When Lily from Human Resources develops BIOS code in her spare time.
Pinned Tweet
Follow
Click to Follow craiu
Costin Raiu
@craiu
Romanian antihacker from another planet; chief paleontologist; director of Global Research and Analysis Team at . Tweets are my own. #chess #taekwondo
Costin Raiu’s Tweets
New blog on Raspberry Robin 🍓🐦
🌍 Globally spreading campaign
☣️ USBs infected with malware
🔒 A Ransomware precursor
🤖 A botnet of IoT NAS devices
blog.bushidotoken.net/2023/05/raspbe
6
55
145
Who is #GoldenJackal? Giampaolo Dedola of takes a deep dive into this #APT actor over on securelist.com/goldenjackal-a
2
11
Great overview of major Turla ops from Andy, '96 to present. Long term, a smaller, dedicated and less resourceful group of smarter people overtakes a larger group with a bigger budget, eg. Sofacy.
Quote Tweet
From the first-ever foreign state cyberspying operation to a USB worm that infected air-gapped PCs to hiding in satellite comms to hijacking the infrastructure of other hackers, Turla’s persistence and ingenuity have made it “adversary #1” as Johns Hopkins’ Thomas Rid puts it.
Show this thread
1
9
27
I finally met the woman I’ve had the longest lasting toxic relationship of my life with face-to-face. She’s much kinder in person (h/t ). #IDAPro
5
123
Apple's new security release states that's the rapid security response from a few weeks ago patched 3 Safari itw 0-days: CVE-2023-32409, CVE-2023-28204, CVE-2023-32373. CVE-2023-32409 was reported by and
support.apple.com/en-us/HT213757
read image description
ALT
3
37
101
How did we get from "malware author arrested by law enforcement" to "check out my new malware development course on Github"?
33
114
750
Do you remember 's tweet about his YARA rule based on the Volatility plugin published by
- well, there's an old Snake sample on VT with a match
- out.exe (often used when carved from mem)
Tweet
twitter.com/msuiche/status
Sample
virustotal.com/gui/file/fc680
Quote Tweet
Just wrote a memory-focused YARA rule based on the Volatility plugin published at the end of the Snake Malware report.
gist.github.com/msuiche/8c8fd2
You can use it with the latest release of @MagnetForensics AXIOM Cyber 7.0 that supports our new memory analysis capabilities and… Show more
gist.github.com/msuiche/8c8fd2
You can use it with the latest release of @MagnetForensics AXIOM Cyber 7.0 that supports our new memory analysis capabilities and… Show more2
28
83
Show this thread
Same with the Yara rule, sadly.
2
4
14
YARA best practices
1. only use nocase if you really think that the value could be cased differently
2. If a string only consists of ASCII characters, don't write it as hex string (it confuses people)
2
20
76
Show this thread
🔍 Pivoting on Dragos IoCs reported today:
Focusing on 162.33.179.126:53 with hash:-208508626, discovered a small cluster 🎯:
1️⃣ 162.33.179.157
2️⃣ 162.33.179.126
3️⃣ 162.33.179.153
4️⃣ 162.33.179.165
5️⃣ 162.33.179.82
Investigating 162.33.179.165 relations 🕵️:
📁… Show more
3
34
93
Show this thread
It's time to destigmatize security events. Yes it happens at security companies and here's why we need to talk about it. #cybersecurity #icscybersecurity #otcybersecurity #industrialcybersecurity #criticalinfrastructureprotection
6
130
304
Dear , considering that you won't allow me to renew my licence, I'd appreciate it if you either:
a) Granted me an OSS dev license, considering the value I bring to your customers for free
b) Refrained from using my work for PR purposes
Cheers
Quote Tweet
#Gepetto keeps the first position for the second month in a row! Good job @JusticeRage 
Got a plugin that could be on the top of the chart? Publish it, and let’s see 
plugins.hex-rays.com//?utm_source=S
#IDAPlugin #PluginRoundup #IDAPro #IDAPython
Got a plugin that could be on the top of the chart? Publish it, and let’s see plugins.hex-rays.com//?utm_source=S
#IDAPlugin #PluginRoundup #IDAPro #IDAPython
read image description
ALT
5
13
81
Officially on the job market today. Anyone looking for an old TI guy with a "smidge" of years under his belt, let me know. Happy to have a chat.
