Bart

@bartblaze

Threat Intel and more. Opinions are my own, unless retweeted. Open DMs.

Joined December 2009

Tweets

  1. Pinned Tweet
    8 Feb 2018

    I've published my slides on the workshop I gave about Malware Analysis, Threat Intelligence and Reverse Engineering. Blog: Direct link:

  2. Retweeted
    Sep 10

    After testing another CVE-2021-40444 sample that works with html+cab payload on a remote web server, I can now confirm that "mhtml:" and "x-usc:" are not needed in the remote OLE URL for the exploit to work. But the double URL http:...!http:... seems required.

  3. Retweeted
    Sep 9

    CVE-2021-40444 is so bad🤦‍♂️

  4. Retweeted
    Sep 9

    Kusto hunting query for the vulnerability in MSHTML, CVE-2021-40444:

  5. Retweeted
    Sep 10

    Chinese hackers have breached the internal networks of at least ten Indonesian government ministries and agencies, including computers from Indonesia’s primary intelligence service, the Badan Intelijen Negara (BIN) Only on

  6. Retweeted
    Sep 9

    Bad news about CVE-2021-40444 detection: after some tests, I can confirm that the remote object URL can be a simple URL, no need for mhtml, x-usc or even the double URL. So no way to detect CVE-2021-40444 just by looking at the URL, you need to get the remote object to find out.

  7. Retweeted
    Sep 9

    Facebook sent reporters covering their glasses launch a list of supposed "third-party" privacy and consumer groups that it consulted for the product. So I did some digging. FB funds at least 4 of the 5 groups. Future of Privacy Forum is one.

  11. Sep 9

    Kusto hunting query for the vulnerability in MSHTML, CVE-2021-40444:

  12. Retweeted
    Sep 9

    Three great days in 🇫🇷, at , sharing ’s commitment in boosting 🇪🇺 capabilities and resilience. Thanks to the EU funded cyber community hosted in our booth:

  13. Retweeted
    Sep 9

    Great to see CAPE's config extraction showcased in 'Difesa e Sicurezza' today ❤️ Molte grazie a e 🙏

  15. Sep 9

    Great blog post by on the anatomy of Metasploit shellcode and how to abuse its import resolution:

  16. Retweeted
    Sep 7

    Three of the most common issues finds, their impacts, and how you can use FOSS to find and fix these issues yourself, today: 🧵

  17. Retweeted
    Sep 8

    oleobj (from ) can be used to detect CVE-2021-40444: if there is a remote OLE object with a URL starting with "mhtml:", it's probably an exploit for that vulnerability.

  18. Retweeted
    Sep 8

    Not sure if Microsoft fixed this (my VM is unpatched). But it works in explorer preview mode via RTF:

  19. Retweeted
    Sep 8

    Popping calc with CVE-2021-40444 (MS Office exploit). Thanks to for collaborating 😀 Not planning to release, but my bet is with itw exploits, it won't be long...

  20. Retweeted

    Microsoft identified a limited number of targeted attacks. To protect customers, please see for mitigation guidance.

  21. Retweeted
    Sep 7

    This one is legit and is going to be worse than the Equation Editor CVEs (which make up almost all endpoint exploitation still), so strap in.
