#infosec caption it. I start.
When you realize that you are better off with #sysmon + ELK than with a $2M SIEM license quota filled with firewall log data
Just published a blog explaining the root cause of the recent #win10 crypto vulnerability (CVE-2020-0601 / #curveball?) using some "Load Bearing Analogies" to make it more accessible. CC: @tqbf @grittygrease @dakami
Yikes! Tomorrow @ZenGo will publish about a vulnerability we had found in @CoinbaseWallet and others. We responsibly disclosed it to CB many weeks ago; they fixed it and awarded us multiple bug bounties. Today we informed them we are going to publish. This is the reaction we got:
Did Hamas trade on terror and short Israeli ETFs before the #7octobermassacre, yielding profit in the billions? Very likely, says former SEC commissioner @SECJackson et al., via @haaretzcom
This is NOT the way to treat security researchers. We conducted this research to increase the security of the ecosystem and not for some bug bounties. Bug bounties are mostly tokens of appreciation. So, YES, we will publish. And, YES, we name CB and share a video of an exploit.
1/ Core issue behind the Trust Wallet extension vulnerability: it used a Mersenne Twister (MT19937) pseudo-random number generator (PRNG) for generating private keys, which is not random "enough", and therefore such private keys can be brute-forced by attackers.
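Why a non-cryptographic PRNG makes the key recoverable, as an added example that is not part of the tweet or of Trust Wallet's code: CPython's `random.Random` is MT19937, so the 256 key bits are a pure function of the seed, and whoever can enumerate the seed space can enumerate every key the wallet could ever have produced. The seed space here is an assumption of the example (16 bits, so the loop finishes in well under a second); the attack only needs it to be far smaller than 2**256. The `address_of` function is a stand-in for the real public-key/address derivation, which the attacker only needs in order to recognise the target.

```python
import hashlib
import random
import secrets

# Assumption for the example: the wallet seeds MT19937 from a small space.
# 16 bits keeps the brute force fast; the flaw is the same for any seed space
# that is enumerable, which is every seed space a 32-bit integer can express.
SEED_BITS = 16


def mt_private_key(seed: int) -> bytes:
    """The weak generator: 256 bits of MT19937 output, fully determined by seed."""
    rng = random.Random(seed)          # CPython's Random is MT19937
    return rng.getrandbits(256).to_bytes(32, "big")


def address_of(private_key: bytes) -> str:
    """Stand-in (constructed) for public-key/address derivation. Real wallets
    use secp256k1 + keccak; any deterministic public function of the key works
    for the attack, because the attacker only needs to recognise the target."""
    return hashlib.sha256(private_key).hexdigest()[:40]


def recover_private_key(target_address: str, seed_bits: int = SEED_BITS):
    """Enumerate every seed, regenerate the key the wallet would have produced
    and stop when it matches the victim's address. Returns (seed, key) or None."""
    for seed in range(1 << seed_bits):
        key = mt_private_key(seed)
        if address_of(key) == target_address:
            return seed, key
    return None


def strong_private_key() -> bytes:
    """What a wallet should do instead: 32 bytes from the OS CSPRNG, whose
    state cannot be enumerated from a short seed."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    victim_seed = 0xBEEF                      # constructed victim
    victim = address_of(mt_private_key(victim_seed))
    print("recovered:", recover_private_key(victim))
```

The fix is not a "better" seed for MT19937 but a different generator: `secrets.token_bytes` (or the platform CSPRNG behind it) is the only acceptable source for key material.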
Currently the best #PetitPotam TLDR 👇 by @bojanz (but still a bit incomplete):
1⃣ Attackers provoke NTLM authentication from the DC to a machine they control using MS-EFSRPC / MS-RPRN
2⃣ NTLM relay back to the DC (reflection), to AD CS, to get a cert for the DC
3⃣ Upgrade the DC cert to a DC TGT
4⃣ Win
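What steps 1⃣ and 2⃣ look like from the defender's side, as an added detection example that is not part of the thread: a DC machine account never needs to authenticate with NTLM from an address that is not a DC, and it should not be obtaining a certificate seconds after doing so. The sample events are constructed; the field names follow the Windows Security log (4624 on the host that received the relayed NTLM authentication, 4887 on the CA for an issued certificate), and the DC inventory is an assumption of the example.

```python
from datetime import datetime, timedelta

# Assumption for the example: a static inventory of DC accounts and addresses.
DC_ACCOUNTS = {"DC01$"}
DC_IPS = {"10.0.0.10"}

# Constructed sample events. 4624 = successful logon (here on the DC that also
# runs AD CS), 4887 = Certificate Services issued a certificate.
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2021-07-23T10:00:01", "TargetUserName": "DC01$",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.10"},
    {"EventID": 4624, "TimeCreated": "2021-07-23T10:05:12", "TargetUserName": "DC01$",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.66"},
    {"EventID": 4624, "TimeCreated": "2021-07-23T10:05:30", "TargetUserName": "alice",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.66"},
    {"EventID": 4887, "TimeCreated": "2021-07-23T10:05:13", "RequestId": 1337,
     "Requester": "CORP\\DC01$", "CertificateTemplate": "DomainController"},
    {"EventID": 4887, "TimeCreated": "2021-07-23T09:00:00", "RequestId": 1300,
     "Requester": "CORP\\WS07$", "CertificateTemplate": "Machine"},
]


def when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def suspicious_dc_ntlm_logons(events):
    """Signal for steps 1-2: a DC machine account authenticating over NTLM
    (network logon) from a non-DC address. The credential was coerced out of
    the DC and is being relayed or reflected by someone else."""
    return [e for e in events
            if e["EventID"] == 4624
            and e["LogonType"] == 3
            and e["AuthenticationPackageName"] == "NTLM"
            and e["TargetUserName"] in DC_ACCOUNTS
            and e["IpAddress"] not in DC_IPS]


def correlate_with_cert_issuance(events, window=timedelta(minutes=10)):
    """Confirmation of step 2: the same DC account is issued a certificate
    shortly after the suspicious logon. Returns (account, source_ip, request_id)."""
    alerts = []
    for logon in suspicious_dc_ntlm_logons(events):
        t0 = when(logon)
        for e in events:
            if e["EventID"] != 4887:
                continue
            requester = e["Requester"].split("\\")[-1]      # strip DOMAIN\
            if requester == logon["TargetUserName"] and timedelta(0) <= when(e) - t0 <= window:
                alerts.append((logon["TargetUserName"], logon["IpAddress"], e["RequestId"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate_with_cert_issuance(EVENTS):
        print("DC account relayed to AD CS:", alert)
```

The first rule alone is already a strong indicator; the correlation is there to separate "coerced and relayed somewhere" from "coerced, relayed to AD CS and now holding a DC certificate", which is the case that needs the DC treated as compromised.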
1/ A technical writeup on @Meta's @WhatsApp privacy issue: WA leaks victim devices' end-to-end encryption (E2EE) identity information (mobile device + up to 4 linked devices) to any user, by design, even if blocked and not in contacts.
I just published "GlueBall: The story of CVE-2020-1464". @peleghd performed the patch diff and reversing. Some technical answers about Microsoft trust and digital signature verification, but many question marks on @msftsecurity's response. #GlueBall
One of the most exciting talks today at @BsidesTLV: ReDTunnel by @El3ct71k & @realgam3. While DNS rebinding is an old concept, a tool (only JS on the client) that creates a stable, generic HTTP(S) tunnel into the victim's internal network can be a game changer.
Crowd sourcing the truth. That will end up well.
"Algorithms that promote or hide speech based on community data are secret admin tools for people with bots" @pwnallthethings
Going to create a site where the public can rate the core truth of any article & track the credibility score over time of each journalist, editor & publication. Thinking of calling it Pravda …
Someone just lost $2.5M in $Eth fees to send $100 worth of Eth, probably because they confused "value" with "fee". On the other hand, some miner is very happy now. Spotted with the @ZenGo #Ethereum txpool visualizer.
1/ So obviously hacking @kaspersky was a well-thought-out operation by an Intelligence Agency (IA). But why? What made Kaspersky such a valuable target, worth risking and ultimately losing the IA's decade+ old Apple exploit chain? CC: @pwnallthethings @ImposeCost @thegrugq @0xcharlie
This is more likely the work of an intelligence agency, not an APT. An APT is a contractor service organized by or reporting to the intelligence agencies of a nation-state or an OCG, and does not have the same level of bureaucracy with payload delivery. The selective targeting gives it away.
I suspect we'd see an outbreak of "big game hunting" #ransomware using #Zerologon very soon. Leaping from a simple user to domain admin is the ultimate shortcut.
A new #mimikatz 🥝 release with #zerologon / CVE-2020-1472 detection, exploit, DCSync support and lots of love inside ❤️ It now uses a direct RPC call (fast, and supports unauthenticated calls on Windows). Thank you: @SecuraBV
The @MITREattack table is the periodic table of enterprise network hacking. Breaking the almost infinite number of possible "chemical compounds" into a finite number of "core elements" is the key to understanding and defending. #DFIR #MITRE #ThreatHunting
Also, I updated the public shared file that includes all of @MITREattack Enterprise in one file in a tabular format 😊🍻💜💜 Useful when preparing for #ThreatHunting engagements!! 😉
@TalBeerySec @ZenGo @CoinbaseWallet Hey @TalBeerySec, I lead security at Coinbase. We appreciate security researchers from around the world working with us to keep Coinbase products and customers safe. That message doesn't reflect how we want to engage with the security research community. 1/
Briefly looking into the #fireeye ToC of potentially stolen #redteam tools, nothing caught my eye as "ground breaking" (please tell me if I missed anything). I find it hard to believe that stealing these tools would have been the goal of this risky operation.
Per the @WIRED #FIN7 story: EVERY organization has at least a few people REQUIRED to "open attachments from strangers". HR opens CVs from strangers, Sales opens RFIs from strangers, etc.
Storm-0558: The non-expiry of the stolen Microsoft certificate is not getting enough attention 🧵
1. If the cert had expired in time, no damage would have happened. Instead, Microsoft chose to "renew" it with the same private key, which defeats the purpose of renewal.
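The lifecycle failure the thread describes, as an added example that is not part of the thread and not a model of Microsoft's actual token service: a toy registry of signing keys with validity windows, where "renewal" either re-issues the same key material under a new key id or rotates to fresh material. HMAC stands in for the real asymmetric signature (an assumption of the example; the scheme is irrelevant to the point), and the key ids, times and payloads are constructed.

```python
import hashlib
import hmac
import secrets


def new_key() -> bytes:
    return secrets.token_bytes(32)


class KeyRegistry:
    """kid -> {"secret", "not_before", "not_after"} (times in constructed Unix seconds)."""

    def __init__(self):
        self.keys = {}

    def add(self, kid, secret, not_before, not_after):
        self.keys[kid] = {"secret": secret, "not_before": not_before, "not_after": not_after}

    def renew_same_key(self, old_kid, new_kid, not_after):
        """The anti-pattern: a new kid and a new expiry, but the same secret.
        Anyone who stole the old secret now owns the new key as well."""
        old = self.keys[old_kid]
        self.add(new_kid, old["secret"], old["not_after"], not_after)

    def rotate(self, new_kid, not_before, not_after):
        """Real rotation: fresh key material; the stolen secret dies with the old window."""
        self.add(new_kid, new_key(), not_before, not_after)


def sign(secret: bytes, kid: str, payload: str) -> str:
    mac = hmac.new(secret, f"{kid}.{payload}".encode(), hashlib.sha256).hexdigest()
    return f"{kid}.{payload}.{mac}"


def verify(registry: KeyRegistry, token: str, now: int) -> bool:
    """Accept only if the kid is known, the key is inside its validity window
    at verification time, and the MAC checks out."""
    kid, payload, mac = token.split(".")
    entry = registry.keys.get(kid)
    if entry is None or not (entry["not_before"] <= now <= entry["not_after"]):
        return False
    expected = hmac.new(entry["secret"], f"{kid}.{payload}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def stolen_key_after_expiry(renew_with_same_key: bool):
    """Key k1 (valid 0..1000) is stolen during its lifetime. At time 1500, can
    the thief still mint accepted tokens? Returns (under_old_kid, under_new_kid)."""
    reg = KeyRegistry()
    reg.add("k1", new_key(), 0, 1000)
    stolen = reg.keys["k1"]["secret"]
    if renew_with_same_key:
        reg.renew_same_key("k1", "k2", 2000)
    else:
        reg.rotate("k2", 1000, 2000)
    now = 1500
    return (verify(reg, sign(stolen, "k1", "sub=admin"), now),
            verify(reg, sign(stolen, "k2", "sub=admin"), now))
```

With proper rotation the expiry check does its job: the stolen key is rejected under the old kid (expired) and under the new kid (different secret). With same-key renewal the attacker only has to put the new kid in the token header, and the validity window that should have ended the damage is simply extended for them too.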
Prediction: We will have a "how to visually extract typing data from @Apple Vision Pro using AI" talk in this year's @BlackHatEvents. The attack will have a stupid name ("eyesdropping"?). It's inevitable. #VisionPro
An actual "in-the-wild" #Zerologon story (buried in a blog):
1⃣ Initial penetration with an older #SharePoint vulnerability (CVE-2019-0604)
2⃣ Implant a web shell to gain persistence
3⃣ Cobalt Strike-based payload
4⃣ Targeting Domain Controllers with the #Zerologon exploit.
This is probably the end of the Israeli/non-US western offensive cyber security industry. I believe the threat of denying entrance to the US for workers & investors of such companies and their families would be enough to make them choose other career opportunities.
"The State Department is implementing a new policy today that will allow the imposition of visa restrictions on individuals involved in the misuse of commercial spyware." This includes engineers working for spyware vendors.
1/ Account Abstraction and MPC: Frens with benefits! What started as an unpopular opinion quickly became mainstream: anyone in the know believes that AA and MPC are not enemies, but actually better together.
Our @ZenGo research just helped a user (not our user) get almost $2M back. What a way to start the day! Thanks @Mudit__Gupta for your help. More details #soon
A testing site for #curveball by @KudelskiSec (has some availability issues). Results for Chrome on an unpatched Win10 vs a non-vulnerable Mac (when you boldly move past the warning messages).
1/2 I call BS. I see no positive evidence that deepfake AI was used. But it's nicer to all parties involved to say they were hacked by "deepfake AI with a hint of a German accent" than to say: "someone said on the phone 'send me zi money', so we sent".
First crime involving Deepfaked AI. Won't be the last. Scammer Successfully Deepfaked CEO's Voice To Fool Underling Into Transferring $243,000 via @gizmodo
"CurveBall's Additional Twist: The Certificate Comparison Bug" shedding some light on the bug in #Windows10 that allowed it to accept #CurveBall "evil twin" certificates as valid.
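The two CurveBall tweets above (the root-cause blog and the comparison-bug follow-up) both come down to one piece of arithmetic, shown here as an added example that is not part of either post and not Windows code: on a tiny curve, constructed for the example, an attacker who knows only the trusted root's public key Q = d*G picks their own private key d' and ships explicit curve parameters whose generator is G' = d'^-1 * Q, so that d'*G' = Q. The "evil twin" then carries exactly the trusted public key under different parameters, and a comparison that looks only at the key point (the buggy path) cannot tell it from the real root, while one that also compares the domain parameters can.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over GF(17), small enough to check
# by hand: the group has prime order 19, so every non-identity point generates it.
P, A, B = 17, 2, 2
G = (5, 1)
N = 19


def inv(x, m):
    return pow(x, -1, m)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1 % P, P) % P
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


# What a "named curve" OID resolves to; a certificate may instead carry these
# values explicitly, which is the hook CurveBall uses.
NAMED_PARAMS = {"p": P, "a": A, "b": B, "g": G, "n": N}


def make_cert(pub, params):
    return {"pub": pub, "params": params}


# Trusted root (constructed): private key d, public key Q = d*G.
CA_PRIV = 13
CA_CERT = make_cert(ec_mul(CA_PRIV, G), NAMED_PARAMS)


def forge_ca_key(ca_cert, evil_priv=7):
    """Keep Q, supply explicit parameters with generator G' = evil_priv^-1 * Q.
    Then evil_priv * G' == Q: the attacker holds a private key for the trusted
    public key under parameters of their own choosing."""
    q = ca_cert["pub"]
    g_evil = ec_mul(inv(evil_priv, N), q)
    return evil_priv, make_cert(q, dict(NAMED_PARAMS, g=g_evil))


def matches_trusted_buggy(cert, trusted):
    """Vulnerable comparison: only the public key point is compared with the
    cached trusted root, so the evil twin matches."""
    return cert["pub"] == trusted["pub"]


def matches_trusted_fixed(cert, trusted):
    """Compare the public key and the full domain parameters."""
    return cert["pub"] == trusted["pub"] and cert["params"] == trusted["params"]


if __name__ == "__main__":
    priv, evil = forge_ca_key(CA_CERT)
    print("d' * G' == Q:", ec_mul(priv, evil["params"]["g"]) == CA_CERT["pub"])
    print("buggy match:", matches_trusted_buggy(evil, CA_CERT))
    print("fixed match:", matches_trusted_fixed(evil, CA_CERT))
```

Nothing here breaks the discrete log: d is never recovered. The attacker simply gets to redefine what "the generator" means, and a verifier that trusts explicit parameters while matching the root on its key point alone has no way to notice.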
For years, Firmware wallets (previously known as HW wallets) were riding, if not spreading, this false narrative of HW magical powers to eliminate software-related issues. Now that it has backfired, I find their take of "It has always been that way" extremely hypocritical.
Weaponized #Meltdown is a very powerful Local Privilege Escalation technique. It will soon be incorporated in standard hacking tools. Another good reason for EVERYONE to patch ASAP (IT guys, I hear you, P stands for Possible).
1/ Thank you @CertiK for your assessment of our @ZenGo wallet 🧵: "We firmly consider ZenGo to be a highly secure consumer wallet solution on the market today." and for helping us make it even better!
#SIGred nightmare exploitation: unpatched environments are one email away from full compromise:
1. The victim opens an email from the attacker.
2. A pic link in the email makes the victim's DNS server (on the DC) resolve a name against the attacker's DNS server.
1/ Seems like someone (probably more than one) was lurking for this address, as the incoming transaction was "intercepted in mid-air" when it was in the mempool and immediately sent elsewhere, all in the same block (see same times)
NSO employee accused of stealing their main espionage tool (Pegasus) and trying to sell it over the "dark net" for $50M. CC: @pwnallthethings @ILDannyMoore @RidT (Hebrew, but juicy stuff)
1/7 While the exact technical details of the new #Ledger recovery feature are still a mystery, we at @zengo can already share some important insights and lessons on Firmware wallets (previously known as h̶a̶r̶d̶w̶a̶r̶e̶ wallets) and Recovery. #ledgerrecovery
1/ TLDR: #NTLM is a pig. An outdated protocol with inherent, unsolvable problems. Due to backward compatibility, Microsoft wasn't able to get rid of it, so they had to put on lipstick, makeup and mascara. But it is still a pig. Details of the attacks below (& at @BlackHatEvents, I assume)
We have discovered 3 critical NTLM vulnerabilities allowing RCE against any domain machine, which were all fixed in the latest MS security update. Check out @YaronZi's blog to get all the technical details: @preemptsecurity
Call me conservative, but I don't think #wfhsetup is a good #opsec move, and I'd expect security companies to know better. It can expose the exact computer model, peripherals, operating system, installed programs (including email client, browser), etc.
1/ #TURLA installed an Outlook backdoor for persistence, exfiltration and a C&C channel over emails. Cool research by @ESET. h/t @GelosSnake for the link