
Matt Suiche

Cybersecurity Researcher

Hello! My name is Matt Suiche. I am an independent researcher, advisor, and investor. I previously served as the Head of Detection Engineering at Magnet Forensics. Our organization was passionately dedicated to justice and protecting the innocent, a mission we embarked on more intensely after the 2022 acquisition of my cybersecurity start-up, Comae Technologies.

My professional journey began as the Chief Scientist and Co-Founder at CloudVolumes, which was acquired by VMware (NASDAQ:VMW) in 2014, before I founded Comae. In addition, I’m proud to have initiated the cybersecurity community project, OPCDE.

My life-long fascination with learning and understanding complex systems first led me to cybersecurity. My teenage years were spent immersed in reverse engineering, which ignited a profound curiosity about technology that continues to this day. I’ve since explored various fields including operating systems architecture, programming languages, virtualization, modern web application development, and generative art. Furthermore, I’ve delved into numerous domains such as privacy, surveillance, forensics, blockchain, and community development among others.


Latest

Rethinking Logging for Critical Assets

Going beyond log files, accepting memory as its own format. Logging is a common practice for IT and security purposes. Mature organizations tend to have extensive and in-depth logging capabilities using either commercial or free solutions. Although logging is a powerful way to troubleshoot and investigate events, it’s often limited by the initial input format of the logs during the collection process. As the complexity of attacks increases, it’s almost natural for defensive capabilities to also evolve — particularly in the area of logging.

Smart Contract Languages to Follow

What languages I’ll keep a close look at next year (2018). If “crypto” stands for cryptography… then, is my auto-correct right to call “cryptocurrencies” just “currencies”? Cryptocurrencies and blockchain made a lot of noise this year, good and bad. Smart contracts are finding new use cases (e.g. CryptoKitties), and some existing use cases like multi-sig wallets (e.g. Parity) have been challenged due to their high complexity, which introduced, like any piece of complex software, security vulnerabilities.

Porosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode

Porosity. GitHub Repository: https://github.com/msuiche/porosity. Abstract: Ethereum is gaining significant popularity in the blockchain community, mainly due to the fact that it is designed in a way that enables developers to write decentralized applications (Dapps) and smart contracts using blockchain technology. This new paradigm of applications opens the door to many possibilities and opportunities. Blockchain is often referred to as secure by design, but now that blockchains can embed applications, this raises multiple questions regarding architecture, design, attack vectors and patch deployment.

Petya.2017 is a wiper not a ransomware

Ransomware-as-a-service soon to be renamed Lure-as-a-Service. Dubbed Fakesomware by Comae (also called ExPetr, PetrWrap, NotPetya, DiskCoder). **TL;DR:** The ransomware was a lure for the media; this variant of Petya is a disguised wiper. Update1: A few hours later, Kaspersky’s research led to a similar conclusion. Update2: Added more info on the wiper command and comparative screenshots of the two keys that visually confirm Kaspersky’s finding and why the MBR copy routine didn’t make sense.

Petya — Enhanced WannaCry?

What we know so far about Byata. Summary: Yes, this is bad — real bad — this is another ransomware leveraging SMB network kernel vulnerabilities to spread on the local network. The exploit used is based on ETERNALBLUE, the NSA exploit leaked by TheShadowBrokers in April 2017. Similar to WannaCry. No kill-switch this time (and stop hoping for one). Update: The initial infection vector seems to have been a rogue update pushed by the attackers via the Ukrainian accounting software Me-Doc.

Lessons from TV5Monde 2015 Hack

This week during the SSTIC2017 annual cyber security conference, a French conference held every year since 2004, the National Cybersecurity Agency of France (ANSSI) gave a presentation detailing their 2015 investigation and remediation of the intrusion which affected the TV5Monde television network. This intrusion was allegedly conducted by the Fancy Bear/APT28 actor, and resulted in broadcasting and social media sabotage. Although this happened two years ago, hats off to both ANSSI and TV5Monde for sharing their experience, what they have learned and their methodology during the investigation.

WannaCry — Decrypting files with WanaKiwi + Demos

Working Windows XP & 7 demos. #FRENCHMAFIA. Read More: Part 1 — Part 2 — Part 3 — Part 4 — @msuiche (Twitter). In Short: DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*! *ASAP because prime numbers may be overwritten in memory after a while. Frequently Asked Questions: Here. Usage: You just need to download the tool and run it on the infected machine. Default settings should work.

WannaCry — Links to Lazarus Group

Potential links to North Korea have been found. Read More: Part 1 — Part 2 — Part 3 — Part 4. Code similarities between a February 2017 sample of WannaCry and a 2015 Contopee sample (previously attributed last year to Lazarus Group by Symantec) have been found. Initially reported on Twitter by Google researcher Neel Mehta; I investigated further. Since then, this suspicion has been shared by Kaspersky too.

WannaCry — New Variants Detected!

One new wave stopped today but the worst is yet to come. Read More: Part 1 — Part 2 — Part 3 — Part 4 — @msuiche (Twitter). UPDATE: Latest development (15 May): Attribution and links to Lazarus Group. UPDATE2: — Decrypting files. As a follow-up article on WannaCry, I will give a short brief about the new variants found in the wild, not for experimentation but on infected machines today. In short, one is a false positive some researchers uploaded to VirusTotal.

WannaCry — The largest ransom-ware infection in History

More than 70 countries are reported to be infected. Read More: Part 1 — Part 2 — Part 3 — Part 4 — @msuiche (Twitter). UPDATE: Latest development (15 May): Links to Lazarus Group. UPDATE2: — Decrypting files. IMPORTANT NOTE: Microsoft released an emergency patch (KB4012598) for unsupported versions of Windows (Windows XP, 2003, Vista, 2008). APPLY NOW! NOTE2: On Sunday 14 May, we just stopped the second wave of attack by registering a second killswitch, but this is temporary.