Google is now sending a warning about loading 3rd party JS from domains like polyfill​.​io bootcss​.​com bootcdn​.​net & staticfile​.​org that may do nasty things to your users if your site uses JS from these domains. I've already seen ads disapproved by Google after they detected malicious code being served by one these domains but of course that may not be the biggest problem here.

Possibly the best known case is the polyfill​.​io domain. Sold to a Chinese company some time ago, contributors have warned us to stop using it https://x.com/triblondon/status/1761852117579427975 Cloudflare and Fastly both set up their own mirrors. https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk + https://polykill.io/

This security issue is called a supply chain attack, and it's not fun. There are solutions for that problem, like the SRI (Subresource Integrity) hashes (the `integrity` HTML attribute) but sometimes they can't be used, like with the polyfill lib, because the response changes depending what the browser supports.

In an unbelievable act of corporate vandalism, Paramount completely erased the entire archives of MTV dot com, wiping out more than 30 years and hundreds of thousands of pages https://www.showbiz411.com/2024/06/25/paramount-shuts-down-mtv-website-wipes-history-after-20-plus-years

Don’t sleep on this; I am pretty sure 100k is an undercount. https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/

#ThreatIntel

GitHub Artifact Attestations is generally available #github #sigstore #supplychainsecurity | https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available

New assessment for topic: CVE-2024-25641

Topic description: "Cacti provides an operational monitoring and fault management framework ..."

"Cacti versions prior to 1.2.27 are [vulnerable](https://karmainsecurity.com/KIS-2024-04) to arbitrary file write that could lead to RCE ..."

Link: https://attackerkb.com/assessments/07c9b36e-09e6-4af9-bcee-447510ffbcdb

[RSS] IPC Fuzzing with Snapshots

https://blog.mozilla.org/attack-and-defense/2024/06/24/ipc-fuzzing-with-snapshots/

Wasn't this posted earlier? o.O Anyway, very interesting topic!

[RSS] Fuzzer Development 4: Snapshots, Code-Coverage, and Fuzzing

https://h0mbre.github.io/Lucid_Snapshots_Coverage/

PSA: My notifications have been broken for some time, your message may not reach me.

Michael Coppola: Google: Stop Burning Counterterrorism Operations
Michael Coppola writes about Google Project Zero and Threat Analysis Group's In-the-Wild Series from 2021, and the alleged harm caused to U.S and western-led counterterrorism efforts. It is not so farfetched to think that a discovered nation-state actor's servers and exploits "belong to the good guys" (cue are we the baddies? meme).

Counterterrorism is one of the clearest examples of this. Cyber is a pivotal component of modern counterterrorism operations, and these campaigns have life-and-death implications that place them in a distinct category from “routine” espionage acts. When governments deploy cyber capabilities for this purpose, they are directly using these tools to thwart potential attacks on civilians, provide vital intelligence to soldiers on the ground, and deny technological resources to terrorists – all conducted while risking fewer U.S. and allies’ lives in the process.

He gave specific examples where offensive cyber operations (OCO) aided in counterterrorism operations in identifying/capturing ISIS/Al Qaeda members or caused them to break OPSEC. He also wrote: "It’s crucial to make this point clear: Cyber operations keep people out of harm’s way while enabling them to collect critical intelligence for our national security."

He quoted @maddiestone, and @tiraniddo left a comment as well.

#counterterrorism #nationalsecurity #cybersecurity #OCO #terrorism #projectzero #threatanalysisgroup #google

Julian Assange Reaches Plea Deal With US, Allowing Him To Go Free https://yro.slashdot.org/story/24/06/24/2319232/julian-assange-reaches-plea-deal-with-us-allowing-him-to-go-free?utm_source=rss1.0mainlinkanon

You can find my talk about Offensive VBA here => https://github.com/X-C3LL/congresos-slides/blob/master/Offensive%20VBA.pdf

Added a command to dump HVPT (HLAT) protected regions to hvext.js for our talk at #Recon Montreal on this coming Saturday. If you want to study details by yourself, have a look.
https://github.com/tandasat/hvext

Now that browsers are *upgrading* some mixed content (instead of loading it insecurely), I wrote a tiny article which what I believe is sane and updated advice for the web of 2024. https://frederikbraun.de/mixed-content.html

Kaspersky: XZ backdoor: Hook analysis
Do you remember the XZ Utils incident? 29 March 2024 was a long time ago. The XZ Utils backdoor was discovered through miraculous troubleshooting by a PostgreSQL Developer (@AndresFreundTec) who noticed that SSH was taking 500ms longer in liblzma. He reported to OSS-Security that XZ Utils data compression library (used in major Linux distros) and its tarballs have been backdoored, and would lead to ssh server compromise.

Kaspersky previous provided the initial analysis of the XZ Utils backdoor, and then covered the threat actor Jia Tan’s social engineering tactics. This is a detailed analysis focusing on the backdoor’s behavior inside OpenSSH portable version 9.7p1. These are their key findings:

• The attacker set an anti-replay feature to avoid possible capture or hijacking of the backdoor communication.
• The backdoor author used a custom steganography technique in the x86 code to hide the public key, a very clever technique to hide the public key.
• The backdoor hides its logs of unauthorized connections to the SSH server by hooking the logging function.
• The backdoor hooks the password authentication function to allow the attacker to use any username/password to log into the infected server without any further checks. It also does the same for public key authentication.
• It has remote code execution capabilities that allow the attacker to execute any system command on the infected server.

#xzutils #xzbackdoor #liblzma #malwareanalysis #threatintel

Introducing Decree by @trailofbits: A new tool that helps devs define, enforce, and understand their Fiat-Shamir transcripts. Check it out!
https://buff.ly/3KUnALC

When building a x86 lifter, the first 1000 instructions are the hardest. After that all that's left is another 1000 or so SSE instructions.

🧵 In 2020, I nearly died from mysterious industrial chemical exposure at my apartment. Later, in 2023, I discovered my employer was dumping toxic waste into the apartment windows from their Skunkworks semiconductor fab next-door. I tipped off the US EPA, who sent their env cops to raid Apple's plant in Aug of 2023. The US EPA finally released the report of their enforcement inspections & sent me a copy on Friday. 💀 ⬇️

I have just discovered that a function's comment added to a MSVC well known runtime function added by IDA's Lumina Server was generated using an AI tool for IDA.

Please don't. I fucking hate it.

BTW: The code for the function that the LLM model is trying to explain *is hallucinated* and does not even correspond to the real function.

I mentioned the other day that I don't really like video content.

Now I realized I'd love to watch a good tutorial video(series) on #IPv6.

Any recommendations?

[RSS] plORMbing your Django ORM

https://www.elttam.com/blog/plormbing-your-django-orm/