4
62
102
Two years ago the SolarWinds hack made history as the boldest, most sophisticated supply chain hack ever pulled off. I dug into the detailed story about the ingenious way the hackers pulled it off - and then got caught - in this tale for WIRED magazine
13
279
668
Show this thread
How good #ChatGPT recognizes malicious URL?
We conducted an experiment:
DR: 87.2% / 93.8%
FPR: 23.2% / 64.3%
For a 0-shot system it's amazing. But it has limitations for #cybersecurity due to “hallucination” tendency and limited context window 👉 kas.pr/zkt2
2
39
77
Got a naked laptop? Get a big NSA sticker for it. Guaranteed conversation starter!
Pick them up at the booth on the RSA floor. #WeAreHiring
67
65
542
In my free time I hang out silently in Slack workspaces or on Discord servers on which red teamers discuss how to evade AV signatures, take notes and write sigs for that shit - it's a pretty satisfying hobby
19
30
437
NEW REPORT: NSO Group had a busy 2022, in which they appear to have debuted 3 iPhone zero-click exploits, deployed against civil society targets around the world running iOS 15 and 16. We break down the technical details in our latest report
3
36
66
Show this thread
We noticed two new #Gopuram backdoor samples with lower AV detection rates using our rule by
They don't use
%s\config\TxR\%s.TxR.0.regtrans-m
anymore, but
C:\Windows\system32\dovez.efs
^ new IOC
Rule
valhalla.nextron-systems.com/info/rule/APT_
#3CX #UNC4736
1
33
90
We found a new zero-day (CVE-2023-28252) in Microsoft Windows used in Nokoyawa ransomware attacks
5
216
420
Quantum restaurant, you don’t know if it’s smoking or non smoking until you enter
3
2
23
Getting ready for my presentation on Lazarus Group's campaign! Excited to share my experiences & see everyone in person after the pandemic.
2
9
53
Awesome work by and getting out their blog about the final payload of the #3CX compromise. I made a rule for #100DaysofYARA based off of the loader string and the hashing it does of a call to GetModuleFileNameW to get its own filename. I wonder what name🤔
1
11
37
Show this thread
Hey everyone, this is my first tweet! We identified a backdoor we dubbed #Gopuram, the final payload in the #3CX attack. The threat actor (likely to be Lazarus) has deployed it to cryptocurrency companies. More details in this thread and on Securelist (securelist.com/gopuram-backdo)
8
111
177
Show this thread
New reporting by and says the U.S. government purchased a surveillance tool from NSO called Landmark. The tool allows the operator to identify someone’s location based on their phone number.
5
38
77
Show this thread
The methods used by the Pinduoduo app in China are highly unusual. There are couple of scenarios of what might have happened here, and all of them are bad:
-Pinduoduo is hacked
-Pinduoduo has a malicious insider
-Pinduoduo lost their signing key
-Pinduoduo hacked their own users
Quote Tweet
“We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to,” said @Mikko Hyppönen, chief research officer at WithSecure, a Finnish cybersecurity firm.
Show this thread
2
27
61
I’m sure in a not too distant future blue teamers discuss methods to obfuscate their canaries and red teamers write and share YARA rules to detect them
7
21
107
RE: The 3CX VOIP supply chain attack, vendors have stated that macOS was also targeted - but I couldn't find any specific technical details (yet) 🍎🐛☠️
One vendor stated, "we cannot confirm that the Mac installer is similarly trojanized"
...let's dive in! 1/n 🧵
14
249
594
Show this thread
