Hello again, Linux administrators. The large language models and their operators continue to find and disclose kernel exploits without patches arriving in downstream distributions. This one doesn't even have a CVE.

Enjoy!

https://discourse.ifin.network/t/cifswitch-another-ai-discovered-linux-lpe/516

Adam has it right here. Severity is a model that no longer works. In use exploits is where it's at. Part of why threat intelligence networks like @ifin are so important.

https://stateofsecurity.com/stop-patching-solely-by-severity-start-patching-by-exploitation/

#patching #exploits

This is admittedly ugly but if you are in a situation like me where you don't have visibility beyond Splunk and want to see what VS Code extensions are in your environment, this is working well for me today:

index=wineventlog_security sourcetype=XmlWinEventLog EventCode=4688 code extensions
| stats count BY host, Process_Command_Line
| rex field=Process_Command_Line "\\\extensions\\\(?<extension>[^\\\\ \"]+)"
| stats values(extension) AS extensions BY host, user
| rename host AS "Host", user AS "User", extensions AS "VS Code Extensions"

Obviously you'll need to change the index, etc. to match your environment.

Edit: You should be able to take the regex and apply it to Sentinel, LogRhythm, or whatever SIEM you have access to.

IPs and domains are just the beginning of the IoC journey. Effective defense requires the distillation of atomic indicators to something more generally applicable. IFIN Staff Member Mike B walks us through the distillation process.

https://ifin-intel.org/blog/ioc-distillation/

#ThreatIntel #ThreatIntelligence #IFIN