the grugq's newsletter

March 10, 2023

Greg Linares (Mantis) @Laughing_Mantis
So I've just been briefed on a very disturbing trend of events that I think everyone should know. Ransomware attackers have been targeting legal firms quite heavily in the last 6 months or so. I thought this was because of pretty poor security, but there's much more. A 🧵
12:54 AM ∙ Mar 9, 2023

-

DOJ trying to make it seem sus that people are using “encrypted messaging that can’t be read by the government” — WhatsApp. Some good points about how the real concern is actually the pattern of behaviour.

If you use email for years, then right before the crime you're accused of you switch to an encrypted messenger, that looks really bad. Lesson learned: always use strong protection. Make secure, private communications the default and then nothing will stand out as unusual. The old "always use PGP so that when you need it, it blends in" argument, but now with extra legal justification.

https://grandjurytarget.com/2023/02/28/its-not-what-you-say-its-how-you-say-it-encrypted-messaging-as-a-doj-weapon/

-

Katie Nickels @likethecoins
Great highlight from @mattjay! If you look at various annual reports, I suspect you'll see a similar pattern that a lot of the same TTPs continue to be used year-over-year. This certainly is the case in our soon-to-be-released Red Canary Threat Detection Report.
Matt Jay @mattjay
Currently reading: @TheDFIRReport year in review.
"Our data show no significant change compared to our 2021’s “Year in review” report. The tactics, techniques and procedures have mostly stayed the same as the motivations behind the attacks drive the resulting outcomes."
3:24 AM ∙ Mar 8, 2023

-

Wojciech Lesicki @WLesicki
The new report from @TheDFIRReport is here! 😺 Great content for both #threat hunters who are looking for something to hunt (😺) or #redteam who want to better represent threat actors. thedfirreport.com/2023/03/06/202

thedfirreport.com: 2022 Year in Review - The DFIR Report. As we move into the new year, it's important to reflect on some of the key changes and developments we observed and reported on in 2022. This year's year-in-review report
12:49 PM ∙ Mar 6, 2023
https://thedfirreport.com/2023/03/06/2022-year-in-review/

-

An in-depth look at the history and culture of 8200. Very interesting.

https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-2019-12-Unit-8200.pdf

-

Ryan Naraine @ryanaraine
Oh wow, this is a bit of a surprise. They're killing off the USENIX Enigma conference
usenix.org: Update on the Enigma Conference from the Enigma Steering Committee | USENIX
5:59 PM ∙ Mar 9, 2023

-

Xiaoliang Liu @flame36987044
Thanks to @chompie1337 and @FuzzySec for sharing such a good use case. We caught an in-the-wild sample of afd.sys not long ago; it is different from this exploit, as it uses the system mechanism and vulnerability features to achieve privilege escalation.
chompie @chompie1337
@FuzzySec Shout out to @yarden_shafir who developed the I/ORing primitive we used to obtain arbitrary kernel RW. To our knowledge, this is the first time the primitive has been used in a (public) exploit
2:40 AM ∙ Mar 9, 2023

-

John @Big_Bad_W0lf_
Fresh 🔥 coming out of @Mandiant. New two-part blog post on a recent campaign from suspected DPRK espionage actor #UNC2970. mandiant.com/resources/blog

mandiant.com: Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 | Mandiant. A campaign from a suspected North Korean espionage group.
7:11 PM ∙ Mar 9, 2023

-

raptor@infosec.exchange @0xdea
#PwnAgent: A One-Click WAN-side #RCE in #Netgear RAX Routers with CVE-2023-24749
// by @mahal0z mahaloz.re/2023/02/25/pwn
The bug:
    _isoc99_sscanf(result + 12, "%255[^\r\n]", v8);
    sprintf(v9, "pudil -i %s \"%s\"", a4, (const char *)v8);
    return (char *)system(v9);
mahaloz.re: PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers with CVE-2023-24749. A breakdown of a bug SEFCOM T0 and I exploited to achieve a WAN-side RCE in some Netgear RAX routers for pwn2own 2022. The bug is a remotely accessible command injection due to bad packet logging, cataloged as CVE-2023-24749.
6:38 AM ∙ Mar 10, 2023
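The injection in the tweet above comes from parsing a network-supplied field with sscanf and then splicing it into a shell command string for system(). As an added example (not code from the PwnAgent write-up or from the Netgear firmware), here is the same parse done defensively in C: the field is restricted to a conservative character set and the helper program is started through execvp with a fixed argv, so no shell ever interprets the value. The function names, the `pudil` invocation shape and the interface argument are assumptions for illustration.

```c
/* Added example: a hardened replacement for the sscanf -> sprintf -> system()
 * pattern. Names (field_is_safe, parse_field, run_logger) are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define FIELD_MAX 255   /* same width the original "%255[...]" allows */

/* Returns 1 if s is non-empty, at most FIELD_MAX bytes, does not start with
 * '-' (so it cannot be parsed as an option by the helper program) and every
 * byte is a letter, digit, '.', '-' or '_'. Quotes, spaces, ';', '|', '$'
 * and similar are rejected, so the value can never alter how a command is
 * interpreted even if a shell were involved. */
int field_is_safe(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > FIELD_MAX || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != '_') return 0;
    }
    return 1;
}

/* Parses the field the same way the vulnerable code does (up to CR/LF), but
 * validates it before it is used. Returns 0 and fills out on success,
 * -1 if there is no usable field or it fails validation. */
int parse_field(const char *line, char *out, size_t outsz) {
    char buf[FIELD_MAX + 1];
    if (outsz < sizeof buf) return -1;
    if (sscanf(line, "%255[^\r\n]", buf) != 1) return -1;
    if (!field_is_safe(buf)) return -1;
    strcpy(out, buf);   /* bounded: buf holds at most FIELD_MAX bytes */
    return 0;
}

/* Runs the logger without a shell: argv is passed verbatim, so the field is
 * always exactly one argument. Returns the child's exit status or -1. */
int run_logger(const char *iface, const char *field) {
    if (!field_is_safe(iface) || !field_is_safe(field)) return -1;
    char *const argv[] = {"pudil", "-i", (char *)iface, (char *)field, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The key point is the last function: once the field is a separate argv entry rather than text inside a quoted shell string, there is nothing left for metacharacters to break out of.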

-

nearcyan @nearcyan
pip install -r requirements.txt
1:04 AM ∙ Mar 10, 2023

-
