It’s A Trap! – PSW #876
In the security news:
- Vicious Trap - The malware hiding in your router
- Hacking your car
- WSL is open-source, but why?
- Using AI to find vulnerabilities - a case study
- Why you should not build your own password manager
- The inside scoop behind Lumma Infostealer
- Hacking a smart grill
- Hardcoded credentials on end of life routers and "Alphanetworks"
- SIM swapping is still happening
- LoRa for C2
- Russian drones use Telegram
- Flipper Zero mod for the LOLZ
- Signal blocks Recall
- CISA loses more people
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Cyber threats move fast — are your credentials already out there? Join Channel E2E and Flare for Tales from the Dark Web, a live webcast revealing how infostealer malware and account takeovers happen — and how to stop them. See real-time demos, learn proactive defense strategies, and discover how Flare’s identity intelligence can keep your data safe. June 12 at 2 PM Eastern — register now at https://securityweekly.com/darkweb!
Paul Asadoorian
- BadUSB Attack Explained: From Principles to Practice and Defense
- Offensive Threat Intelligence
- Apache Tomcat RCE Vulnerability Exposed with PoC Released
- Chrome Zero-Day Flaw Exposes Login Tokens on Linux
- ViciousTrap – Infiltrate, Control, Lure: Turning edge devices into honeypots en masse
This is really cool! I had not anticipated attackers using a botnet this way:
- "Sekoia.io investigated a threat actor nicknamed ViciousTrap, who compromised over 5,500 edge devices, turning them into honeypots."
- "More than 50 brands — including SOHO routers, SSL VPNs, DVRs, and BMC controllers — are being monitored by this actor, possibly to collect exploited vulnerabilities affecting these systems."
- "This setup would allow the actor to observe exploitation attempts across multiple environments and potentially collect non-public or zero-day exploits, and reuse access obtained by other threat actors."
Though I suspect this botnet was multi-purpose (as pointed out on the 3-buddy problem podcast). The thing that strikes me is that the attackers went after BMC devices, but only for the purpose of a honeypot or an ORB network. Specifically, the report states that SuperMicro BMC devices were targeted. While it could be just default passwords, there are also many older CVSS 10.0 vulnerabilities, some with public exploits, that could have been used (ref: https://www.cvedetails.com/vulnerability-list/vendor_id-12753/Supermicro.html?page=1&order=3). So weird that an attacker gains access to the HIGHEST level of privileges on a system, but then just uses it for a honeypot to collect more exploits or as an ORB network. Makes me wonder if they even realized what they had. Also makes me wonder just how many BMCs we could find exposed to the Internet.
- chrisj7903/Read-Victron-advertised-data: Read the Bluetooth advertised data from a Victron Battery Monitor or Solar Charger, without (or in addition to) using the VictronConnect App
- Serious Discussion – Some guy asks if Windows Defender is enough and this is the amazing answer he got back
- Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
- Congress queries Juniper Networks as debate stirs over new encryption law – SiliconANGLE
- Signal signals discontent with Microsoft Recall
- CVE-2025-32756: Fortinet RCE Exploited in the Wild
- cve-2025-26817 netwrix rce
- How to Build a Secure Password Manager in Python
I think this is a fun project to learn some stuff, but I do not recommend using it in "production". There are some great password vaults out there, for free, such as KeePass. Use those instead :)
- The Windows Subsystem for Linux is now open source
Not entirely certain why Microsoft would do this, I suppose it's low risk (e.g., if someone wants the code, what else would they do with it other than make another WSL that runs on Windows?). It's MIT licensed, which means anyone can do whatever they want with it, including sell it. Who knows, maybe we will see interesting things with WSL on Windows. Could attackers take the code and weaponize it? Is it now easier to find vulnerabilities?
- I Hacked my Smart Grill – Unauthenticated Temp Readings
Some pretty awesome BT/BLE hacking in this one. I didn't dig into the details, but I almost bought one of these grill/smokers from Masterbuilt. Sounds like you can read settings. All these fancy smokers and grills now have BT and Wi-Fi, we've seen some research around them in the past too. The thing is attackers would be just using this more for a prank than an actual attack as the smoker only comes online when you are cooking...
- ESP32-S3Rogue: Building Advance Rogue Wi-Fi AP for Security Research and Demonstration.
