Reverse engineering, malware

Joined December 2016
Pinned Tweet
I'm also on Bluesky now: bsky.app/profile/bad.pe
I hate logging in. I HATE LOGGING IN. I log in to my password manager so I can log in to my SSO account so I can log in to the service so I can enter a 2FA code, for which I log in to my phone so I can log in to the authenticator so I can get a 2FA code so I can finally log in. GOD DAMNIT.
Johann Aydinbas retweeted
We report certificates for revocation when they sign malware. What about before they sign malware? I've started adding certificates to Cert Graveyard that are being used to "warm" the certificate and improve its score before being used to sign malware. 1/4
Johann Aydinbas retweeted
Download our 142-page #EasterBunny report (open access): EasterBunny: advanced espionage artifacts attributed to APT29 lab52.io/blog/easterbunny/ #APT29
Johann Aydinbas retweeted
We investigated a CN #APT that targeted multiple governments and companies with government contracts in Asia. In half of the targets we found a second group with a different malware toolkit but sharing the infection vector and some post-exploitation tools trendmicro.com/en_us/researc…
Johann Aydinbas retweeted
We didn't know how an actor was using EV Certificates issued to Lenovo and others. We now do. From DigiCert's incident report:

"the threat actor used a compromised analyst endpoint to access DigiCert's internal support portal. The threat actor used a limited function within the customer-support portal which allows authenticated DigiCert support analysts to access customer accounts from the customer's perspective to facilitate support tasks. The threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for EV Code Signing certificate orders across a finite set of customer accounts."

"Possession of the initialization code, combined with an approved order, is functionally sufficient to generate and retrieve the corresponding certificate."

The full report can be found here and explains the incident in great detail: bugzilla.mozilla.org/show_bu…

The report mentions "Where we got lucky: A community member involved in security research reported the evolving pattern of misused certificates and engaged in dialogue with our support team. Without that report, the undetected compromise of ENDPOINT2 and the associated mis-issuance might have remained undiscovered for a longer period."

Special thanks go to the regular contributors to the Cert Graveyard: @g0njxa, @malwrhunterteam, and others. Also special thanks to DigiCert: this report has a high level of transparency, which is warranted, and is also well executed.
What do Lenovo, Kingston, Shuttle Inc, and Palit Microsystems have in common? EV Certificates from these companies were issued and used by a Chinese crime group, #GoldenEyeDog (#APT-Q-27)! Thanks @malwrhunterteam and @g0njxa for your contributions 1/7
I converted the #fast16 patch engine instructions to human-readable form to get a better understanding of what exactly is being done. It's a pretty nifty engine:
- wildcards
- patterns can depend on other patterns
- scratch space
- fixup instruction
Full list: gist.github.com/usualsuspect…
I couldn't find any further leads, but I believe the 5966513a12a5601... (LS-DYNA related) is most promising:
- multiple pattern matches
- Intel check passes
- FPU stuff
The Intel check makes a lot of sense here, as these early LS-DYNA solvers had to be compiled with Intel Fortran!
Johann Aydinbas retweeted
Europe is building stronger systems to report vulnerabilities, but it risks overlooking the people who discover the flaws first: independent security researchers, write @eubenincasa and Max van der Horst. Read the article: bindinghook.com/europe-forge… #EUcybersecurity
YARA rule to filter for zips in which all files are newer than some date gist.github.com/usualsuspect…
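An example of how such a filter can be written, added here as illustration and not the rule from the gist linked above: it anchors on every ZIP local file header signature and reads the MS-DOS modification date that sits at offset 12 of each header. The cut-off date 2024-01-01 and the rule name are arbitrary choices for the example.

```yara
rule zip_all_entries_newer_than_2024_01_01
{
    meta:
        description = "ZIP archive in which every local file header carries an MS-DOS modification date of 2024-01-01 or later (added example, cut-off date is arbitrary)"

    strings:
        // Local file header signature "PK\x03\x04"; one per archived entry
        $lfh = { 50 4B 03 04 }

    condition:
        // File starts with a local file header, so there is at least one entry
        uint32(0) == 0x04034b50 and
        // Local file header layout: sig(4) version(2) flags(2) method(2) modtime(2) moddate(2) ...
        // The 16-bit little-endian MS-DOS date at offset 12 encodes
        //   bits 15..9 year-1980, bits 8..5 month, bits 4..0 day
        // 2024-01-01 => (44 << 9) | (1 << 5) | 1 = 0x5821; the year sits in the
        // high bits, so a plain >= compares dates chronologically.
        for all i in (1..#lfh) : ( uint16(@lfh[i] + 12) >= 0x5821 )
}
```

Two caveats a hunter should keep in mind: the four signature bytes can also appear by chance inside compressed data, and such a spurious "header" only makes the rule stricter (it can never let an old entry through, but it can cause a miss), and the rule consults neither the central directory nor the "extended timestamp" extra field (0x5455), so an archive whose entries carry precise Unix timestamps there is still judged by the coarser DOS date in the local header. To change the cut-off, recompute the constant with the bit layout shown in the comment.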
Johann Aydinbas retweeted
None of this is true. DailyDarkWeb is not conducting good faith journalism or research, there are no hard questions, no challenging of their responses - all this does is give a platform to threat actors to proliferate false information.
Signed (revoked) AnyConnect installer with free credential stealer: virustotal.com/gui/file/e357…
C2: 5.149.253[.]235
Stealer in boost_stream.dll (0 AV detections) aligns with Zscaler reporting: zscaler.com/blogs/security-r…
Johann Aydinbas retweeted
Looks like I missed it since, but Strela / StrelaStealer returned on Feb 6, with some new nifty tricks:
- checks mouse movements
- shows a CAPTCHA you have to correctly enter before the download button is shown
Dropped JS sample: bazaar.abuse.ch/sample/90f5b…
Useful for #idapro - you can add custom xrefs very easily, e.g. if you know a `call eax` references some function, you can manually add an edge:
`add_cref(here(), get_name_ea_simple("some_func"), XREF_USER)`
Then reanalyze the binary and get func parameter propagation for free!
Unk. C malware targeting Afghan users (decoy is in Pashto)
Hosted by 'afghanking777000' on GitHub: "Afghanistan Islami Emirates.iso"
IoCs:
C2 IP 207.244.230[.]94
C2 theepad0loc93x.ddns[.]net
Appears to steal *.pdf, *.ppt(x), *.doc(x), *.csv and others
virustotal.com/gui/file/63f6…
Johann Aydinbas retweeted
🔎Our CERT is releasing a new technical report on 🇰🇵Operation #DreamJob, focusing on recent evolution in its tooling. Following an IR engagement at a large manufacturing client based in 🇪🇺, we investigated artefacts we attribute to #UNC2970. ➡️Full blog: ow.ly/V4mr50Xug1l