Hacking Washing Machines – PSW #885
In the security news:
- Hacking washing machines, good clean fun!
- Hacking cars via Bluetooth
- More Bluetooth hacking with Breaktooth
- Making old vulnerabilities great again: exploiting abandoned hardware
- Clorox and Cognizant point fingers
- AI generated Linux malware
- Attacking Russian airports
- When user verification data leaks
- Turns out you CAN steal cars with a Flipper Zero, so we're told
- The UEFI vulnerabilities - the hits keep coming
- Hijacking Discord invites
- The Raspberry PI laptop
- The new Hack RF One Pro
- Security appliances still fail to be secure
- Person Re-Identification via Wi-Fi
Paul Asadoorian
- Attacking GenAI applications and LLMs – Sometimes all it takes is to ask nicely! – hn security
- Welcome
- Escaping the Confines of Port 445 – SpecterOps
- UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion
- Breaktooth: Breaking Security and Privacy in Bluetooth Power-Saving Mode
- How we Rooted Copilot – Eye Research
- Supply-chain attacks on open source software are getting out of hand
- Linux 6.16 Release – Main changes, Arm, RISC-V, and MIPS architectures – CNX Software
- Millions of cars at risk from Flipper Zero key fob hack, experts warn
I am skeptical, and while I have heard reports that this is real, I have not validated these claims: "But the new hack sidesteps these protections by exploiting the rolling code algorithm to calculate valid key fob commands based on a single intercepted signal. “I can sit in a parking lot and wait for someone to lock their car, and immediately I get all their fob buttons,” Jeremy Yablan, a hacker known online as RocketGod, told Straight Arrow News. “Other attacks are tricks. This one just captures a single keypress and decodes all buttons and rolling codes in an instant. You open your trunk – the bad guy has your entire fob.”" - Right now, I have more questions than answers; however, if this is real, we have a huge problem when it comes to vehicle security.
- A Spike in the Desert: How GreyNoise Uncovered a Global Pattern of VOIP-Based Telnet Attacks
The Internet is full of treasure, including VOIP devices running Linux and TELNET, apparently participating in a Mirai botnet...
- World Leaks Outfit Linked to Dell Test Lab Intrusion
Likely AI generated, but this last point is interesting: "This incident shows the expanding landscape of cyber threats, as attackers increasingly target demonstration and testing environments as potential entry points into larger corporate networks, making robust security architecture vital for organisational protection." - Is this really true or just AI being all "AI", with a focus on artificial?
- A Novel Technique for SQL Injection in PDO’s Prepared Statements – Searchlight Cyber
Even when trying to protect the app with prepared SQL statements, there is still potential for SQL injection. Details in the post, very neat stuff.
- The dream of a Raspberry Pi laptop becomes a reality — ArgonOne Up Review
Amazing hardware: Slap a RPI CM5 in a laptop with an NVME. I do this on my Hackberry PI, and it works awesome. The only downside I have found on the Hackberry PI is that GPIO is generally not available as it is used by the hardware platform. Somehow, not entirely sure yet, ArgonOne has a breakout to allow you to access GPIO: "We need a GPIO attachment, which connects to two USB Type C ports on the left hand side. Yes, these two USB Type C ports have a dual function. Normally used as USB 2 Type C ports, they also connect the Compute Module 5 to an external GPIO breakout, which is pin compatible with the Raspberry Pi 5 and most of the previous Raspberry Pi." - This is pretty amazing!
- Hijacking Discord invite links to install malware
Neat attack, here is a summary, but better details are in the post:
- Hijacking Codes: When a Discord server’s temporary or permanent invite link expires or is deleted, its code cannot be reused—except that if someone creates a custom (vanity) link with that code (and has a “Level 3” server), it becomes active again, but for a completely different server.
- Redirecting from Trusted Sources: Attackers monitor legitimate invite codes as they expire, then “re-register” those codes as custom vanity URLs on their own malicious servers. As a result, old invite links spread on trusted forums, blogs, or social media now point to scam servers—without the original content creators ever noticing.
ClickFix Infection Method:
- Victims clicking these links arrive at a Discord server with restricted access and are prompted (via a bot) to click “Verify.”
- This process sends them to a convincing fake Discord verification webpage.
- The site instructs users to copy and paste a PowerShell command into their Windows Run dialog—essentially tricking them into infecting themselves.
Malware Delivered:
- AsyncRAT: A remote access tool giving full control of the victim’s device.
- Skuld Stealer: Malware that steals Discord credentials, browser tokens, and the seeds/passwords of popular crypto wallets, sending them to the attacker via Discord webhooks.
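The defensive side of the invite-hijacking mechanism summarized above, as an added example that is not code from the original post: re-published invite codes resolve to a different guild id, and expired codes are the ones someone else can re-register, so both conditions are flagged. The resolver is stubbed with constructed responses shaped like the public `GET /api/v10/invites/{code}` reply; guild ids, names and codes are made up.

```python
"""Check whether saved Discord invite links still resolve to the server they
were published for.  Added example; the API responses below are constructed."""
import re
from typing import Callable, Optional

# Accepts discord.gg/CODE, discord.com/invite/CODE and discordapp.com/invite/CODE
INVITE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?"
    r"(?:discord\.gg|(?:discord|discordapp)\.com/invite)/([A-Za-z0-9-]+)"
)

def extract_invite_codes(text: str) -> list[str]:
    """Pull invite codes out of free text (forum post, blog, README)."""
    return INVITE_RE.findall(text)

# Constructed sample responses standing in for the Discord API.  None means the
# code no longer resolves (expired/deleted); otherwise a minimal invite object.
SAMPLE_API = {
    "abc123":  {"code": "abc123",  "guild": {"id": "111", "name": "Real Project"}},
    "helpers": {"code": "helpers", "guild": {"id": "999", "name": "Real Project Support"}},
    "gone404": None,
}

def stub_resolver(code: str) -> Optional[dict]:
    """Replace with an HTTP GET of /api/v10/invites/{code} for live checks."""
    return SAMPLE_API.get(code)

def audit_invites(text: str, expected_guild_id: str,
                  resolve: Callable[[str], Optional[dict]] = stub_resolver) -> dict:
    """Classify every invite in `text`:
    ok       - resolves to our guild
    hijacked - resolves, but to a different guild (code re-registered as a vanity URL)
    dead     - no longer resolves; remove it from published content before
               someone else claims the code"""
    report = {"ok": [], "hijacked": [], "dead": []}
    for code in extract_invite_codes(text):
        info = resolve(code)
        if info is None:
            report["dead"].append(code)
        elif info["guild"]["id"] != expected_guild_id:
            report["hijacked"].append((code, info["guild"]["name"]))
        else:
            report["ok"].append(code)
    return report

if __name__ == "__main__":
    post = ("Join us at https://discord.gg/abc123 or the old link "
            "discord.com/invite/helpers (archived: discord.gg/gone404)")
    print(audit_invites(post, expected_guild_id="111"))
```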
- How We Gained Full Access to a $100M Zero-Trust Startup
Don't ignore CSRF and CORS vulnerabilities. This is a great example of why! SSH keys were generated for an admin account and sent to a malicious site as part of the test. Oops.
- Pro-Ukrainian hackers take credit for attack that snarls Russian flight travel
Cyberwar is real: "Silent Crow and the other group, named Belarusian Cyberpartisans, said the cyberattack was the result of a yearlong operation that had deeply penetrated Aeroflot's network, destroyed 7,000 servers, and gained control over the personal computers of employees, including senior managers." - Was it activists or an actual plot? We may never know, but it's fun to theorize!
- iSTAR Ultra Door Access Vulnerabilities
We now live in a world where getting this right is important: "Firmware contains software signing key for additional devices. The iSTAR Ultra firmware contains a secret key for signing packages and firmware updates for Tyco NVR products. This key may be retrieved from any device using CVE-2022... etc, allowing an attacker to sign malicious updates for NVR devices. No fix appears planned by the vendor. CVE-2025-53700. This vulnerability is hard to characterize: it really impacts other devices."
- Michael Ossmann Gives A First Look at the HackRF Pro in YouTube Video
Pretty sweet, here are some of the updates:
- Wider operating frequency range (up to 6GHz)
- Improved RF performance with flatter frequency response
- Modern USB Type-C connector
- Built-in TCXO crystal oscillator for superior timing stability
- Logic upgrade from a CPLD to a power-efficient FPGA
- Elimination of the DC spike
- Extended precision mode with 16-bit samples for low sample rates (typical ENOB: 9-11)
- More RAM and flash memory for custom firmware
- Installed shielding around the radio section
- Trigger input and output accessible through clock connectors
- Cutout in the PCB provides space for future add-ons
- Improved power management
- Stack Overflows, Heap Overflows, and Existential Dread (SonicWall SMA100 CVE-2025-40596, CVE-2025-40597 and CVE-2025-40598)
Why are we in a place where commentary such as this is so relevant: "It’s 2025, and at this point, we’re convinced there’s a secret industry-wide pledge: every network appliance must include at least one trivially avoidable HTTP header parsing bug - preferably pre-auth. Bonus points if it involves sscanf."
- Exploiting zero days in abandoned hardware
If you are looking for examples on how to create more reliable exploits for IoT devices, look no further:
- CVEs: CVE-2024-53902, CVE-2024-53903, CVE-2022-27643
- This chain involves three separate vulnerabilities. First, we will need to arbitrarily change the router's password to reach the code path that enables memory corruption (which ended up being an n-day but exploited differently). Then, we'll exploit a known n-day for a BSS overflow. Rather than relying on a known exploitation technique to achieve authentication bypass, we'll instead pivot the vulnerability to a stack-based overflow to enable full remote code execution.
I like how the team improved upon previous research and vulnerabilities to create something even better, or worse, depending on your perspective. We have some serious technical debt to overcome, especially given how many IoT routers are in use worldwide running older, and in many cases, unsupported code.
- WhoFi: Deep Person Re-Identification via Wi-Fi Channel Signal Encoding
Some new research on this topic: "Person Re-Identification is a key and challenging task in video surveillance. While traditional methods rely on visual data, issues like poor lighting, occlusion, and suboptimal angles often hinder performance. To address these challenges, we introduce WhoFi, a novel pipeline that utilizes Wi-Fi signals for person re-identification. Biometric features are extracted from Channel State Information (CSI) and processed through a modular Deep Neural Network (DNN) featuring a Transformer-based encoder. The network is trained using an in-batch negative loss function to learn robust and generalizable biometric signatures. Experiments on the NTU-Fi dataset show that our approach achieves competitive results compared to state-of-the-art methods, confirming its effectiveness in identifying individuals via Wi-Fi signals."
- New Lenovo UEFI firmware updates fix Secure Boot bypass flaws
I'm not picking on vendors, here is my take: We have a pretty serious supply chain security problem when it comes to UEFI. This firmware starts off with the UEFI reference implementation (EDK II), then transitions to AMI/Phoenix/Insyde's of the world, which then transfers to the OEMs (Dell, Lenovo, HP, etc..). The problems are:
- Security vulnerabilities in the reference implementation likely transfer to all parties involved as they re-use a TON of code in UEFI
- The UEFI providers make more specific implementations and improvements
- The OEMs then make more modifications
- We've seen test keys get used in production
- We've seen weird vulnerabilities, such as LogoFAIL, use the image processing as a point of entry
- OEMs may not take all of the upstream fixes
- OEMs introduce, as is the case here, their own vulnerabilities based on modifications
- To make matters worse, fixing these vulnerabilities is hard given the complex supply chain and many platform dependencies
- OEMs, especially in gaming/consumer markets, move fast and don't support firmware for very long
I believe it's only a matter of time before attackers start creating really amazing malware that lives outside the OS. There seem to be new SMM vulnerabilities coming out every month. We're getting better at finding the vulnerabilities, and attackers will come along and get better at weaponizing them.
Jeff Man
- Clorox Sues Cognizant for Alleged IT Help Desk Failures in 2023 Cyber Attack
We used to tell our clients that their security was only as strong as the weakest link. Then outsourcing and "risk transfer" became popular. Then stuff like this happens.
"The company is also accusing Cognizant of being “incompetent” in its containment and incident response measures. Cognizant has replied with a statement calling Clorox “inept” in its cybersecurity and claiming that it was only contracted for specific help desk features that it performed as asked."
#fingerpointing #passthepopcorn
- Luxury Brand Louis Vuitton Suffers a Multi-Country Cyber Attack that Leaked Personal Data
Attack allegedly came from "ShinyHunters". Other companies victimized by ShinyHunters include AT&T, Salesforce, PowerSchool, Ticketmaster, Neiman Marcus, and Advance Auto Parts. The retailer, the leading brand of the French luxury group LVMH, said an unauthorised third party had accessed its UK operation’s systems and obtained information such as names, contact details and purchase history. Good news - probably didn't compromise payment card data!
- Allianz Life suffers third-party CRM breach affecting 1.4m
Allianz Life Insurance Company of North America has confirmed that hackers accessed personal data belonging to most of its 1.4 million customers through a breach of a third-party cloud-based customer relationship management system. The attack occurred on 16 July when threat actors employed social engineering techniques to gain unauthorised access to the CRM platform.
- French submarine secrets surface after cyber attack
"Keep in mind, nothing is truly disconnected from Internet..." So true.
- Palo Alto Networks Announces Agreement to Acquire CyberArk, the Identity Security Leader
Because pursuit of technology automation to solve cybersecurity problems will never end.
Larry Pesce
- Customer guidance for SharePoint vulnerability CVE-2025-53770
- Vibe Coding Goes Wrong As AI Wipes Entire Database
- darkmatter2222/HTIT-Tracker-Heltec-v1.2-GPS-Reciever: Life-saving GPS tracker that works when cell service fails! Navigate back to “home” using ESP32 + GPS with simple cardinal directions. Perfect for hiking, hunting, emergencies. 20+ hour battery, dual screens, beginner-friendly guide.
- Rooting the TP-Link Tapo C200 Rev.5
- PerfektBlue: Critical Bluetooth Flaws Expose Millions of Cars to Remote Hacks
- How I hacked my washing machine – Nex’s Blog
- Introducing OSS Rebuild: Open Source, Rebuilt to Last
- Serious vulnerability in Bluetooth protocol: once a device goes to sleep, its session can be hijacked by attacker.
- Exploiting zero days in abandoned hardware
Sam Bowne
- AI-Generated Linux Miner ‘Koske’ Beats Human Malware
Koske uses layer upon layer of tricks to establish persistence and concealment in a target's system. It installs a rootkit, schedules cron jobs, and alters Linux startup files to ensure it starts upon any system reboot. It was apparently developed with AI, so it has an impressive array of troubleshooting methods to connect to its C2 infrastructure: resetting and changing proxy and domain name system (DNS) settings, erasing firewall rules, etc.
- Koske Malware Hides in Panda Images, Weaponizes AI to Target Linux
Koske uses stealth rootkits to hide its files, processes, and even its own presence from system monitoring tools. It establishes persistence through cron jobs, modifications to .bashrc and .bash_logout, and even creates custom systemd services. Its connectivity module is capable of proxy discovery and failover, giving it resilience in varied network conditions—a hallmark of AI-generated logic. Security researchers have flagged verbose, modular code structures, well-commented logic, and defensive programming patterns as signs that large language models (LLMs) played a role in writing Koske. This points to a disturbing new frontier: the rise of AI-generated malware that can learn, adapt, and hide better than anything seen before.
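A hunting check for the persistence points the two Koske write-ups above name (cron, `.bashrc`/`.bash_logout`, systemd units), as an added example that is not from the articles: snapshot those locations, compare against a known-good baseline, and report anything added or modified. The demo tree and the `PLACEHOLDER` payload names are constructed; no real indicator from the reports is used.

```python
"""Baseline-diff the Linux persistence locations reported for Koske.
Added example; the sample filesystem below is constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path

# Persistence points named in the write-ups, relative to a root so the same
# code runs against a live box ("/"), a mounted image, or a test tree.
PERSISTENCE_GLOBS = [
    "etc/crontab", "etc/cron.d/*", "var/spool/cron/crontabs/*",
    "root/.bashrc", "root/.bash_logout", "home/*/.bashrc", "home/*/.bash_logout",
    "etc/systemd/system/*.service", "etc/systemd/system/*.timer",
]

def snapshot(root: Path) -> dict[str, str]:
    """Map relative path -> sha256 for every existing persistence artifact."""
    out = {}
    for pattern in PERSISTENCE_GLOBS:
        for p in root.glob(pattern):
            if p.is_file():
                out[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def diff_persistence(baseline: dict[str, str], current: dict[str, str]) -> dict:
    """What changed since the baseline: new files (a dropped systemd unit),
    modified files (a line appended to .bashrc) and removed ones."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "removed": sorted(set(baseline) - set(current)),
    }

def build_demo_tree(root: Path, compromised: bool) -> None:
    """Constructed sample tree; the compromised variant mimics the reported
    pattern (appended shell rc line + custom service) with placeholder paths."""
    for d in ("home/alice", "etc/cron.d", "etc/systemd/system"):
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / "home/alice/.bashrc").write_text("export PS1='$ '\n")
    (root / "home/alice/.bash_logout").write_text("clear\n")
    (root / "etc/cron.d/logrotate").write_text("0 3 * * * root /usr/sbin/logrotate\n")
    if compromised:
        with (root / "home/alice/.bashrc").open("a") as f:
            f.write("/tmp/PLACEHOLDER_PAYLOAD &\n")
        (root / "etc/systemd/system/PLACEHOLDER.service").write_text(
            "[Service]\nExecStart=/tmp/PLACEHOLDER_PAYLOAD\n")

def demo_diff() -> dict:
    """Build a clean and a compromised tree and return the diff between them."""
    with tempfile.TemporaryDirectory() as d:
        clean, dirty = Path(d, "clean"), Path(d, "dirty")
        build_demo_tree(clean, False)
        build_demo_tree(dirty, True)
        return diff_persistence(snapshot(clean), snapshot(dirty))

if __name__ == "__main__":
    print(demo_diff())
```

On a real host, take the baseline snapshot from a known-good image and keep it off-box, since a rootkit that hides files from directory listings will also hide them from this walk.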
- How Anthropic teams use Claude Code
While many of their use cases were predictable—debugging, navigating codebases, managing workflows—others surprised us. Lawyers built phone tree systems. Marketers generated hundreds of ad variations in seconds. Data scientists created complex visualizations without knowing JavaScript. The pattern became clear: agentic coding isn't just accelerating traditional development. It's dissolving the boundary between technical and non-technical work, turning anyone who can describe a problem into someone who can build a solution.
- Microsoft: macOS Sploitlight flaw leaks Apple Intelligence data
Apple's Transparency, Consent, and Control (TCC) is a security feature that blocks apps from accessing private user data; it requires users to allow access in System Settings for each app. This Sploitlight attack uses the privileged access of Spotlight plugins to access sensitive files and steal their contents. This includes, but is not limited to, photo and video metadata, precise geolocation data, face and person recognition data, user activity and event context, photo albums and shared libraries, search history and user preferences, as well as deleted photos and videos. Apple has fixed the security flaw in patches released in March for macOS Sequoia 15.4 with "improved data redaction."
- CYBERSTRIKE ON RUSSIAN AEROFLOT!
They destroyed over 7 thousand servers and workstations, causing cancellations of over 100 flights. The network uses Windows XP and 2003, which led to the compromise of their entire infrastructure. Successful penetration is largely due to the fact that some company employees neglect basic password security. So Aeroflot CEO Sergey Aleksandrovsky hasn’t changed his password since 2022.
- Tea app leak worsens with second database exposing user chats
The Tea app is a women-only dating safety platform where members can share reviews about men, with access to the platform only granted after providing a selfie and government ID verification. The Tea app data breach has grown into an even larger leak, with the stolen data now shared on hacking forums and a second database discovered that allegedly contains 1.1 million private messages exchanged between the app's members.
- Brits can get around Discord’s age verification thanks to Death Stranding’s photo mode, bypassing the measure introduced with the UK’s Online Safety Act. We tried it and it works—thanks, Kojima
Death Stranding is a 2019 action-adventure game. The method requires using a phone for the Discord age verification, opening Death Stranding's Photo Mode, and preparing a close up of Sam Porter, played by one Norman Reedus.
- Millions of cars at risk from Flipper Zero key fob hack, experts warn
The new hack exploits the rolling code algorithm to calculate valid key fob commands based on a single intercepted signal. Vehicles vulnerable to the attack include numerous models manufactured by Chrysler, Dodge, Fiat, Ford, Hyundai, Jeep, Kia, Mitsubishi and Subaru, according to an infographic provided with the firmware.
- Preston Thorpe is a software engineer at a San Francisco startup — he’s also serving his 11th year in prison
A new way to save money on salaries: hire people inside prison! A community college professor is also working from prison. What could possibly go wrong?