Mehran Armiyon

🚨 Critical Linux Kernel Vulnerability Alert Qualys has disclosed ssh-keysign-pwn: a 6-year race condition in __ptrace_may_access() that lets unprivileged local users read root-owned files. A privileged process (e.g. ssh-keysign or chage) opens sensitive FDs. During do_exit(), after exit_mm() (mm=NULL) but before exit_files(), pidfd_getfd() can steal those FDs. Impact: • Theft of host SSH private keys → real impersonation & MitM risk until keys are rotated
• Full read access to /etc/shadow → offline password cracking Affected: All kernels before 31e62c2ebbfd (May 14, 2026) — Ubuntu, Debian, Arch, CentOS, Raspberry Pi OS and more. Immediate action required: Apply the kernel patch NOW. 🔗 PoC: https://t.co/UZJyKb6Szj
🔗 Patch: https://t.co/rNU2YB4mVv…/31e62c2ebbfd
🔗 Full analysis: Phoronix & Qualys oss-security #LinuxSecurity #KernelVulnerability #CyberSecurity #InfoSec #OpenSSH #PrivilegeEscalation #ThreatIntelligence #Linux #CyberThreat #PatchNow

این کار تحقیقی جدید بعد از چند ماه بصورت عمومی منتشر شده و چند نکته مهم داره. خود تحقیق نیاز به توضیح اضافی نداره و میتونید مطالعه کنید. بصورت خیلی خلاصه، حداقل ۳ سال قبل از _شناسایی_ استاکس نت که سیستم مدیریت سانتروفیوژها رو دستکاری و به مرور خراب میکرد، حمله و اقدام مشابه ایی انجام شده که هدف اون چند نرم افزار محاسباتی و شبیه سازی بوده (LS-DYNA 970 )که یکی از چندین کاربردش، شبیه سازی انفجارها و محاسبات مورد استفاده در تحقیقات اتمی بوده. در نهایت، بدافزار با تزریق و دستکاری داده ها، منجر به تولید نتایج محاسباتی اشتباه میشده. این بدافزار همچنین با استفاده از قابلیت انتشار خودش و الوده کردن همه سیستم های مشابه در شبکه، به این هدف میرسیدع که هر سیستم دیگه اون شبکه که این محاسبات رو انجام میده هم، همون خروجی های اشتباه رو تولید کنه! پس حتی با تکرار محاسبات روی سیستم دیگه هم امکان شناسایی خطا/دستکاری بسیار کمتر میشده. همه این ها فوق العاده جالب هستن ولی نکته ایی که من میخوام بهش اشاره کنم چیز دیگه ایی هست: استفاده از نرم افزارهای قفل شکسته و دستکاری شده از قدیم بخش جداناپذیر از فرهنگ IT ایران بوده و شرکت و فروشگاه های زیادی هم بیش از دو دهه هست که از این راه کاسبی میکنن. همین الان هم بخش بسیار زیادی از ارگان ها و حتی زیرساخت کشور با همین رویه راه اندازی و مدیریت میشن. این همیشه بهترین فرصت بوده/هست برای پیاده سازی و انجام حملات و سو استفاده های مشابه. حالا تصور کنید که اگر ۲۲ سال پیش در این حد حساب شده و پیشرفته برای حملات سایبری برنامه ریزی و کار میشده، سطح و سقف فعالیت ها الان کجاست؟ همچنین باید در نظر گرفت که در این بازه زمانی ۲۰ ساله، ده ها حمله و عملیات مشابه(در خوشبینانه ترین حالت) انجام شده و فقط بهش خیلی خیلی کوچکی از اونها بعد ها شناسایی میشن. وقتی از کشوری بعنوان بازیگر جدی و قدرت سایبری یاد میشه، این مدل موارد هست که اونها رو برتر میکنه نه حمله های سایبری سطحی و پیش پا افتاده و کم/بی اثر مثل فعالیت های جاری ایران.

‼️🇮🇷 The IRGC (Islamic Revolutionary Guard Corps) surveillance system and Iranian police database have allegedly been leaked and posted for free download on a popular cybercrime forum. ‣ Threat Actor: IamNotaFBIWorker ‣ Category: Data Breach / Leak ‣ Victim: IRGC Surveillance System / Iranian Police ‣ Industry: Government / Military / Law Enforcement ‣ Country: Iran The data leak allegedly exposes sensitive information and the inner workings of the state's monitoring apparatus. The information allegedly leaked includes: ▪️ User Account Details and Activity Metrics ▪️ Social Connections and Interactions ▪️ Sensitive Personal Information ▪️ Machine Learning-Based Sentiment Analysis (e.g., "Against" the state) ▪️ Emotion Analysis of User Content (e.g., "ANGRY", "SAD") ▪️ Topic Categorization (e.g., "political", "economical") Two separate archives were posted for free download: the SEPAH-X-SURVEILLANCE dataset and a separate Iranian police database (mini). The threat actor stated they hope Iran takes this as a lesson.

