Hypervisor-Enforced Kernel Integrity, powered by KVM! This is a new implementation that leverages hardware virtualization, and especially MBEC, to harden a Linux guest kernel. Please reach out if you want to contribute to this project! RFC: lore.kernel.org/all/2023050515

matteyeux Retweeted

Christian Werling

@_cwerling

May 2

Disk encryption is critical in securing your data when you lose your device or an attacker gets physical access. But we found that if you don't use a BitLocker passphrase on an AMD system (before Windows even comes up), your data is not adequately secured:

arxiv.org

faulTPM: Exposing AMD fTPMs' Deepest Secrets

Trusted Platform Modules constitute an integral building block of modern security features. Moreover, as Windows 11 made a TPM 2.0 mandatory, they are subject to an ever-increasing academic...

153

Show this thread

matteyeux Retweeted

Joxean Koret (@joxean@mastodon.social)

@matalaz

May 2

#Diaphora CVE-2023-28231. As explained in the linked blog from

@thezdi

, the fix checks that the number of relay forward messages in "ProcessRelayForwardMessage()" is not bigger or equal than 32 (0x20), as shown in the following pseudo-code diffing: zerodayinitiative.com/blog/2023/5/1/

Two years ago the SolarWinds hack made history as the boldest, most sophisticated supply chain hack ever pulled off. I dug into the detailed story about the ingenious way the hackers pulled it off - and then got caught - in this tale for WIRED magazine

wired.com

The Untold Story of the Boldest Supply-Chain Hack Ever

The attackers were in thousands of corporate and government networks. They might still be there now. Behind the scenes of the SolarWinds investigation.

258

630

«The Road to Zero» How to develop your own zero day vulnerabilities for XNU faisalmemon.github.io/the-road-to-ze

OH YOU HAVE TO BE JOKING ME

0:12

12.4K views

122

577

In the spotlight today is the Time Travel Debugging plugin (ttddbg), developed by Simon Garrelou (

@citronneur

) and Sylvain Peyrefitte. Learn what makes this plugin so useful 🌐 hex-rays.com/blog/plugin-fo #IDAPro #IDAPython #IDAPlugin #ttddbg

read image description

ALT

Someone needs to stop the web devs

Quote Tweet

Wes Bos

@wesbos

Apr 18

Node 20 allows you to compile your app into a single executable along with the entire Node.js core so you can run your apps on systems where node isn't installed, or your don't trust the system version.

Show this thread

121

492

3,975

🚨NEW REPORT: NSO Group’s #Pegasus #Spyware returns in 2022 with a trio of iOS 15 and iOS 16 zero-click exploit chains. The report finds NSO group clients deployed exploits against civil society members including two human right defenders in #Mexico

citizenlab.ca

Triple Threat: NSO Group’s Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16...

In 2022, the Citizen Lab gained extensive forensic visibility into new NSO Group exploit activity after finding infections among members of Mexico’s civil society, including two human rights defend...

268

349

Put out a blog post on some reversing I've been doing on the side of the AMD Platform Security Processor / PSP. Part 1 is an overview of the design and memory-mapped I/O (MMIO), part 2 will be on the Crypto Co-Processor MMIO.

dayzerosec.com

Reversing the AMD Secure Processor (PSP) - Part 1: Design and Overview

AMD's Secure Processor (formerly known as Platform Security Processor or "PSP") is a very interesting piece of technology that is critical to the operation of all modern-day AMD CPUs. There's also...

319

Worth stressing, as LockBit macOS sample though *compiled* for macOS really isn't (yet) designed for macOS. 1. Unsigned (won't easily run on macOS) 2. Doesn't appear to take into account TCC/SIP, so won't be able to encrypt much of anything So (in current form) macOS impact: ~0

Quote Tweet

Azim Khodjibaev

@AShukuhi

Apr 16

“Cisco Talos researcher Azim Khodjibaev told BleepingComputer that based on their research, the encryptors were meant as a test and were never intended for deployment in live cyberattacks.” twitter.com/BleepinCompute…

122

NEW REPORT: SWEET QUADREAMS: A first look at #spyware vendor QuaDream’s spy tools, victims and customers. We identified traces of suspected exploit deployed against iOS versions 14.4 and 14.4.2 and possibly other versions as zero-day vulnerability.

citizenlab.ca

Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers - The...