This is on my list of projects as I love the usage of LoRa for C2 communications. The author did a nice job writing it all up and there is some code on Github.
- How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
This is significant as I keep seeing this come up in my feeds and really thought someone may have gotten lucky. That's not the case. The author found a vulnerability "the old fashioned way", then turned an LLM (o3) loose to find similar bugs and was successful. Some LLM notes:
- o3 demonstrated a significant leap in code reasoning, making LLMs genuinely useful for vulnerability research. While not replacing expert researchers, LLMs like o3 can make them much more efficient.
- The author first tested o3’s ability to find a known vulnerability (CVE-2025-37778) in ksmbd, which it detected in 8 out of 100 runs (compared to 3/100 for Claude Sonnet 3.7 and 0/100 for Sonnet 3.5).
- When analyzing all SMB command handlers at once (~12,000 lines of code), o3 not only found the known bug but also reported a novel use-after-free vulnerability in the logoff handler (CVE-2025-37899). The bug involves a race condition where one thread frees a session user object while another thread may still access it, leading to potential kernel memory corruption or code execution.
- o3’s bug reports were concise and structured, resembling human-written vulnerability reports, and sometimes even highlighted subtleties missed by the author.
- o3 is not perfect—there are still many false positives and negatives, but the signal-to-noise ratio is improving. The cost of running large-scale analyses is non-trivial.
- POV On The Flipper Zero
I SO want this: "The LightMessenger is a hardware add-on module developed by LAB401 in collaboration with [TIX LE GEEK] for the Flipper Zero. In persistence-of-vision mode, you can plug it in via the GPIO header and display messages in the air by shaking it around. Even better, you can do so in color, with a height resolution of 16 pixels—meaning you can display some nice text or basic graphics."
- Hardcoded credentials in the Telnet service in D-Link DIR-605L v2.13B01 and DIR-816L v2.06B01
This is an obvious backdoor, as the Telnet service accepts a user named "Alphanetworks" with a password stored in a plaintext file on the read-only filesystem. These products are end of life. It might be pretty simple to remove this backdoor, though you'd have to unpack and re-pack the firmware (and change the password or make other modifications to remove the backdoor in between those steps). Also, you may just need to replace your router.
Update: I asked Perplexity to research and tell me where "Alphanetworks" comes from. Its answer is amazing, here is the summary: "The "Alphanetworks" reference in CVE-2025-46176 represents the continuation of a long-standing pattern rooted in the corporate relationship between D-Link Corporation and its spun-off R&D and manufacturing arm, Alpha Networks Inc. The vulnerability demonstrates how firmware development practices established over two decades ago continue to create security risks in contemporary networking devices. The persistent appearance of hardcoded "Alphanetworks" user accounts across multiple vulnerability disclosures from 2013 to 2025 indicates systemic issues in firmware development and security practices that have not been adequately addressed despite repeated public exposure. Organizations using affected D-Link devices should prioritize identifying and mitigating these vulnerabilities while implementing network security controls to prevent unauthorized access through these hardcoded credentials. The broader industry implications suggest the need for enhanced security standards and practices in ODM firmware development processes to prevent similar vulnerabilities from affecting future networking products."
Jeff Man
- Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials
Huge compilation of real data. Unknown source. Now taken down...but still available to someone....
- Adidas says customer data stolen in cyber attack
"Adidas said passwords and credit card and other payment data were not compromised." Nothing to see here - just contact information stolen from a help desk database or ticketing system.
- Hack of Contractor Was at Root of Massive Federal Data Breach
It's long been said that you are only as secure as your weakest link, but how do you account for third parties when the whole point is you are attempting to transfer risk so you don't have to think about security?
This is a real insider threat attack - twin brothers, no less.
- AI Service Provider Faces Class Actions Over Catholic Health Data Breach
Who's minding the third parties?
- Kettering Health Cyber-Attack Disrupts Services
"Elective inpatient and outpatient procedures at Kettering Health facilities have been canceled for today" - that's bad.
- M&S cyber-attack: how to protect yourself from sim-swap fraud
Sounds like a technical attack, but it's really just a hijacking/social engineering attack.
Larry Pesce
- Montana Becomes First State to Close the Law Enforcement Data Broker Loophole
- Hacking My Car, and probably yours— Security Flaws in Volkswagen’s App
- Have I Been Pwned 2.0 is Now Live!
