A drunken debugger

Heretek of Silent Signal
Edited 1 month ago
test

This is a #test of frequency instruments.

Bass

Drums

Distortion

Artifacts

repeated
Edited 1 month ago
The computing I would like

After my recent experience with a new laptop, imposed upon me by a client, I feel the need to describe what I’d want from computing, both as a “practitioner” (“shaman”? “fool”?) and as a user.

First and foremost I like to know where my data is, both physically and logically.

I would, therefore, appreciate having some form of storage server which does everything from storing files to my calendar and email. It would be redundant, etc. (i.e. a NAS of some form).

Secondly, we’d have IPv6 so that I could reach said server from everywhere without NAT, CGNAT, transparent carrier-to-carrier NAT (you don’t want to know), etc.

Then, for those who have computing needs, we would have a co-system we would connect next to the NAS, automatically speaking some form of NFS (no, not SMB, not over my dead body) and which would be used automatically by the NAS when a request needed oomph (e.g. video editing on a stored video).

All of this would be topped with a beautiful “portable viewer” which would have a laptop size / format and would do nothing other than connect over the network to your server and allow you to “do things.”

A mobile phone would, similarly, tap into your server to do what it needs to do.

There would be minimal storage on these edge devices.

Wait, you say, this is “The Cloud”.

No, it is absolutely not because I want the data to be mine and nothing to be on the edge devices.

Wait, you say again, this is “Plan 9 meets VNC (in its original Olivetti Research Labs incarnation)”.

Yes, it is.

I still believe that one of the worst ever decisions to be taken was the PC back in 1981 followed by the obtusity of many in thinking that somehow PC “democratised” computing or could replace mainframes, minis and servers with its architecture.

Quoting “The 6M Dollar Man”: We can rebuild him; we have the technology.

We don’t need to continue using the crap they peddle us, we need to sit down and say “OK, now let’s be grown ups and build what we need, not what others want us to build.” (note: 0xide is a step in that direction)

repeated

I love programs with anti-debugger checks. By definition, the people you're "stopping" from debugging your program are the same ones who have the tools to delete your debugger check.

It's like specifically locking a door to keep lockpickers out

Edited 1 month ago

My friends at Ravenfortech wrote an introductory #malwareanalysis post on the INC #Ransomware:

https://translate.kagi.com/https://scribe.rip/@ravenfortech/inc-ransomware-elemz%C3%A9s-a909b5aed114

This gang recently pwned the Hungarian company responsible for military procurement (VBÜ) and is now selling the data for $1M.

https://444.hu/2024/12/01/visszakerultek-a-netre-a-vedelmi-beszerzesi-ugynokseg-ellopott-adatai-egymillio-dollarrol-indul-a-licit

Based on the analysis the malware is very simple. INC uses CitrixBleed (2023) and spear phishing for initial access:

https://www.sentinelone.com/anthology/inc-ransom/

This doesn’t paint a picture of mature security at VBÜ to say the least…

repeated

bert hubert 🇺🇦🇪🇺

I've started a page listing for many fields (physics, computing, biology, history..) the most Totemic Books. The ones that are central to the field, the books you wished you had learned about earlier. The work no one in a field can do without. Please send me your suggestions so we can share the love more broadly! https://berthub.eu/articles/posts/totemic-books-for-many-fields/

repeated

Turbo Pascal turns 41. who here remembers this one?

[RSS] Don't Be a CVE Dummy

https://jericho.blog/2024/11/28/dont-be-a-cve-dummy/

"So please, if you are writing documentation and need to use dummy CVE identifiers, please use one of the ones MITRE designated a decade ago"
repeated

If you are planning to learn Zig via Advent of Code this year, I highly recommend the tips from @kristoff 's blog post:

https://kristoff.it/blog/advent-of-code-zig/

repeated

Can someone send me the (untruncated) output of ioreg on an M4 MacBook/Mac Mini?


