  • August 4, 2024
    HD Moore
    @hdm

    Attending BSidesLV? I really enjoyed working with the @HexxedBitHeadz duo to support their first speaking engagement in the Proving Ground at 14:00 on Wednesday. Their presentation is 🔥 and if you love Skyrim, even better!

    A New Host Touches the Beacon

    >Join us on an epic journey through the enchanting realms of Skyrim and the shadowy world of hacking in our first-ever technical blog turned talk. As passionate Skyrim players and modders, we stumbled upon an unexpected revelation – malicious Skyrim mods with the potential for real-world impact. In this presentation, we explore the intersection of gaming and cybersecurity by demonstrating a malicious Skyrim mod. This mod, triggered by the seemingly innocuous in-game item "Meridia’s Beacon," unleashes a reverse shell to an attacker host. Our journey unfolds as we probe into the complexities of crafting this mod, touching on research, development, and testing. Discover the unexpected dangers lurking in the world of gaming and gain insights into the fascinating realm of hacking studies. Prepare for a “Fus Ro Dah” of a time as we showcase not only the capture of a netcat reverse shell but the transformation of our payload into a full-blown Command and Control (C2) beacon.

    https://bsideslv.org/talks#FELX39

  • August 4, 2024
    HD Moore
    @hdm

    "How many slides are there in a 40-minute talk Michael, 100?" @rk and I are super excited to share our investigation into the Secure Shell protocol and implementations this Wednesday at Black Hat USA (3:20pm-4:00pm in South Pacific F, Level 0).

    This presentation may feel more like a rap battle than a lecture given the quantity of material and available time, but it should be a blast.

    If you would like to be notified when our new open source tool, "SSHamble", is released, you can sign up here:

    https://www.runzero.com/sshamble-access/

  • August 1, 2024
    HD Moore
    @hdm

    CrowdStrike attempts takedown of parody site: https://clownstrike.lol/crowdmad/

    (cue references to https://en.wikipedia.org/wiki/Streisand_effect)

  • July 30, 2024
    HD Moore
    @hdm

    @screaminggoat thanks! amazing year so far (and how easy it is to forget about previous events)

  • July 30, 2024
    HD Moore
    @hdm

    2024 has been a trip. Microsoft shipped an infostealer as a feature, on by default (Recall), then took down a chunk of Azure one evening, and was still overshadowed by CrowdStrike accidentally causing more harm than any malware campaign ever ($5b+ ?USD in losses). Also, OpenSSH remote exploits! See some of yall in Vegas soon!

    EDIT: Also, the whole multi-year con to backdoor xz and sshd on systemd distros (thanks @AlesandroOrtiz )

  • July 25, 2024
    HD Moore
    @hdm

    Secure Boot is completely broken on 200+ models from 5 big device makers:

    https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

    Great work by the Binarly team and an excellent write-up by @dangoodin!

  • July 24, 2024
    HD Moore
    @hdm

    runZero Discovers all IP-Addressable Assets and Proves Active Scanning is Safe for Operational Technology in NREL/CECA Testing:
    https://www.runzero.com/newsroom/runzero-discovers-all-ip-addressable-assets-and-proves-active-scanning-is-safe-for-operational-technology-in-nrel-ceca-testing/

  • July 24, 2024
    HD Moore
    @hdm

    A more coherent[1] explanation of Blue Friday:

    https://www.youtube.com/watch?v=y8OnoxKotPQ

    1. The less clear version is at https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/

  • July 14, 2024
    HD Moore
    @hdm

    I'm stoked to announce that @rk and I are speaking at @defcon DEF CON 32 on Friday at 1:00pm. Our talk, `sshamble: Unexpected Exposures in the Secure Shell` covers lesser-known tricks for making remote secure shells into your shells.

    https://defcon.org/html/defcon-32/dc-32-speakers.html#54452

    Also, DEF CON's deadline for materials is midnight and our servers are working as hard as they can to pull the necessary data.

  • July 4, 2024
    HD Moore
    @hdm

    my favorite quasi-backdoor SSH capability (today) is "Russia URAL Special Auth Feature"


Copyright 1998-2025 HD Moore