Notices by cR0w :cascadia: (cr0w@infosec.exchange)

@ryanc @SecurityWriter Operations or Operational Technology. It's mostly used as a way to keep IT's hands off gear they have no business touching.

@SecurityWriter I would literally post it here at this point. I learned my lesson with OT vendors. Fuck them.

It's maddening to hear from people that the ransomware problem must be getting better because they don't hear about the big publicly-traded companies getting hit as much and apparently that means that the impact to people who only give a fuck about money is less now.

@ryanc Damn. And here I thought the 1000dB I saw the other day was absurd ( audio though so obviously different ). But I found a thread on Reddit for that one: https://www.reddit.com/r/theydidthemath/comments/1dqpwjj/request_say_this_was_a_real_db_level_what_would/

@mochabeau @soatok Wait, there are silly gay flurries here?!

Publicly disclosed memory leak in objdump.

https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0

sev:MED 4.8 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.

https://nvd.nist.gov/vuln/detail/CVE-2025-3198

Go hack some more Ivanti shit. Someone else already has been.

https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US

sev:CRIT 9.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

https://nvd.nist.gov/vuln/detail/CVE-2025-22457

Edit to add:

We are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 or earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure. Pulse Connect Secure 9.1x reached End-of-Support on December 31, 2024, and no longer receive code support or changes.

#ivanti #groundhogDay

@buherator That's so far down on questions I have at this point. 😆

Random reminder that if you ever accidentally enter your password in a username field, please immediately rotate your password. Thank you.

@buherator @GossiTheDog @cisakevtracker CISA has been skeptical about this one too, from what I've heard, and has wanted to confirm that any exploitation was both successful and specifically this vulnerability.

@wdormann Endless loop of "It's a feature, not a bug. Ticket closed. Buy Copilot."

@wdormann Next time put EICAR in the EXIF when you load it on OneDrive.

@wdormann Depending on your quota and the size of the video.

@wdormann I know it shouldn't trigger any action that way, but I'd be curious.

@buherator @wdormann Didn't Microsoft stuff start doing that too? Guessing "infected" or using the context of emails or attachments to guess passwords for archives?

@wdormann @buherator I guess that makes sense if it's password protected but not encrypted, right?

@hrbrmstr @greynoise Since it's already 1 April in parts of the world, I feel like need to assure you that the links are real text lists and not ASCII anuses or anything. This time.

Following up on the scanning and password spraying that @hrbrmstr and @greynoise have posted about today, I combined a list of IPs I'm seeing going after Palo Alto GlobalProtect with the Greynoise lists:

https://cascadiacrow.com/globalprotectips.txt

I also have a list of usernames attempted by those various IP addresses:

https://cascadiacrow.com/globalprotectusernames.txt

#threatIntel #gayInt

There's another browser getting uninstalled then: https://social.vivaldi.net/@Vivaldi/114233355595486502

Cyclone warnings and hail potentially up to 1" diameter in Western Washington? Sure, why not? It's 2025.