@rimu @RezzaBuh @campuscodi Uh, no, that's not at all what I meant. I meant, a platform specifically designed to facilitate criminal activities - like the on-line drug markets. Not something the criminals happen to use because it's not adequately moderated.
@RezzaBuh @campuscodi I have no problem with the police going after the offenders. I have a big problem with the police going after the communication platform that the offenders happened to use, especially when it's a general communication platform; not something that specifically caters to the needs of the offenders.
Also, I was making the point that there is no substantial difference in the actions undertaken by the governments of Russia and France. Saying stuff that contradicts the government's claims about the war in Ukraine is illegal in Russia. Posting child porn is illegal in France. In both cases the local law is broken. You might disagree with the law (i.e., can view one as totalitarian and the other as just) but the job of the police is to enforce the law, not judge it, and in both countries they've done the same thing.
@horse @Sempf No. Besides, anyone detecting that string under such circumstances is doing it wrong. The string must be detected only if residing in the first 68 bytes of a file that is no larger than 128 bytes.
Among other things, this attack shows why detecting malware based on scan strings alone is a bad idea. What is this, year 1988? Honestly, I expected better from Kaspersky.
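The detection rule stated in the post above (signature occupying the first 68 bytes, total file size no larger than 128 bytes) versus a plain "scan string anywhere" match, as an added example that is not part of the original thread. The 68-byte signature used here is a constructed placeholder standing in for whatever string the thread is discussing; the two size limits are the ones given in the post, and the sample files are constructed inline:

```python
"""Position- and size-constrained signature match vs. naive substring scan.

Added example, not code from the original thread. The signature below is a
CONSTRUCTED placeholder, padded to 68 bytes, standing in for the real string
the post refers to. The rule implemented is the one the post states: flag a
file only when the signature occupies its first 68 bytes and the whole file
is no larger than 128 bytes.
"""
from typing import Dict, Tuple

SIG_LEN = 68        # the signature is exactly 68 bytes long
MAX_FILE_LEN = 128  # files larger than this must never be flagged

# Constructed placeholder signature, left-justified and padded to exactly 68 bytes.
SIGNATURE = b"CONSTRUCTED-PLACEHOLDER-TEST-SIGNATURE-NOT-A-REAL-AV-STRING".ljust(SIG_LEN, b"#")
assert len(SIGNATURE) == SIG_LEN


def naive_match(data: bytes) -> bool:
    """The 'scan string anywhere' approach: flags any file that contains the bytes.

    This is the behaviour that lets an attacker plant the string inside a large,
    otherwise legitimate file and cause a false positive.
    """
    return SIGNATURE in data


def constrained_match(data: bytes) -> bool:
    """The rule from the post: signature at offset 0 and total size <= 128 bytes."""
    return len(data) <= MAX_FILE_LEN and data[:SIG_LEN] == SIGNATURE


def classify(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (naive_verdict, constrained_verdict)} for each sample."""
    return {name: (naive_match(d), constrained_match(d)) for name, d in samples.items()}


# Constructed sample files (bytes in memory; nothing is written to disk).
SAMPLES: Dict[str, bytes] = {
    "bare_test_file": SIGNATURE,                                   # 68 bytes
    "test_file_with_newline": SIGNATURE + b"\r\n",                 # 70 bytes, still <= 128
    "planted_in_large_document": b"Quarterly report\n" * 50 + SIGNATURE + b"\nmore text\n",
    "signature_at_start_but_large": SIGNATURE + b"\x00" * 200,     # 268 bytes, too big
    "unrelated": b"hello world",
}

if __name__ == "__main__":
    for name, (naive, strict) in classify(SAMPLES).items():
        print(f"{name:32} naive={str(naive):5} constrained={strict}")
```

The two verdicts only differ on files that contain the signature somewhere other than offset 0, or that are larger than 128 bytes; those are exactly the files a naive scanner mis-flags and the constrained rule ignores.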
@GossiTheDog Starship troopers. The book, not the movie. Many people who have only seen the movie don't realize it, but the original Heinlein work was satire too.
@malwaretech @mttaggart I agree with the general sentiment - when your country is attacked, no matter how, you respond appropriately and proportionally, no matter how.
The thing I have a problem with is trusting a bunch of bureaucrats with military ranks to determine correctly that (a) it was an attack, (b) who attacked them, and (c) what exactly "appropriately and proportionally" is in this case.
North Korea sends a bunch of kids to study in China and tells them "make X amount of dollars annually for the Party or else".
Kid starts writing a ransomworm. In mid-development, worm escapes, gets to the USA, and due to a lack of any kill switches in it, causes billions of dollars of damage. Worm's origin is traced to China.
Was this an attack? Did China attack the USA? Did North Korea? Was it an operation of the North Korean government? Should the USA nuke either or both of these countries?
@malwaretech @mttaggart Maybe but the official narrative is still "North Korea unleashed WannaCry" and "NotPetya was the work of the Russian intelligence agencies".
Neither of which is true or, more exactly, the truth is much more nuanced than this.
The WannaCry case was pretty close to the hypothetical scenario I described (except some British security researcher prevented it from causing major damage to the USA 😀 ) and NotPetya was the Russian intel agencies giving the tools and access to some retarded cyber criminals, along with the general direction to "cause grief to Ukraine" and then not bothering to supervise the operation because, hey, it's the Russians we're talking about.
Maybe someone with better access to classified info in the US intel community does know better (e.g., they were careful enough to say that "the Russian intel agencies are *responsible* for NotPetya" - which is true - and not that they actually did it) but they never bothered to correct the official narrative, so we don't know for sure that this is the case.
Mistakes are very easy to make in this area and I dread to think what the results will be if the generals' first thought is to look for the "nuke 'em" button every time somebody port scans their secretary's PC...
@malwaretech @mttaggart It was a *very* sloppy job. If they were pros and wanted to *disguise* a destructive attack as ransomware, they would have made a real ransomware and just not delivered the keys once ransom was paid.
No, it was some retarded guy patching incompetently known ransomware. And only part of it; there was also a different, file-encrypting part that wasn't destructive - meaning you could decrypt, if you had the key. The only explanation for both parts to exist (i.e., it was neither obviously destructive, nor real ransomware) is that whoever did it, didn't know what they were doing.
I don't know why it shows "timed out" errors for them but they are definitely using it incorrectly, LOL.
They are using the "HTTP" button which, for an HTTPS site, will show "301 Moved Permanently" error (well, at least if the site is properly configured).
They should be using the "TCP Port" button which will try to access the site over port 443.
That said, I don't know why it times out on, e.g., the Liverpool government site. I tested it on our Lab's site and it connected just fine.
The reason I asked is because I haven't seen stats of how many devices are compromised - only how many are vulnerable or how many are trying to exploit.
If the only way to detect a compromised device is to access it via the webshell, this could explain this lack of statistics - it would be essentially hacking into the device, which would be illegal.