It was an honor to present our #IBMi exploits at #TROOPERS24 today! You'll have to wait until @WEareTROOPERS releases the recordings for the full show (incl. live demos), until then you can find our slides here:

https://silentsignal.hu/docs/S2-TROOPERS24-IBM_i_for_Wintel_Hackers.pdf

A few notes on this GrimResource .MSC thing from Elastic.

For starters, there are not one but THREE security warnings from Windows before opening a .MSC file from the internet.

Just kidding. Nobody still has Smart App Control enabled after using Windows for a day and realizing what doesn't work. 😂 So two security warnings that clearly state that you're about to do something bad. Or maybe just one if you've received the file in a ZIP or ISO or the like. But in the end, this is convincing the user to do something dangerous, and there are PLENTY of ways to accomplish this on a fully-patched system.

But perhaps more interestingly, the issue being leveraged was discovered by GPZ over 6 years ago by GPZ. Microsoft fixed it in Edge as one of CVE-2018-8463 CVE-2018-8468 and CVE-2018-8469. (Nobody can tell exactly what is what from MSRC publications). But Microsoft apparently neglected to recognize that it affects things other than Edge (e.g. MMC.EXE)
https://bugs.chromium.org/p/project-zero/issues/detail?id=1598

The fact that Microsoft Teams 🤮 contains a feature called "Teams" where actual teams can create a Team, and at Microsoft the teams working on that feature probably have a Team to discuss the Teams feature, suggests that there exists a Microsoft Microsoft Teams Teams Teams' Microsoft Teams Team.

I gave an "unusual” keynote at Troopers today:
https://speakerdeck.com/ange/a-question-of-time

🦀 Hello Rust reversers! If you're at @recon in Montreal this year, come check out my workshop, Reversing Rust Binaries: One Step Beyond Strings! It will be Friday June 28th, at 2:30 pm, in Soprano B.

https://cfp.recon.cx/recon2024/talk/QCA37X/

For pre-workshop setup instructions, including a prebuilt VM, prebuilt binaries, and sample code, see https://github.com/cxiao/rust-reversing-workshop-recon-2024

Hope to see many of you there!

#REcon2024 #reconmtl #rustlang #reverseengineering #reversing #malwareanalysis

Good find by Elastic - possibly North Korean based threat actors using an unfixed bug in Windows to execute code, undetected across all vendors until that point (and as of writing only Elastic detect still)

They’ve named it GrimResource https://www.elastic.co/security-labs/grimresource

#threatintel

Why nested deserialization is harmful: Magento XXE (CVE-2024-34102) https://www.assetnote.io/resources/research/why-nested-deserialization-is-harmful-magento-xxe-cve-2024-34102

This dumb password rule is from E-Trade.

Causes:
* Your two-factor authentication code must be appended to the end of the password
* Passwords have a limit of 32 characters

Effect:

If your account has a 32-character password and has two-factor authentication,
their system appears to cut off the token, making it impossible to login.
Yo...

https://dumbpasswordrules.com/sites/e-trade/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Google is now sending a warning about loading 3rd party JS from domains like polyfill​.​io bootcss​.​com bootcdn​.​net & staticfile​.​org that may do nasty things to your users if your site uses JS from these domains. I've already seen ads disapproved by Google after they detected malicious code being served by one these domains but of course that may not be the biggest problem here.

Possibly the best known case is the polyfill​.​io domain. Sold to a Chinese company some time ago, contributors have warned us to stop using it https://x.com/triblondon/status/1761852117579427975 Cloudflare and Fastly both set up their own mirrors. https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk + https://polykill.io/

This security issue is called a supply chain attack, and it's not fun. There are solutions for that problem, like the SRI (Subresource Integrity) hashes (the `integrity` HTML attribute) but sometimes they can't be used, like with the polyfill lib, because the response changes depending what the browser supports.