At least five civil society victims of QuaDream’s spyware and exploits were identified in North America, Central Asia, Southeast Asia, Europe, and the Middle East. Victims include journalists,...

193

217

linux virtual memory fun fact of the day: after a fork+exec to run a subshell, a parent process will page fault on every first write to every single writable page in its address space

561

New video: 3CX SmoothOperator analysis of ffmpeg with Binary Ninja 🦔📹 #MalwareAnalysisForHedgehogs #3CX #SmoothOperator

youtube.com

Malware Analysis - 3CX SmoothOperator ffmpeg.dll with Binary Ninja

We analyze the trojanized ffmpeg.dll that was used in the supply chain attack called SmoothOperator. Me mark up the decompiled code in Binary Ninja and decry...

matteyeux Retweeted

Lorenzo FB / @lorenzofb@infosec.exchange

@lorenzofb

Apr 2

Eight years later and I stil stumble upon gems in the Hacking Team leak. This one is... * chef's kiss *

😶

Looks like my plugin is in the top 5 this month 👀

Quote Tweet

Hex-Rays SA

@HexRaysSA

Mar 31

It looks like #Gepetto, developed by @JusticeRage is taking the lead for downloads in March! Publish your plugin in our Repository, and let’s see if it will make it to the top

plugins.hex-rays.com//?utm_source=S #IDAPlugin #PluginRoundup #IDAPro #IDAPython

Plugin Repository Monthly Roundup: March 2023

read image description

ALT

Our team published a post about the #3cx supply chain attack. We describe the Windows & the MacOS backdoors. The timeline: the GitHub repo on December 7 & the infrastructure in November... Few months later a malicious update was sent to the customers :

volexity.com

3CX Supply Chain Compromise Leads to ICONIC Incident

[Update: Following additional analysis of shellcode used in ICONIC, in conjunction with other observations from the wider security community, Volexity now attributes the activity described in this...

121

I'd like to publicly introduce BinSync, a cross-decompiler collaboration tool and suite. With BinSync, you can finally share reversing data, like Types, across all your favorite decompilers (IDA, Binja, Ghidra, angr) on-the-fly. github.com/binsync/binsync. See thread for demos.

github.com

GitHub - binsync/binsync: A collaborative reversing plugin for cross-decompiler collaboration,...

A collaborative reversing plugin for cross-decompiler collaboration, built on git. - GitHub - binsync/binsync: A collaborative reversing plugin for cross-decompiler collaboration, built on git.

270

Replying to

But why would you boot into doom when you can have it in firmware:

github.com

GitHub - Cacodemon345/uefidoom: Port of Doom to UEFI.

Port of Doom to UEFI. Contribute to Cacodemon345/uefidoom development by creating an account on GitHub.

118

#redteam tip:

self protection bypass Fortinet is using minifilter to prevent copying or deleting files in the app's installed location. If you Reverse engineer the responsible driver, You will notice that there are some exceptions

102

340

Success!

used a TOCTOU bug to escalate privileges on Apple macOS. They earn $40,000 and 4 Master of Pwn points. #Pwn2Own #P2OVancouver

GIF

252

New blogpost by

and I! Patch Tuesday -> Exploit Wednesday: Pwning Windows afd.sys in 24 Hours. We reverse engineer a bug + write an exploit using a cool new primitive. We also find out that it's been exploited in the wild (previously unknown).

securityintelligence.com

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys)...

Dive into the analysis and exploitation of a vulnerability in the Windows Ancillary Function Driver for Winsock for Local Privilege Escalation on Windows 11. More from X-Force Red experts.

