Dave Aitel (@daveaitel)'s Twitter Profile
Dave Aitel

@daveaitel

Cyber Security Researcher | Policy Analyst | Partner at https://t.co/OpZchMm8Sz | @[email protected]


Link: http://www.aitelfoundation.org | Joined: 23-08-2007 00:57:41

92,5K Tweets

28,8K Followers

1,6K Following

chrisrohlf (@chrisrohlf):

Dave Aitel Yes and also time to recognize most of the vulnerable functionality in these edge devices is implemented in memory safe languages. I’m good with the push on memory safety but maybe time for a USG campaign for “no more shelling out for developer convenience”.

Dave Aitel (@daveaitel):

We don't need software liability. We just need the ability and courage to say 'these boxes are not and were never safe to run on your network. Throw them away immediately'.

Dan Black (@DanWBlack):

Over a decade in the making: Sandworm is now APT44.

Below is a thread with some major takeaways and insights from our new report:

cloud.google.com/blog/topics/th…

Will Dormann (@wdormann):

Worth noting:
- Fixes have not been released yet.
- This is being exploited in the wild.
- One mitigation is to disable device telemetry. Which I'd like to assume actually blocks the attack vector, as opposed to merely keeping the product owner blissfully ignorant.
Right??

Will Dormann (@wdormann):

Brian in Pittsburgh Dave Aitel I love how they use the language that it 'is no longer an effective mitigation'
As in, it used to block the vulnerability at the time of writing it.
But somehow the world changed to make them now wrong.

Dave Aitel (@daveaitel):

The USG can't be trustworthy unless they are willing to say things that go against what a vendor wants to hear - sometimes that means acknowledging patching a vulnerability is not the answer.

Dave Aitel (@daveaitel):

The idea a vendor would suggest that only configurations with telemetry on were vulnerable and then have to walk that back is amazing. The USG needs to go on record and provide stable advice to people that these boxes should not be used and are not patchable.

Justin Elze (@HackingLZ):

Since it's out there now, this is what I caught in the wild for CVE-2024-3400:

GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br…

Dr. Jason Loxton (@jason_loxton):

This is the craziest paleo story of the year. Hominid mandible in someone's bathroom reno! johnhawks.net/weblog/how-man…

Dave Aitel (@daveaitel):

The whole point of Trump's statement was as a call out to Confederates. It's how the Taliban says 'Sheikh Osama' when talking about Bin Laden.

Brian in Pittsburgh (@arekfurt):

So, uhh, you know how Palo Alto said you were only vulnerable to CVE-2024-3400 if you had GlobalProtect gateway *and* telemetry enabled, and therefore you might disable telemetry to protect yourself as an emergency measure?
Yeah.
Turns out that was not, as one might say, correct.

Brian in Pittsburgh (@arekfurt):

I love how Palo Alto says 'Disabling telemetry is no longer an effective mitigation.' As if it *was* an effective mitigation but somehow the nature of the vulnerability spontaneously evolved over the last two days.
🤥🤥🤥🤥

Gynvael Coldwind (@gynvael):

One of my issues with most bugbounty programs is that they effectively attempt to buy silence instead of focusing strictly on improving security.
There are notable exceptions, like Google, which applies the 90 day policy to itself as well.

Andy Greenberg (@a_greenberg; @agreenberg at the other places):

A group called Cyber Army of Russia posted videos in which it tampers with control software for US water utilities, a Polish wastewater plant, and a French hydroelectric dam.

Now a report from Mandiant ties the group to Russia's Sandworm hacker group. wired.com/story/cyber-ar…

Dan Black (@DanWBlack):

Important to remember: the GRU habitually exaggerates the impact of cyber operations in their IO activity - it's been a core feature extending back to the CyberBerkut era.

Fantastic work shining sunlight on yet another case of that playbook in action here from Le Monde.

Will Dormann (@wdormann):

What are the consequences of a vendor for a security product choosing to use a feature (shell=true) that's well documented to introduce vulnerabilities?
Oh, right. None.
There aren't any.