In an unbelievable act of corporate vandalism, Paramount completely erased the entire archives of MTV dot com, wiping out more than 30 years and hundreds of thousands of pages https://www.showbiz411.com/2024/06/25/paramount-shuts-down-mtv-website-wipes-history-after-20-plus-years

Don’t sleep on this; I am pretty sure 100k is an undercount. https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/

#ThreatIntel

GitHub Artifact Attestations is generally available #github #sigstore #supplychainsecurity | https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available

Michael Coppola: Google: Stop Burning Counterterrorism Operations
Michael Coppola writes about Google Project Zero and Threat Analysis Group's In-the-Wild Series from 2021, and the alleged harm caused to U.S and western-led counterterrorism efforts. It is not so farfetched to think that a discovered nation-state actor's servers and exploits "belong to the good guys" (cue are we the baddies? meme).

Counterterrorism is one of the clearest examples of this. Cyber is a pivotal component of modern counterterrorism operations, and these campaigns have life-and-death implications that place them in a distinct category from “routine” espionage acts. When governments deploy cyber capabilities for this purpose, they are directly using these tools to thwart potential attacks on civilians, provide vital intelligence to soldiers on the ground, and deny technological resources to terrorists – all conducted while risking fewer U.S. and allies’ lives in the process.

He gave specific examples where offensive cyber operations (OCO) aided in counterterrorism operations in identifying/capturing ISIS/Al Qaeda members or caused them to break OPSEC. He also wrote: "It’s crucial to make this point clear: Cyber operations keep people out of harm’s way while enabling them to collect critical intelligence for our national security."

He quoted @maddiestone, and @tiraniddo left a comment as well.

#counterterrorism #nationalsecurity #cybersecurity #OCO #terrorism #projectzero #threatanalysisgroup #google

Julian Assange Reaches Plea Deal With US, Allowing Him To Go Free https://yro.slashdot.org/story/24/06/24/2319232/julian-assange-reaches-plea-deal-with-us-allowing-him-to-go-free?utm_source=rss1.0mainlinkanon

You can find my talk about Offensive VBA here => https://github.com/X-C3LL/congresos-slides/blob/master/Offensive%20VBA.pdf

Added a command to dump HVPT (HLAT) protected regions to hvext.js for our talk at #Recon Montreal on this coming Saturday. If you want to study details by yourself, have a look.
https://github.com/tandasat/hvext

Now that browsers are *upgrading* some mixed content (instead of loading it insecurely), I wrote a tiny article which what I believe is sane and updated advice for the web of 2024. https://frederikbraun.de/mixed-content.html

Kaspersky: XZ backdoor: Hook analysis
Do you remember the XZ Utils incident? 29 March 2024 was a long time ago. The XZ Utils backdoor was discovered through miraculous troubleshooting by a PostgreSQL Developer (@AndresFreundTec) who noticed that SSH was taking 500ms longer in liblzma. He reported to OSS-Security that XZ Utils data compression library (used in major Linux distros) and its tarballs have been backdoored, and would lead to ssh server compromise.

Kaspersky previous provided the initial analysis of the XZ Utils backdoor, and then covered the threat actor Jia Tan’s social engineering tactics. This is a detailed analysis focusing on the backdoor’s behavior inside OpenSSH portable version 9.7p1. These are their key findings:

• The attacker set an anti-replay feature to avoid possible capture or hijacking of the backdoor communication.
• The backdoor author used a custom steganography technique in the x86 code to hide the public key, a very clever technique to hide the public key.
• The backdoor hides its logs of unauthorized connections to the SSH server by hooking the logging function.
• The backdoor hooks the password authentication function to allow the attacker to use any username/password to log into the infected server without any further checks. It also does the same for public key authentication.
• It has remote code execution capabilities that allow the attacker to execute any system command on the infected server.

#xzutils #xzbackdoor #liblzma #malwareanalysis #threatintel

Introducing Decree by @trailofbits: A new tool that helps devs define, enforce, and understand their Fiat-Shamir transcripts. Check it out!
https://buff.ly/3KUnALC