"I'm interested in all kinds of astronomy."

Ivanti security advisory: September 2024 Security Update
Happy from Ivanti. There are some serious vulnerabilities. I want to emphasize that Ivanti stated they "have no evidence of these vulnerabilities being exploited in the wild." See the following advisories:

The big ones:

  • CVE-2024-29847 (perfect 10.0 critical 🥳 cc: @cR0w) deserialization in the agent portal of Ivanti EPM before 2022 SU6/September 2024 update allows unauth RCE
  • CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34783, CVE-2024-34785: unspecified SQL injection in Ivanti EPM before 2022 SU6/September 2024 update allow remote authenticated attacker with admin privileges to RCE


It is shocking that after moving from Google Workspace to Proton as the back office for our professional email addresses etc, all the major Dutch institutions are blocking us as spam. All our contacts have to whitelist us individually. So I think we are forced to go back to Google, where we had this problem occasionally but not as massively as now. It seems the reason is that Microsoft, used by almost all institutions in NL, simply blocks all Proton mail. 😈 (DNS=OK configured)


I would like to impress upon product managers that a code security review does not consist of me sitting down with the files in alphabetical order and reading each and every line exactly once in order and checking off whether it is or isn’t secure


This widely shared infographic uses a trick to make its message appear much stronger than it actually is. It seems to show a strong correlation between energy consumption and the wealth of a country. By using a logarithmic scale, the correlation appears much stronger than it actually is. I covered this before in articles, and now have also uploaded a short video ⚡💸🎥 https://www.youtube.com/watch?v=2xZ6CihdKu0 🧵


There is a known issue in the latest stable 4.1.5902 we wanted to make folks aware of. If you save a bndb while debugging, the database can get into an improper state and it may appear to lose user changes. The issue is resolved in the latest dev builds.

For those who are using the latest stable, you can either switch to dev or avoid saving during debugging (saving after debugging is unaffected). Impacted users can contact support (https://binary.ninja/support/) or see: https://github.com/Vector35/debugger/issues/612


watchTowr: Veeam Backup & Response - RCE With Auth, But Mostly Without Auth (CVE-2024-40711)
Reference: CVE-2024-40711 (9.8 critical, disclosed 04 September 2024 by Veeam) Veeam Backup & Replication: A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE). This vulnerability was reported by Florian Hauser @frycos with CODE WHITE GmbH @codewhitesec.

watchTowr doing what they do best, root cause analysis of vulnerabilities and breaking it down Barney style. Veeam Backup and Replication's CVE-2024-40711 has an authenticated RCE with a 9.8? watchTowr does patch-diffing (a lot of code and rambling). They name drop James Forshaw @tiraniddo in referencing “Stupid is as Stupid Does When It Comes to .NET Remoting”

Okay in reading through this, CVE-2024-40711 is actually comprised of two separate bugs. Veeam silently patched an improper authorization bug, then the deserialisation bug 3 months later. watchTowr claims that there is a way to bypass CVE-2024-40711 (details are still under embargo). They do not release a proof of concept due to the current situation and proclivity for ransomware actors to go after Veeam backups.


3 more weeks before my Windows Kernel Exploitation training at
Don't miss out! More info on contents -> https://www.hexacon.fr/trainer/halbronn/


I finally got my copy of !

Impressive work by the new @phrack staff 💚


Greetings, Myth Lovers! In celebration of Monday's theme is beer and other inebriating beverages! Do you know a myth that features beer or a similar drink? Is the beer helpful or a hindrance? Tell us the myth and use the hashtag for boosts.

@mythology @folklore @TarkabarkaHolgy @juergen_hubert @curiousordinary @wihtlore @FairytalesFood @bevanthomas @FinnFolklorist @Godyssey @GaymerGeek @starrytimepod @ljwrites


Sometimes when people don't want an idea interrogated they arrange words around it like a moat. Construct intricate vocabularies that make it so you can only approach it from certain directions, never from the directions where it is weak to attack. Insist you use their vocabulary, debate on their terms. Sometimes I like to just walk directly into the moat. See, it's only ankle deep. This makes people upset. You're ignorant of the theory! No, I'm standing in the middle of it. It's just water dude


ublock origin is great and so don't take this the wrong way but I've never understood why it doesn't have a they-live mode where instead of removing the ads altogether they get rendered as greyscale messages like "OBEY" / "CONSUME" / "DO NOT QUESTION AUTHORITY"


Crypto is holding Texas' independent electricity grid hostage for ransom, while the conservatives who run the state realize they've been duped by the big businesses they sidle up to.
https://www.economist.com/united-states/2024/08/27/why-texas-republicans-are-souring-on-crypto


Someone sent me a note the other day that a funeral service for their late friend was being used to start a new Meta group that claimed to offer live streaming of the service.

But of course, those who clicked the link were sent to fake video streaming websites that try to collect payment information before supposedly letting you watch the service.

A little digging showed that not only are there hundreds of these fake funeral streaming groups, but all of them are tied back to some brainiacs in Bangladesh who naturally exposed their identities and operation by trojaning their own PCs.

What's crazy is how the fake funeral streaming groups on Meta are just one tiny microcosm of the scams these dudes in Bangladesh are doing.

Also, now I feel like showering after spending a few hours back on Meta. Eww.


It's been a while since HyperDbg's first release, and we realized our initial assumptions for the command parser won’t fully meet new demands. After redesigning and extensive testing, HyperDbg v0.10.1 now comes with a brand-new parser! 💫😼

Check it out:
https://github.com/HyperDbg/HyperDbg/releases/tag/v0.10.1


Can anyone help me understand why the Linux kernel sets the SS register segment on x86-64/amd64? The architecture doesn't seem to require it, but it does anyway. I have seen some issues with DOSEMU, signals, and even the sysret not working properly regarding SS, but I didn't see a clear explanation.


"Google, Amazon, and Microsoft control seventy-five percent of the cloud computing market. Meta and Google own half of the fiber optic cables supplying internet services across continents."

"So what did GAMM do? They convinced us that our notetaking apps require an internet connection and forty thousand dollar GPUs located on a server three hundred miles away."

https://www.fromjason.xyz/p/notebook/any-technology-indistinguishable-from-magic-is-hiding-something/


I created a threat actor profile for the Chinese state-sponsored APT41: https://infosec.press/screaminggoat/apt41 aka Earth Baku, RedGolf, Wicked Panda/Spider, Winnti Group, BARIUM, Brass Typhoon, Double Dragon, Bronze Atlas, Axiom, BlackFly, GreyFly...

THIS IS WHY WE NEED ONE SINGLE COMMON NAME. Winnti/APT41 activity spans so far back (2010) that some of the links are dead or the reporting companies got bought out. Remember FireEye? Their reports were rebranded as Mandiant after 2021, who got bought by Google Cloud in 2022.

Just FYI, Intrusion Truth is an unknown blog who's scarily accurate. They might be a Western hack and leak intelligence operation. EDIT2: Also the possibility of a disgruntled insider, or even a competitor like i-SOON.

I hope you find this useful. Let me know what other information you'd want to see in a threat actor profile. I'm nowhere close to being done collecting references. It's 3:53am so I'll work on it some more later.

EDIT: 5:30pm and I am tentatively done. A few links are dead and I used web.archive.org to display the archived copy. This is the most comprehensive list that I know of, pooling information from malpedia, MITRE, EDTA, Wikipedia and elsewhere. It even contains a list of exploited CVEs, some of which will be reported to CISA to add to the KEV Catalog.
