"I'm interested in all kinds of astronomy."
repeated

Fun little story about @wiz. For several years (or so it seemed), I watched Wiz kicking the crap out of Azure, finding and reporting on vulnerabilities in Azure’s services. I even talked about some of that on the DefSec podcast.

Then I became the CISO of IBM Cloud. One fine day after I had been in place for a while, I was made aware that our security tools had taken action against a malicious customer trying to find a way to move around in the multi-tenant environment. I then got a request to speak with Wiz security researchers, who I found out were the people we shut down. Before I got on the phone with them, I remembered the ongoing saga between Wiz and Azure and thought “here we go, they’re coming after us now”.

That turned out not to be the case at all. Wiz asked for permission to continue testing because they had an intuition that some issues existed. We set them up in a fenced-off environment and let them have at it. Wiz did end up finding some issues, but it became clear to me that Wiz was most interested in keeping cloud customers safe - even those they have no relationship with. Now certainly there’s a marketing aspect to a security company finding and reporting on security vulnerabilities, but I will tell you that they were super professional and coordinated well with us.

Behind the scenes, that wasn’t an easy sell for me. Everyone could see what was going on with Azure and many thought I was insane for wanting to entertain Wiz, but I shared Wiz’s view of wanting to ensure the safety of customers, even if it meant discomfort.

The title of Wiz’s report is “Hell’s Keychain” and you can google it easily enough, and it has a quote from me.

I’ve never used their product and have no affiliation with them beyond being on their podcast once and getting some swag from them.

repeated

Regarding the CEO assassin, I'm noticing a pattern regarding folks' reactions to the assassin...

...it's a positive reaction.

They're calling him The Adjuster, Robin Hoodie, The Hero We Need, The Batman. The Joker. The Riddler. etc.

They're asking "who will he hit next" and "finally someone is standing up to the Health Care Industry". "Do oil and gas and the banks next!" etc et al.

We saw similar reaction to Jack Smith, Robert Mueller, & Fani Willis. It's the same as people that hoped Elon Musk would save us. Or Bernie Sanders, or Kamala Harris, or Trump.

Look.

No one person is going to save you.

Not the CEO Assassin. Not Trump. Not Jack Smith. Not Elon Musk. Not Robert Mueller.

The issues are systemic. No one "batman" superhero is going to change everything.

All of that leads to a mentality that celebrates strongmen and demagogues.

Without giving a call for violence (don't ban me @jerry !!!) ...

...be the change you want to see. Get into your local town and work with your neighbors to accomplish change. Pick a thing, any thing, and start working on it as you can.

No gods.

No heroes.

repeated

CVE-2023-48365 (9.8 critical, disclosed 15 November 2023) Qlik Sense Enterprise for Windows unauth remote code execution is being reported as exploited in the wild by @catc0n:

Personally observed in an environment: Rapid7 MDR has observed exploitation of this vulnerability in one or more customer environments

cc: @todb @ntkramer @dreadpir8robots @hrbrmstr @wvu

repeated

Inspirational Skeletor💀

repeated

This was kind of a funny bug (though by luck it is hard to reach): https://project-zero.issues.chromium.org/373391951

A tree structure containing pointers needs to be deep-copied (the objects pointed to by the tree need to be duplicated too), but as an optimization, the tree is first shallow-copied, and then, in the copied tree, the pointers to the original objects are replaced with pointers to copied objects. But the copying of objects can fail midway through, and in that case, there is special cleanup code that can properly tear down the not-fully-set-up copied tree... but between failure and cleanup, a lock is dropped, and some other codepath can do a lookup in the copied tree, causing UAF if the lookup happens in a shallow-copied part of the tree and the corresponding element in the original tree has been freed since.
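A constructed C model of the failure window this post describes, added here as an example (it is not the kernel's code and not the post author's): the structure is shallow-copied first, each pointer is then swapped for a duplicated object, and a simulated failure part-way through leaves the tail entries still aliasing the original's objects. `count_aliases` measures that window, and the `complete` flag shows the defensive rule that an unfinished copy must not be searchable; the names and the flattened N-entry "tree" are assumptions of this example.

```c
#include <stdbool.h>
#include <stdlib.h>
#define N 4  /* constructed sample: the "tree" is flattened to N entries */

typedef struct { int value; } object;
typedef struct {
    object *obj[N];  /* each entry points to an object the tree owns */
    bool complete;   /* hardened rule: lookups are refused until this is set */
} tree;

tree *make_original(void) {
    tree *t = calloc(1, sizeof *t);
    for (int i = 0; i < N; i++) { t->obj[i] = malloc(sizeof(object)); t->obj[i]->value = i; }
    t->complete = true;
    return t;
}

/* Deep copy done the way the post describes: shallow-copy the structure, then
 * swap each pointer for a duplicated object. fail_at simulates the duplication
 * failing at that index; entries from fail_at onward then still alias orig (-1 = no failure). */
tree *deep_copy(const tree *orig, int fail_at) {
    tree *copy = calloc(1, sizeof *copy);
    for (int i = 0; i < N; i++) copy->obj[i] = orig->obj[i];  /* shallow copy */
    for (int i = 0; i < N; i++) {
        if (i == fail_at) return copy;  /* partial state: cleanup still pending */
        object *dup = malloc(sizeof *dup);
        *dup = *copy->obj[i];
        copy->obj[i] = dup;
    }
    copy->complete = true;
    return copy;
}

/* Entries of copy that still point into orig: if orig frees those objects before
 * cleanup runs, a lookup in copy that reaches them is a use-after-free. */
int count_aliases(const tree *copy, const tree *orig) {
    int n = 0;
    for (int i = 0; i < N; i++) n += (copy->obj[i] == orig->obj[i]);
    return n;
}

/* Hardened lookup: a tree that is not fully set up is not searchable. */
object *lookup(const tree *t, int i) { return (t->complete && i >= 0 && i < N) ? t->obj[i] : NULL; }

/* Teardown of a possibly partial copy: free only the objects the copy owns.
 * With orig == NULL every entry is treated as owned (used for the original itself). */
void cleanup(tree *copy, const tree *orig) {
    for (int i = 0; i < N; i++) if (!orig || copy->obj[i] != orig->obj[i]) free(copy->obj[i]);
    free(copy);
}
```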

repeated

We've released 35 new Semgrep rules targeting infrastructure, supply chain, and Ruby security issues. Plus, learn how to leverage regex mode and HCL support for better infrastructure-as-code security.

https://blog.trailofbits.com/2024/12/09/35-more-semgrep-rules-infrastructure-supply-chain-and-ruby/

repeated
New assessment for topic: CVE-2024-1708

Topic description: "ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker ..."

"CVE-2024-1708 is a path traversal vulnerability affecting ConnectWise ScreenConnect ..."

Link: https://attackerkb.com/assessments/1b849988-c20e-4489-b536-148cd9c60645
repeated

Here's a link to today's AI slop report. Freshly disclosed: https://hackerone.com/reports/2887487

repeated

The CVE we will publish on Wednesday addresses an issue that has existed in source code for almost twenty-five years.

severity low though, so the sky might not fall this week either

repeated

Project Zero Bot

New Project Zero issue:

Linux >=v6.8-rc1: VMA UAF when nascent MM is accessed through forked userfaultfd or khugepaged after aborted fork

https://project-zero.issues.chromium.org/issues/373391951

CVE-2024-50263, CVE-2024-50220
repeated

I published an Advanced Persistent Threat (APT) profile on Gamaredon, a Russian state-sponsored cyberespionage group. Gamaredon (Group) is also known as Aqua Blizzard/ACTINIUM, and BlueAlpha, but most vendors do refer to them as Gamaredon. In 2021, they were publicly attributed by the Security Service of Ukraine (SSU) to Russia's Federal Security Service (FSB) Centers 16 and 18.

repeated

Project Zero Bot

New Project Zero issue:

Windows Kernel registry security descriptor refcount may overflow when referenced by too many transacted operations

https://project-zero.issues.chromium.org/issues/42451732

CVE-2024-43641
repeated
New assessment for topic: CVE-2024-9474

Topic description: "A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. ..."

"[CVE-2024-9474](https://security.paloaltonetworks.com/CVE-2024-9474) was exploited in the wild as part of an exploit chain, paired with the authentication bypass [CVE-2024-0012](https://attackerkb.com/topics/MLL6c2Y4Oo/cve-2024-0012), to allow for unauthenticated RCE ..."

Link: https://attackerkb.com/assessments/83a9c0f2-2ff0-4b7a-ab52-a8f4897d148b
CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle #Django

https://www.djangoproject.com/weblog/2024/dec/04/security-releases/
repeated

Mandiant's Thibault Van Geluwe de Berlaere demonstrates a novel technique that can be used to circumvent all three current types of browser isolation (remote, on-premises, and local) for the purpose of controlling a malicious implant via C2. https://cloud.google.com/blog/topics/threat-intelligence/c2-browser-isolation-environments/

repeated

itch.io is reporting on bsky that their domain has been taken down due to ...well.

repeated

excuse #415:

Maintenance window broken
