Exploring the architecture, challenges, and implementation patterns for building AI agents with small language models (270M-32B parameters) that can run on consumer hardware
The story of how ELEGANTBOUNCER was born from the frustration of not having access to in-the-wild exploit samples, and why structural analysis beats signatures for advanced mobile threats
Technical analysis and detection methodology for CVE-2025-43300, a critical 0-click RCE vulnerability in Apple's DNG image processing
This is the last part of a 3-part series on Bob and Alice in Kernel-land. You can find Part 1 here and Part 2 here. CrowdStrike's podcast “Adversary Universe Podcast” just released a new episode entitled “The Kernel’s Essential Role in Cybersecurity Defense” featuring Adam Myers with Alex Ionescu, who is the original architect of the CrowdStrike Falcon kernel agent and is also known for being the co-author of the “Windows Internals” book and for being among the most knowledgeable people when i...
It’s been a month since I wrote Part 1 of “Bob and Alice in Kernel-land”. As expected, we saw minimal constructive feedback from vendors, with a few notable exceptions. Sophos provided the most detailed information about their drivers, while CrowdStrike offered valuable insights into their kernel architecture, including the use of Microsoft’s Winsock kernel file transfer. This feature, introduced in Windows Vista+, was designed to replace the outdated Transport Driver Interface (TDI).
Over the past decade, several cyber incidents have shed light on how SWIFT operates between institutions. In 2017, I covered the vulnerabilities with PASSFREELY and the JEEPFLEA SIGINT operations revealed in TheShadowBrokers leaks. Additionally, the 2016 Bangladesh Central Bank Heist, orchestrated by North Korea, offered valuable insights into the workings of international inter-bank SWIFT messaging. Since then, financial messaging standards have undergone significant changes. Legacy standards...
A while back, I discussed how memory could be used as an ultimate form of log as long as the analysis workflow and process are smooth. This blog post will start by explaining the blind spots created by event-driven detection solutions such as Endpoint Detection & Response (EDR), and how this can be balanced by using Comae DumpIt + Stardust as part of an incident response & compromise assessment strategy.
Going beyond log files, accepting memory as its own format. Logging is a common practice for IT and security purposes. Mature organizations tend to have extensive and in-depth logging capabilities using either commercial or free solutions. Although logging is a powerful way to troubleshoot and investigate events, it’s often limited by the initial input format of the logs during the collection process. As the complexity of attacks increases, it’s almost natural for defensive capabilitie...
Ransomware-as-a-service soon to be renamed Lure-as-a-Service. Dubbed Fakesomware by Comae (also called ExPetr, PetrWrap, NotPetya, DiskCoder). **TL;DR:** The ransomware was a lure for the media; this variant of Petya is a disguised wiper. Update1: A few hours later, Kaspersky’s research led to a similar conclusion. Update2: Added more info on the wiper command & comparative screenshots of the two keys that visually confirm Kaspersky’s finding and why the MBR copy routine didn’t make s...
What we know so far about Byata. Summary: Yes, this is bad — real bad — this is another ransomware leveraging SMB network kernel vulnerabilities to spread on the local network. The exploit used is based on ETERNALBLUE, the NSA’s exploit leaked by TheShadowBrokers in April 2017. Similar to WannaCry. No kill-switch this time (& stop hoping for one). Update: The initial infection vector seems to have been a rogue update pushed by the attackers via the Ukrainian accounting softwar...
Working Windows XP & 7 demos. #FRENCHMAFIA Read More: Part 1 — Part 2 — Part 3 — Part 4 — @msuiche (Twitter) In Short: DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*! *ASAP because prime numbers may be overwritten in memory after a while. Frequently Asked Questions: Here. Usage: You just need to download the tool and run it on the infected machine. Default settings should work.
Potential links to North Korea have been found. Read More: Part 1 — Part 2 — Part 3 — Part 4 Code similarities between a February 2017 sample of WannaCry and a 2015 Contopee sample (previously attributed last year to Lazarus Group by Symantec) have been found. After Google researcher Neel Mehta initially reported it on Twitter, I investigated further. Since then, this suspicion has been shared by Kaspersky too.
One new wave stopped today but the worst is yet to come. Read More: Part 1 — Part 2 — Part 3 — Part 4 @msuiche (Twitter) UPDATE: Latest development (15May): Attribution and links to Lazarus Group UPDATE2: — Decrypting files As a follow-up article on WannaCry, I will give a short brief about the new variants found in the wild, not for experimentation but on infected machines today. In short, one is a false positive some researchers uploaded to VirusTotal.
More than 70 countries are reported to be infected. Read More: Part 1 — Part 2 — Part 3 — Part 4 — @msuiche (Twitter) UPDATE: Latest development (15May): Links to Lazarus Group UPDATE2: — Decrypting files IMPORTANT NOTE: Microsoft released an emergency patch (KB4012598) for unsupported versions of Windows (Windows XP, 2003, Vista, 2008). APPLY NOW! NOTE2: On Sunday 14 May, we just stopped the second wave of attack by registering a second killswitch but this is ...