255

664

Couple of bugs I reported to

@msftsecresponse

got patched today. The most severe is classified as unauthenticated network RCE! #cve202323415 #cve202323426 Demo:

GIF

101

343

Cool, iOS 16.4 beta introduces more adaptations of C++ annotations, such as `intrusive_shared_ptr` (already open source in oss xnu github.com/apple-oss-dist ) For example, see below iOS 16.3 (left) vs iOS 16.4 beta (right):

Disambiguating Arm, Arm ARM, Armv9, ARM9, ARM64, Aarch64, A64, A78, ... nickdesaulniers.github.io/blog/2023/03/1

Last year, during

USA 2022, we demonstrated an attack to bypass the Secure Boot and Flash Encryption features of the original #ESP32 by corrupting its OTP Data Transfer with an EM glitch! Read more about it in our latest blog post: raelize.com/blog/espressif

Change your host computer name to make attackers and malware think that they are in a sandbox. Follow me for more terrible tips

158

1,291

Show this thread

matteyeux Retweeted

dmnk@infosec.exchange

@domenuk

Mar 6

Cool binary analysis framework, backed by Ghidra's Sleigh processor definitions, in #rust by

@xorpse

et al 🦀🦀🦀

github.com

GitHub - fugue-re/fugue-core: A binary analysis framework written in Rust.

A binary analysis framework written in Rust. Contribute to fugue-re/fugue-core development by creating an account on GitHub.

matteyeux

@matteyeux

Mar 6

Recovered some SEP/OS symbols 😶‍🌫️

My analysis of Brute Ratel is now up on my blog. protectedmo.de/brute.html

143

426

Part 4 of Lord Of The Ring0 is out! This part covers and explains different types of kernel callbacks and giving use cases for each one of them. As a bonus, we will write a mini registry protector driver. Check it out at: idov31.github.io/2023/02/24/lor #infosec #CyberSecurity

175

matteyeux Retweeted

Joxean Koret (@joxean@mastodon.social)

@matalaz

Mar 5

I have written a brief article explaining how compilation units matching work in #Diaphora: github.com/joxeankoret/di

My 2c on the #BlackLotus UEFI bootkit (thanks,

@ESETresearch

): - "Exploitation Less Likely" is proven wrong, hope for a new DBX revocation list. - not trusting UEFI CA saves the day yet again. - having a single NV+BS variable as a gateway to booting whatever is a bad idea.

#ESETResearch analyze first in-the-wild UEFI bootkit bypassing UEFI Secure Boot even on fully updated Windows 11 systems. Its functionality indicates it is the #BlackLotus UEFI bootkit, for sale on hacking forums since at least Oct 6, 2022.

@smolar_m

welivesecurity.com/2023/03/01/bla 1/11

welivesecurity.com

BlackLotus UEFI bootkit: Myth confirmed | WeLiveSecurity

ESET researchers are the first to publish an analysis of BlackLotus, the first in-the-wild UEFI bootkit capable of bypassing UEFI Secure Boot.

282

469

Make your iOS kernel exploration on

@HexRaysSA

's IDA easier using PPLorer a plugin to resolve PPL calls to the underlying function.

github.com

GitHub - cellebrite-labs/PPLorer: IDA plugin that resolves PPL calls to the actual underlying PPL...

IDA plugin that resolves PPL calls to the actual underlying PPL function. - GitHub - cellebrite-labs/PPLorer: IDA plugin that resolves PPL calls to the actual underlying PPL function.

146

FaultyUSB: exploiting a TOCTOU race condition bug in recovery to get root on Huawei devices by emulating a malicious USB flash drive

labs.taszk.io

[BugTales] REUnziP: Re-Exploiting Huawei Recovery With FaultyUSB

Huawei Recovery Update Zip ToC-ToU Vulnerability

127

315

Microsoft is officially supporting Windows 11 on Apple M1 and M2 Macs. A new partnership with Parallels will allow Mac users to officially install Windows 11 as a VM. Details here:

theverge.com

Microsoft to support Windows 11 on Apple M1 and M2 Macs through Parallels partnership

Microsoft has partnered with Parallels to support an Arm version of Windows on M1 and M2.

508

3,461

I just published a video: The secrets of Apple's Lightning - Part 1 youtube.com/watch?v=p5tMaW

181

1,156