Protecting G-Suite/MS365 and Security News – Abhishek Agrawal – PSW #884
We chat with Material Security about protecting G Suite and MS365. How else are you monitoring the most commonly used cloud environments and applications?
In the security news:
- Google Sues Badbox operators
- Authenticated or Unauthenticated, big difference and my struggle to get LLMs to create exploits for me
- Ring cameras that were not hacked
- Malicious AURs
- Killing solar farms
- Weak passwords are all it takes
- Microsoft's UEFI keys are expiring
- Kali Linux and Raspberry PI Wifi updates
- Use lots of electricity, get a visit from law enforcement
- Sharepoint, vulnerabilities, nuclear weapons, and why you should use the cloud
- The time to next exploit is short
- Sonicwall devices are getting exploited
- How not to vibe code
- SMS blasters
This segment is sponsored by Material Security. Visit https://securityweekly.com/materialsecurity to see purpose-built Google Workspace and Office 365 security in action!
Abhishek is the CEO of Material Security, which he co-founded in 2017. Before Material, he was an early product leader at Dropbox, where he shipped collaboration products as well as core infrastructure and analytics that helped Dropbox scale. Previously, he was an engineer at a Microsoft R&D lab focused on prototyping improvements to the Office suite. He holds an MBA from Harvard Business School and a BSE in Electrical Engineering from Princeton University.
Paul Asadoorian
- Huawei’s chipmaker gets tossed into the ‘NextGen TV’ fracas
- Google Sues BadBox 2.0 Botnet Operators Behind 10 Million+ Infected Devices
Google has filed a lawsuit against the operators of BadBox 2.0, the largest known botnet affecting over 10 million uncertified Android devices (like smart TVs), which lack Google's security protections. Google discovered unusual ad traffic patterns through machine learning and responded by updating Google Play Protect to block BadBox-related malware. The lawsuit, filed in New York, cites computer fraud, RICO violations, and IP infringement, aiming to seize the syndicate’s resources and disrupt their operations. The FBI has also issued a public alert about BadBox’s methods. This case underscores the importance of better supply chain security and international cooperation as uncertified IoT devices continue to proliferate globally.
- According to this article there are 25 defendants from China: https://thehackernews.com/2025/07/google-sues-25-chinese-entities-over.html
- According to this article Google cannot sinkhole the domains without court approval: https://www.theregister.com/2025/07/17/googlesues25unnamedchinese/
- From Perplexity, I believe this is accurate: "However, given that the defendants are in China and their identities remain unknown, successful prosecution or extradition is unlikely"
Hopefully, the courts grant Google the right to take down the botnet, at least that may slow them down. I also find it interesting that the group running the operation is based in China, which makes me think it may not just be an operation for profit, but spying as well.
- Ubiquiti UniFi Vulnerability Lets Hackers Inject Malicious Commands
Looks to me like an authenticated command injection vulnerability (which is weird for a CVSS 9.8, which also lists the CVSS as unauthenticated!), details are here: https://sec-consult.com/vulnerability-lab/advisory/ubiquiti-networks-unifi-cloud-key-authenticated-command-injection/ - very easy to exploit after reading the code and the GET request that was published.
- I tried to create an exploit, but it told me it required credentials
- Side note: LLM guardrails are super annoying when creating exploits, like "sorry Dave, I can't do that", but then I just had Gemini create some Python code and added my own adjusted values in the host header for exploitation
- “Ring cameras hacked”? Amazon says no, users not so sure
Turns out this is a bug and not a vulnerability. However, make sure you have MFA enabled on your IoT devices and associated accounts as attackers will go after this.
- Arch Linux pulls AUR packages that installed Chaos RAT malware
I am so glad the team caught this early. This is a scary situation that keeps me up at night. AUR, and similar package repos, are all vulnerable to this type of attack. It's up to the community and maintainers to monitor closely for this behavior. You can check your Arch-based Linux systems using this command:
- pacman -Q | grep -E "(librewolf-fix-bin|firefox-patch-bin|zen-browser-patched-bin)"
- The Internet Red Button: a 2016 Bug Still Lets Anyone Kill Solar Farms in 3 Clicks
This sounds bad: "A decade-old flaw (CVE-2016–2296) in Meteocontrol WEB’log controllers still lets anyone on the Internet pull a hidden configuration page, steal the admin password, and remotely rewrite power-plant settings. Because many operators have wired these controllers straight onto public networks, the vulnerability effectively places a “red button” over the internet: three clicks by a hobbyist can halt turbines, over-drive inverters, or black out an entire region. Spain’s 28 April 2025 outage proved the economic stakes — ≈ €1.6 billion lost nationwide and > $18 million per idle factory shift. Hundreds of unpatched solar and wind sites remain live today, so every board that leaves this gap open now faces direct liability for multi-million-euro production losses, cascading retail shocks, higher financing costs, and, where essential services are cut, potential wrongful-death exposure."
- Weak password allowed hackers to sink a 158-year-old company
"In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems." - Akira was the group. It still strikes me that one credential is all it takes. We've said it before: make sure MFA is enabled on all of your accounts. Not just some, not just most, but ALL. Audit this continuously. We essentially need to make it difficult to log in, yet user-friendly, which presents a challenge.
- Microsoft’s Secure Boot UEFI bootloader signing key expires in September, posing problems for Linux users
- Not a bad description: "It's up to manufacturers to make sure "the signature database (db), revoked signatures database (dbx), and Key Enrollment Key database (KEK)" are "stored on the firmware nonvolatile RAM (NV-RAM) at manufacturing time." The manufacturer then "locks the firmware from editing, except for updates that are signed with the correct key or updates by a physically present user who is using firmware menus, then generates a platform key (PK) [...] used to sign updates to the KEK or to turn off Secure Boot."
- Not entirely true: "Most devices ship with Microsoft's OS pre-installed, however, which means installing something else first requires someone to disable Secure Boot." - Most devices ship with Microsoft's 3rd party CA certificate in the KEK, and Shim is signed with this key, allowing Linux distros to use Secure Boot. On Ubuntu, for example, this works pretty great. Arch-based distros, not so much as they basically refuse to play ball, leaving it to you as the owner/user to configure Secure Boot manually using MOK key and other messy things.
- There is a replacement key (that also works with Shim) that has to be installed on the system. This may come in the form of a UEFI update, or you are left updating it on your own, which is a somewhat terrible process.
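A check a Linux-on-Secure-Boot owner can run to see which UEFI CAs the firmware currently trusts and which of them expire soon. This is an added example, not from the show or from any project mentioned; it assumes mokutil is installed on the host, and the sample text, its dates and the 2023 CA name are constructed placeholders laid out the way mokutil prints certificates.

```python
"""Parse `mokutil --db` / `mokutil --kek` output and flag trusted UEFI CAs that expire soon."""
import re
import subprocess
from datetime import datetime, timedelta, timezone
# mokutil prints each database entry as an openssl-style text dump under a "[key N]" header.
_SUBJECT_RE = re.compile(r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)", re.M)
_NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.M)

def parse_mokutil(text):
    """Return [(common_name, not_after)] for every X.509 entry; bare hash entries are skipped."""
    certs = []
    for block in re.split(r"^\[key \d+\]\s*$", text, flags=re.M):
        subj, exp = _SUBJECT_RE.search(block), _NOT_AFTER_RE.search(block)
        if not subj or not exp:
            continue
        not_after = datetime.strptime(exp.group(1), "%b %d %H:%M:%S %Y %Z")
        certs.append((subj.group(1).strip(), not_after.replace(tzinfo=timezone.utc)))
    return certs

def trusted_uefi_cas(certs):
    """CNs that look like UEFI signing CAs: these decide whether shim (and so Linux) boots."""
    return [cn for cn, _ in certs if "UEFI CA" in cn]

def expiring(certs, as_of, within_days=365):
    """CNs whose 'Not After' falls within `within_days` of the ISO date `as_of` (e.g. "2025-07-25")."""
    horizon = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc) + timedelta(days=within_days)
    return [cn for cn, not_after in certs if not_after <= horizon]

# Constructed sample in mokutil's layout; the 2023 entry name and all dates are placeholders.
SAMPLE = """\
[key 1]
        Validity
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 2]
        Validity
            Not After : Jun 13 19:08:29 2038 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
"""

def main():
    """Run against the live firmware databases (needs mokutil installed on the host)."""
    today = datetime.now(timezone.utc).date().isoformat()
    for db in ("--db", "--kek"):
        out = subprocess.run(["mokutil", db], capture_output=True, text=True, check=False).stdout
        certs = parse_mokutil(out)
        print(db, "UEFI CAs:", trusted_uefi_cas(certs), "expiring within a year:", expiring(certs, today))

if __name__ == "__main__":
    main()
```

If only a single "UEFI CA" entry shows up and it is on the expiring list, the firmware still has no successor CA installed and needs the vendor's UEFI update or a manual db update before that date.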
- Kali Linux Introduces Two New Tools for Raspberry Pi to Boost Wi-Fi Performance
This is really cool because on my Hackberry PI I have an external antenna connector and have seen mods that attach one, which means I don't need an external dongle to do hacking stuff. Nice! Very nice!
- A power utility is reporting suspected pot growers to cops. EFF says that’s illegal.
This is crazy! We always said that power consumption profiling could raise the interest of law enforcement. In CA, this has been the case, with many raids (without a warrant?). I would think they need a warrant to enter the home, and also one to pull the data and then act upon it. Also, marijuana has been legal in CA for some time, calling into question the theory that if you legalize something, it should cut down on the illegal activities, and maybe it has. Turns out it's similar to RI, you can grow 6 plants per household, if you do a little math, on average (depending on many factors such as indoor vs. outdoor, soil vs. hydro), you're looking at around 3-4 lbs per year that you can harvest legally. That's A LOT of weed. According to AI, it's TENS of THOUSANDS of 5mg edibles per year. Wow, that was a rabbit hole, only to prove a point that if you are growing more than 6 plants, you are likely looking to sell it to make a profit.
- ToolShell Zero-day: Microsoft Rushes Emergency Patch for Actively Exploited SharePoint Vulnerabilities
If there was ever a reason NOT to host your own Sharepoint server, this is it...
- Time to next exploit
Findings from the report:
- A vulnerability that went on to be exploited was published every 2 days, a 23% higher rate than in 2024.
- A zero-day vulnerability that was then found to be exploited was published every 3 days, a 46% higher rate than in 2024. This is double the growth rate of exploited vulnerabilities as a whole, suggesting either increasing targeting of zero-days by actors, or a failure to identify vulnerabilities by developers.
- A security service vulnerability was published every 10 days, a 34% rate of increase – This means that in 2025 security service vulnerabilities are being discovered at a 50% faster rate than average.
- A security service zero-day that was then found to be exploited was published every 15 days. While this is a 15% increase on 2024, that means the growth rate was lower than for zero-days as a whole, or even for all vulnerabilities. This suggests that security improvements in security service development may well be having an effect.
And just to clarify:
- There were 3.4 security service-related CVEs (Anti-virus, VPN gateway, Firewall, etc.) published per month and added to the KEV in 2025, which is a 32% increase on 2024.
Jeff Man
- Dell Breached by Extortion Group, Says Data Stolen Was ‘Fake’
Sounds bad....really wasn't.
- SonicWall Secure Mobile Access Attack
This ongoing campaign was identified by the Google Threat Intelligence Group (GTIG) and has been attributed, with moderate confidence, to a suspected financially motivated threat actor tracked as UNC6148.
- Microsoft server hack hit about 100 organizations, researchers say
If you don't like reading, there's a video!
- U.S. nuclear weapons department compromised in SharePoint attack
Grumpy curmudgeons like me might ask why the DOE uses SharePoint in the first place???
- 5 Real-Life Examples of Data Breaches Caused by Insider Threats
Well thought out and organized and wrong.... But they at least coin a phrase for the not-an-insider-threat. Negligence. I don't think negligence is the right word for falling for a phish, but at least this article might be a conversation starter.
- 6 Warning Signs of a Data Breach in Progress
Every security professional's worst nightmare: Being informed by law enforcement or another third-party entity that you have suffered a data breach. Here, I thought it was having to push a patch on critical systems over the weekend.
- Cyberattacks & Data Breaches
Hackers and cybercrime groups are part of a virtual feeding frenzy, after Microsoft's recent disclosure of new vulnerabilities in on-premises editions of SharePoint Server. Virtual feeding frenzy - also a candidate for a security professional's worst nightmare?
- What to know about supposed Ring doorbell security breach in May 2025
This one's for Paul. 1. Is Snopes even a legitimate news source? b. It's not a breach at all, it's a bug.
Sam Bowne
- Vibe Coding Day 8
This guy uses an AI tool for coding, but after 8 days of struggling, he can't stop it from writing bad code, lying about test results, and finally deleting the whole production database against explicit orders. This whole thing comes from misunderstanding how LLMs work. They don't understand anything in the questions or the answers; they just create a response that is statistically the expected response. Tell them to do a job, they create a normal-looking report claiming success. Tell them to do tests, they provide the expected test results. Tell them they did it wrong, they create a typical apology letter. Then they make the same error again, because they never understood anything that went on. Words are just reduced to vectors, and the next likely words are calculated from that, all without any understanding.
- A Prominent OpenAI Investor Appears to Be Suffering a ChatGPT-Related Mental Health Crisis, His Peers Say
Geoff Lewis — managing partner of the multi-billion dollar investment firm Bedrock, posted a disturbing video on X. "Over the past eight years, I've walked through something I didn't create, but became the primary target of: a non-governmental system, not visible, but operational. Not official, but structurally real. It doesn't regulate, it doesn't attack, it doesn't ban. It just inverts signal until the person carrying it looks unstable." Most alarmingly, Lewis seems to suggest later in the video that the "non-governmental system" has been responsible for mayhem including numerous deaths. "This is an important event: the first time AI-induced psychosis has affected a well-respected and high achieving individual," wrote Max Spero, an AI entrepreneur, on X.
- Claude Jailbroken to Mint Unlimited Stripe Coupons
These researchers set up Stripe MCP in Claude Desktop, a system to manage payments and coupons. The attack sends an iMessage that appears to be a multi-message conversation to Claude, which accepts from this context that a transaction has already been approved. Claude then issued a $50,000 coupon without requiring any additional verification.
- Microsoft Stops Using China-Based Engineers for DOD Computer Systems, Company Says
This is a response to the ProPublica expose we discussed last week.
- Risky Bulletin: SMS blasting incidents are rising
SMS blasters are devices that mimic a mobile base station to trick nearby phones into connecting to them. They are a variation of IMSI catchers (stingrays), but instead of intercepting mobile traffic to snoop on a target and track their location, SMS blasters are designed to automatically send SMS messages to all users trapped in the fake base station's coverage. Criminals use them for smishing. When it comes to protecting against SMS blasters, the easiest way is to disable 2G on your phone. SMS blasters exploit the lack of proper authentication systems in the 2G protocol to work. The best protection against SMS blasters is in Android, which, since v12, has had a dedicated setting to let users disable 2G traffic. On iOS, it's a little bit complicated. There's no separate option to disable 2G, but putting your iPhone in Lockdown Mode also disables 2G, although Lockdown Mode also disables a lot of other features users might want to keep enabled.
- Lawsuit says Clorox hackers got passwords simply by asking
"if all they had to do was call and ask straight out, that’s not social engineering and it is negligence/non-fulfillment of duty." The 2023 hack at Clorox caused $380 million in damages.
- Microsoft SharePoint zero-day exploited in RCE attacks (Patch out now)
This has been patched, see Paul's story #2.
A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, has been actively exploited since at least July 18th, with no patch available and at least 85 servers already compromised worldwide. To mitigate the flaw, Microsoft recommends that customers enable AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers. If you cannot enable AMSI, Microsoft says that SharePoint servers should be disconnected from the internet until a security update is released. To detect if a SharePoint server has been compromised, admins can check if the file C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx exists.