"I'm interested in all kinds of astronomy."

🌟New report out today!🌟

Navigating Through The Fog

In December 2024, The DFIR Report's Threat Intel Group uncovered an open directory linked to a Fog ransomware affiliate, revealing their operational toolkit.

Key takeaways from our analysis:

➡️ Initial Access: Compromised SonicWall VPN credentials were used.

➡️ Toolkit: Included tools for reconnaissance, exploitation (Certipy, Zer0dump), credential theft (DonPAPI), persistence (AnyDesk automated via PowerShell), and C2 (Sliver, Proxychains tunneling).

➡️ Targets: Victims spanned technology, education, and logistics sectors across Europe, North America, and South America.

➡️ Persistence: AnyDesk RMM tool was leveraged for maintaining access.

➡️ Command & Control: Sliver C2 executables were hosted alongside Proxychains for traffic tunneling.

Read the full analysis here: https://thedfirreport.com/2025/04/28/navigating-through-the-fog/

Like others, Rapid7 MDR has observed in-the-wild exploitation of SAP NetWeaver Visual Composer CVE-2025-31324 in customer environments. Webshells being dropped with random 8-character names. Earliest confirmed EITW on our side currently is late March, but I'd expect that may change (i.e., move earlier). Manufacturing is overwhelmingly the most affected vertical, mostly in the U.S.

https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/


Fuzzing Windows ARM64 binaries with a DBI and LLVM?
Here we go: https://www.romainthomas.fr/post/25-04-windows-arm64-qbdi-fuzzing/


Random rant re: claiming your online space as a creator of any stripe.

Create connections with your people, not corporate platforms. As in:

"My online shop" *not* "My Etsy shop"

"My newsletter" *not* "My Substack" (or Ghost, etc)

I get that for some people, Substack is currently their only viable option. They do not need the marketing boost.

And I've seen so many times, for two decades now, "Oh look at the cute thing I found on Etsy!" with zero mention of the person who made it. Zero. Reinforce your name, not theirs.

Repetition = recognition. You bust your ass to build your thing. Make sure people remember you, not a corporate platform that could turn on a dime. You deserve better.

Rant over.


SIGBOVIK 2025 [PDF, p170]: https://sigbovik.org/2025/proceedings.pdf

`ccdoom` is a standards-compliant C23 C compiler that has a "program-agnostic compilation model" and "advanced whole-program dead-code elimination" that always outputs doom.exe.

> ccdoom adopts a more user-centric approach to safety: the output contains significantly more monsters than the output of most C compilers, but the user is provided sufficient ammunition to defeat them.


Presenting "Unveiling RIFT: Advanced Pattern Matching for Rust Libraries" at RECON Montreal 2025!
Sharing research on discovering Rust dependencies in compiled binaries.
See you there! 🚀


RUMOURS are TRUE 🤷‍♀️

PHRACK will be releasing a SPECIAL #71.5 👉HARDCOVER👈
at https://www.offensivecon.org/
BERLIN ("The 𞅀-Day Edition").

Main #72 release THIS SUMMER at MULTIPLE conferences (main release at WHY2025). ❤️


If you've discovered a potential vulnerability in Firefox, please see our way to get rewarded for your work. We do not require exploits. Just a bug description is enough.

Of course, we reward and encourage sending us more details (PoC, detailed report, regression range, potential fix). But to qualify for a bug bounty, all you need is a bug.

Please check our bounty FAQ at https://www.mozilla.org/en-US/security/bug-bounty/faq/


If you've discovered vulnerabilities in major browsers like Chrome, Safari, or Firefox, our program offers a fast, efficient way to get rewarded for your work. We focus exclusively on browsers with a large market share, ensuring your findings have real impact.

Our process is designed for efficiency—eliminating the usual delays and bureaucratic hurdles. You can submit vulnerabilities in minutes, receive detailed feedback within 72 hours, and be compensated with quick payouts within 15 days after validation.

We handle the full disclosure process, including vendor communications and paperwork, so you can focus on what matters: your research. Plus, you can maintain anonymity while receiving fair compensation for your contributions.

Check out the list of supported browsers and get started here: https://ssd-disclosure.com/product-index/

[RSS] Symbol Database for Reverse Engineers

https://symbol.exchange/grep?q=apr_

#ReverseEngineering

UVB-76 operator talking with a pirate - YouTube
https://www.youtube.com/watch?v=jKrNyPnTucQ


"Your call is so important to us, we have fired all the humans and replaced them with a terrible automated system that cannot understand you.

Please hold while we pay our executives another bonus for some reason.

Did you know you can use the Internet to discover our website can't answer your question?"


Sent by Remington from Seattle, Washington, U.S.A. on October 16, 1995. https://postcardware.net/?id=27-70

"Back in 2018, [hyp3rlinx] reported a '.library-ms' File NTLM information disclosure vulnerability [...] this security flaw was finally deemed important by Microsoft and it received CVE-2025-24054"

https://seclists.org/fulldisclosure/2025/Apr/28

Original post:
https://web.archive.org/web/20190106181024/https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.LIBRARY-MS-FILETYPE-INFORMATION-DISCLOSURE.txt

It's kinda been raised, but it's nuts that (according to Mandiant/M-Trends) in 2025:

- vulnerabilities/exploits are the most frequently observed initial vector;

- the top 4 exploited vulns belong to security vendors.

What are we doing here? 🤯😱

Understanding the classical model for linking series by Raymond Chen

The algorithm:
https://devblogs.microsoft.com/oldnewthing/20130107-00/?p=5633

You can override a LIB with another LIB, and a LIB with an OBJ, but you can’t override an OBJ:
https://devblogs.microsoft.com/oldnewthing/20130109-00/?p=5613

Using the classical model for linking to provide unit test overrides:
https://devblogs.microsoft.com/oldnewthing/20250416-00/?p=111077

bert hubert 🇺🇦🇪🇺🇺🇦

“Going to the cloud” can mean renting services/servers that you could get from anywhere. There’s little lock-in. The same four words “going to the cloud” might also mean locking your operations to a specific cloud provider, forever. This difference is vital, yet often ignored: https://berthub.eu/articles/posts/beware-cloud-is-part-of-the-software/
