April 2, 2024
I am currently helping my wife look for the Lindt chocolate bunny I ate on Thursday.
— Douglas Cheape (@CheapeDouglas) March 31, 2024
A day where I am reminded that threat intelligence is like being a sports commentator for a game where you only see a small piece of the game pitch, and don't know the score.
— Halvar Flake (@halvarflake) April 1, 2024
Documentation on the xz backdoor message format
GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
Public reverse engineering:
[WIP] XZ Backdoor Analysis and symbol mapping · GitHub
Strings from the object file:
liblzma backdoor strings extracted from 5.6.1 (from a built-in trie) · GitHub
liblzma backdoor strings extracted from 5.6.1 (from a built-in trie) - hashes.txt
POC command line client to reach the RCE function
modify_ssh_rsa_pubkey.py · GitHub
Reverse engineering by @amlweems reveals 3 flaws that allow attackers to use the backdoor without the private key, using only a captured message signed for the target host:
1. Lack of replay protection
2. Symmetric encryption with a hardcoded key
3. Partially signed commands https://t.co/ShQO05yuX6 pic.twitter.com/oC36WlNlAw
— Juliano Rizzo (@julianor) April 1, 2024
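The first and third flaws in the list above are easiest to see in code. The block below is an added example, not code from the xz backdoor, from @amlweems' xzbot, or from anyone quoted on this page: it is a constructed toy model of a signed-command channel, with an HMAC standing in for the Ed448 signature (the attacker does not hold the key in either case, which is the only property that matters here), a made-up message layout, and constructed host and key identifiers. It does not reproduce the real payload format. The weak design binds the signature to the target host but covers only the command id and carries no freshness value, so a captured message can be resent and its unsigned argument swapped; the hardened variant signs the whole message under a verifier-issued challenge that is consumed on first use.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the operator's private signing key. The real backdoor
# verifies Ed448 signatures; an HMAC plays the same role in this toy model (the
# attacker cannot forge a tag, but can capture and reuse one).
OPERATOR_KEY = b"operator-signing-key-stand-in"
TARGET_HOST = b"host-A-public-key"   # constructed identifier for the target host
SIG_LEN = 32                          # length of the HMAC-SHA256 tag


def sign(data: bytes) -> bytes:
    return hmac.new(OPERATOR_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


# ---- Weak design: models "no replay protection" and "partially signed" ----
# Layout (made up): 4-byte command id | tag over (host || command id) | argument.
# The tag is bound to the host but not to the argument, and nothing in the
# message changes between uses, so it replays and the argument is attacker-controlled.
def weak_build(host: bytes, cmd_id: int, argument: bytes) -> bytes:
    header = struct.pack(">I", cmd_id)
    return header + sign(host + header) + argument


def weak_accept(host: bytes, msg: bytes):
    header, sig, argument = msg[:4], msg[4:4 + SIG_LEN], msg[4 + SIG_LEN:]
    if not verify(host + header, sig):
        return None
    return struct.unpack(">I", header)[0], argument


def attacker_swap_argument(captured: bytes, new_argument: bytes) -> bytes:
    # No key needed: keep the signed prefix, replace the unsigned tail.
    return captured[:4 + SIG_LEN] + new_argument


# ---- Hardened design: whole message signed under a one-time challenge ----
class HardenedVerifier:
    def __init__(self, host: bytes):
        self.host = host
        self.outstanding = set()   # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        c = os.urandom(16)
        self.outstanding.add(c)
        return c

    def accept(self, msg: bytes):
        body, sig = msg[:-SIG_LEN], msg[-SIG_LEN:]
        if not verify(self.host + body, sig):      # tag covers host, challenge, id, argument
            return None
        challenge = body[:16]
        if challenge not in self.outstanding:      # never issued, or already used once
            return None
        self.outstanding.discard(challenge)
        return struct.unpack(">I", body[16:20])[0], body[20:]


def hardened_build(host: bytes, challenge: bytes, cmd_id: int, argument: bytes) -> bytes:
    body = challenge + struct.pack(">I", cmd_id) + argument
    return body + sign(host + body)


def demo() -> dict:
    """Run both designs against a capture-and-reuse attacker; return the outcomes."""
    out = {}
    captured = weak_build(TARGET_HOST, 1, b"id")          # operator's real message, captured on the wire
    out["weak_other_host"] = weak_accept(b"host-B", captured)   # host binding does hold
    out["weak_original"] = weak_accept(TARGET_HOST, captured)
    out["weak_replay"] = weak_accept(TARGET_HOST, captured)     # accepted a second time
    forged = attacker_swap_argument(captured, b"cat /etc/shadow")
    out["weak_tampered"] = weak_accept(TARGET_HOST, forged)     # accepted with attacker's argument

    v = HardenedVerifier(TARGET_HOST)
    c = v.challenge()
    good = hardened_build(TARGET_HOST, c, 1, b"id")
    out["hard_original"] = v.accept(good)
    out["hard_replay"] = v.accept(good)                          # rejected: challenge consumed
    tampered = good[:-SIG_LEN - 2] + b"XX" + good[-SIG_LEN:]     # argument "id" -> "XX", tag unchanged
    out["hard_tampered"] = v.accept(tampered)                    # rejected: tag covers the argument
    return out
```

Running `demo()` shows the weak verifier accepting the captured message twice and accepting it with a replaced argument, while the hardened verifier accepts the genuine message once and rejects both the replay and the edit. The second flaw in the list (a hardcoded symmetric key) is not modelled here.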
I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so I patched my own key into the backdoor for testing. :-) https://t.co/CvKo3xPRkP pic.twitter.com/HDrFYCHoqp
— Anthony Weems (@amlweems) April 1, 2024
So apparently the xz backdoor used an Ed448 signature to sign a RCE payload. I’m fascinated by the decision to toss away 48 bytes of payload space on a > 128-bit secure signature.
Someone is being very smart or pretty dumb.
— Matthew Green (@matthew_d_green) March 31, 2024
Intriguing detail. Perhaps attackers considered breaking all sign algorithms inside SSHD to bypass pub key auth entirely by providing a valid Ed448 for their key instead. Using a less common algo may have been key to that rootkit approach. But then they decided a simple system()
— Juliano Rizzo (@julianor) April 1, 2024
I just made llamafile 1.3x - 5x faster than llama.cpp on CPU for many prompt / image evaluation use cases and hardware. https://t.co/7duNJBAbMF
— Justine Tunney (@JustineTunney) April 1, 2024
A friend once told me he believed that WU-FTPD was written by a visionary. A man who foresaw every possible security bug that you could ever make, and he put it all in one FTP daemon. I thought my friend was joking, but maybe it was real.
— ivs (@ivansprundel) March 31, 2024
Great series by @IntezerLabs for learning ELF file format internals
Part 1: https://t.co/KNFUXdWnnc
Part 2: https://t.co/ZQMrfmelT8
Part 3: https://t.co/QqZaOn9bZ6
Part 4: https://t.co/liIW0CnqGa #elf #cybersecurity pic.twitter.com/ccVnXcQwEM
— 0xor0ne (@0xor0ne) April 1, 2024
One of my favorite scientific findings:
Some languages are very information dense and some less so. Some languages are spoken fast and some slow.
And it turns out that people around the world speak at about the same information rate (~39 bps) regardless.
— Sumner L Norman (@SumnerLN) March 31, 2024
Vitalii Kovalev, the man arrested in Key West, as seen on @60Minutes, is a technical officer for the GRU as well as a member of the FSB cyber unit called the 16th Directorate, a former senior U.S. counterintelligence official said. https://t.co/PIXa3FMDTg
— Michael Weiss (@michaeldweiss) April 1, 2024
Exclusive: Wanted narco boss, Christopher Kinahan Sr, has exposed his movements and whereabouts by leaving hundreds of online reviews for hotels, restaurants and luxury shops, an investigation by Bellingcat and @ST__Ireland finds: https://t.co/YRQ2vH04QP
— Bellingcat (@bellingcat) March 31, 2024
Thread by @bellingcat on Thread Reader App – Thread Reader App
A few weeks ago some batteries thrown overboard from the International Space Station crashed into someone’s house in Florida. Great reporting here by @StephenClark1. https://t.co/D1oCPUJwPz
— Eric Berger (@SciGuySpace) April 2, 2024
Write up by @Google TAG on commercial surveillance vendors (CSVs) and spyware
Very interesting reading. https://t.co/XjW7baBMAW #cybersecurity pic.twitter.com/Mb3p4jnIPd
— 0xor0ne (@0xor0ne) April 1, 2024
Quoting @silascutler: “Open Source is Schrödinger's Critical Infrastructure. It's not critical until it is.”
— Marc Rogers (@marcwrogers) April 2, 2024
GitHub - karcherm/xz-malware: Stuff discovered while analyzing the malware hidden in xz-utils 5.6.0 and 5.6.1
Here's a fun AI story: a security researcher noticed that large companies' AI-authored source-code repeatedly referenced a nonexistent library (an AI "hallucination"), so he created a (defanged) malicious library with that name and uploaded it.
1/ pic.twitter.com/EJelC9wt5h
— Cory Doctorow @pluralistic@mamot.fr (@doctorow) April 1, 2024