🚨‼️ CRITICAL: Ubiquiti UniFi Network Application vulnerabilities were just disclosed CVE-2026-22557 CVSS 10.0 Remote path traversal vulnerability allowing an attacker to access and manipulate files, leading to account takeover. No authentication required. CVE-2026-22558 — CVSS 7.7 Authenticated NoSQL Injection allowing privilege escalation.

گروه Void Verge که دیروز باعث اختلال در شبکه زیرساخت شده بود، اعلام کرده که حکومت درحال آماده‌سازی فاز بعدی از قطع سراسری اینترنت در شرایط اضطراریه. هدف از این اقدام محدود کردن زنجیره ارتباط در اینترنت داخلیه، تا کاربران نتونن ابزارهای اتصال به اینترنت بین‌المللی رو با هم به اشتراک بذارن. بر اساس این ادعا، اقداماتی مثل مسدود کردن سرویس‌های رایگان اشتراک فایل در اپراتورهای اینترنت همراه، محدودسازی گسترده ارسال لینک و محتوا در پیام‌رسان‌های داخلی، ارسال پیامک‌های تهدیدآمیز و همینطور شناسایی وی‌پی‌ان‌های فعال در کانال‌ها و گروه‌ها درحال انجامه و گفته میشه این اطلاعات بصورت دستی یا با استفاده از ابزارهای خزنده (از جمله اسپارتا) جمع‌آوری میشن، تا دسترسی‌ها مسدود بشن.

Finally got some breathing room, so here's a quick recap of the cyber side of IR/US ongoing war: 1. Right after the first strikes by US, within the first hours, multiple popular (pro regime) news agencies and outlets were compromised at the same time. Legitimate looking news contents were injected to the front page, aimed at degrading morale of pro-regime force by typical PSYOPS tactics. Sites were quickly taken down and restored. 2. Shortly after that, BadeSabaa (Prayer time app), a popular mobile app with 30+ Million installations (from Iranian app store) was hijacked and used to send push notifications to users. This time the target audience was mostly army members, calling them to surrender and join the people, if they want to survive. This app is an interesting pick, not just because it has a high number of downloads. Users of the app are particularly religious people and have higher chance to be also pro-regime and within body of the army. One important but seemingly ignored fact about this app is that it requests location access to operate. It's safe to assume most users allow that for more accurate prayer time results. It's also safe to assume that, if the app backend is compromised enough to allow sending push notifications, it's safe to assume that any telemetry logs and data from the app would be also compromised. Correlating telemetry with unique device ID for that large user base can be (ab)used in many different and interesting ways! Not that it has been the case. * Rumors circulated that EITAA, an Iranian popular messaging app, was also taken down and no longer accessible. That turned out to be just a rumor as I verified. 3. Iran internet went in full blackout mode again. Not that this had anything to do with a cyber operation. Initially starting from MCI and expanding to the entire country within a day. Like in previous case, there are still a small fraction of hosts that remain accessible from outside, but if you have been logging previous round's data and compare it with current one, you might notice interesting discrepancies ;) This is likely a multi-reason effort to contain exposure of impact of strikes, possible denial of service to smaller drones (which turned out a failed assumption and attempt during IR/IL war too) and finally to have a veil over any potential aggression towards upcoming unrests and protests by people in the streets. 4. During second day of strikes, Iranian national TV's Channel 3 satellite streams (IntelSat) were hijacked (2nd time since recent protests) and videos of Trump and Netanyahu speeches were broadcasted instead. Again, expected PSYOPS move considering the situation. Other covert operations have been also in progress, which I guess we might be hearing about them (or not) in near future. I will be occasionally updating this as a thread, if more notable cyber attacks takes place.

Best way to test it was to create a functional wrapper around it, so I tasked Codex to make me Mr. Apple https://t.co/3JFr7uxioh The MCP support is experimental, but otherwise the idea is to have something like Claude or Codex, based on the locally available Apple Intelligence model. It can already interact with OS commands and filesystem. And yes, it's dumb, in comparison to frontier and most other heavier open models, but you get what you pay for :)