Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114242192451652129">Will Dormann (wdormann@infosec.exchange)'s status on Sunday, 30-Mar-2025 06:49:08 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a></section><article><p>A MAR for ITW Ivanti Connect Secure malware planted by exploiting CVE-2025-0282 has been released by CISA:<br><a href="https://www.cisa.gov/news-events/analysis-reports/ar25-087a" rel="nofollow">https://www.cisa.gov/news-events/analysis-reports/ar25-087a</a></p><p>Given the kernel and coreboot activity done by this malware, this is probably a good time to remind you again that if your Ivanti ICS device has successfully been compromised:<br>1) You won't be able to tell with the (internal or external) ICT.<br>2) A "factory reset" will not return the device to the state that it was in when it left the factory.<br>3) If you really want to check the integrity of an ICS device, you'll want a <a href="https://infosec.exchange/@wdormann/113805254385223581">second opinion</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4814116#notice-9430031">In conversation</a><time datetime="2025-03-30T06:49:08+09:00" title="Sunday, 30-Mar-2025 06:49:08 JST">about a month ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114242192451652129" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114242192451652129">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4385372">/bin/dsmain -d /tmp/data/root/${kerndir}/coreboot.img /tmp/new_img/coreboot.img.1.gz $key
Executes dsmain with the -d argument to decrypt 'coreboot.img' using the extracted $key and stores the output as
'coreboot.img.1.gz'
/bin/mkdir /tmp/coreboot_fs
Makes a new directory '/tmp/coreboot_fs'.
/bin/dsmain gunzip /tmp/new_img/coreboot.img.1.gz -c &gt; /tmp/coreboot_fs/coreboot.img.1
Executes dsmain to decompress 'coreboot.img.1.gz' into 'coreboot.img.1' within the new directory.
cd /tmp/coreboot_fs
Changes into the '/tmp/coreboot_fs' directory.
/bin/dsmain cpio -idvm &lt; coreboot.img.1
Executes dsmain with cpio -idvm to extract the compressed 'coreboot.img.1'.
/bin/rm coreboot.img.1
Deletes 'coreboot.img.1'.
cp /bin/dsmain /tmp/coreboot_fs/bin/dsmain
Copies dsmain into the 'coreboot_fs' directory.
cp /lib/%s /tmp/coreboot_fs/lib/%s
Copies itself into the 'coreboot_fs' directory.
cp /home/venv3/lib/python3.6/site-packages/scanner-0.1-py3.6.egg /tmp/coreboot_fs/bin/scanner-0.1-py3.6.egg
Copies the python package 'scanner-0.1-py3.6.egg' into the 'coreboot_fs' directory.
/bin/sed -i rollback_on_error $? "Extracting Package"
Modifies the boot process by adding the below commands to the file '/tmp/coreboot_fs/bin/init' below the line 'rollback_on_error
$? "Extracting Package".</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/242/188/922/476/711/original/bc28aff67a556af7.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/242/188/922/476/711/original/bc28aff67a556af7.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4385374">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Sunday, 30-Mar-2025 06:49:08 JST Will Dormann
A MAR for ITW Ivanti Connect Secure malware planted by exploiting CVE-2025-0282 has been released by CISA:
https://www.cisa.gov/news-events/analysis-reports/ar25-087a
Given the kernel and coreboot activity done by this malware, this is probably a good time to remind you again that if your Ivanti ICS device has successfully been compromised:
1) You won't be able to tell with the (internal or external) ICT.
2) A "factory reset" will not return the device to the state that it was in when it left the factory.
3) If you really want to check the integrity of an ICS device, you'll want a second opinion
In conversationabout a month ago from infosec.exchangepermalink
Attachments
1. /bin/dsmain -d /tmp/data/root/${kerndir}/coreboot.img /tmp/new_img/coreboot.img.1.gz $key Executes dsmain with the -d argument to decrypt 'coreboot.img' using the extracted $key and stores the output as 'coreboot.img.1.gz' /bin/mkdir /tmp/coreboot_fs Makes a new directory '/tmp/coreboot_fs'. /bin/dsmain gunzip /tmp/new_img/coreboot.img.1.gz -c > /tmp/coreboot_fs/coreboot.img.1 Executes dsmain to decompress 'coreboot.img.1.gz' into 'coreboot.img.1' within the new directory. cd /tmp/coreboot_fs Changes into the '/tmp/coreboot_fs' directory. /bin/dsmain cpio -idvm < coreboot.img.1 Executes dsmain with cpio -idvm to extract the compressed 'coreboot.img.1'. /bin/rm coreboot.img.1 Deletes 'coreboot.img.1'. cp /bin/dsmain /tmp/coreboot_fs/bin/dsmain Copies dsmain into the 'coreboot_fs' directory. cp /lib/%s /tmp/coreboot_fs/lib/%s Copies itself into the 'coreboot_fs' directory. cp /home/venv3/lib/python3.6/site-packages/scanner-0.1-py3.6.egg /tmp/coreboot_fs/bin/scanner-0.1-py3.6.egg Copies the python package 'scanner-0.1-py3.6.egg' into the 'coreboot_fs' directory. /bin/sed -i rollback_on_error $? "Extracting Package" Modifies the boot process by adding the below commands to the file '/tmp/coreboot_fs/bin/init' below the line 'rollback_on_error $? "Extracting Package".
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/242/188/922/476/711/original/bc28aff67a556af7.png
2. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice