Toots for still@infosec.exchange account

Written by Still on 2025-02-02 at 14:52

o7 another paper rejection

Written by Still on 2025-01-29 at 19:34

We had previously suspected that several Chinese and North Korean APTs utilize LLMs for generating scripting-language-based payloads, but it looks like they were doing much more than that - with Gemini of all things.

https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai/

Written by Still on 2025-01-26 at 18:27

Sometimes I think I'm really bad at everything I do

I've been making covers for 3+ years, and it doesn't feel like it's going anywhere with the views or recognition

I don't feel like I'm advancing much at work either or pretty much everything I do

Same thing with streaming. I've been streaming for 2+ years and the CCVs have pretty much stayed the same throughout... I have peers who stream about the same hours as I do and they constantly average several dozen CCVs when they stream.

It's not even about clout or wanting to be famous or whatever, but it just feels very defeating when I feel like I'm not going anywhere with everything I do

At work, many of my peers have had multiple talks and appearances at large scale conferences, and I'm the only one who hasn't really done anything like that beyond some confs in Taiwan. I've had papers rejected numerous years in a row. I just feel very mediocre

Written by Still on 2024-12-08 at 05:18

Also, a lot of researchers and/or companies rely on certain providers for their source of samples and/or intel - what happens after the lead is just gone one day? What do you do then as a researcher?

Written by Still on 2024-12-08 at 05:16

I feel like the way some CTI research is done is fundamentally flawed sometimes. A lot of the time people treat each clue at face value. I think it's better to reserve judgment sometimes before confidently saying this or this must be X.

"Where is the sample submitted from? UK? The victim must be from the UK then!" whilst ignoring the possibility that the victim might have a VPN on since they're so prevalent these days, or even the possibility that the actor was the one who submitted it in the first place.

You can deduce and come to the conclusion that UK is a possible targeted country by checking if there has been a healthy stream of samples coming from the country, but at the same time who's to say a TA isn't poisoning the sample pool by submitting fake samples from the proposed country?

Similar things can be said about malware family attribution as well - a lot of the time CTI researchers use code overlap as a strong argument for relating one TA to the other, but who's to say someone didn't just read an OSINT report and decide "hey, that'd be a fun thing to implement in my loader", and/or use the same RAT while they're at it?

Idk just food for thought when I'm just lying in bed thinking about things

Written by Still on 2024-11-05 at 19:57

I feel like I've been seeing a lot of repos that do keyword spam like this. Does anyone know what's the deal with these repos?

Written by Still on 2024-10-17 at 07:27

This "Prince Ransomware" just showed up on my GitHub recommendation feed, and the disclaimers are kinda diabolical.

You can't claim that you're "providing researchers with valuable insights into techniques used by TAs" when you're not bringing anything "insightful" to the table.

You're not doing anything new besides using a different encryption scheme. You're just creating yet another ransomware snippet that TAs can lazily modify from.

It sounds like whoever wrote this just slapped on the disclaimer to make themselves feel better.

With some open-source C2 frameworks, you can argue that they do provide valuable alternatives to both the TAs and the researchers, because they do use something new and not readily detectable, sometimes even innovative.

If your project doesn't do any of that - that's fine, you could say it's a fun little side project that you wanted to do to learn how things work, or "oh, I just thought it's a fun weekend project", but making stupid disclaimers like the ones listed in the README genuinely makes you sound like you're looking for excuses.

Written by Still on 2024-10-15 at 17:39

HAHAHA THE COVER I WORKED TWO MONTHS ON

Written by Still on 2024-10-14 at 17:41

lmao Facebook is dead

Written by Still on 2024-10-12 at 11:52

what did they do to the new virtualbox logo

Written by Still on 2024-10-08 at 13:11

possible hot take: Microsoft's threat actor naming scheme is the worst in the industry ever since they rebranded them. what the hell is a Salt Typhoon

Like the idea is fine, grouping the actor region by natural disaster names, but in practice they are not memorable AT ALL. I can remember names like Tropical Trooper, Stately Taurus because they sound rad as heck, but what is the difference between... Salt Typhoon and Twil Typhoon?

Written by Still on 2024-10-06 at 12:17

I spent the entirety of today in agony trying to configure OpenWRT - still not done yet after an entire afternoon

Written by Still on 2024-10-06 at 12:16

I love my GAMING computer with my GAMER internet through the use of my GAMING PORT

Written by Still on 2024-10-05 at 02:01

hi we are live investigating captcha-styled delivery stealer campaigns

https://twitch.tv/azakasekai

https://youtube.com/live/r2XIx-HHn0I?feature=share

Written by Still on 2024-10-03 at 12:15

Stupid question: does anyone know how to select a range of bytes and export them from IDA so I don't have to bring up 010 every time?

Written by Still on 2024-09-28 at 07:02

also apparently Firefox stores cookies in plaintext? I assumed Firefox stores everything with 3DES creds stored in key4.db, but no, only stored passwords are encrypted this way...

Written by Still on 2024-09-28 at 06:50

okay! we figured out how to dump the App-Bound-Encryption-encrypted master key by using snovvcrash's PoC as guidance and decrypt the relevant data using the key.

Apparently all you have to do is talk to the elevation service through COM (with the appropriate CLSID; we used Chrome Dev's) and start the process under the relevant Chrome path (possible workaround via injection/hollowing via any of the executables under the child directories; if you do not do this Chrome will raise Event ID 257 with "Failed to authenticate caller process").

With all that, pass the encrypted master key under app_bound_encrypted_key from Local State, throw the encrypted key to the elevated service, retrieve the 32-byte AES-256 key, decrypt the v20 prefixed secrets, take the 32nd to last 16th byte and there's your decrypted value!

Written by Still on 2024-09-28 at 01:58

we're live!! come explore Chrome's App-bound Encryption with us and figure out how infostealers work

https://twitch.tv/azakasekai

https://youtube.com/live/eL337anOkZg?feature=share

Written by Still on 2024-09-27 at 10:04

So apparently this is a re-implementation of ElliotKillick's LdrLockLiberator being used in the wild prior to loading a Cobalt Strike Beacon. VT search yields fewer than 5 samples.

Written by Still on 2024-09-27 at 06:57

wow I didn't know you can't do these in DllMain

Original URL
gemini://mastogem.picasoft.net/profile/109464841624060454