Kernel.org folks never provided the postmortem they promised in 2011 after finding their infrastructure had been rooted. They also didn't bother to respond to my email earlier this week seeking comment on new information that, in fact, their servers had been rooted two years earlier by a second, even more sophisticated piece of malware.
While no one responded to me, here's Linux Foundation member Konstantin Ryabitsev responding elsewhere to my post that the breach was the subject of an FBI investigation, and later of a lawsuit. This says lots about the obligation kernel.org, an organization entrusted with huge responsibility, feels toward transparency. If Microsoft did this, people would be apoplectic.
Tornado Cash developer sentenced to more than five years imprisonment in the Netherlands
May 14, 2024
https://www.web3isgoinggreat.com/?id=alexey-pertsev-sentencing
Cool, cool, #Slack now uses your workspace data to train its #AI. Gotta hoover up all that juicy data. Surely there's no copyrighted or otherwise sensitive content on any of the corporate instances, and leaking that is totally impossible, pinky-promise.
https://slack.com/intl/en-gb/trust/data-management/privacy-principles
(You still have the option to opt out. For now...)
A friend of a friend is looking for a junior exploiter position (N-days). Can you recommend a place for that person?
PS: I guess the person would be more interested in Europe (or remote) positions than somewhere else and doesn't want to work for defence contractors.
The second episode (Season #1 Episode #2) of The Road to InfoSec podcast with Jason Jordaan (@dfs_jasonj) is out! Check it out on:
YouTube: https://www.youtube.com/watch?v=MxRuTMpFt7Y&list=PL6gjzgWlMnWNtp3xC5O46Cw__ssVLk0CV&index=2
Spotify: https://open.spotify.com/episode/3j8h8WL0SVm1cHlGE2JCfM
Apple Podcasts: https://podcasts.apple.com/us/podcast/jason-jordaan-the-road-to-infosec-season-1-episode-2/id1745343010?i=1000655667408
Amazon Music: https://music.amazon.com/podcasts/ea2db15a-d9a2-4e03-ba95-fd42bd262c04/episodes/fa624008-1e7e-4736-81c6-327efaf5e7d8/jason-jordaan-the-road-to-infosec-season-1-episode-2
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now.
Microsoft out-of-band zero-day: CVE-2024-30060 - Security Update Guide
CVE-2024-30060 (7.8 high, disclosed 16 May 2024 by Microsoft) Azure Monitor Agent Elevation of Privilege Vulnerability with CWE-59: Improper Link Resolution Before File Access ('Link Following')
It is marked as publicly disclosed but not exploited, with exploitation rated "less likely".
What privileges could be gained by an attacker who successfully exploited this vulnerability?
An authenticated attacker would be able to delete targeted files on a system which could result in them gaining SYSTEM privileges.
What actions do customers need to take to protect themselves from this vulnerability?
We released CVE-2024-30060 to help keep customers protected. Customers who have installed the latest updates, or have automatic updates enabled, are already protected. Customers who have disabled Automatic Extension Upgrades or would like to upgrade an extension immediately must manually update their Azure Monitor Agent to the latest version. For more information on how to perform a manual update, see Manage Azure Monitor Agent.
🦀 Hello! I will be hosting a workshop on Reversing Rust Binaries this upcoming Friday, at @NorthSec in Montréal!
https://nsec.io/session/2024-reversing-rust-binaries-one-step-beyond-strings.html
This workshop focuses on some practical skills for reversing Rust binaries, and using strings in Rust binaries as an entry point to exploring reversing them!
The workshop will be on Friday, May 17th, from 9am-12pm EDT (UTC -4). The conference and workshops will be streamed; here's the link for the Workshop 1, Day 2 stream, which is my timeslot: https://www.youtube.com/live/VH7ID5S7_pI
Edit: A repository with pre-workshop setup instructions, and the sample code for the workshop, is now available here: https://github.com/cxiao/rust-reversing-workshop-northsec-2024/
Edit 2: That repository now has a link to a preconfigured Ubuntu VM image with all necessary tools and files for the workshop, to make setup for the workshop easier!
#rustlang #reverseengineering #reversing #malware #MalwareAnalysis #NorthSec
I like that this independent news organization puts the effort into publishing in English too:
16 May 1944 | The main phase of the extermination of Hungarian Jews began at the German camp Auschwitz. Three trains arrived on that day: ca. 9,000 people were murdered in gas chambers. Until 9 July, 142 trains brought ca. 420,000 Hungarian Jews.
See our online lesson: lekcja.auschwitz.org/en_6_dep_zydow/
The "EventLogCrasher" 0day For Remotely Disabling Windows Event Log, And a Free Micropatch For It
https://blog.0patch.com/2024/01/the-eventlogcrasher-0day-for-remotely.html
the way that the feds put shoutouts to all their fed agency friends at the bottom of their seizure pages is appropriation of hacker culture
Our contributions to the LLVM project have improved AddressSanitizer's (ASan) bug detection capabilities. Bootstrap ASan to better protect codebases against memory issues. https://buff.ly/44Gm3BP
Happy hunting!
Infrastructure used to maintain and distribute the Linux operating system kernel was infected for two years, starting in 2009, by sophisticated malware that managed to get a hold of one of the developers’ most closely guarded resources: the /etc/shadow files that stored encrypted password data for more than 550 system users, researchers said Tuesday.
The unknown attackers behind the compromise infected at least four servers inside kernel.org, the Internet domain underpinning the sprawling Linux development and distribution network, the researchers from security firm ESET said. After obtaining the cryptographic hashes for 551 user accounts on the network, the attackers were able to convert half into plaintext passwords, likely through password-cracking techniques and the use of an advanced credential-stealing feature built into the malware. From there, the attackers used the servers to send spam and carry out other nefarious activities. The four servers were likely infected and disinfected at different times, with the last two being remediated at some point in 2011.
An infection of kernel.org came to light in 2011, when kernel maintainers revealed that 448 accounts had been compromised after attackers had somehow managed to gain unfettered, or “root,” system access to servers connected to the domain. Maintainers reneged on a promise to provide an autopsy of the hack, a decision that has limited the public’s understanding of the incident.
In 2014, ESET researchers said the 2011 attack likely infected kernel.org servers with a second piece of malware they called Ebury. The malware, the firm said, came in the form of a malicious code library that, when installed, created a backdoor in OpenSSH that provided the attackers with a remote root shell on infected hosts with no valid password required. In a little less than 22 months, starting in August 2011, Ebury spread to 25,000 servers. Besides the four belonging to the Linux Kernel Organization, the infection also touched one or more servers inside hosting facilities and an unnamed domain registrar and web hosting provider.
A 47-page report summarizing Ebury's 15-year history said that the infection hitting the kernel.org network began in 2009, two years earlier than the domain was previously thought to have been compromised. The report said that since 2009, the OpenSSH-dwelling malware has infected more than 400,000 servers, all running Linux except for about 400 FreeBSD servers, a dozen OpenBSD and SunOS servers, and at least one Mac.