Under the Weather (Taxonomy?), Beating Roulette, Monitoring Macs, & XBMC Glory Days – PSW #781

" we are shifting to a new threat actor naming taxonomy aligned to the theme of weather. The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity. With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data. It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name." - I think each one should have a theme song, pulled from popular culture, e.g. Storm should be Thunderstruck, Blizzard is Led Zeppelin "Immigrant Song", etc..

"Despite the devices’ high prices, the one Tabor bought contained just $10 worth of components, the write-up says. These include a chip with CAN hardware and firmware, and another CAN-related chip. " - So $2k for some fancy packaging LOL. I think we all predicted this would happen, that thieves would become more technical and use that expertise to steal cars, then create a market for the tech where even non-tech people could easily steal vehicles.

Very well-written blog series, neat stuff: "Taking a look at signal.h, we see that these SIG names for the signals are really just numbers (as you’ll see, this is the case for many things in the kernel). Here you’ll see for instance that SIGKILL is defined as 9, which is the reason we type kill -9 $PID when we really want a process to die. Notice also that these numbers only go up to 32 (on x86). We are going to implement our own signal handler for number 64 - no one would notice that, right?" - I am still working through the entire series.

This is a pretty amazing story, I blame pip and not Google: "I scanned GitHub repositories for lists of dependencies in common formats and looked for dependencies that were part of a dependency list, but there was no matching package in the public package repository. For example, for Python, I looked at lists matching the output of pip freeze command and for packages that were not present in PyPi. The search space was constrained to repositories that were owned by an organization related to major technology companies, such as Google or Microsoft, and to repositories that were owned by employees of these companies. I considered a GitHub user an employee if they had set their company in GitHub to a large tech company, e.g., they had the @google tag on their profile." - This was also an interesting read: https://github.com/pypa/pip/issues/8606

Interesting research, especially where they cross-referenced different vulnerable conditions in Git with the most popular packages. This is fixable, though as I believe the vulnerabilities stem from poorly configured Github accounts and repos. Seems like we just need to rollout this fix: "GitHub deployed mitigation against repo jacking attacks: the popular repository namespace retirement. We did not discuss this mitigation in this blog post as it only applies to popular GitHub repositories."

"Red Canary Mac Monitor is a feature-rich dynamic analysis tool for macOS that leverages our extensive understanding of the platform and Apple’s latest APIs to collect and present relevant security events. Mac Monitor is practically the macOS version of the Microsoft Sysinternals tool Procmon. Mac Monitor collects a wide variety of telemetry classes, including processes, interprocess, files, file metadata, logins, XProtect detections, and more—enabling defenders to quickly and effectively analyze enriched, high-fidelity macOS security events in a native, modern, and customizable user interface."

Crazy story.

Do you trust Google?

"“Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access trojans (RATs) and other unwanted applications” - Microsoft" - I believe what Microsoft isn't stating is just how many privilege escalation vulnerabilities and methods are available to attackers. While the advice is good security advice, there are many other vectors to consider and monitor for. This is a good start: PayloadsAllTheThings/Methodology and Resources/Windows - Privilege Escalation.md

This stance is from Ubiquity on post-authentication command injection vulnerabilities reported: "NOTE: The vendor position is that post-authentication issues are not accepted as vulnerabilities." - Do you agree or disagree?

"Ghost types will allow for no-harm source augmentation to have more verification-ready language conditions, as opposed to going to some intermediate or non-standard verification-friendly language like Dafny or F. The important part of adding software assurance is to avoid taxing the developer as much as possible. " - Also, this is interesting: *"Verus is a tool for verifying the correctness of code written in Rust. Developers write specifications of what their code should do, and Verus statically checks that the executable Rust code will always satisfy the specifications for all possible executions of the code. Rather than adding run-time checks, Verus instead relies on powerful solvers to prove the code is correct. Verus currently supports a subset of Rust (which we are working to expand), and in some cases, it allows developers to go beyond the standard Rust type system and statically check the correctness of code that, for example, manipulates raw pointers." (https://github.com/verus-lang/verus) -

Use WireGuard without root privs!

"Discover hidden debugging parameters and uncover web application secrets"

"Today, we are excited to announce the release of the Living Off The Land Drivers project. This project aims to consolidate as many vulnerable and malicious drivers as possible into a single location, making it accessible for everyone to find and learn from."

Real-time clipboard monitoring and shenanigans. Scary!

Some interesting analysis of the Genesis market software and related malware, Chrome extensions, etc.

GreyNoise is starting to introduce some REALLY cool features on their platform, using large scale data analysis and ML models. IP Similarity is exactly what it sounds like: "show me other IPs exhibiting the same behavior as this"

A bit disappointed in the limited imagination here, but it's a very practical set of examples. Mostly focusing on the fact that ChatGPT enables a pen tester to 'just-in-time' learn any tool's cli or generate code they need during a pen test. Just-in-time cheatsheets for most anything (as long as it existed before September 2021, that is).

Wondering why mimikatz is still an issue for defenders and a core attacker tool? Check this out.

Do these show notes support facepalm emoji? 1. it has been a best practice for 20+ years not to expose administrative services to the public Internet 2. the vuln being exploited is nearly SIX YEARS OLD 3. come on people