February 28, 2023

Feb 28, 2023

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

Plex Media Server -> DevOps engineer’s laptop -> cloud credentials -> LastPass database

Nice! That’s a really cool supply chain exploit chain. This sort of attack vector has been discussed for decades. It’s exciting to see it finally discovered in the wild.

I’m very curious how they located the engineer to hit his Plex. As it opportunistic? They were hacking Plex servers and happen to get into this one, and when they dug deeper they got lucky? Was the engineer discovered via some extreme reconnaissance OSINT-fu? I’m so curious!

https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/

The camera shy hoodie

Use strobing IR LEDs embedded in a hoodie to stop CCTVs from capturing your face.

https://www.macpierce.com/the-camera-shy-hoodie

Similar concept, but using a baseball cap

https://beccaricks.space/Unidentified-Halo

Brendan Dolan-Gavitt @moyix

This ICSE 2023 paper from @cestlemieux et al. looks like a promising approach for using LLMs to boost fuzzing! Basically, when you get stuck– have the LLM look at the code and tell you how to make a test case that reaches under-covered code. carolemieux.com/codamosa_icse2…

CODAMOSA: Escaping Coverage Plateaus in Test Generation with Pre-trained Large Language Models
Caroline Lemieux, Jeevana Priya Inala, Shuvendu K. Lahiri, and Siddhartha Sen

Search-based software testing (SBST) generates high-coverage test cases for programs under test with a combination of test case generation and mutation. SBST’s performance relies on there being a reasonable probability of generating test cases that exercise the core logic of the program under test. Given such test cases, SBST can then explore the space around them to exercise various parts of the program. This paper explores whether Large Language Models (LLMs) of code, such as OpenAI’s Codex, can be used to help SBST’s exploration. Our proposed algorithm, CODAMOSA, conducts SBST until its coverage improvements stall, then asks Codex to provide example test cases for under-covered functions. These examples help SBST redirect its search to more useful areas of the search space. On an evaluation over 486 benchmarks, CODAMOSA achieves statistically significantly higher coverage on many more benchmarks (173 and 279) than it reduces coverage on (10 and 4), compared to SBST and LLM-only[...]

Pedram Amini @pedramamini

New @InQuest blog post covering the recent rise of Microsoft OneNote as a malware carrier: inquest.net/blog/2023/02/2… We cover the timeline, campaigns, and tools. You can find downloadable samples and YARA detection logic at: github.com/InQuest/malwar… github.com/InQuest/yara-r…

Jamie Dobson @JamieDobson

An old program tape with two clearly visible patches, on sections 250 and 260. The punch card's error, as manifested by the punches, was patched in just the same way a bike tire is patched. This is why we call it patching when we fix existing software.

🔎Julia Evans🔍 @b0rk

bases

cts @gf_256

credit: dippedrust @ kolektiva dot social (Elon plz dont ban me) https://t.co/XmvLhP9bFt

Austin Hudson @ilove2pwn_

BOOTLICKER: A continuation of my original bootdoor replication, extended to inject a usermode shellcode into the target process. Works fine, but I won't be showing how to modify it for usage. Have fun. Mostly intended to be readable. Adding x86 is easy

github.comGitHub - realoriginal/bootlicker: A generic UEFI bootkit used to achieve initial usermode execution. It works with modifications.A generic UEFI bootkit used to achieve initial usermode execution. It works with modifications. - GitHub - realoriginal/bootlicker: A generic UEFI bootkit used to achieve initial usermode execution...

b33f | 🇺🇦✊ @FuzzySec

I quickly wrote some notes for this bug on 🔪🧥 to explain a little bit about what is happening and how the vulnerability works ✌️ knifecoat.com/Posts/CVE-2022…

b33f | 🇺🇦✊ @FuzzySec

For science and profit I wrote an exploit for CVE-2022-21882. It works on 10 and 11. It's a really good case-study on win32k callbacks, more details in thread 🧵 https://t.co/XPCTRRsgNY

Lup Yuen Lee 李立源 @MisterTechBlog

Can we emulate Arm64 #PinePhone with @unicorn_engine ... To automate the testing of Apache #NuttX Real-Time Operating System with #RustLang? Let's find out! Article: lupyuen.github.io/articles/unico…

Joseph Cox @josephfcox

New: found that top professional fighters were advertising Exclu, an encrypted phone network allegedly used by organized crime, and which Dutch authorities recently hacked and then shut down. Shows the sort of pitch these companies go for

vice.comTop Kickboxers Advertised Encrypted Phones Used by Organized CrimeDutch police hacked and shutdown Exclu, a phone network used by alleged criminals. A promotional video shows professional fighters promoting the phones.

Joseph Cox @josephfcox

Here is Exclu's promotional video showing the professional fighters. Their kickboxing league, Glory, told me it wasn't aware of its fighters' endorsement of Exlcu until we showed them

youtube.comExclu adSubscribe to MOTHERBOARD: http://bit.ly/Subscribe-To-MOTHERBOARDFollow MOTHERBOARDFacebook: http://www.facebook.com/motherboardtvTwitter: http://twitter.com/...

Anneli Ahonen @ahonen_anneli

Now it is out – a report on the “Ghostwriter” campaign, the countermeasures and their limitations. Proud of having had the chance to work on this for the @cardiffuni @resetdottech cardiff.ac.uk/__data/assets/… cardiff.ac.uk/news/view/2699…

Electrospaces @electrospaces

Former Wikileaks associate Andy Müller-Maguhn found an eavesdropping device (with yellow border on the left) inside the GSMK CryptoPhone (regular version on the right) which he used to call Julian Assange as well as journalists from all over the world: spiegel.de/ausland/mutmas…

qdot @qDot

Presenting the newest ADHD meme: The Awareness Gap "I forgot about the appointment because there was an awareness gap between my executive function and linear time" "I didn't do dishes because of the awareness gap between me and the kitchen sink"

Zhuowei Zhang @zhuowei

You... got arbitrary code execution... on your monitor... so you can change its settings without pressing a button?! I... just... what

Shiny Quagsire @ShinyQuagsire

My display hackery is pushed to GitHub now https://t.co/jA5Zp8INO0 https://t.co/xvtXzebMQs

The problem with physicists is that they tend to cheat in order to get results.

The problem with mathematicians is that they tend to work on toy problems in order to get results.

The problem with program verifiers is that they tend to cheat at toy problems in order to get results.

Chinese defence boffins ponder microwaving Starlink satellites to stop surveillance

The thrust of the paper is simple: Starlink's already huge constellation of satellites means it has occupied plenty of orbital and spectrum resources without detailing the disposition of its fleet, and China needs to get its own satellites up there ASAP if it wants to enjoy the same strategic advantages the USA derives from having SpaceX based on its soil.

https://www.theregister.com/2023/02/27/china_defence_research_starlink_countermeasures/?td=rt-3a