Michael Grafl

Sie haben auch erstmals ein AI-generated Video aus den vorher nachher Bildern online gestellt, was das Ausmaß finde ich nochmal deutlicher macht. Die Gletscher Österreichs sind in der Endphase.

@SwiftOnSecurity Have they?

It turned out there are many more payloads used in the Notepad++ attack! To stay undetected, its masterminds were COMPLETELY changing execution chains about every month. Here are more IPs used in the attack: 45.76.155[.]202 45.32.144[.]255 Read below for many other IoCs! [1/8]

Non-malware schizos asking about why the Notepad++ malware payload was so interesting. Okay, we'll discuss it without getting too schizo. First, Rapid7 (and other various Cyber Threat Intelligence vendors) seem to generally attribute the Notepad++ compromise to Chinese APT group "Lotus Bloom". They attribute it to Lotus Blossom because they tend to recycle code segments to save time. Basically, fingerprints. Lotus Blossom is the invented name intelligence organizations have assigned to a group of Chinese government sponsored hackers. Their true identity is unknown, but speculative. It is not one person, it is likely a group of unknown size, it could two people, it could 15 people. Lotus Blossom has been active since 2009 (or so they speculate). Lotus Blossom are not noobs who do hacker noob stuff. Lotus Blossom is assigned high-profile tasks. Lotus Blossom does extremely specific targets, most notably they are instructed by the Chinese government to hack government institutions, telecom companies, aviation companies, and critical infrastructure (nuclear power plants, electrical power grids, hydroelectric dams, etc) in Southeast Asia and Central America. When Lotus Blossom targeted Notepad++, and users in specific regions (presumably Southeast Asia and Central America) attempted to do an update it delivered "Chrysalis Backdoor". Chrysalis Backdoor is the name intelligence companies invented and now call this malware. Chrysalis Backdoor used a lot of really common malware techniques which truthfully I won't go too much into (API hashing, custom implementations of GetProcAddress, malware nerd stuff). However, what makes this malware very special is it's usage of Microsoft Warbird. Microsoft Warbird is a proprietary technology which is rarely discussed. It is an internal library Microsoft uses to obfuscate it's instruction set in-memory. In other words, it's Microsoft really fancy custom way of preventing people from reverse engineering what Windows is doing when it's running. Unknown to me personally (and a lot of people apparently), in the past few years (2023) some security researchers have discovered ways to discretely use Microsoft Warbird and use it as a weapon. Basically, you can use undocumented APIs in Windows to use Warbird for your malware. This provides a way to hide what your malicious code is doing while it's running without needing any external tooling or custom implementations. They're weaponizing Microsoft's anti-tampering and/or anti-reverse engineering technology for malicious purposes. This is extremely impressive because it shows: 1. Lotus Blossom pays close attention to really talented security researchers or... 2. Lotus Blossom has really good security researchers on payroll Both are totally possible. The remainder of the Lotus Blossom tooling is fairly generic malware stuff and isn't too terribly impressive. Lotus Blossom (unironically) did a very good job hijacking Notepad++ update infrastructure and weaponizing Microsoft's anti-tampering technology (Warbird).

@cyb3rops Fingers crossed

This is bad. Putty level bad. notepad-plus-plus.org/news/hijacked-…

Ambitioniert, liebe Post, ambitioniert.

you have got to be kidding me.

Might need some help from @WorldBollard.

Nicht der Bohne aussetzen?

@i_am_fabs 'Cause one ratio'ed tweet ain't enough. x.com/buffys/status/…

@i_am_fabs Buffys keeps slaying them. x.com/buffys/status/…

Das ist die schlechteste Krisenkommunikation die ich je gesehen habe. 💀😭😭😭😭

@KurtBronko @gertikovski @PETADeutschland ... und nicht für Kegel-Übungen.

@gertikovski hallo @PETADeutschland bitte kurz aufklaeren robben sind zum kuscheln da 😡😡😡😡

Suche sowas in Wien West

What version of Spring Boot are you using?

When asking coding questions

@brunoborges @java @BillyKorando @nipafx Do not mix with System.in - what could possibly go wrong? 🫠

The class java.lang.IO got added in #Java25 without a JEP. But Java Swing's JDatePicker is being proposed as a JEP. openjdk.org/jeps/8368874 What is the rationale? // @Java @BillyKorando @nipafx

@SwiftOnSecurity But... but ... is heaven a halfpipe?

"It is seen as increasingly possible Eminem at no point had a fan named Stan, who put his pregnant girlfriend in the trunk and drove off a bridge with a tape that didn't say who it was to."

#JUnit 6.0.0 is released! ✨ Java 17 and Kotlin 2.2 baseline 🌄 JSpecify nullability annotations 🛫 Integrated JFR support 🚟 Kotlin suspend function support 🛑 Support for cancelling test execution 🧹 Removal of deprecated APIs docs.junit.org/6.0.0/release-…

Using URLs from the browser history for AI prompt injection is creative, I have to admit. 😬🫠

Ouch. Tokens with unrestricted access without any audit logs. What could possibly go wrong?