's just covering all variables to make sure, but as he stated no need to be paranoid. Most hackers are not going to breach a system, look up a bird, leave a tab or two open and split. Generally they try to remain stealthy and unnoticed. Enabling IPS will resolve that issue though to drop or reject malicious traffic with logging and alerts. Taking the guess work out of most of it.

 

[simmerskool]

You can cross reference in history of the browser to establish a time frame when the tabs opened and the search for toucans was performed .

Didn't know much about udm until just now, it seems you can activate suricata ids/IPS in it, it's a bit daunting but worth the effort to set the IPS mode which will drop or reject malicious traffic.

Edit: take a look over at Ubiquity community forums, they will help you configure it.

UDMPro was originally tweaked with help of IT friend, in fact he was the person who suggested Ubiquity to me. It is tweaked with all its security settings ON, although I'm sure a knowledgeable person could add more. THANKS for reminding about browser history, yes I do see Toucan - Search at 12:12 PM Sunday, one minute after I checked some weather data. I think Edge was not open, then at 12:11 PM I opened it to check weather and Bing tab opened to Toucans. Based on this, it seems less suspicious, and more like MS_Edge_Bing push or fat fingers caused Toucan tab and I did not see it until hours later. (mini_macOS event was most likely unrelated)
I will look into suricata ids/IPS. I had seen you mention this the other day in different context or thread.

 

[ForgottenSeer 103564]

UDMPro was originally tweaked with help of IT friend, in fact he was the person who suggested Ubiquity to me. It is tweaked with all its security settings ON, although I'm sure a knowledgeable person could add more. THANKS for reminding about browser history, yes I do see Toucan - Search at 12:12 PM Sunday, one minute after I checked some weather data. I think Edge was not open, then at 12:11 PM I opened it to check weather and Bing tab opened to Toucans. Based on this, it seems less suspicious, and more like MS_Edge_Bing push or fat fingers caused Toucan tab and I did not see it until hours later. (mini_macOS event was most likely unrelated)
I will look into suricata ids/IPS. I had seen you mention this the other day in different context or thread.

I was wondering, it's good at least not an issue. Stop by my profile for a quick glimpse at a spoiler I posted on suricata in ids mode running in a terminal , I performed a quick attack test to show alert. It's very much worth learning, a next gen IDS/IPS.