The prior CISA Cybersecurity Advisory minces words a bit less than the recent MAR.
The ICT (internal or external) may not detect compromise. The threat actor may retain persistence after "factory reset".
A MAR for ITW Ivanti Connect Secure malware planted by exploiting CVE-2025-0282 has been released by CISA:
https://www.cisa.gov/news-events/analysis-reports/ar25-087a
Given the kernel and coreboot activity done by this malware, this is probably a good time to remind you again that if your Ivanti ICS device has successfully been compromised:
1) You won't be able to tell with the (internal or external) ICT.
2) A "factory reset" will not return the device to the state that it was in when it left the factory.
3) If you really want to check the integrity of an ICS device, you'll want a second opinion
I mean, bypassnro.cmd just does:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v BypassNRO /t REG_DWORD /d 1 /f
So what Microsoft is saying is that they want to make it more work to install Windows without a Microsoft Account? 🤔
Upcoming Windows 11 builds won't have the ability to install without internet connectivity and a Microsoft Account.
https://blogs.windows.com/windows-insider/2025/03/28/announcing-windows-11-insider-preview-build-26200-5516-dev-channel/
Great job, folks.
I simply cannot. even.
"Don't make vulnerability reporters angry" is not high on anybody's list, it seems.
I get it that kids these days can't comprehend anything that doesn't live in TikTok. But for MSRC to not accept a clearly worded vulnerability report that doesn't have an associated video with it...
Fine. You want compliance? (Malicious) compliance is what you'll get.
https://www.youtube.com/watch?v=fI84ATvG_xw
MSRC to me just now:
As requested, please provide clear video POC (proof of concept) on how the said vulnerability is being exploited? We are unable to make any progress without that. It will be highly appreciated.
Time to make a 10-minute-long video of me pressing enter in CMD.EXE...
Me to MSRC: Words clearly describing a vulnerability, with supporting screenshots of the commands I typed and the response that Windows gives.
MSRC: Can you please provide a video showing the behavior you are seeing?
Me: ...
I get that people doing grunt work have mostly-fixed workflows that they go through with common next steps.
But to request a video that now captures (beyond my already-submitted screenshots) the act of me typing, and the Windows response being painted on the screen adds what of value now?
Another large vendor to me, after providing a working PoC to them:
How can an attacker create this PoC?
Me: I dunno, it comes to them in a dream, like with Mendeleev?
How does this even matter?
A yet-another large vendor, after having received the vulnerability report through the mechanism of their choice (PGP email):
would be possible provide .zip attachment with password protected?
Me to Trend Micro ZDI:
Trend Micro Antivirus fails to detect viruses in a mounted VHD/VHDX file at all. You should probably fix this.
Trend Micro ZDI:
we are not interested in this vulnerability type.
This truly is a thankless job. 🤦‍♂️
Ah, lovely.
Between this and Mozilla recently admitting that they sell your personal data...
What browsers do folks use these days?
A different vendor (Broadcom):
We encourage finders to use encrypted communication channels to protect the confidentiality of vulnerability reports. Our PGP public key is available at the following link:
The PGP key:
Me to a major vendor, in a PGP-encrypted email (their request):
Describes vul in their software. Here's an animated GIF showing exploitation of the vul. Please let me know how I can get a large file to you so I can get the PoC to you.
Vendor (in cleartext): Please send us a GIF and the PoC.
Me: I already sent the GIF. Are you saying you didn't get it? Also, please tell me how to get a large file to you.
Vendor: We have not received the GIF. Please send us a PoC.
Me: table_fip.gif
I fully understand why people go the full disclosure route.
Twitter is blocking Signal links.
Rumor has it that the reason is that Signal is being used by federal workers to blow the whistle on DOGE.
Obviously I cannot confirm the rationale, but I can confirm (and have confirmed) that such links are indeed being blocked on Twitter.
https://www.disruptionist.com/p/elon-musks-x-blocks-links-to-signal
With the release of ICS 22.7R2.6, Ivanti has apparently discovered the value of compiling in exploit mitigations. (many of which have been around for 22 years)
With R2.6, the web server, despite still being 32-bit, has stack canaries, full relro, and some fortify.
Baby steps, I suppose...
For folks still running Ivanti stuff for some reason, you've got work to do.
Again.
CVE-2025-22467 is a CVSS 9.9 stack buffer overflow RCE.
The list of calendar entries that Google chose to remove from their calendar:
• Pride Month
• Black History Month
• Holocaust Remembrance Day
• Jewish Heritage
• Hispanic Heritage
• Indigenous People Month
HOLOCAUST. REMEMBRANCE. DAY.
😱
I play with vulnerabilities and exploits, but am forbidden to discuss such things publicly. I used to be https://twitter.com/wdormann but Twitter has become unbearable, so here I am.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.