Mark Lechtik

Senior Reverse Engineer (FLARE), Google (Mandiant) | Backdoors, rootkits, bootkits | CTI tinkerer | Views are my own.

#IStandWithUkraine

2023-01-19

Fortinet has published an advisory on active exploitation of CVE-2022-42475 in the wild. My colleagues at Mandiant and I followed up with analysis of a backdoor that is associated with this activity and targets Fortinet devices, dubbed BOLDMOVE.
Based on artefacts from a Windows variant of BOLDMOVE (54bbea35b095ddfe9740df97b693627b) that allude to a UTC+8 timezone and usage of the GBK character encoding in the actor's environment, it is assessed with low confidence that the activity is affiliated with a China-nexus threat actor.

mandiant.com/resources/blog/ch

2022-11-20

This is my account on Twitter - twitter.com/_marklech_ - verified by Twittodon.com

(for verification, don't follow me there)

2022-11-20

@maldr0id I once sat in a meeting between a malware RE team that I led with an executive who started it with the premise "so now that malware reverse engineering has become a commodity..."

2022-11-20

@r00tbsd @Sebdraven one day we will translate it to English

Mark Lechtik boosted:
Dmitri Alperovitch (dmitri@mas.to)
2022-11-20

There is far too little recognition of the fact that the US Intelligence Community’s ability to discover Russian invasion plans and share them with Ukraine is one of the greatest intelligence successes of the last 50 years and has had a critical impact on thwarting Putin’s imperialist ambitions.

They knew the Russian war plans better than most of the Russian military executing the invasion (who mostly had no idea they were going to war) and even members of Putin’s Security Council! Remarkable!

2022-11-20

Elon's gesture looks like it has a question mark at the end of it

2022-11-20

This must be the feeling of infinite and all consuming cringe
twitter.com/elonmusk/status/15

Mark Lechtik boosted:
Łukasz :verified: (maldr0id@infosec.exchange)
2022-11-19

The charla&tan fraud matrix - from attack methods (in red) to defence methods (in blue)

2022-11-18

twitter.com/cpartisans/status/
I don't know much about the credibility of this entity, but if that data is out I think it's in the best interest of all of us to know who Roskomnadzor has been targeting since at least February. Who knows what familiar names may come up there.

2022-11-18

@roccobarbi I can't imagine who still uses Myspace, maybe bots. With Elon onboard, I'm not surprised even they don't want to use Twitter.

2022-11-18

I have uninstalled the Twitter app from my phone, recommend you do the same. I feel Twitter is about to reunite with MySpace in social media heaven.

2022-11-15

While everyone is mocking Lavrov (rightfully so) for his western outfit and gadgets, I keep thinking how many APTs are lurking in his iPhone.

2022-11-14

@pinkflawd libboost is just as much worse to RE on Windows

2022-11-09

#introduction
I've been doing malware RE and CTI research for the better part of a decade, with a primary focus on APTs.

A bit of my past work (along with colleagues across different companies) can be found in the public domain. This includes research of the following APT activities:

- MoonBounce (with Vasiliy Berdnikov):
securelist.com/moonbounce-the-
- GhostEmperor (with Vasiliy Berdnikov, @r00tbsd, Aseel Kayal):
securelist.com/ghostemperor-fr
- MosaicRegressor:
securelist.com/mosaicregressor
- Operation TunnelSnake (with Giampaolo Dedola):
securelist.com/operation-tunne
- LuminousMoth (with @r00tbsd and Aseel Kayal):
securelist.com/apt-luminousmot
- Lyceum (with @r00tbsd and Aseel Kayal):
securelist.com/lyceum-group-re

I also did some research on DPRK-sourced security products:
- SiliVaccine AV (with Michael Kajiloti):
research.checkpoint.com/2018/s
youtube.com/watch?v=7xcLAiWQm9
- The North Korea AV Anthology (with Ariel Jungheit):
drive.google.com/file/d/1lq0Sj

As well as work with my friend @hasherezade on unusual malware formats:
drive.google.com/file/d/1k758Q

Happy to discuss anything APT/CTI/RE related.

2022-11-08

@campuscodi yeah I'm definitely way behind in the social media game.

2022-11-08

@campuscodi good to see you here

2022-11-08

@cstromblad Still exploring this neighborhood. Thanks for the warm welcome!

2022-11-08

Verifying myself (to the best of my ability):
twitter.com/_marklech_/status/