In other news, enough RE tool dev for today…

Edited 1 month ago

It is just natural that in #Ghidra #Sleigh “The [operand] identifier must appear in the [bit pattern section] as if it were a term in a sequence of constraints but without the operator and right-hand side of the constraint.”, see section 7.4.3:

https://scrapco.de/ghidra_docs/GhidraDocs/languages/html/sleigh_constructors.html

But it seems, you can’t use the identifier in the display of the instruction if it’s part of a constraint.

Error: “wrong type (should be family) in pattern equation”

Why is that?!

(Workaround: define an alias token for the same bits and use that in display)

Edited 1 month ago

If a #Ghidra build throws an error similar to:

“No IP found for $slaspec in module: $dir”

You have to extend the certification.manifest file in $dir.


If you use #vim to edit #Ghidra sources, beware that some build scripts try to handle all files in a directory, so .swp’s can cause build errors.

#ProTip

(Neovim stores swap files under your config directory by default, so the situation is better there)

repeated

Giorgio Maone 🚫✊🧅

I've just subscribed to MDN Plus, perhaps the most valuable resource for , browser extensions & in general, which I've used for free so many years. Stepped up to paid subscription as a small thanks to @mozilla , and also to unlock the offline premium feature

https://developer.mozilla.org/en-US/

repeated
[RSS] Assessing the attack complexity of a race condition security vulnerability

https://devblogs.microsoft.com/oldnewthing/20241129-00/?p=110588
repeated

Luke and Leia take center stage in this vibrant panel of Budapest’s Star Wars mural by Rawman, CSM, Little Mejo, and Time.

repeated

This is the largest breakthrough in Windows / Office piracy ever.
This solution will be available in the coming months—stay tuned for updates!

repeated
Edited 1 month ago

Sooo Ars, after correcting the original deeply flawed, pure clickbait article, has now doubled down with new info about how "Bootkitty" is actually used.

TL;DR: I was right about Bootkitty only being useful at all for UEFI Secure Boot systems. Turns out there's a separate component that exploits LogoFAIL, a year-old UEFI vulnerability discovered by researchers, to enroll Bootkitty's key into UEFI Secure Boot, which then bypasses the need for user consent for the new bootloader.

So, to recap:

  • There is no new vulnerability here. This is not a zero-day.
  • Everything in this proof-of-concept attack is just putting things we already knew were possible together.
  • Bootkitty is still just PoC level and useless on real production systems, since it still works only on a single Ubuntu kernel.
  • Bootkitty is still not a real bootkit, just a component that's part of enabling the Secure Boot bypass, and trivial to remove and detect.
  • This whole thing is still not persistent in any way in firmware, and trivial to remove. The LogoFAIL exploit is also stored on disk, not anywhere in firmware.
  • This is not a remote exploit, or a local user exploit. You need root to install it, there is no extra OS-level exploit chain anywhere to be seen.

The only news here is that someone decided to use LogoFAIL, which again was discovered a year ago, to create the capability of installing a traditional, old school kernel rootkit on UEFI Secure Boot systems without user consent on reboot. Which, again, is obviously possible when you have something like LogoFAIL. And you still need root access to install any of this.

To reiterate, this only matters if your threat model is an attacker might get root on my system, but they won't be able to install a kernel-level rootkit because I use Secure Boot, oh and also I didn't bother to patch LogoFAIL. Note that under this model an attacker can still install user-level rootkits anyway, so it's... certainly an interesting model. Also note that under this model an attacker can also just install any old known-vulnerable-to-something distro kernel (there is no revocation for those) and then exploit it to add the rootkit on every boot, achieving the same result of a module rootkit on a Secure Boot system without any of the LogoFAIL or Bootkitty nonsense. You could even just kexec into a backdoored newer kernel that way.

So, cute and interesting, yes. Still a PoC and a nothingburger for the security world. If you rely on UEFI Secure Boot's guarantees and you haven't patched LogoFAIL one year later, that's on you.

And if you take the Secure Boot stuff seriously you should probably get an Apple Silicon Mac anyway, because UEFI Secure Boot is Swiss cheese with a massive attack surface and stuff like LogoFAIL is bound to keep happening.

Edit: Aaaand it indeed was a student project.
