Devices Are Attacking – PSW #886
- Why you should hate AI
- When firmware attacks
- The 300 second breach
- Old ways still work, AI might help
- And so begins the crawler wars
- Turn off your SonicWall VPN
- Your Pie may be wrapped in PII
- Attackers will find a way
- Signed kernel drivers
- D-Link on the KEV
- Raspberry Pis attack
- Stealthy LoRa
- LLMs don't commit code, people do
- James Bond-style rescue with drones
- SRAM has no chill
- In the full view of the public...
Paul Asadoorian
- GitHub – x41sec/EncroCam: Privacy security camera based on commodity hardware
- GitHub – jeanlucdupont/EXEfromCER: PoC that downloads an executable from a public SSL certificate
- Plague: A Newly Discovered PAM-Based Backdoor for Linux – Nextron Systems
- HTTP Request Smuggling Explained: with seasoned bug bounty hunter NahamSec and world-class researcher James Kettle
- Malicious Packages Across Open-Source Registries: Detection Statistics and Trends (Q2 2025)
- Uncovering memory corruption in NVIDIA Triton (as a new hire)
This is great research, and props to Will for nailing it as his new job. Way to go!
- ReVault! When your SoC turns against you…
"On the Windows side, a non-administrative user can interact with the CV firmware using its associated APIs and trigger an Arbitrary Code Execution on the CV firmware. From this vantage point, it becomes possible to leak key material essential to the security of the device, thus gaining the ability to permanently modify its firmware. This creates the risk of a so-called implant that could stay unnoticed in a laptop’s CV firmware and eventually be used as a pivot back onto the system in the case of a Threat Actor’s post-compromise strategy. The following video shows how a tampered CV firmware can be used to “hack Windows” by leveraging the unsafe deserialization bug mentioned previously." - I'm not sure if this device runs Linux, however, attackers lurking in components instead of the host OS is very scary. Throw all your security tools out the window, they won't help you much in this scenario.
- Rapid Breach: Social Engineering to Remote Access in 300 Seconds
What went wrong and what went right in this scenario? - "The Threat Actor targeted around twenty users, impersonating IT support personnel, and successfully convinced two users to grant remote access to their system using the Windows native QuickAssist remote support tool. In less than five minutes the Threat Actor executed PowerShell commands that led to the download of offensive tooling, malware execution and the creation of persistence mechanisms...The actions described above were completed by the threat actor in a session that lasted two minutes and forty-seven seconds, fortunately this was caught by the internal security team which isolated the hosts, preventing a bigger infection."
- Every Reason Why I Hate AI and You Should Too
I used AI to summarize MalwareTech's article, just to be a punk :) You should actually read the article though, he makes some really great points.
- Job Displacement: AI automates roles traditionally held by humans, leading to unemployment and a diminished sense of purpose for people whose jobs are replaced.
- Lack of Accountability: Decisions made by AI—especially in areas like finance, law, or medicine—can be difficult to audit, and when AI makes mistakes, there often isn’t a clear party to hold responsible.
- Bias and Inequality: AI systems frequently reinforce existing societal biases because they are trained on historical data that may already be skewed or prejudiced.
- Loss of Human Connection: The author expresses concern about human relationships being replaced or diminished by AI-driven interactions, which may be superficial or manipulative.
- Surveillance and Privacy: AI increases the potential for surveillance, data mining, and privacy breaches, highlighting ethical dangers as more aspects of daily life become monitored.
- Overhyped and Underregulated: The article criticizes the tech industry and media for overhyping AI's capabilities while regulators struggle to keep up, creating a gap between promises and reality.
- Security Concerns: AI introduces new vectors for security problems, including deepfakes, automated hacking, and weaponization.
- Erosion of Skills and Critical Thinking: Reliance on AI tools can cause individuals to lose important skills or the motivation to think critically.
- Why the Old Ways Are Still the Best for Most Cybercriminals
While I agree with so much in this article, I do not believe this is the answer: "AI can help by continuously monitoring and flagging vulnerabilities, misconfigurations, and other security gaps — delivering risk scores, playbooks, and orchestrated remediation. It can also help SecOps teams to react fast to new threats, using automated workflows, context-rich detection and AI-driven threat hunting to contain breaches before they spread. Generative AI (GenAI) assistants empower security operation center (SOC) teams to close skills gaps and work more productively. And emerging agentic AI solutions could anticipate and prevent future security challenges." - AI is not the answer. AI can help as a tool, but it is not a solution. Combining proactive defenses, anomaly detection, and effective teamwork and response will yield success. Will AI help with this? Sure, but it still takes many different technologies and processes to deal with attacks effectively.
- Perplexity is using stealth, undeclared crawlers to evade website no-crawl directives
And so begins the crawler wars...
- SonicWall urges admins to disable SSLVPN amid rising attacks
I want to praise SonicWall. To come out and tell your customers to disable a feature is a bold move. Too often, I see companies trying to sweep things under the rug and downplay attacks to protect the bottom line. SonicWall is doing just the opposite. They are trying to help their customers. I appreciate them for this, despite having vulnerabilities that are being exploited.
- Hospital fined after patient data found in street food wrappers
I am all for recycling and re-use. If you look at what runs our studio, it's mostly recycled tech. However, using patient records to wrap food is a bad idea for many reasons!
