I created a threat actor profile for the Chinese state-sponsored APT41: https://infosec.press/screaminggoat/apt41 aka Earth Baku, RedGolf, Wicked Panda/Spider, Winnti Group, BARIUM, Brass Typhoon, Double Dragon, Bronze Atlas, Axiom, BlackFly, GreyFly...

THIS IS WHY WE NEED ONE SINGLE COMMON NAME. Winnti/APT41 activity spans so far back (2010) that some of the links are dead or the reporting companies got bought out. Remember FireEye? Their reports were rebranded as Mandiant after 2021, who got bought by Google Cloud in 2022.

Just FYI, Intrusion Truth is an unknown blog who's scarily accurate. They might be a Western hack and leak intelligence operation. EDIT2: Also the possibility of a disgruntled insider, or even a competitor like i-SOON.

I hope you find this useful. Let me know what other information you'd want to see in a threat actor profile. I'm nowhere close to being done collecting references. It's 3:53am so I'll work on it some more later.

EDIT: 5:30pm and I am tentatively done. A few links are dead and I used web.archive.org to display the archived copy. This is the most comprehensive list that I know of, pooling information from malpedia, MITRE, EDTA, Wikipedia and elsewhere. It even contains a list of exploited CVEs, some of which will be reported to CISA to add to the KEV Catalog.

#china #threatintel #cyberespionage #apt41 #winnti #IOC #chengdu404 #brasstyphoon #infosec #cybersecurity #mss

Frida 16.5.0 adds native breakpoint and watchpoint APIs. There was some attempts to implement those in DWARF and #r2frida already, but having them in the stock SDK makes them way more comfortable to use and stable https://frida.re/news/2024/09/06/frida-16-5-0-released/ #frida

NSA's No Such Podcast: How We Found Bin Laden: The Basics of Foreign Signals Intelligence
Current and former senior NSA officials, who were involved in the search for Osama bin Laden after the September 11, 2001 terrorist attacks, describe NSA's role in the foreign signals intelligence to help find him. You can read the transcript as a 15 page PDF

#nsa #september11 #sigint #intelligence #osamabinladen

Zig's Memcpy, CopyForwards and CopyBackwards

https://www.openmymind.net/Zigs-memcpy-copyForwards-and-copyBackwards/

Discussions: https://discu.eu/q/https://www.openmymind.net/Zigs-memcpy-copyForwards-and-copyBackwards/

#programming #ziglang

Hmm, "apps" in #Outlook what could go wrong?!

My talk on Webkit's JIT compilation at Off-By-One con is up! https://www.youtube.com/watch?v=9rt9ErQKnf8

https://bird.makeup/@offbyoneconf/1830604853573562638

IDA Pro is moving to a subscription model on 30 Sep 2024.

NOW is the time to obtain or renew your perpetual (non-subscription) license.

IDA Pro 8.x will be the last non-subscription version.

#IDAPro #reversing #infosec

Had to verify. And yes. Kernighan and Ritchie really did this. TIL :)

The Internet Archive lost its appeal in the Hachette case. What a huge, devastating loss for all of us.

#InternetArchive

I always wanted to have IDA's graph-overview for source-code.
So I created a small VS-Code extension to do that for me.

https://marketplace.visualstudio.com/items?itemName=tamir-bahar.function-graph-overview

It currently supports Go and C; adding more languages should be relatively straightforward.

#vscode #golang

This must be the ultimate #C64

Dual SID chips, tube amp, full mechanical keyboard.

Cisco security advisories includes a zero-day:

• Cisco Meraki Systems Manager Agent for Windows Privilege Escalation Vulnerability
  CVE-2024-20430 (7.3 medium) incorrect handling of directory search paths (CWE-427: Uncontrolled Search Path Element) to EoP
• Cisco Smart Licensing Utility Vulnerabilities
  • CVE-2024-20439 (9.8 critical) Cisco Smart Licensing Utility Static Credential Vulnerability
  • CVE-2024-20440 (9.8 critical) Cisco Smart Licensing Utility Information Disclosure Vulnerability
• Cisco Identity Services Engine Command Injection Vulnerability
  CVE-2024-20469 (6.0 medium) insufficient validation of user-supplied input to authenticated command injection (the attacker must have valid Administrator privileges)
  • The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory.
• Cisco Expressway Edge Improper Authorization Vulnerability
  CVE-2024-20497 (4.3 medium) inadequate authorization checks for Mobile and Remote Access (MRA) users could allow an attacker to intercept calls or make phone calls spoofing another phone number
• Cisco Duo Epic for Hyperdrive Information Disclosure Vulnerability
  CVE-2024-20503 (5.5 medium) improper storage of an unencrypted registry key could allow an authenticated, local attacker to view sensitive information in cleartext

EDIT: What @BleepingComputer took away out of this is that CVE-2024-20439 is a backdoor admin account: Cisco warns of backdoor admin account in Smart Licensing Utility

#zeroday #cisco #patchtuesday #vulnerability #CVE_2024_20469 #cve #CVE_2024_20439

(indistinctly yelling at the computer)

this is a series expansion of a natural logarithm