February 20, 2024
Lockbit ransomware group's website has been seized by EUROPOL. pic.twitter.com/Z4UTRy25z6
— vx-underground (@vxunderground) February 19, 2024
Background on the Chinese company that was leaked
Background on the company subject to the leaks https://t.co/fEfwJoAUZL
— Dakota Cary (@DakotaInDC) February 19, 2024
Archive of the leaks, just in case
tl;dr archived stuff, see link below
— vx-underground (@vxunderground) February 19, 2024
Earlier today a GitHub titled "I-S00N" leaked supposedly sensitive Chinese government data - specifically related to offensive cyber security.
The initial discovery, and documentation of the documents, derive from @AzakaSekai_. We have…
https://x.com/vxunderground/status/1759703708785365068
Lockbit ransomware group administration claims that law enforcement agencies compromised them by exploiting CVE-2023-3824
More information: https://t.co/28v1Yz4L7t
— vx-underground (@vxunderground) February 20, 2024
Lockbit when they're compromised pic.twitter.com/rSfeJfMRFp
— vx-underground (@vxunderground) February 20, 2024
No one can do patch management.
Some pushback on the CVE-2023-3824 claim
Skeptical about this claim... I quickly looked at the diff for CVE-2023-3824 and I think it only allows for a single off-by-two(?) NULL byte write to memory that is adjacent to a php_stream_dirent->d_name[]. Also it would require some PHAR data upload+parse primitive? https://t.co/DjY2rFKwFj
— blasty (@bl4sty) February 20, 2024
Perhaps Lockbit is somehow unaware of the whole PHAR deserialization class of vuln^H^H^H^Hfeatures PHP offers, found some PHAR data artifact and wrongly concluded CVE-2023-3824 to be the culprit?
— blasty (@bl4sty) February 20, 2024
I'd be very surprised if it was not exploitable. The biggest difficulty is the preconditions (file upload, directory listing routine with controlled path prefix), but they are not so unlikely.
— Charles Fol (@cfreal_) February 20, 2024
Last year I discovered multiple bugs in virtio-net for VirtualBox (CVE-2023-22098, CVE-2023-22099, CVE-2023-22100) and wrote a 100% reliable VM escape using an out-of-bounds write (with ASLR defeat). Published the exploit code: https://t.co/qx1SxppYhw
— Andy Nguyen (@theflow0) February 20, 2024
Bug is fun, they checked "uVlanId > VIRTIONET_MAX_VLAN_ID" instead of "uVlanId < VIRTIONET_MAX_VLAN_ID"
— Andy Nguyen (@theflow0) February 20, 2024
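The shape of the bug in the tweet above, a guard comparison written in the wrong direction, as an added illustration that is not VirtualBox's code: the table size, the bitmap layout and every function and macro name below are assumptions for this example, and the buggy variant only reports whether its store would have run instead of performing the out-of-bounds write.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout for illustration only (not VirtualBox's virtio-net data):
 * a bitmap with one bit per 802.1Q VLAN ID. IDs are 12-bit, so valid
 * indices are 0..4095 and VLAN_ID_LIMIT is the first invalid one. */
#define VLAN_ID_LIMIT 4096U

static uint8_t vlan_filter_bitmap[VLAN_ID_LIMIT / 8];

/* Buggy guard, mirroring the tweet's description: the update is gated on
 * id > limit instead of id < limit. Valid IDs are silently dropped and any
 * 16-bit ID above the limit reaches the store, which would land past the
 * end of vlan_filter_bitmap. Returns whether that store would have run;
 * the store itself is omitted so this example executes safely. */
bool vlan_filter_add_buggy(uint16_t id)
{
    if (id > VLAN_ID_LIMIT) {
        /* vlan_filter_bitmap[id / 8] |= ... would be an out-of-bounds write */
        return true;
    }
    return false;
}

/* Corrected guard: only IDs that index inside the table are stored. */
bool vlan_filter_add_fixed(uint16_t id)
{
    if (id < VLAN_ID_LIMIT) {
        vlan_filter_bitmap[id / 8] |= (uint8_t)(1U << (id % 8));
        return true;
    }
    return false;
}

/* Lookup with the same bound, so an out-of-range query never reads
 * past the table either. */
bool vlan_filter_has(uint16_t id)
{
    if (id >= VLAN_ID_LIMIT)
        return false;
    return ((vlan_filter_bitmap[id / 8] >> (id % 8)) & 1U) != 0;
}

void vlan_filter_reset(void)
{
    memset(vlan_filter_bitmap, 0, sizeof vlan_filter_bitmap);
}
```

The point to check in review of any table-indexed guest-controlled value is that the accept branch, not just the reject branch, is bounded: with the inverted comparison the code rejects every legitimate VLAN and admits exactly the IDs that cannot be stored.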
Seems that folks successfully achieved working RCE w/ a previous RTF/Win exploit! This is expected as #MonikerLink is a powerful attack vector (delivering exp) on Outlook - it bypasses Protected View too!
Now u have more reasons to PATCH & GET PROTECTED! https://t.co/esPv5KUJpd
— Haifei Li (@HaifeiLi) February 18, 2024
Interestingly, this "!" trick has been used before in a CVE-2021-40444 exploit as noticed by @wdormann back in 2021 https://t.co/XusZBcFxFX
— Mitja Kolsek (@mkolsek) February 19, 2024
Thread by @mkolsek on Thread Reader App
@mkolsek: I don't see why a possibility for chaining this with an old, already patched RCE would suffice for qualifying as RCE itself. I mean, @xaitax video shows coupling with Follina (CVE-2022-30190), and couples i...…
https://x.com/wdormann/status/1443566732694654984
I wrote down some thoughts on that "LLM Agents can Autonomously Hack Websites" paper that's been going around. TL;DR: no data, lack of transparency, no knowledge of existing traditional tools. https://t.co/is1bGAeuGY
— chrisrohlf (@chrisrohlf) February 19, 2024
Haibo used his personal email address, shutdown@139.com, to register i-soon[.]net in 2010 pic.twitter.com/SThXK3a8X4
— Nathan Patin (@NathanPatin) February 19, 2024
Not very opsec friendly for an APT dude 😅 https://t.co/NrkDvG79Y3 pic.twitter.com/7qp39ToyLg
— Soufiane (@S0ufi4n3) February 19, 2024
🚗 Perhaps the first vulnerability in #Automotive Security Product. #ProductSecurity #CyberSecurity https://t.co/OXgdXq9eq6
— delikely (@delikely) February 20, 2024
So here's my understanding of one of the Groq tricks (the paper is really easy to read):
Since a neural network's computational graph is known at compile time, they also know at compile time how data will flow between computational units.
As a result, they can do away with…
— Nathan Odle (@mov_axbx) February 19, 2024
This is big! New original Xbox exploit has been released, working on stock consoles with just a save.
Can be triggered from the Dashboard and used as an entrypoint for unsigned code, no exploit games or swaps needed!!
🥳 https://t.co/7EbRZSpSud
— MrMario2011 (@MrMario2011) February 19, 2024
I wrote this week on how Russian intelligence services have learnt from their mistakes & adapted. The GRU has changed its organisation & tradecraft. We publish exclusive details of a forthcoming RUSI report, which draws on Ukrainian & other docs & sources. https://t.co/zFYQF778Wh
— Shashank Joshi (@shashj) February 20, 2024