Hello! My name is Matt Suiche. I am the founder of OnDB Inc., a data infrastructure startup for the agentic economy. I recently discussed cyberwar in the age of AI, Iran’s cyber capabilities, and how AI is reshaping hacking on Bloomberg’s Odd Lots and the National Security Lab podcast.
Previously, I co-founded CloudVolumes (acquired by VMware in 2014) and Comae Technologies (acquired by Magnet Forensics in 2022), where I later served as Head of Detection Engineering. I also founded the cybersecurity community project OPCDE.
My path into technology started in reverse engineering as a teenager, and has since spanned memory forensics, operating systems, virtualization, blockchain, and now AI infrastructure.
Latest
One new wave stopped today but the worst is yet to come
UPDATE: Latest development (15 May): Attribution and links to Lazarus Group
UPDATE 2: Decrypting files
As a follow-up to the WannaCry article, here is a short brief on the new variants found in the wild, that is, not lab samples but files recovered from machines infected today.
In short, one of them is a false positive that some researchers uploaded to VirusTotal.
More than 70 countries are reported to be infected.
UPDATE: Latest development (15 May): Links to Lazarus Group
UPDATE 2: Decrypting files
IMPORTANT NOTE: Microsoft released an emergency patch (KB4012598) for unsupported versions of Windows (Windows XP, Server 2003, Vista, Server 2008). APPLY NOW!
NOTE 2: On Sunday 14 May, we stopped the second wave of the attack by registering a second kill switch domain, but this is only temporary: a variant that checks a different domain, or none at all, is not stopped by it.
On 14 April, the mysterious group ShadowBrokers released an archive containing several exploits, tools and operational notes on one of the most complex cyber-attacks in history: JEEPFLEA.
Figure: Main function, which redirects the logic based on the target Oracle server version
Among those tools are Windows exploits, but also tools to compromise SWIFT Service Alliance servers. One of them, PASSFREELY, bypasses the authentication process of Oracle Database servers; another is initial_oracle_exploit.
This is by far the most interesting release from the Shadow Brokers, as it does not only contain tools but also material describing the most complex and elaborate attack seen to date: a multi-stage attack bypassing Cisco ASA firewall appliances, then exploiting and infecting Windows servers in order to copy the Oracle databases of multiple hosts belonging to a SWIFT Service Bureau, part of the internal financial system.
The last time a nation-state used multiple 0-days to target another country's critical infrastructure was Stuxnet, launched against Iran's nuclear enrichment program.
Offline domain join is a new process that joins computers running Windows® 7 or Windows Server 2008 R2 to a domain in Active Directory Domain Services (AD DS)—without any network connectivity. This process includes a new command-line tool, Djoin.exe, which you can use to complete an offline domain join. Run Djoin.exe to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a .
Here is the method I am using in the next version of Win32DD (1.2) to retrieve MmPhysicalMemoryBlock regardless of the NT version. The main problem with the KDDEBUGGER_DATA64 structure is its version dependency, so we have to rebuild this field ourselves. To retrieve the physical memory runs I use the undocumented function MmGetPhysicalMemoryRanges(); its usage was described by Mark Russinovich in 1999, in the Volume 1 Number 5 edition of the Sysinternals Newsletter.
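The runs that MmGetPhysicalMemoryRanges() hands back are an array of PHYSICAL_MEMORY_RANGE entries (BaseAddress and NumberOfBytes, 8 bytes each) closed by an all-zero entry. Once a dumper has them, the same table tells a parser which physical addresses are RAM and which fall in holes (legacy VGA region, MMIO, PCI apertures) that were never read. The following Python is an added example, not Win32DD code: it parses such an array and translates physical addresses into offsets of a dump that stores the runs back to back with no padding, which is an assumption made for this example; the sample range table is constructed.

```python
"""Parse a PHYSICAL_MEMORY_RANGE array and translate physical addresses
through it.

Added example, not Win32DD code. Layout follows wdm.h: each entry is
BaseAddress (8 bytes) followed by NumberOfBytes (8 bytes), and the array
ends with an all-zero entry. The dump layout assumed by
physical_to_dump_offset (runs concatenated, no padding) is an assumption
for this example, and SAMPLE_RANGES is constructed, not captured.
"""
import struct
from typing import List, Optional, Tuple

ENTRY = struct.Struct("<QQ")  # PHYSICAL_ADDRESS BaseAddress, LARGE_INTEGER NumberOfBytes
PAGE = 0x1000

Run = Tuple[int, int]  # (base, size)


def parse_physical_memory_ranges(blob: bytes) -> List[Run]:
    """Return the runs up to the zero terminator, rejecting unaligned entries."""
    runs: List[Run] = []
    for off in range(0, len(blob) - ENTRY.size + 1, ENTRY.size):
        base, size = ENTRY.unpack_from(blob, off)
        if base == 0 and size == 0:
            return runs
        if size == 0 or base % PAGE or size % PAGE:
            raise ValueError(f"entry {off // ENTRY.size}: run is not page aligned")
        if runs and base < runs[-1][0] + runs[-1][1]:
            raise ValueError(f"entry {off // ENTRY.size}: runs overlap or are unsorted")
        runs.append((base, size))
    raise ValueError("range array has no zero terminator")


def total_ram(runs: List[Run]) -> int:
    """Bytes of real RAM described by the runs; this is the size of a dense dump."""
    return sum(size for _, size in runs)


def physical_to_dump_offset(runs: List[Run], phys: int) -> Optional[int]:
    """Offset of a physical address inside a dense dump (runs back to back).

    Returns None when the address lies in a hole between runs: that memory
    was never captured and must not be confused with zero-filled RAM.
    """
    cursor = 0
    for base, size in runs:
        if base <= phys < base + size:
            return cursor + (phys - base)
        cursor += size
    return None


# Constructed table: the classic x86 layout with the legacy hole under 1 MiB
# and a PCI aperture between 3 GiB and 4 GiB, RAM remapped above 4 GiB.
SAMPLE_RANGES = b"".join(
    ENTRY.pack(base, size)
    for base, size in [
        (0x0000_1000, 0x0009_E000),                # 4 KiB .. 636 KiB
        (0x0010_0000, 0xBFF0_0000 - 0x0010_0000),  # 1 MiB .. ~3 GiB
        (0x1_0000_0000, 0x4000_0000),              # 4 GiB .. 5 GiB
    ]
) + ENTRY.pack(0, 0)

if __name__ == "__main__":
    runs = parse_physical_memory_ranges(SAMPLE_RANGES)
    print(f"{len(runs)} runs, {total_ram(runs) / 2**20:.0f} MiB of RAM")
    for addr in (0x1000, 0xA0000, 0x100000, 0xC0000000, 0x1_0000_0000):
        off = physical_to_dump_offset(runs, addr)
        print(f"phys {addr:#012x} -> {'hole' if off is None else f'dump offset {off:#x}'}")
```

The alignment and ordering checks matter when the table is rebuilt from a dump rather than read live: a corrupted or misidentified array tends to show up as unaligned or overlapping runs long before the translated offsets look wrong.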
Today I wrote a tool called sym32guid, which retrieves all the Program Database (*.pdb) GUIDs stored in a physical memory dump. Why? The first goal was to use symbols as additional information on unexported functions such as the über-famous msv1_0!MsvpPasswordValidate, but it looks like it can also be used to detect viruses and Trojans…
The target machine is a 32-bit Windows Vista SP1 that I installed last week inside a virtual machine, and I extracted the physical memory dump from the Windows hibernation file through the SandMan framework.
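What a tool like sym32guid actually looks for is the CodeView RSDS record that every PE image built with a PDB carries in its debug directory: the signature "RSDS", the 16-byte GUID, a 32-bit age and the NUL-terminated PDB path. Below is an added Python example in the spirit of that tool, not its code: it scans a dump for such records, filters out accidental signature hits, derives the symbol-server id (GUID plus age) used to fetch the PDB, and applies a simple heuristic for the detection angle mentioned above, since malware frequently leaks a developer's profile directory in its PDB path. The sample dump is constructed.

```python
"""Scan a physical memory dump for CodeView RSDS records and report each PDB
GUID, age, path and the symbol-server id derived from them.

Added example in the spirit of sym32guid; it is not that tool's code. Layout
is the standard RSDS record: 'RSDS', 16-byte GUID (Windows mixed-endian
order), 32-bit age, NUL-terminated ANSI PDB path. SAMPLE_DUMP is constructed
for the example, not a real capture.
"""
import re
import struct
import uuid
from dataclasses import dataclass
from typing import Iterator, List

RSDS_SIG = re.compile(rb"RSDS")
HEADER_LEN = 4 + 16 + 4      # signature + GUID + age
MAX_PDB_PATH = 260


@dataclass
class PdbRecord:
    offset: int     # where the record sits in the dump
    guid: uuid.UUID
    age: int
    path: str

    @property
    def symbol_id(self) -> str:
        """GUID as 32 upper-case hex digits followed by the age in hex:
        the directory name a symbol server uses for this PDB."""
        return f"{self.guid.hex.upper()}{self.age:X}"


def scan_rsds(dump: bytes) -> Iterator[PdbRecord]:
    """Yield every plausible RSDS record in the dump, in file order."""
    for m in RSDS_SIG.finditer(dump):
        start = m.start()
        path_start = start + HEADER_LEN
        if path_start > len(dump):
            continue
        nul = dump.find(b"\x00", path_start, path_start + MAX_PDB_PATH)
        if nul < 0:
            continue
        raw_path = dump[path_start:nul]
        # The four signature bytes occur by accident in any large dump;
        # insist on a printable ASCII path ending in .pdb before trusting a hit.
        if not raw_path or not all(0x20 <= b < 0x7F for b in raw_path):
            continue
        if not raw_path.lower().endswith(b".pdb"):
            continue
        guid = uuid.UUID(bytes_le=dump[start + 4:start + 20])
        (age,) = struct.unpack_from("<I", dump, start + 20)
        yield PdbRecord(start, guid, age, raw_path.decode("ascii"))


def looks_like_dev_build(rec: PdbRecord) -> bool:
    """Heuristic, not a rule: Windows binaries carry a bare PDB name
    (ntkrnlmp.pdb) or a build-server path, whereas malware often leaks the
    author's profile directory through its PDB path."""
    p = rec.path.lower().replace("/", "\\")
    return "\\users\\" in p or "\\documents and settings\\" in p


def _rsds(guid_le: bytes, age: int, path: bytes) -> bytes:
    """Build one RSDS record (used only to construct the sample dump)."""
    return b"RSDS" + guid_le + struct.pack("<I", age) + path + b"\x00"


# Constructed dump: a kernel-style record, a stray signature with no valid
# path behind it, and a record whose path points into a developer's profile.
SAMPLE_DUMP = (
    b"\x00" * 64
    + _rsds(bytes(range(16)), 2, b"ntkrnlmp.pdb")
    + b"\xCC" * 40
    + b"RSDS\xFF\xFF\xFF\xFF" + b"\x00" * 128
    + _rsds(bytes.fromhex("0123456789abcdef0123456789abcdef"), 1,
            b"C:\\Users\\dev\\source\\dropper\\Release\\dropper.pdb")
    + b"\x00" * 32
)


def scan_all(dump: bytes) -> List[PdbRecord]:
    return list(scan_rsds(dump))


if __name__ == "__main__":
    for rec in scan_all(SAMPLE_DUMP):
        flag = "  <-- dev-machine path" if looks_like_dev_build(rec) else ""
        print(f"{rec.offset:#010x} {rec.symbol_id} {rec.path}{flag}")
```

The GUID is stored in the Windows mixed-endian layout (little-endian Data1, Data2 and Data3), which is why the code uses uuid.UUID(bytes_le=...) rather than reading the 16 bytes straight through; getting this wrong produces an id the symbol server has never heard of.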
X-Ways Forensics Beta 2 (from the makers of the WinHex editor) now includes hibernation file (hiberfil.sys) support, for Windows XP 32-bit only. Please note that the SandMan library/framework, released two months ago, is an open-source project under the GNU General Public License v3 that reads and writes the hibernation file…
Posted on Friday, Mar 28, 2008 – 1:05:
Ability to decompress Windows XP 32-bit hiberfil.sys files, whether active or inactive, to get a dump of physical memory with all in-use pages from the earlier point in time when the computer entered hibernation, as well as individually carved Xpress chunks from hiberfil.sys.
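Both SandMan and X-Ways have to undo the compression hiberfil.sys applies to its chunks before the pages can be read as a memory image. Below is an added example, not SandMan or X-Ways code: a decoder for the Xpress plain LZ77 format as described in MS-XCA (32-bit flag word, match tokens with a 13-bit offset and 3-bit length, and the shared length nibble for long matches). It takes the compressed payload of one chunk and does not parse the chunk header that precedes each block in hiberfil.sys; the three compressed vectors are assembled by hand for the example, not carved from a real file.

```python
"""Decode one Xpress plain-LZ77 compressed block, the scheme hiberfil.sys
uses for its chunks (MS-XCA, plain LZ77).

Added example, not SandMan or X-Ways code. It takes a chunk's compressed
payload only and does not parse the chunk header that precedes it in
hiberfil.sys. The test vectors at the bottom were assembled by hand.
"""
import struct


def xpress_decompress(src: bytes, max_out: int = 0x10000) -> bytes:
    """Return the decompressed bytes; raise ValueError on a malformed stream.

    A 32-bit LE flag word covers the next 32 tokens, consumed from the most
    significant bit. Bit 0 = one literal byte. Bit 1 = a 16-bit LE match
    token: low 3 bits = length - 3, high 13 bits = offset - 1. A length field
    of 7 continues in a nibble (two long matches share one byte: low nibble
    first, then high), 15 in a byte, 255 in a word, a zero word in a dword.
    A match flag with no input left ends the block.
    """
    out = bytearray()
    pos, end = 0, len(src)
    flags = flag_count = 0
    nibble_pos = 0  # offset of a half-used length byte; 0 means none pending

    while True:
        if flag_count == 0:
            if pos + 4 > end:
                raise ValueError("truncated flag word")
            (flags,) = struct.unpack_from("<I", src, pos)
            pos += 4
            flag_count = 32
        flag_count -= 1

        if not (flags >> flag_count) & 1:          # literal
            if pos >= end:
                raise ValueError("truncated literal")
            out.append(src[pos])
            pos += 1
            continue

        if pos >= end:                             # end-of-block marker
            break
        if pos + 2 > end:
            raise ValueError("truncated match token")
        (token,) = struct.unpack_from("<H", src, pos)
        pos += 2
        length = token & 7
        offset = (token >> 3) + 1

        if length == 7:
            if nibble_pos == 0:
                if pos >= end:
                    raise ValueError("truncated length nibble")
                length = src[pos] & 0x0F
                nibble_pos = pos
                pos += 1
            else:
                length = src[nibble_pos] >> 4
                nibble_pos = 0
            if length == 15:
                if pos >= end:
                    raise ValueError("truncated length byte")
                length = src[pos]
                pos += 1
                if length == 255:
                    if pos + 2 > end:
                        raise ValueError("truncated length word")
                    (length,) = struct.unpack_from("<H", src, pos)
                    pos += 2
                    if length == 0:
                        if pos + 4 > end:
                            raise ValueError("truncated length dword")
                        (length,) = struct.unpack_from("<I", src, pos)
                        pos += 4
                    if length < 15 + 7:
                        raise ValueError("extended length below its minimum")
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3

        if offset > len(out):
            raise ValueError("match offset reaches before the output start")
        if len(out) + length > max_out:
            raise ValueError("output exceeds the block size")
        for _ in range(length):          # byte-wise copy so overlaps repeat
            out.append(out[-offset])

    return bytes(out)


# Hand-assembled vectors (constructed, not taken from a real hiberfil.sys):
#   flags 0x18000000: literals a, b, c; match offset 3, length 9; end marker
XPRESS_ABC = bytes.fromhex("00000018") + b"abc" + bytes.fromhex("1600")
#   flags 0x60000000: literal x; match offset 1, length 49 via nibble 15
#   and extra byte 24; end marker
XPRESS_RUN = bytes.fromhex("00000060") + b"x" + bytes.fromhex("07000f18")
#   flags 0x38000000: literals a, b; two long matches sharing one length
#   byte (low nibble 0 -> length 10, high nibble 1 -> length 11); end marker
XPRESS_NIBBLE = bytes.fromhex("00000038") + b"ab" + bytes.fromhex("0f00100f00")

if __name__ == "__main__":
    for name, vec in [("abc", XPRESS_ABC), ("run", XPRESS_RUN), ("nibble", XPRESS_NIBBLE)]:
        print(name, xpress_decompress(vec))
```

The offset and size checks are what separates a forensic decoder from a lazy one: a carved chunk whose match offsets point before the start of the output, or whose lengths overrun the 64 KiB block, is corrupt or misaligned and should be reported rather than silently padded.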