March 10, 2023

Greg Linares (Mantis) @Laughing_Mantis

So I've been just been briefed on a very disturbing trend of events that I think everyone should know. Ransomware attackers have been targeting legal firms quite heavily in the last 6 months or so. I thought this was because pretty poor security, but there's much more. A 🧵

12:54 AM ∙ Mar 9, 2023

---

-

DOJ trying to make it seem sus that people are using “encrypted messaging that can’t be read by the government” — WhatsApp. Some good points about how the real concern is actually the pattern of behaviour.

If you use email for years, then right before the crime you’re accused of you use an encrypted messenger, that looks really bad. Lesson learned: always use the strong protection. Make secret secure communications the default and then nothing will stand out as unusual. The old “always use pgp so when you need it it blends in” argument. But now with extra legal justification.

https://grandjurytarget.com/2023/02/28/its-not-what-you-say-its-how-you-say-it-encrypted-messaging-as-a-doj-weapon/

-

Katie Nickels @likethecoins

Great highlight from @mattjay! If you look at various annual reports, I suspect you'll see a similar pattern that a lot of the same TTPs continue to be used year-over-year. This certainly is the case in our soon-to-be-released Red Canary Threat Detection Report.

Matt Jay @mattjay

Currently reading: @TheDFIRReport year in review. "Our data show no significant change compared to our 2021’s “Year in review” report. The tactics, techniques and procedures have mostly stayed the same as the motivations behind the attacks drive the resulting outcomes."

3:24 AM ∙ Mar 8, 2023

---

-

Wojciech Lesicki @WLesicki

The new report from @TheDFIRReport is here! 😺 Great content for both #threat hunters who are looking for something to hunt (😺)or #redteam who want to better represent threat actors. thedfirreport.com/2023/03/06/202…

thedfirreport.com2022 Year in Review - The DFIR ReportAs we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report … Read More

12:49 PM ∙ Mar 6, 2023

---

https://thedfirreport.com/2023/03/06/2022-year-in-review/

-

An in-depth look at the history and culture of 8200. Very interesting.

https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-2019-12-Unit-8200.pdf

-

Ryan Naraine @ryanaraine

Oh wow, this is a bit of a surprise. They're killing off the USENIX Enigma conference

usenix.orgUpdate on the Enigma Conference from the Enigma Steering Committee | USENIX

5:59 PM ∙ Mar 9, 2023

---

-

Xiaoliang Liu @flame36987044

Thanks to @chompie1337 and @FuzzySec for sharing such a good use case，We caught an in-the-wild sample of afd.sys not long ago, it is different from this exploit, it uses the system mechanism and vulnerability features to achieve privilege escalation

chompie @chompie1337

@FuzzySec Shout out to @yarden_shafir who developed the I/ORing primitive we used to obtain arbitrary kernel RW. To our knowledge, this is the first time the primitive has been used in a (public) exploit

2:40 AM ∙ Mar 9, 2023

---

-

Xiaoliang Liu @flame36987044

Thanks to @chompie1337 and @FuzzySec for sharing such a good use case，We caught an in-the-wild sample of afd.sys not long ago, it is different from this exploit, it uses the system mechanism and vulnerability features to achieve privilege escalation

chompie @chompie1337

@FuzzySec Shout out to @yarden_shafir who developed the I/ORing primitive we used to obtain arbitrary kernel RW. To our knowledge, this is the first time the primitive has been used in a (public) exploit

2:40 AM ∙ Mar 9, 2023

---

-

John @Big_Bad_W0lf_

Fresh 🔥 coming out of @Mandiant. New two-part blog post on recent a recent campaign from suspected DPRK espionage actor #UNC2970. mandiant.com/resources/blog…

mandiant.comStealing the LIGHTSHOW (Part One) — North Korea’s UNC2970 | MandiantA campaign from a suspected North Korean espionage group.

7:11 PM ∙ Mar 9, 2023

---

-

raptor@infosec.exchange @0xdea

#PwnAgent: A One-Click WAN-side #RCE in #Netgear RAX Routers with CVE-2023-24749 // by @mahal0z mahaloz.re/2023/02/25/pwn… The bug: _isoc99_sscanf(result + 12, "%255[^\r\n]", v8); sprintf(v9, "pudil -i %s \"%s\"", a4, (const char *)v8); return (char *)system(v9);

mahaloz.rePwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers with CVE-2023-24749A breakdown of a bug SEFCOM T0 and I exploited to achieve a WAN-side RCE in some Netgear RAX routers for pwn2own 2022. The bug is a remotely accessible command injection due to bad packet logging, cataloged as CVE-2023-24749.

6:38 AM ∙ Mar 10, 2023

---

-

nearcyan @nearcyan

pip install -r requirements.txt

1:04 AM ∙ Mar 10, 2023

---

-