Matt Suiche
Cybersecurity Researcher
Hello! My name is Matt Suiche. I am an independent researcher, advisor, and investor. I previously served as the Head of Detection Engineering at Magnet Forensics. Our organization was passionately dedicated to justice and protecting the innocent, a mission we embarked on more intensely after the 2022 acquisition of my cybersecurity start-up, Comae Technologies.
My professional journey began as the Chief Scientist and Co-Founder at CloudVolumes which was acquired by VMware (NASDAQ:VMW) in 2014, before founding Comae. In addition, I’m proud to have initiated the cybersecurity community project, OPCDE.
My life-long fascination with learning and understanding complex systems first led me to cybersecurity. My teenage years were spent immersed in reverse engineering, which ignited a profound curiosity about technology that continues to this day. I’ve since explored various fields including operating systems architecture, programming languages, virtualization, modern web application development, and generative art. Furthermore, I’ve delved into numerous domains such as privacy, surveillance, forensics, blockchain, and community development among others.
Latest
Earlier this month, I reached out to my friend Valentina and told her I wanted to learn about macOS/iOS exploitation, so she recommended taking a look at the CVE-2021-30860 vulnerability, also known as FORCEDENTRY, and the prior work her friend Jeffrey Hofmann posted on Twitter.
One year ago, Google Project Zero published an analysis of the NSO iMessage-based zero-click exploit caught in-the-wild by Citizen Lab and was dubbed as “one of the most technically sophisticated exploits we’ve ever seen” by the Google Project Zero team.
POC is one of the top conference in Asia and has been running since 2006, and today I’ve had the opportunity to give the opening keynote (Slides) for POC 2022 conference in Seoul, Korea where I discussed our favorite memory safe language: Rust - thanks again to the organizers for the invitation.
I chose to discuss Rust from a software engineering and application security point of view. The main points were:
This year marks 5 year since I gave my first blockchain/web3 related presentation at DEFCON 25 when I presented Porosity which was an experimental decompiler and static analysis tool for Ethereum Virtual Machine bytecode, but also mentioned on why we should keep an eye on WebAssembly Virtual Machines back when eWASM was being drafted and an option for Ethereum as a replacement for EVM itself.
Since then, new layer 1 blockchains have emerged such as Solana (eBPF-variant), and NEAR & Polkadot (WebAssembly) as part of a new wave of architectures relying on the LLVM compiler and ELF file formats, instead of reinventing the wheel like the Ethereum Virtual Machine and Solidity programming language.
Magnet Forensics, a developer of digital investigation solutions for more than 4,000 enterprises and public safety organizations in over 100 countries, announced the acquisition of the strategic IP assets of Comae Technologies.
As part of the acquisition, Comae founder Matt Suiche will lead a memory analysis and incident response research and development team at Magnet Forensics, where he will further develop a memory analysis platform and integrate the technology into the company’s existing solutions.
The recent SolarWind’s hack which resulted in a backdoor version of their SolarWind Orion product which counts 33,000 customers has been all over the news in the past few weeks - most things have been said and repeated, although there are few notes that I mentioned on Twitter which I would like to compile in a blogpost for perenniality.
First of all, I would like to point out to the presence in the backdoor process blacklist (the full list can be found on Itay Cohen’s repository) of several processes that can be used for either:
GitHub Repository: https://github.com/msuiche/ruby-square Introduction 🔗In May, Microsoft announced a bounty for their new IoT platform called Azure Sphere. The interesting part about it is that it’s created with security in mind, which is a much needed initiative, so we decided to take a look.
While we didn’t find any issues worth reporting, we thought it would be a waste not to share what we’ve learned. Hopefully, this will be useful for others wanting to research the platform or those considering to use it for their projects.
SMBaloo 🔗A CVE-2020-0796 (aka “SMBGhost”) exploit for Windows ARM64.
Because vulnerabilities and exploits don’t need to always have scary names and logos.
GitHub Repository: https://www.github.com/msuiche/smbaloo Original post on Comae’s blog: https://www.comae.com/posts/2020-06-25_smbaloo-building-a-rce-exploit-for-windows-arm64-smbghost-edition/ Author: Matt Suiche (@msuiche) Acknowledgments 🔗 @hugeh0ge for his great blogpost and @chompie1337 for her excellent POC! On top of answering my questions on Twitter, their materials were really good and helped me immensely to understand the vulnerability and the exploitation part.
Key Takeaways 🔗 Twitter is doing better than other platforms by releasing datasets, albeit partial, on Information Operations (IO). There is so much more information yet to be disclosed. Recommendations are given. Attribution blindspots seem to be a common problem with social media companies. Aggregated Twitter data and Python scripts are available on Github - and will be kept up-to-date. Beautiful dynamic data visualization for Twitter’s IO datasets, generated in real time from our GitHub datasets.
Key Takeaways 🔗 A lot of the information shared by social media companies is still incomplete or missing. Further transparency on processes and data is required to increase visibility and awareness of campaigns. Elections have been a key focus of CIB campaigns. CIBs are also currently used in conflict-affected & politically vulnerable countries (e.g. Northern & Eastern Africa), although under-reported by media outlets. The data collected on Facebook’s CIBs is available on GitHub.
A while back, I discussed how memory could be used as an ultimate form of the log as long as the analysis workflow and process is smooth.
This blog post will start by explaining the blind spots created by event-driven detection solutions such as Endpoint Detection & Response (EDR), and how this can be balanced by using Comae DumpIt + Stardust as part of an incident response & compromise assessment strategy.