On 14 April, the mysterious group ShadowBrokers released an archive containing several exploits, tools and operational notes on one of the most complex cyber-attacks in history: JEEPFLEA. [Figure: Main function which redirects the logic based on the target Oracle server version] Among those tools were Windows exploits but also tools to compromise SWIFT Service Alliance servers. One of these tools, PASSFREELY, enables the bypass of the authentication process of Oracle Database servers, and the second ones, init...
This is by far the most interesting release from Shadow Brokers as it does not only contain tools — but also materials describing the most complex and elaborate attack ever seen to date. A multi-stage attack bypassing Cisco ASA Firewall appliances, exploiting and infecting Windows servers in order to copy Oracle databases of multiple hosts belonging to a SWIFT Service Bureau that is part of the internal financial system. The last time a nation-state used multiple 0days to target another count...
As the U.S. presidential elections draw closer, the topic of election security is gaining increasing attention. This issue took on added significance yesterday when the current U.S. Vice President and new Democratic candidate, Kamala Harris, tweeted the following: Paper ballots are the smartest, safest way to ensure your vote is secure against attacks by foreign actors. Russia can’t hack a piece of paper like they can a computer.
As part of the attack chain, the initial infection starts with attackers dispatching a malicious PDF as an iMessage attachment. This particular attachment is crafted to stealthily leverage a remote code execution vulnerability in the FontParser, identified as CVE-2023-41990 and reported by Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky to Apple. As someone who worked at the NSA, I always think it's hilar...
More than 14 weeks have passed since the Apple Product Security team reported the issue affecting the WebP open source project to Google, as a follow-up to the BLASTPASS iOS exploit that was discovered in the wild by CitizenLab and discussed in September. This means that the email chain is now public as of December 14, 2023. We also learn that the Brotli compression algorithm almost got impacted by the same issue (c.f. BrotliBuildHuffmanTable) but the shape of the Huffman tree is checked before the actual lookup t...
Introduction: Once again, compression algorithms are showing us that they are ruling the internet. My initial encounter with compression algorithms was in the year 2007, while reversing the Windows hibernation file to reimplement the now well-known Microsoft LZXpress, which I discovered later was used in most Microsoft products until today. This journey continues today, with the scrutiny of the vulnerability CVE-2023-4863 located within the open-source libwebp library, affecting Chromium-bas...
Earlier this month, I reached out to my friend Valentina and told her I wanted to learn about macOS/iOS exploitation, so she recommended taking a look at the CVE-2021-30860 vulnerability, also known as FORCEDENTRY, and the prior work her friend Jeffrey Hofmann posted on Twitter. One year ago, Google Project Zero published an analysis of the NSO iMessage-based zero-click exploit caught in the wild by Citizen Lab and dubbed “one of the most technically sophisticated exploits we’ve ev...
POC is one of the top conferences in Asia and has been running since 2006, and today I’ve had the opportunity to give the opening keynote (Slides) for the POC 2022 conference in Seoul, Korea, where I discussed our favorite memory safe language: Rust - thanks again to the organizers for the invitation. I chose to discuss Rust from a software engineering and application security point of view. The main points were:
This year marks 5 years since I gave my first blockchain/web3 related presentation at DEFCON 25, where I presented Porosity, an experimental decompiler and static analysis tool for Ethereum Virtual Machine bytecode, and also mentioned why we should keep an eye on WebAssembly Virtual Machines back when eWASM was being drafted and was an option for Ethereum as a replacement for the EVM itself. Since then, new layer 1 blockchains have emerged such as Solana (eBPF-variant), and NEAR & Polkadot (...
Magnet Forensics, a developer of digital investigation solutions for more than 4,000 enterprises and public safety organizations in over 100 countries, announced the acquisition of the strategic IP assets of Comae Technologies. As part of the acquisition, Comae founder Matt Suiche will lead a memory analysis and incident response research and development team at Magnet Forensics, where he will further develop a memory analysis platform and integrate the technology into the company’s existin...
The recent SolarWinds hack, which resulted in a backdoored version of their SolarWinds Orion product which counts 33,000 customers, has been all over the news in the past few weeks - most things have been said and repeated, although there are a few notes that I mentioned on Twitter which I would like to compile in a blog post for posterity. First of all, I would like to point out the presence in the backdoor's process blacklist (the full list can be found on Itay Cohen’s repository) of sever...
GitHub Repository: https://github.com/msuiche/ruby-square Introduction: In May, Microsoft announced a bounty for their new IoT platform called Azure Sphere. The interesting part about it is that it’s created with security in mind, which is a much needed initiative, so we decided to take a look. While we didn’t find any issues worth reporting, we thought it would be a waste not to share what we’ve learned. Hopefully, this will be useful for others wanting to research the platform or t...
