https://www.msuiche.com/categories/detection-engineering/Recent content in Detection Engineering on Matt SuicheHugoen-usSun, 24 Aug 2025 00:00:00 +0000https://www.msuiche.com/posts/elegantbouncer-when-you-cant-get-the-samples-but-still-need-to-catch-the-threat/Sun, 24 Aug 2025 00:00:00 +0000https://www.msuiche.com/posts/elegantbouncer-when-you-cant-get-the-samples-but-still-need-to-catch-the-threat/<h2 id="the-genesis-when-signatures-arent-enough">The Genesis: When Signatures Aren&rsquo;t Enough <a href="#the-genesis-when-signatures-arent-enough" class="anchor">🔗</a></h2><p>In the world of mobile security research, there&rsquo;s a recurring frustration that keeps many of us up at night: the most sophisticated exploits - the ones that really matter - are rarely shared. When <a href="https://citizenlab.ca" target="_blank" rel="noopener">Citizen Lab</a> and <a href="https://blog.google/threat-analysis-group/" target="_blank" rel="noopener">Google TAG</a> discover NSO Group&rsquo;s latest 0-click exploits targeting journalists and activists, we get brilliant technical writeups, CVE numbers, and patches. What we don&rsquo;t get? The actual samples.</p> <p>This isn&rsquo;t a criticism - there are excellent reasons for limiting access to weaponized exploits. But it creates a fundamental problem: <strong>How do you protect against threats you&rsquo;ve never seen?</strong></p>https://www.msuiche.com/posts/researching-blastpass-detecting-the-exploit-inside-a-webp-file-part-1/Wed, 27 Sep 2023 12:00:00 +0200https://www.msuiche.com/posts/researching-blastpass-detecting-the-exploit-inside-a-webp-file-part-1/<p><p class="markdown-image"> <img src="./images/riff-webp-vp8l-whitebg.png" alt="Anatomy of a WebP file" /> </p></p> <h2 id="introduction">Introduction <a href="#introduction" class="anchor">🔗</a></h2><p>Once again compression algorithms are showing us that they are ruling the internet. My initial encounter with compression algorithms was in the year 2007, while reversing the Windows hibernation file to reimplement the now well-known <a href="https://github.com/MagnetForensics/rust-lzxpress" target="_blank" rel="noopener">Microsoft LZXpress</a> which I discovered later was used in most Microsoft products until today. This journey continues today, with the scrutiny of the vulnerability CVE-2023-4863 located within the open-source <a href="https://developers.google.com/speed/webp" target="_blank" rel="noopener">Libwebp</a> library, affecting Chromium-based browsers such as such Mozilla, Chrome, and Edge but also messaging applications such as iMessage.</p>https://www.msuiche.com/posts/researching-forcedentry-detecting-the-exploit-with-no-samples/Mon, 19 Dec 2022 12:00:00 +0200https://www.msuiche.com/posts/researching-forcedentry-detecting-the-exploit-with-no-samples/<p>Earlier this month, I reached out to my friend <a href="https://twitter.com/chompie1337" target="_blank" rel="noopener">Valentina</a> and told her I wanted to learn about macOS/iOS exploitation, so she recommended taking a look at the CVE-2021-30860 vulnerability, also known as FORCEDENTRY, and the prior work <a href="https://github.com/jeffssh/exploits/tree/main/CVE-2021-30860" target="_blank" rel="noopener">her friend Jeffrey Hofmann posted on Twitter</a>.</p> <p>One year ago, <a href="https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html" target="_blank" rel="noopener">Google Project Zero published an analysis</a> of the NSO iMessage-based zero-click exploit <a href="https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/" target="_blank" rel="noopener">caught in-the-wild by Citizen Lab</a> and was dubbed as “one of the most technically sophisticated exploits we’ve ever seen” by the Google Project Zero team.</p>