LividPanda

Member
  • Posts

    33
  • Joined

  • Last visited

Profile Information

  • Gender
    Not Telling

System

  • CPU
    Intel 4930k @ 4.2ghz
  • Motherboard
    Asus P9X79-E WS
  • RAM
    G Skill Sniper 4 x 8GB 32GB
  • GPU
    2x GTX Titan X
  • Case
    NZXT H630
  • Storage
    1x OCZ Vertex 4 - 4x Samsung EVO 250GB w/ LSI RAID
  • PSU
    PC Power & Cooling Silencer MKIII 850Watt
  • Display(s)
    LG 31UM97 & Dell U3011
  • Cooling
    5x Noctua NF-F12's - Corsair H110
  • Keyboard
    Logitech G710+
  • Mouse
    Logitech G500
  • Sound
    Bowers & Wilkins MM-1's

  1. Kryptos Logic has a working DoS proof of concept that they demo'd on Twitter/Vimeo. They are purportedly going to release a blog post etc. explaining some of the technical details now that Microsoft has released a patch. This will likely accelerate this being weaponized and used out in the wild. They've also done an internet-wide scan. https://twitter.com/kryptoslogic
Update: Technical description of the vulnerability by 360 Core Security: http://blogs.360.cn/post/CVE-2020-0796.html
Update: There is a PoC on GitHub that results in a DoS; it BSODs your computer. I've been unable to get it to work. Struggling with the python implementation of the LZNT1 compression algorithm.
  2. Exploitable with an SMB Client or an SMB Server but there is an additional hoop to jump through to get RCE on an SMB client, which is good for those at home. It is rated critical by Microsoft. More information in the link below along with workarounds but still no patch. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
  3. It is still unclear if a file server like a NAS needs to be involved at all. I realize the tweet in my post makes it sound that way but after further research it is really unclear. I would actually lean towards: you just have to have SMBv3 enabled on your computer, exactly how EternalBlue worked. On some home computers on a network, 445 could be open for any number of reasons, and if you throw in a person who likes to open up all their email attachments, you're going to have a bad time. It is worth noting EternalBlue was the method that was used to spread most of that cryptolocker malware. This could easily do the same thing. By the middle of next week I bet there will be some proof of concept exploit code on GitHub/Twitter.
  4. A "potentially wormable" vulnerability exists in SMBv3 and specifically the compression. Information was accidentally released by Microsoft and then by Cisco Talos Intelligence on the below page but then taken down. The Microsoft page is now blank. Screenshot below the link. Due to its similarity to EternalBlue, Twitter is already trying to call it CoronaBlue. Microsoft did not include a patch for it in the latest March 2020 Patch Tuesday. https://blog.talosintelligence.com/2020/03/microsoft-patch-tuesday-march-2020.html
Microsoft's blank page that will probably have helpful information at some point. This page now has a patch available. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
Additional information on FortiGuard Labs and Twitter. https://fortiguard.com/encyclopedia/ips/48773 https://twitter.com/search?q=CVE-2020-0796&src=typed_query
Temporary remediation is to either disable SMBv3 or disable compression. Use common sense when following directions off Twitter to edit your registry or run PowerShell. More better article: https://www.bleepingcomputer.com/news/security/microsoft-leaks-info-on-wormable-windows-smbv3-cve-2020-0796-flaw/
Update - Security Advisory from Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
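The "disable compression" workaround mentioned above, as an added example that is not from the post or from Microsoft's advisory text: it reports, and with -Apply sets, the DisableCompression value under the LanmanServer service key. This covers the SMB server side only; it does not protect an SMB client that connects to a malicious server, so the patch is still the real fix.

```powershell
# Added example (not from the post): audit and optionally apply the SMBv3
# compression workaround for CVE-2020-0796. Run from an elevated prompt.
# Server-side only: an SMB client talking to a hostile server is not covered.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name = 'DisableCompression'

function Get-SmbCompressionState {
    # Value absent means the default, i.e. compression is enabled.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'compression enabled (value absent, default)' }
    if ($item.$Name -eq 1) { return 'compression disabled (workaround applied)' }
    return "compression enabled (value = $($item.$Name))"
}

Write-Host "Before: $(Get-SmbCompressionState)"

if ($Apply) {
    # DWORD 1 disables SMBv3 compression on the server; 0 or absent re-enables it.
    Set-ItemProperty -Path $Path -Name $Name -Type DWord -Value 1 -Force
    Write-Host "After:  $(Get-SmbCompressionState)"
}

# Separately, list enabled inbound allow rules for TCP 445, the exposure the
# post is worried about on home machines. Rules with LocalPort 'Any' are not
# matched here and would need a manual look.
$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter) |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
    }
Write-Host "Enabled inbound allow rules for TCP 445: $(@($rules).Count)"
$rules | Select-Object DisplayName, Profile | Format-Table -AutoSize
```

Revert by setting the value back to 0 (or removing it) once the patch is installed, since the setting also costs SMB throughput.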
  5. First off, I wouldn't make any purchasing decisions based off these results and definitely not if I was evaluating AV for an enterprise. Their methodology is far from comprehensive even when it comes to their Enhanced Real-World Test 2019 – Enterprise. That test leaves tons of TTPs (Tactics, Techniques & Procedures) off the MITRE ATT&CK Framework. They use a subset of 15 different TTPs; this is terrible coverage, especially since it's all they do - compare AV solutions. I would expect a systematic comprehensive evaluation of as many TTPs as possible when it comes to the enterprise. There are free tools on GitHub like the Atomic Red Team that will test more TTPs than they do. It will also do it in an automated fashion that you can do at home. There are also pay-for enterprise tools they could be using that test a lot more than 15 TTPs, like Scythe. Any enterprise making a purchasing decision off their methodology is deeply misguided. Windows Defender isn't at the bottom of their list, at least not their Real-World Protection Test July-October 2019 or Real-World Protection Test February-May 2019. In fact in both it is basically in the middle of the pack next to a bunch of other turds. Did you actually read their reports? July-October 2019 followed by February-May 2019 In terms of protection rate Defender actually comes in 3rd out of 11. It does have a high false positive rate. I don't think any of this actually matters though. Again, I'd call their methodology into question. How? By what means? Out of the malware they tested, what was the coverage of the MITRE ATT&CK Framework? How many of them had duplicate TTPs? These are only some of the questions I have that they don't really explain. Why? I understand they are a very common attack vector but there are tons of other ways to infect a box not involving drive-by downloads. This scope seems extremely narrow.
Fundamentally how you evaluate a home AV solution and an enterprise AV solution are the same, against the MITRE ATT&CK Framework. Why do they use a small portion of MITRE for the enterprise test but not for the consumer stuff? It really shouldn't make a difference. While real world samples should certainly play into the calculus of picking AV software, it shouldn't be the primary one. Rather than testing live samples, testing the individual techniques that any given commodity malware would try and do is much more effective, hence the MITRE ATT&CK Framework.
  6. Stick with Windows Defender, Microsoft has been doing a surprisingly great job with it as of late, at least in my testing. Decent malicious PowerShell detections, not the best but it is free and a lot better than McAfee. Pretty remarkable: MSBuild.exe, CSC.exe, or other trusted developer utilities running malicious code. It does a pretty good job detecting stock payloads out of something like Koadic. I would say excellent detections of any stock Meterpreter payload; an attacker is going to have to heavily modify their payload to sneak it past Defender. In the past I've had to do some work to get MSHTA.exe to load my malicious HTA files with Defender. Again, stock payloads off tools on GitHub aren't going to work. Surprisingly good detections of payloads generated by Cobalt Strike, not great but seeing as it is free, not terrible. You wouldn't expect it to be amazing because it is also a pay-for red team tool. Webshells achieved through the browser or command and control over lesser known protocols like HTTP/2 with something like Merlin, Defender does a pretty bad job, but almost everything does a piss poor job of this until you get into the enterprise solutions and they are still at best mediocre. You always need to be careful what you click. Windows does a decent job of protecting your credentials; make sure you have LLMNR turned off and other antiquated DNS-like protocols. Stock mimikatz is going to get lit up by Defender. An attacker is going to have to modify it to dump your creds, here's a video on what is involved in doing that. Things like an Internal Monologue attack will still work. Not allowing unsigned executables to run is really your best bet. Windows Defender combined with some sort of application whitelisting solution is a powerful combination. AppLocker, Software Restriction Policies, some third party tool etc. Every A/V vendor does a piss poor job of protecting your clipboard. People copy and paste out of their password managers.
I don't know how paranoid you are so I mention this. Defender has good detections with things like WMIC and WMI, close to the best I've seen period. Certainly better than McAfee. Defender's in-memory detections are precisely meh but generally so is everybody else. This is a whole other rabbit hole of links that I won't go into. McAfee is worse in almost every way. Windows has made some big strides in the last two years. I deal with bypassing AV regularly at work; it has gotten harder in that AV overall has gotten better, but the state of AV generally speaking is still pretty bad and it is certainly not a silver bullet. I wrote this response making no assumptions about what data you have or where the computer is etc. so some of this might not be relevant. I can tell you this is demonstrably not true. I'm not saying Defender is good, or even in the top 5, not even close, but there are a lot of AVs that would rank worse than it. Symantec: there is little difference between having Symantec on your computer and not in terms of detections. BitDefender, really not a good product. A lot of stock/generic malicious PowerShell will sail right through. There would probably be another 5 or 6, maybe more, that I'd rank below Defender, including McAfee.
  7. A website should only ever use HTTPS, there are no excuses. That site is a liability. That site may be hosted safely but it is going through many corporate, state, and government owned pieces of equipment. Should they be able to inject scripts, ads, modify pages, or add images onto an HTTP page so it looks like the creator of the site did it? No. Attackers have used HTTP sites to attack other sites; this happens all the time. HTTPS ensures content integrity and also gives the person the ability to detect tampering. If you only ever encrypt your secrets they stand out like a sore thumb; encrypt everything. Even if your site doesn't collect any user information, HTTPS provides confidentiality for header information, contents, and URLs. Even internal corporate sites or VPN-only sites should be using HTTPS. Also, just because a site's ads are over HTTP doesn't change the fact that that site should still be using HTTPS. They should figure out a way out of that ad publishing contract and ask why they are serving ads over HTTP.
  8. Your explanation and ultimately theirs ignores an entirely separate attack vector: impersonation of a trusted web server once you have the private keys. Imagine you're running a phishing campaign and the malicious site you set up now isn't just using any old valid TLS certificate but is using NordVPN's valid certificate. That would be an unsophisticated, simple attack to harvest credentials from a service that largely trades in fear, uncertainty, and doubt with its customers. Imagine the certificate wasn't expired in the screenshot below and I copied the NordVPN site automatically with the Social Engineering Toolkit and then started sending out emails that have been gathered from previous breaches. How about a dump of users from a private torrent tracker breach? They'd likely be using a VPN service, right? I agree the MitM attack would have been a stretch but I think it is burying the lead and isn't what an attacker would actually do at all; they'd go phishing. If you used NordVPN on your phone when this occurred, in combination with the link in my first post about a Use-After-Free attack affecting Android phones, you now have a very real sophisticated attack chain that isn't purely academic. People are acting like having an out-of-band management solution you don't know about is a get out of jail free card. NordVPN is ultimately responsible for knowing what is and isn't plugged into their servers. Critical Security Control number one is Inventory of Authorized and Unauthorized Devices. If they failed at doing number 1, what makes you think they're doing 2 through 20? Not to mention the at best dubious ethics of waiting this long to notify people.
  9. Here is the source https://share.dmca.gripe/hZYMaB8oF96FvArZ.txt if you want to test it out for yourself. Looks like it was floating around for quite a while before anybody noticed it. If the key was used before it had expired, there would be no warnings. Impersonating a trusted web server would be a gold mine for a sophisticated attacker especially after what Google Project Zero discovered being used out in the wild, potentially leading to full device compromise of a Pixel or Galaxy device. Also VikingVPN and TorGuard were hacked. This tweet aged well:
  10. It is strange to me that they went through the trouble of reinventing the wheel for a malicious implant with commodity post-exploitation functions. All of these features exist in multiple free command and control frameworks already. I mean I haven't gone through the code myself but the post-exploitation features are probably better implemented in Empire or Meterpreter, in that they evade detections better. People seem to think that really the only way they would get malware on a Linux box would be through something malicious involving their package manager; this is far from the case. A legitimate website that has been compromised through JavaScript, XSS, or iframes could easily download something like this without your knowledge. If you have any public facing services, or unintentionally public facing services, is your home firewall configured correctly? Are you immune to spearphishing links and attachments? I can tell you an attacker learning something as seemingly innocuous as a software version number can lead to full system compromise. ClamAV is a joke; it is better than nothing, but not by much. You would almost be better off dragging and dropping files into VirusTotal. The endpoint protection space on the Linux/Unix side of things is atrocious and way further behind than where it stands with Windows, which also isn't in a good place. A few vendors in the Windows space are at best doing a questionable job with fileless malware, PowerShell, csc.exe, MSBuild.exe, VBScript. These attacks occasionally get picked up now (an improvement from 2 or 3 years ago). This is not the case with Linux/Unix generally speaking. I think they are adding some of the same type of security features that PowerShell has implemented into Python3 but I think that has a long way to go still. The fact of the matter is most Windows/Linux/Unix machines and their users wouldn't know if they had a malicious PowerShell or Python one-liner run on them.
When was the last time you went through your PowerShell logs in Event Viewer? Who has sophisticated logging set up for Python, and actually checks it?
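One way to actually go through those PowerShell logs, as an added example that is not part of the post: it pulls recent script block logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and flags blocks containing patterns that are common in the kind of one-liners the post describes. The pattern list is constructed for the example and assumes Script Block Logging is already enabled by policy.

```powershell
# Added example (not from the post): review PowerShell script block logging
# (Event ID 4104) for blocks worth a second look. Assumes Script Block Logging
# is enabled; if the log is nearly empty of 4104 events, fix the policy first.
param(
    [int]$Hours = 24
)

# Constructed indicator list for this example; tune it to your environment.
$Patterns = @(
    'FromBase64String',                                     # payload decoded at run time
    '-EncodedCommand|-enc\b',                               # encoded command line
    'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b', # fetch-and-run
    'Invoke-Expression|\biex\b',                            # eval of built-up text
    'Reflection\.Assembly|Runtime\.InteropServices\.Marshal', # in-memory loading
    '-WindowStyle\s+Hidden|-NonInteractive'                 # quiet launch switches
)
$Regex = $Patterns -join '|'

$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
Write-Host "4104 events in the last $Hours h: $($events.Count)"

$hits = foreach ($e in $events) {
    # 4104 properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
    # [3] ScriptBlockId, [4] Path (empty when the block was typed or piped in).
    $text = [string]$e.Properties[2].Value
    $m = [regex]::Matches($text, $Regex, 'IgnoreCase')
    if ($m.Count -gt 0) {
        $flat = $text -replace '\s+', ' '
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Matches = ($m | ForEach-Object Value | Sort-Object -Unique) -join ', '
            Path    = $e.Properties[4].Value
            Preview = $flat.Substring(0, [Math]::Min(120, $flat.Length))
        }
    }
}
$hits | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Blocks with no Path are the interesting ones: a script file on disk leaves a name, whereas a command pasted into a console or passed on a command line does not.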
  11. Ignore them. I work in the infosec field as a penetration tester, which is what the job is called and is being incorrectly identified as a security analyst. Generally a security analyst and a penetration tester will have wildly different responsibilities. You should stick with it (hacking) because it is in super high demand and pays very well; it is also incredibly challenging and interesting. The quickest way into the penetration testing field is by getting a certification called the Offensive Security Certified Professional. It is technically an introductory level certification but penetration testing is not an introductory level field. The OSCP is a grueling 24 hour long hands-on only exam. It is best to start out as a system administrator or help desk, move to a Jr Security Analyst position, then a Security Engineer position, and then finally Penetration Tester. A good place to get some experience for free is https://www.hackthebox.eu/ which has a network you VPN into with machines to hack very similar to the OSCP.
  12. Why does everything have to be "actually pretty cool?" Why is something "actually pretty cool" when there was little to no debate as to if that feature was cool? Its coolness was widely accepted. Why can't something just be cool?
  13. http://wooaudio.com/products/wahps2.html The reason they aren't selling is because these are much nicer (I actually don't know that). I own both a Woo Audio and Silverstone. The Woo Audio one doesn't require a screwdriver to put together like some mechanical trollop (strumpet?), ergo it's easier to disassemble as well; in my opinion it looks nicer but not by much, feels nicer, and has adjustable height. Also you don't have to take the first pair off to get to the 2nd pair depending on what you do with your cables.
  14. My sister was an only child. A cat will blink when hit with a hammer. Linus uses a step stool to make these videos, he never knew his real stool.
  15. Brandon always has this cool wind burned look, like the shuttle lost a few heat tiles on reentry.