- VanHelsing ransomware builder leaked on hacking forum
- Mobile carrier Cellcom confirms cyberattack behind extended outages
- Reddit – The heart of the internet
- Lumma infostealer’s infrastructure seized during US, EU, Microsoft operation
Sam Bowne
- How Russia’s Drone Swarms Work–AI and Telegram
They no longer rely on jammable GPS, are driven by artificial intelligence, and piggyback on Ukraine’s own internet and mobile internet networks. The team say they recently discovered a note inside one of the drones they were dismantling—presumably left by a sympathetic Russian engineer—which hinted at the new control algorithm. The drones are controlled via bots on the Telegram social-media platform, the note indicated, sending flight data and live video feeds back to human operators in real time.
- 10 to 100 Times Faster than a Starlink Antenna, and Cheaper Than Fiber: Taara Unveils a Laser Internet That Could Shatter the Status Quo
Taara’s system transmits information using focused beams of light—what the company calls Lightbridges—that can send data up to 20 kilometers at speeds of 20 gigabits per second. The devices, which are roughly the size of a traffic light, are designed to be mounted on rooftops or poles, where they can maintain an unobstructed line of sight.
Similar “free-space optics” systems have been tested since the late 1990s, but past attempts were limited by weather conditions and fragile alignment systems. Taara claims its devices overcome many of those limitations with improved beam tracking and more resilient design.
- Until NotebookLM, I never believed AI could be this game-changing for productivity
NotebookLM is more of a study buddy than a shortcut. It won’t give you the answers you need to cheat. Instead, it’ll help you make sense of complex materials and actually understand whatever you’re studying or researching. This makes all the difference for someone who wants to actively understand the research they’re doing rather than just scrape by. You provide the tool with the sources, and then it uses AI to manipulate them in different ways.
NotebookLM doesn't hallucinate. Instead of generating responses by pulling information from the web or its own internal knowledge, NotebookLM relies solely on the documents you feed it or the information you share with it via chat. When the tool doesn't know the answer to your question, it won't make up information or try to guess just to please you. Instead, it'll tell you that what you're asking isn't mentioned anywhere in the sources you uploaded or your conversation history.
- I Gave Gemini Access to My Gmail, and It Weirds Me Out
Google’s AI Pro plan automatically unlocks Gemini’s Gmail integration—without an explanation of what it does or the choice to opt out. Clicking the Gemini icon in Gmail opens up a sidebar where you can talk to Gemini about your email. However, Google doesn't use Gemini data from Google Workspace apps, like Gmail, for training, ad targeting, or selling. I appreciate the guarantee, but I don’t fully trust Google.
- How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
The vulnerability it found is CVE-2025-37899 (fix here), a use-after-free in the handler for the SMB ‘logoff’ command. Understanding the vulnerability requires reasoning about concurrent connections to the server, and how they may share various objects in specific circumstances. o3 was able to comprehend this and spot a location where a particular object that is not referenced counted is freed while still being accessible by another thread. As far as I’m aware, this is the first public discussion of a vulnerability of that nature being found by a LLM.
He used a carefully-designed prompt and ran it 100 times to search for a known bug. o3 found the vulnerability in 8 of the 100 runs. In another 66 of the runs o3 concludes there is no bug present in the code (false negatives), and the remaining 28 reports are false positives.
Then he told the LLM to test all possible command handlers, in 9000 lines of code. It found a new 0day in 1 of the 100 runs.
- Hacker Conference HOPE Says U.S. Immigration Crackdown Caused Massive Crash in Ticket Sales
The conference usually has around 1,000 attendees and the event is almost entirely funded by ticket sales. There isn't a serious danger of the event not going ahead, but the conference may need to "significantly decrease" its space in the venue to manage HOPE's budget.
- “Microsoft has simply given us no other option,” Signal says as it blocks Windows Recall
Signal for Windows will by default block the ability of Windows to screenshot the app, using an API Microsoft provides for protecting copyrighted material.
- CISA loses nearly all top officials as purge continues
Virtually all of the top officials at the Cybersecurity and Infrastructure Security Agency (CISA) have departed the agency or will do so this month. "There’s a lot of anxiety around when the cuts and departures will finally stop and we can move forward as an agency."