SMBaloo: A CVE-2020-0796 (aka “SMBGhost”) exploit for Windows ARM64. Because vulnerabilities and exploits don’t always need to have scary names and logos. GitHub Repository: https://www.github.com/msuiche/smbaloo Original post on Comae’s blog: https://www.comae.com/posts/2020-06-25_smbaloo-building-a-rce-exploit-for-windows-arm64-smbghost-edition/ Author: Matt Suiche (@msuiche) Acknowledgments: @hugeh0ge for his great blogpost and @chompie1337 for her excellent POC! On top of a...
Key Takeaways: Twitter is doing better than other platforms by releasing datasets, albeit partial, on Information Operations (IO). There is so much more information yet to be disclosed. Recommendations are given. Attribution blindspots seem to be a common problem with social media companies. Aggregated Twitter data and Python scripts are available on GitHub - and will be kept up-to-date. Beautiful dynamic data visualization for Twitter’s IO datasets, generated in real time from our GitH...
Key Takeaways: A lot of the information shared by social media companies is still incomplete or missing. Further transparency on processes and data is required to increase visibility and awareness of campaigns. Elections have been a key focus of CIB campaigns. CIBs are also currently used in conflict-affected & politically vulnerable countries (e.g. Northern & Eastern Africa), although under-reported by media outlets. The data collected on Facebook’s CIBs is available on GitHub.
What languages I’ll keep a close look at next year (2018). If “crypto” stands for cryptography… then, is my auto-correct right to call “cryptocurrencies” just “currencies”? Cryptocurrencies and blockchain made a lot of noise this year, good and bad. Smart contracts are finding new use cases (e.g. CryptoKitties), and some existing use cases like multi-sig wallets (e.g. Parity) have been challenged due to their high complexity which introduced, like any piece of complex software, ...
Porosity: GitHub Repository: https://github.com/msuiche/porosity Abstract: Ethereum is gaining significant popularity in the blockchain community, mainly due to the fact that it is designed in a way that enables developers to write decentralized applications (Dapps) and smart contracts using blockchain technology. This new paradigm of applications opens the door to many possibilities and opportunities. Blockchain is often referred to as secure by design, but now that blockchains can embed appl...
This week during the SSTIC2017 annual cyber security conference, a French conference held every year since 2004, the National Cybersecurity Agency of France (ANSSI) gave a presentation detailing their 2015 investigation and remediation of the intrusion which affected the TV5Monde television network. This intrusion was allegedly conducted by the Fancy Bear/APT28 actor, and resulted in broadcasting and social media sabotage. Although this happened two years ago — h...
Offline domain join is a new process that joins computers running Windows® 7 or Windows Server 2008 R2 to a domain in Active Directory Domain Services (AD DS)—without any network connectivity. This process includes a new command-line tool, Djoin.exe, which you can use to complete an offline domain join. Run Djoin.exe to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a .
Here is a method I’m using in the next version of Win32DD (1.2) to retrieve MmPhysicalMemoryBlock regardless of the NT version. The main problem with the KDDEBUGGER_DATA64 structure is the version dependency, so we have to rebuild this field by ourselves. To retrieve physical memory runs, I’m using the undocumented MmGetPhysicalMemoryRanges() function. The usage of this function was documented by Mark Russinovich in 1999, in the Volume 1 Number 5 edition of the Sysinternals Newsletter.
Today, I wrote a tool called sym32guid which aims at retrieving all stored Program DataBase (*.PDB file) GUIDs (Globally Unique Identifiers) from a physical memory dump. Why? The first goal was to use symbols as additional information regarding unexported functions like the über-famous msv1_0!MsvpPasswordValidate, but it looks like it can also be used to detect viruses and Trojans… The target machine is a Windows Vista SP1 32-bit that I installed last week inside a virtual machine and I...
X-Ways (WinHex editor) Forensics Beta 2 now includes hibernation file (hiberfil.sys) support for Windows XP 32-bit only. Please note that the Sandman library/framework, an open-source project under the GNU General Public License v3 to read and write the hibernation file, was released 2 months ago… Posted on Friday, Mar 28, 2008 – 1:05: Ability to decompress Windows XP 32-bit hiberfil.sys files, whether active or inactive, to get a dump of physical memory with all in-use pages from a previous point of t...
Already dubbed “the largest IT outage in history”, the CrowdStrike update from July 18, 2024 has affected at least 8.5 million Windows devices, according to Microsoft. Several of these devices are critical assets and run multiple essential services. For instance, I was unable to pay for my coffee in Dubai because the payment systems used by the coffee shop were down, and a friend lost her passport while stranded in Barcelona due to flight disruptions.