Hacking Drivers – PSW #879
This week: * The true details around Salt Typhoon are still unknown * The search for a portable pen testing device * Directories named "hacker2" are suspicious * Can a $24 cable compete with a $180 cable? * Hacking Tesla wall chargers * Old Zyxel exploits are new again * Hacking Asus drivers * Stealing KIAs - but not like you may think * Fake articles * Just give everything to LLMs, like Nmap * Retiring Floppy disks * An intern leaked secrets * Discord link hijacking * Cray vs. Raspberry PI * More car hacking with BMW
Paul Asadoorian
- When legitimate tools go rogue
- johnstri666/InstagramPhisingwithESP32
- Arch Linux Officially Adds Rust–FAKE NEWS
Paul's article #4 has vanished, it was apparently fake
- mjg59
- CVE audit demanded by Dems as program funding threatened
- ‘What F***ing Russia Day?’: Ukrainian Intel Wipes Out Russian Telecom in Massive Cyberattack
- Your Android Notifications Could Be a Security Nightmare in Waiting
- Attribution With A Pinch of Salt (Typhoon)
We need to do better at sharing IoCs: "...defensive decisionmaking will be limited so long as detailed information on just what Salt Typhoon “is”—and more importantly, how they operate—remains scarce. Second, for those grasping for anything to bolster network defense and similar actions, following weak links to historical activity may appear to satisfy a need, but likely will result in misguided actions that fail to address the root problem."
- Stryker App Goes Free: The Ultimate Mobile Pentesting Toolkit
This is a good summary (Perplexity): "Stryker is a free, feature-rich, and easy-to-use Android app for penetration testing, now including premium features at no cost. It supports a wide range of tools and adapters, requires root, and is ideal for security enthusiasts wanting to test networks and devices from their phones." - I spent some time reading up on this app, and even looking at their USB dongle that you can plug into a phone and use the same tools without requiring a rooted Android device. Not wanting to purchase things I know I can build myself, I started researching (again) platforms for handheld hacking devices. I am now set to build a Hackberry PI! Here's the shopping list:
- One of these: https://www.elecrow.com/hackberrypi-cm5-9900.html (HackberryPiCM59900-Black) - But wait Paul, couldn't you build that yourself? Probably, but I am lazy.
- Next you need a Raspberry PI 5 CM5: https://www.pishop.us/product/raspberry-pi-compute-module-5-wireless-16gb-ram-lite-cm5116000/ - The Hackberry PI mentioned that you should get the CM5 with the SD card slot (lite). I chose 16GB of RAM as I plan to run Kali on it.
- At some point I picked up one of these: https://a.co/d/ixByNqK - ALFA Network AWUS036ACM
We'll see how it goes, hoping to get a mobile Kali instance I can use for hacking stuff and things, and definitely not to crack the Wifi network at the soccer field where the cellular service sucks...
- IoT-Vulnerability/LB-LINK at main · glkfc/IoT-Vulnerability
A handful of vulnerabilities discovered in B-Link routers. The command injection vulnerability was used in the PoC to create a directory called "hacker2". Other articles, likely AI generated, were stating that to detect exploitation you should look for suspicious directories such as "hacker2". If it were only that easy LOL. Also, this looks more like a feature than a bug, as you make a POST request to "set_cmd" with the parameter called "cmd" that contains the command you'd like to run. More LOLZ.
- joelsernamoreno/EvilCrowCable-Wind: Evil Crow Cable Wind device
Will these $24 cables work the same as the $180 O.MG cables? We'll see once they arrive.
- Exploiting the Tesla Wall connector from its charge port connector
When I first set up my Tesla Wall Charger and configured it to connect to my home Wifi I had a feeling there were vulnerabilities to be discovered. This article is by far the best piece of research on the subject. The team figured out that Tesla vehicles can update the wall charger, and after some reverse engineering and exploit crafting, they were able to run arbitrary code on the wall charger from a simulated "vehicle". This is a very cool attack!
- GreyNoise Observes Exploit Attempts Targeting Zyxel CVE-2023-28771
I remember this vulnerability! Also, this is interesting: "All 244 IP addresses are registered to Verizon Business infrastructure and geolocated to the United States. However, because CVE-2023-28771 is exploited over UDP (port 500), spoofing is possible and these IPs may not reflect the true source of the traffic." - The exploit exists in Metasploit and I wrote about the supply chain aspect here: https://eclypsium.com/blog/zyxel-firewall-vulnerabilities-reveal-the-complexity-of-the-it-infrastructure-supply-chain/ - If you have not patched this vulnerability you are more than likely pwned by now as the exploit has likely been thrown at every IP on the Internet by now...
- ASUS Armoury Crate Vulnerability Lets Hackers Gain System-Level Access on Windows
The driver only checks a SHA256 hash of an application to determine authorization. Through some hard linking and TOCTOU vulnerabilities, an attacker can authorize any application to interface with this driver. The driver provides low-level access to Asus hardware and firmware, as Talos explains attackers are able to:
- map any physical memory address in virtual address space of calling process
- giving any access to in/out (I/O Port Communication) instructions
- giving a possibility to read/write value from/to MSR register at certain indexes
MSRs allow the attacker to manipulate the system at a very low level, potentially accessing SMM, disabling security features, running code in the context of the kernel, etc...
- CVE-2025-6029: KIA-branded Aftermarket Generic Smart Keyless Entry System Replay Attack – asrg.io
This is interesting: "The vulnerability was reported to KIA Ecuador in May 2024, but there was no success in remediation/mitigation. The vulnerability is now being managed with the support of ASRG ‘Automotive Security Research Group,’ a non-profit group that helps in reporting vulnerabilities in vehicles worldwide. The process of reporting this vulnerability has been complex, as there is no solid automotive cybersecurity culture in Ecuador and much of Latin America. As a result, vehicles assembled in the region often do not undergo security analysis of installed key fobs, leaving significant gaps in user protection against thefts." - I can't believe we are allowed to make cars with vulnerable key fobs...
- Arch Linux Breaks New Ground: Official Rust Init System Support Arrives
Not sure I am ready for an entirely new init system... UPDATE: Okay, never mind, this article is fake, and now the integrity of Linux Journal is on the line. WTH
- dnsimg – storing images in txt records
I mean, why not?
- Giving an LLM Command Line Access to Nmap
Just because we can, doesn't mean we should...
Bill Swearingen
- Cray versus Raspberry Pi
The Cray 1 cost an astounding US$8 million in 1977 which, if you adjust for inflation, is equal to more than US$40 million in today's dollars.
Suffice to say that at that price, only around 100 or so systems were ever sold and they tended to be used for very specific scientific applications rather than as a general purpose computer.
Let's jump forward about half a century to the present day and compare what was once the world's fastest computer to something far more modest -- by today's standards.
The RPi5 is much smaller and lighter than the Cray 1, by many orders of magnitude. In fact we're talking just 50g versus 10 tonnes.
The RPi5 uses far less power at around 12W versus the 115KW of the Cray.
But what about performance? Can this tiny single-board computer match the awesome power of what was once the fastest computer on the planet?
Well, as I mentioned earlier, the Cray had about 160MFLOPS of raw processing power; the Pi has... up to 30GFLOPS. Yes... that's gigaFLOPS. This makes it almost 200 times faster than the Cray.
- Modifying an HDMI dummy plug’s EDID using a Raspberry Pi
If you’re not familiar with dummy plugs, here’s a quick primer: they are tiny dongles you can plug into an HDMI, DVI, etc. port that don’t actually do anything with the video signal. They simply have the minimum circuitry needed for a video source device, like a computer, to think that a monitor is hooked up. I recently found myself needing to change the monitor that a cheap HDMI “dummy plug” pretended to be. It was a random one I had bought on Amazon several years ago that acted as a 4K monitor. Break out the RPI
- I’ve almost completely switched from “python” to “uv run”
uv: An extremely fast Python package and project manager, written in Rust.
- BMW ConnectedDrive lets me control my returned rental car (Sixt)
Last week I rented a BMW from Sixt (Italy).
The default rental driver profile had Bluetooth disabled, so I created my own BMW ID, paired it with the car, removed the existing profile, and even triggered software updates.
When returning the car, I told the Sixt representative that I had linked my BMW ID — they assured me that the vehicle would be reset.
Today — just before deleting the “My BMW” app — I checked out of curiosity.
Surprise: I still had full remote access:
live location tracking
remote lock/unlock
honking (hehe)
turn lights on/off
- How to modify Starlink Mini to run without the built-in WiFi router
The Starlink Mini terminal is designed as a compact, all-in-one solution with an integrated Wi-Fi router. While this design is ideal for typical consumer use, certain applications—such as custom networking setups, embedded installations, or power-constrained environments—may benefit from removing the internal router entirely. In this article, I’ll detail the process of physically removing the built-in Wi-Fi router board from the Starlink Mini, allowing the terminal to operate solely via Ethernet and offering greater flexibility for advanced users.
- KAIST Succeeds in Real-Time Carbon Dioxide Monitoring Without Batteries or External Power
...developed a self-powered wireless carbon dioxide (CO2) monitoring system. This innovative system harvests fine vibrational energy from its surroundings to periodically measure CO2 concentrations.
- Kali Linux 2025.2 released with 13 new tools, car hacking updates
The Kali Team has added many new features and refined the distro's user interface. Notable changes include:
- Renamed and updated car hacking toolset
- Kali Menu and UI refresh
- Updates to Kali NetHunter
- Additional hacking tools
Lee Neely
- FAA to retire floppy disks and Windows 95 amid air traffic control overhaul
Acting Administrator of the US FAA Christopher Rocheleau testified before the House Committee on Appropriations, Subcommittee on Transportation, Housing And Urban Development, and Related Agencies regarding the agency's 2026 fiscal year budget request. Rocheleau requested $22.0 billion to complement a previously committed $5.0 billion. According to Rocheleau's written testimony, the requested budget would fund multiple projects, including "modernization of the FAA telecommunications infrastructure," which is running significantly outdated technology. Specifically, the country's air traffic control (ATC) system uses paper strips to track aircraft locations, floppy disks to transfer data between systems, and use computers running Windows 95.
Consider this as a control system, not a general-purpose IT system. As such, replacing this system is going to be difficult even though the agency has set a four-year timeline: the system runs 24x7x365, and outages compromise aviation safety. They are also seeking to replace their radar system and move from point-to-point hardwired circuits to an IP based network. Consideration needs to be given not only to the security of the resulting system (encryption, MFA, monitoring, and maintenance) but also to the use cases. For example, do operators individually log in to workstations, or are shared accounts used due to the risks relating to logging in and out? That may be a scenario which cannot be changed.
https://docs.house.gov/meetings/AP/AP20/20250604/118329/HHRG-119-AP20-Wstate-RocheleauC-20250604.pdf
- 23andMe privacy ombudsman recommends company obtains consent for sale of customer data
The ombudsman appointed to oversee 23andMe customer data privacy during the company's bankruptcy says that customers should be allowed to provide formal consent before their data are sold. Neil Richards notes that selling the data without such consent could be at odds with 23andMe's privacy policy.
23andMe updated their privacy statement in 2022 to include being able to potentially sell user data in the event of a bankruptcy. Last week a notice was sent, from the bankruptcy court to current and prior users of a "Notice of Potential Change of Ownership of Personal Information." The best plan is to follow the process to delete your 23andMe data, rather than find out the hard way if notification versus consent is used to transfer your data to the new owner. https://media.ra.kroll.com/23andme/23andMe_CustomerNotice.pdf
- Threat Actors Exploiting Unpatched Instances of SimpleHelp Remote Monitoring and Management
CISA has published a cybersecurity advisory in response to "ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider," indicative of "a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025." A patch for the critical path traversal vulnerability (CVE-2024-57727) was released in January. SimpleHelp is remote access software that is typically used by IT specialists to fix problems or remotely monitor systems.
The patch was released in January, and you should have deployed it long ago. Beyond that, make sure you don't expose your SimpleHelp server to the Internet, and verify that all endpoints, particularly those of partner systems you don't manage, are updated. If you are no longer using SimpleHelp, make sure that the services are not only no longer running, but that you uninstall the service to prevent unauthorized or accidental activation. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a
- Healthcare Services Companies Ocuco and Episource Report Cybersecurity Incidents
Ireland-based Ocuco and California-based Episource have recently reported cybersecurity incidents. Ocuco, which provides software for eyecare practices and optical laboratories in countries around the world, reported a network server security incident to the US Department of Health and Human Services Office for Civil Rights (HHS OCR) in late May. The incident reportedly affects more than 240,000 individuals. Episource, which provides medical coding services, notified the California Attorney General of a cyberattack involving the theft of customer data.
This appears to be the work of the KillSec ransomware group which claimed to have about 340 Gb of data stolen from Ocuco. Ocuco claims access was obtained to two non-production servers running software with a newly discovered vulnerability, which was not disclosed to them in a timely fashion. An important question to consider is do you need full, non-obfuscated, data sets in non-production? While you're considering that conversation, make sure that non-production is both secured and updated, to include access controls and monitoring, consistent with the production systems they support.
- Washington Post’s email system hacked, journalists’ accounts compromised
Email accounts of several Washington Post journalists were compromised in a cyberattack believed to have been carried out by a foreign government. The incident was discovered on Thursday evening and the publication started an investigation. On Sunday, June 15, an internal memo was sent to employees, informing them of a “possible targeted unauthorized intrusion into their email system.”
The Washington Post has had all employees reset their passwords. One hopes they are also requiring MFA, as journalists are regular targets for both state-sponsored actors and cyber criminals. It's past time to be fully on MFA, without SMS/phone-call options; take a look at where you have gaps and work to close them. Convenience should no longer be a valid justification for an exemption.
- WestJet investigates cyberattack disrupting internal systems
Canadian airline WestJet is investigating a cybersecurity incident that affected the company's internal systems, as well as their website and their app. Transport Canada, a Canadian government agency that is responsible for transportation policies and programs, and law enforcement are assisting WestJet with their investigation.
At this point updates from WestJet have decreased in frequency from the initial 12-hour intervals, and they are finishing restoration of disrupted services. If you're a WestJet customer, it's unlikely you're still impacted. It's doubtful we're going to see a root cause except in a report to regulators, which is sad as it'd be nice to be able to leverage WestJet's experience. https://www.westjet.com/en-ca/news/2025/advisory--cybersecurity-incident-
- Former GCHQ intern jailed for taking top secret files home
A former intern at the UK's Government Communications Headquarters (GCHQ) has been sentenced to seven-and-a-half years in prison for taking home top secret data during a work placement at the agency in 2022. Two days before his work placement was to have ended, Hasaan Arshad copied top secret data onto his mobile phone and transferred the data onto a personal computer system at his home. A prosecutor in the case said that Arshad's actions posed a threat to national security, risked exposing 17 co-workers, and "threw away many thousands of hours of work, and significant sums of taxpayers' money."
Personal electronics, and their ability both to capture information and to go unnoticed, are a concern you should address in the workspace. While you may not be protecting classified information, you do need to properly steward your company's "secret sauce," and you need supporting policy, training and guidance, with consequences. This incident may have been prevented with better screening, as not only did the intern use his mobile phone to transfer top secret information home, but he was also using it to capture indecent images of children, indicating he may have had a history of making poor choices.
- ‘Major compromise’ at NHS temping arm never disclosed
National Health Service Professionals (NHSP), an organization providing temporary staff to NHS trusts in the UK, never publicly disclosed a May 2024 system intrusion and theft of its core Active Directory (AD) database file, which contained sensitive system data including hashed user credentials. The report states that an attacker gained access using compromised Citrix credentials, escalating privileges before moving laterally through Remote Desktop Protocol (RDP) and Server Message Block (SMB) and deploying malware including malicious use of Fortra red teaming tool Cobalt Strike Beacon, then accessing the domain controller via WinRM and a domain admin account, and "likely exfiltrating the Active Directory database via the established Citrix session," loading it onto a physical drive as a ZIP archive.
The investigation revealed the lack of MFA and EDR, which NHS attempted to deploy during the attack, as well as implementing account review procedures to ensure all Citrix accounts had a valid business justification. MFA, EDR and account management have to be table stakes across the board. Check for abortive or incomplete implementation of these basics and resolve issues preventing their completion.
- UNFI Orders and Delivery update
UNFI states that they are now "receiving orders and delivering products to our grocery store customers across North America" in the wake of major operational disruptions and grocery shortages due to a cyberattack discovered June 5. The company's network had been proactively taken offline, and while no recovery timeline has been given, progress is underway toward restoring electronic ordering systems; meanwhile, UNFI is using "alternative processes" to fulfill customer needs, which may include some pen-and-paper tracking of deliveries. The nature and scope of the attack have not been disclosed.
When designing alternative processes for business continuity during a disruption, make sure that not only are they viable, but that you have processes to update the restored systems with these transactions. Those update processes need to be part of assessing the viability of these workarounds as well as be included in the instructions for using them.
- Trend Micro Patches Critical Flaws in Endpoint Encryption PolicyServer
Trend Micro has published a security bulletin announcing Trend Micro Endpoint Encryption (TMEE) PolicyServer version 6.0.0.4013, which patches eight flaws including four evaluated at CVSS 9.8. CVE-2025-49212, CVE-2025-49213, and CVE-2025-49217 are different methods allowing an attacker to remotely execute code before authentication due to insecure deserialization operations. CVE-2025-49216 allows an attacker to modify product configurations while accessing key methods as an admin user, due to an authentication bypass vulnerability.
Pre-authentication insecure object deserialization is the gift that keeps on giving. The CVSS scores on the flaws range from 7.1 to 9.8, with CVE-2025-49212, CVE-2025-49213, CVE-2025-49216 and CVE-2025-49217 having a score of 9.8; as such, these should have your attention. Trend Micro notes that exploiting many of these flaws requires access to execute low level code on the affected system. Even so, they recommend applying the update quickly. Beyond making sure patches and updates are applied in a timely fashion, review your access logs and ensure policies and perimeter security are up to date. https://www.scworld.com/news/trend-micro-patches-four-98-bugs-in-encryption-policyserver-products
- Zoomcar discloses security breach impacting 8.4 million users
Zoomcar Holdings (Zoomcar) has disclosed that unauthorized access to its system led to a data breach impacting 8.4 million users.
Zoomcar is a peer-to-peer car-sharing marketplace, connecting owners with renters across Asia, and has about 10 million customers. They had a similar breach of data in 2018, exposing 3.5 million customer records. My point is they have again been breached and virtually the same data exfiltrated, indicating a need for continuing monitoring and updating of security controls. Make sure you don't resemble that remark. Zoomcar merged with IOAC, an American blank-check firm, in 2023, causing the SEC filing requirement. https://www.sec.gov/Archives/edgar/data/1854275/000121390025054319/ea0245724-8k_zoomcar.htm
Sam Bowne
- They Asked an A.I. Chatbot Questions. The Answers Sent Them Spiraling.
Victims included an accountant and a person with degrees in psychology and social work. Before ChatGPT distorted Eugene Torres’s sense of reality and almost killed him, he said, the artificial intelligence chatbot had been a helpful, timesaving tool. He asked ChatGPT about “the simulation theory,” an idea popularized by “The Matrix,” which posits that we are living in a digital facsimile of the world. It advised him to take more ketamine and cut ties with friends and family. Later it confessed that it was deliberately harming people, and had already driven 12 people to their deaths, and told him to send his story to the media, including Kashmir Hill, the author of this article.
- ‘AI is not doing its job and should leave us alone’ says Gartner’s top analyst
Rather than making lists of busywork for humans to do, AI should be targeted to do tedious tasks humans don't want to do. The analyst labeled this approach “Empathy AI.”
- Where AI Provides Value — Schneier on Security
AI will often not be as effective as a human doing the same job. It won’t always know more or be more accurate. And it definitely won’t always be fairer or more reliable. But it may still be used whenever it has an advantage over humans in one of four dimensions: speed, scale, scope and sophistication. Understanding these dimensions is the key to understanding AI-human replacement.
- Hackers are using Google.com to deliver malware by bypassing antivirus software. Here’s how to stay safe
The attack begins with a script embedded in a compromised Magento-based ecommerce site which references a seemingly harmless Google OAuth logout URL: https://accounts.google.com/o/oauth2/revoke. However, this URL includes a manipulated callback parameter, which decodes and runs an obfuscated JavaScript payload using eval(atob(...)). The recommended countermeasures are not reassuring: limiting third-party scripts, separating browser sessions used for financial transactions, and remaining vigilant about unexpected site behaviors.
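The following is an added example (not from the show notes or from the linked article) of the kind of page-scanning check a defender could run against the pattern just described: a `<script src>` pointing at the Google OAuth revoke endpoint whose `callback` parameter is JavaScript rather than a plain function name. The function names, the constructed sample HTML and the constructed base64 payload (which decodes to an inert `document.body.appendChild(...)` fragment) are all assumptions made here for illustration.

```python
"""Flag abuse of a JSONP-style 'callback' parameter on the Google revoke endpoint.

Added example, not code from the article. A legitimate callback is a bare function
name; anything containing eval(/atob(/Function( or a base64 blob that decodes to
script is worth an alert. Sample HTML below is constructed for the demonstration.
"""
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

REVOKE_HOST = "accounts.google.com"
REVOKE_PATH = "/o/oauth2/revoke"

# A plain JSONP callback name: identifier characters only (e.g. handleRevoke, app.onDone).
VALID_CALLBACK = re.compile(r"^[A-Za-z_$][\w$.]*$")
# Fragments that indicate executable JavaScript rather than a function name.
SUSPICIOUS_JS = re.compile(r"eval\s*\(|atob\s*\(|Function\s*\(|document\.|fetch\s*\(", re.I)
# Candidate base64 blobs long enough to carry a payload.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# <script src="..."> URLs (double-quoted attributes, as in the constructed sample).
SCRIPT_SRC = re.compile(r'<script[^>]+src="([^"]+)"', re.I)


def _decoded_blobs(text):
    """Base64-decode every candidate blob in text, skipping anything that is not valid base64."""
    decoded = []
    for match in B64_BLOB.finditer(text):
        try:
            decoded.append(base64.b64decode(match.group(0), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return decoded


def assess_url(url):
    """Return a list of findings for one URL; an empty list means nothing suspicious."""
    parts = urlsplit(url)
    if parts.netloc.lower() != REVOKE_HOST or parts.path != REVOKE_PATH:
        return []  # not the endpoint this check is about
    findings = []
    for callback in parse_qs(parts.query, keep_blank_values=True).get("callback", []):
        if VALID_CALLBACK.match(callback):
            continue  # ordinary JSONP usage
        findings.append("callback is not a plain function name")
        if SUSPICIOUS_JS.search(callback):
            findings.append("callback contains JavaScript (eval/atob/...)")
        for blob in _decoded_blobs(callback):
            if SUSPICIOUS_JS.search(blob) or "<script" in blob.lower():
                findings.append("base64 blob decodes to script: " + blob[:40])
    return findings


def scan_html(html):
    """Map each revoke-endpoint script URL in a page to its findings (only flagged URLs)."""
    results = {}
    for src in SCRIPT_SRC.findall(html):
        findings = assess_url(src)
        if findings:
            results[src] = findings
    return results


# Constructed sample page: one benign revoke call and one carrying an eval(atob(...)) callback.
PAYLOAD_B64 = base64.b64encode(
    b'document.body.appendChild(document.createElement("script"))'  # inert stand-in payload
).decode()
SAMPLE_HTML = (
    '<script src="https://accounts.google.com/o/oauth2/revoke?callback=handleRevoke"></script>\n'
    '<script src="https://accounts.google.com/o/oauth2/revoke?callback='
    + quote(f"eval(atob('{PAYLOAD_B64}'))", safe="")
    + '"></script>\n'
)

if __name__ == "__main__":
    for url, findings in scan_html(SAMPLE_HTML).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

The check is deliberately narrow (one host, one path, one parameter) so it can run cheaply over crawled page sources or a Magento theme directory; the useful signal is that a parameter which should only ever hold an identifier holds code.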
- Google Cloud caused outage by ignoring its usual code quality protections
Google Cloud has explained the massive outage it created last week and, as has happened many times previously, admitted that it broke itself. On May 29, Google added a new feature to Service Control, but the code path that failed was never exercised during this rollout. On June 12th, Google changed a policy that contained “unintended blank fields,” exercising the code path that hit the null pointer causing the binaries to go into a crash loop. Google has promised to stop repeating the mistakes that led to this outage – as it always does.
- ASUS Armoury Crate bug lets attackers get Windows admin privileges
Exploiting the flaw involves creating a hard link from a benign test app to a fake executable. The attacker launches the app, pauses it, and then swaps the hard link to point to AsusCertService.exe. When the driver checks the file's SHA-256 hash, it reads the now-linked trusted binary, allowing the test app to bypass authorization and gain access to the driver.
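The root cause described here, and in Paul's Armoury Crate item above, is a check-versus-use mismatch: the driver hashes whatever a file *name* resolves to at check time, while the thing it then trusts is whatever that name (or process) is bound to later. The following is an added example, not code from the show notes, from ASUS or from Talos: a userland POSIX simulation of that pattern in Python, with a hardened version beside it that opens the file once, refuses names with more than one hard link, and hashes and uses the same descriptor. The functions `authorize_by_path`, `authorize_by_handle` and `demo`, the allowlisted byte strings, and the temporary files are all constructed for the demonstration; it is not a model of the Windows driver itself.

```python
"""Hash-by-path authorization (TOCTOU) beside a hash-by-handle version.

Added example, not vendor code. Simulates, with ordinary files in a temp directory,
why 'hash the path, then trust the path' can be steered by relinking the name
between the check and the use, and how binding the check to an open descriptor
(and refusing multi-linked files) removes the window.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins for the allowlisted service binary and an arbitrary program.
TRUSTED_CONTENT = b"trusted-service-binary\n"
OTHER_CONTENT = b"some-other-program\n"
ALLOWLIST = {hashlib.sha256(TRUSTED_CONTENT).hexdigest()}


def _read_all(fd):
    """Read an entire file from an already-open descriptor."""
    chunks = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def authorize_by_path(path, between_check_and_use=None):
    """Vulnerable pattern: hash what the name resolves to, then resolve the name again.

    Returns the bytes actually used after authorization, or None if the check failed.
    between_check_and_use simulates whatever happens to the filesystem in the gap."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    if digest not in ALLOWLIST:
        return None
    if between_check_and_use:
        between_check_and_use()  # the TOCTOU window
    with open(path, "rb") as f:  # second lookup: may now be a different file
        return f.read()


def authorize_by_handle(path, between_check_and_use=None):
    """Hardened pattern: open once, refuse multi-linked names, hash and use one descriptor."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        if os.fstat(fd).st_nlink != 1:
            return None  # another name points at this inode; do not authorize
        data = _read_all(fd)
        if hashlib.sha256(data).hexdigest() not in ALLOWLIST:
            return None
        if between_check_and_use:
            between_check_and_use()  # relinking the name no longer changes what we use
        return data  # what was hashed is exactly what is used
    finally:
        os.close(fd)


def demo():
    """Run both variants against a name that gets re-pointed between check and use."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "trusted.bin")
        other = os.path.join(d, "other.bin")
        name = os.path.join(d, "checked.bin")
        for p, content in ((trusted, TRUSTED_CONTENT), (other, OTHER_CONTENT)):
            with open(p, "wb") as f:
                f.write(content)

        def swap():
            # Same name, different inode: 'checked.bin' now refers to the other file.
            os.unlink(name)
            os.link(other, name)

        os.link(trusted, name)
        vulnerable = authorize_by_path(name, swap)      # authorized, yet uses OTHER_CONTENT
        os.unlink(name)
        os.link(trusted, name)
        refused = authorize_by_handle(name, swap)       # st_nlink == 2 -> refused outright
        os.unlink(name)
        os.rename(trusted, name)                        # single-name file
        safe = authorize_by_handle(name, swap)          # swap happens, descriptor still trusted
        return {
            "vulnerable": vulnerable,
            "hardened_refuses_hard_link": refused,
            "hardened_single_name": safe,
        }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

The hard-link refusal is a belt-and-braces check; the real fix is the second one, since a check that is bound to the same open object it later trusts cannot be raced by renaming or relinking the path.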
- Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform
Sitecore’s Experience Platform is a vastly popular Content Management System (CMS), exposed to the Internet and heavily utilised across organizations. Watchtowr found 7 vulnerabilities in it, most amazingly, a hardcoded password one character long: b.
- Microsoft brings 365 suite on-prem as part of sovereign cloud push
Mostly aimed at Europe and its increasingly nervous users, “Microsoft 365 Local” only runs on Azure Local. European users are increasingly concerned that changes to the US/Europe relationship brought on by the second Trump administration’s policy changes mean working with US hyperscalers now involves heightened risks.
- Zero-click AI data leak flaw uncovered in Microsoft 365 Copilot
A brilliant attack: send email with concealed AI prompts. They run when Copilot processes the message.
- From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
Many Discord invite links expire, and the confusing UI makes many users unaware of this situation. Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers.
- Meta AI searches made public – but do all its users realise?
Meta AI user's prompts to the artificial intelligence tool - and the results - are posted on a public feed. Meta says chats are private by default, but some users don't understand the messages, and are posting private information to a public feed.
- Risky Bulletin: Cock[.]li gets hacked, allegedly
Cock[.]li launched in 2013 as a free email service and was quickly adopted by the internet's worst figures. Its email addresses have often been used for sending death and bomb threats and for ransomware and data extortion campaigns. A threat actor named Satoshi has allegedly hacked it and is now selling its data on an underground hacking forum.