- Introducing Runtime Memory Protection
While I love this approach: "The system focuses on the universal step required for all cyberattacks: execution of code on an endpoint. Rather than try to predict endless attacker techniques, Prelude detects “out-of-context execution”—situations where code paths not intended by the original application are run. This covers in-memory attacks like code injection, exploitation, and fileless malware." - I believe it will only detect certain classes of attacks. Don't get me wrong, this is important and has the potential to be effective at stopping attacks. However, attackers abuse credentials, use signed drivers, and built-in utilities. I am also predicting that attackers will dwell outside the operating system in UEFI and other built-in and add-on components, making detection extremely difficult. The problem now is that evasion and stealth are not that difficult to achieve inside the OS. As we squeeze the malicious behavior out of the OS, attackers will go elsewhere and live off the land and dwell inside other components. Don't believe me yet? Check out the talks at summer camp this year...
- Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource – Black Hills Information Security, Inc.
I love cheat sheets. These are great. Why? They actually explain WHY you would want to run the tool, not just how. This is important.
- ThrottleStop driver abused to terminate AV processes
So the malware uses a signed kernel driver that allows the attackers to kill running AV processes, in this example Windows Defender. Kaspersky says this: "It is important to note that Kaspersky products, such as Kaspersky Endpoint Security (KES), have built-in self-defense mechanisms that prevent the alteration or termination of memory processes, deletion of application files on the hard drive, and changes in system registry entries. These mechanisms effectively counter the AV killer described in the article." - While I do believe some products are better than others at evading AV killer techniques, none are totally immune. As EDR/AV gets better at not letting processes kill them, attackers will just move to bootkits to get rid of EDR/AV.
- CISA Adds Three Known Exploited Vulnerabilities to Catalog
They are all D-Link products:
- CVE-2020-25078 D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability
- CVE-2020-25079 D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability
- CVE-2022-40799 D-Link DNR-322L Download of Code Without Integrity Check Vulnerability
EOL D-LINK products contain A LOT of vulnerabilities. I need to get back to it, but I used Claude to find at least one "new" one, which is just a variation on command injection vulnerabilities that are prevalent in these platforms, and will never get a fix. Point being, we have enough examples of vulnerabilities in these devices to train a model that could be very effective at finding new vulnerabilities and improving on exploitation techniques, to the point where every one of these devices will be part of a botnet operated by an enemy nation state. And we have no solution in the works to combat this threat...
Larry Pesce
Sam Bowne
- Global study of more than 100,000 young people latest to link early smartphone ownership with poorer mental health in young adults
They used the Mind Health Quotient (MHQ)—a self-assessment tool that measures social, emotional, cognitive, and physical wellbeing—to generate an overall ‘mind health’ score. The specific symptoms most strongly linked with earlier smartphone ownership include suicidal thoughts, aggression, detachment from reality, and hallucinations. Young adults who received their first smartphone before age 13 had lower MHQ scores, with scores progressively declining the younger the age of first ownership. For example, those who owned a smartphone at age 13 scored an average of 30, dropping to just 1 for those who had one at age five.
- Hacker still holds $14 billion in stolen Bitcoin from massive 2020 LuBian attack: Arkham
It is not only the biggest crypto heist in history but also one of the longest-concealed cases.
- Microsoft CEO sends a surprising message on quantum computing
On Microsoft’s latest earnings call, Nadella hailed quantum as “the next big accelerator in the cloud.” Quantum is heating up just like the AI arms race. Microsoft is building Magne, a robust neutral-atom quantum system with Atom Computing. Construction begins in fall 2025, with early workloads targeted for 2027.
- Ukraine rescues soldier via drone delivery of complete e-bike
It was a really big drone, and it took three tries.
- AI-powered Cursor IDE vulnerable to prompt-injection attacks
A vulnerability that researchers call CurXecute is present in almost all versions of the AI-powered code editor Cursor, and can be exploited to execute remote code with developer privileges. Cursor IDE has support for the MCP open-standard framework, which extends an agent’s capabilities and context by allowing it to connect to external data sources and tools. This can compromise the agent as it is exposed to external, untrusted data that can affect its control flow.
- ChatGPT users shocked to learn their chats were in Google search results
OpenAI scrambles to remove personal ChatGPT conversations from Google results. "When users clicked 'Share,' they were presented with an option to tick a box labeled 'Make this chat discoverable.' Beneath that, in smaller, lighter text, was a caveat explaining that the chat could then appear in search engine results." This confusing interface caused many users to share private chats.
- SRAM Has No Chill: Exploiting Power Domain Separation to Steal On-Chip Secrets
This seems useless in practice. Basically, you apply external power so the chip never really shuts off. If you can do that, you already have access to the memory anyway.
- AI site Perplexity uses “stealth tactics” to flout no-crawl edicts, Cloudflare says
Sites that block crawling with robots.txt or WAF rules are crawled anyway, using over 10,000 domains and millions of requests.
- Proton fixes Authenticator bug leaking TOTP secrets in logs
Proton fixed a bug in its new Authenticator app for iOS that logged users' sensitive TOTP secrets in plaintext, potentially exposing multi-factor authentication codes if the logs were shared. The debug logs can be found under Settings > Logs.
- Ohio sets new cybersecurity rules for local governments, including public approval of ransomware payments
Following a string of cyberattacks on local governments across Ohio, the state is now requiring all local governments to have cybersecurity policies and to approve ransom payments to hackers in full view of the public.








