Safes, Hackers, and Web Servers – PSW #892
This week's technical segment is all about the T-Lora Pager from Lilygo, a really cool Meshtastic device that can also be used for some hacking tasks! In the security news:
- Your safe is not safe
- Cisco ASA devices are under attack
- VMScape
- HybridPetya and UEFI attacks in the wild
- Everything is a Linux terminal
- Hackers turns 30
- Hosting websites on disposable vapes
- NPM worms and token stealing
- Attackers make mistakes too
- AI podcasts
Join us for InfoSec World 2025 — October 27 to 29 in sunny Lake Buena Vista, Florida at Disney’s Coronado Springs Resort! Workshops run October 25–26 and October 29–30. The premier cybersecurity conference is here — save 25% with code ISW25-SW at securityweekly.com/ISW2025!
Paul Asadoorian
- Samsung patches zero-day security flaw used to hack into its customers’ phones
- Eternal-Tux: Crafting a Linux Kernel KSMBD 0-Click RCE Exploit from N-Days
- Researching an APT Attack and Weaponizing It
- Automated Patch Diff Analysis using LLMs
- Hackers Went Looking for a Backdoor in High-Security Safes—and Now Can Open Them in Seconds
It seems that no digital safe is actually safe. This is pretty amazing research, requiring reverse engineering of firmware and further research to uncover backdoors and other methods. This is not just about protecting home safes: many models that use the same safe technology are used in Fort Knox and in pharmacies to secure drugs. Yikes. Then there are lawsuits threatened against the researchers.
- ESP32-S3 wide touch display development board features a 640×172 touch LCD, AI voice support – CNX Software
- Mainframe skills gain traction with younger techies
- Undocumented Radios Found in Solar-Powered Devices
- Running code in a PAX Credit Card Payment Machine (part1)
- AI Pentesting Tool ‘Villager’ Merges Kali Linux with DeepSeek AI for Automated Security Attacks
- AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks
- Are Cisco ASA Devices About To Be Attacked?
Spoiler: The evidence presented by GreyNoise and some digging on my own indicates yes. So, in August and September GreyNoise collected data showing huge spikes in scanning for ASA devices. Shodan reveals there are over 113k Cisco ASA devices on the public Internet. Many have to be exposed to support the SSL VPN functionality. Cisco has also announced plans to retire the ASA platform by 2026. There are also many exploits and toolkits for hacking the ASA platform. This, to me, is a perfect storm.
- New VMScape attack breaks guest-host isolation on AMD, Intel CPUs
Will this be the one we see exploited in the wild, given: "They note that a threat actor could deploy such an attack against a cloud provider by simply renting a virtual machine to leak secrets from the hypervisor or other VMs." - It could be this has already happened in the wild. If an attacker deploys a VM in the cloud, then uses it to exploit speculative execution vulnerabilities and steal secrets from another VM, who would notice? Do cloud providers have visibility into such attacks? If an attacker were to use the stolen secrets, would someone think to investigate this attack? Has this happened and no one told us? Am I speaking out of turn? Please, call me out....
- New HybridPetya Weaponizing UEFI Vulnerability to Bypass Secure Boot on Outdated Systems
Some thoughts:
- This is all possible because vulnerable programs exist that have been signed to work with Secure Boot
- Secure Boot takes a lot of crap, but this attack would not be possible if everyone kept their DBX or SBAT policies up-to-date
- This was not seen in-the-wild, but ESET grabbed a copy from VT (this is where many find malware samples that do interesting things, but it could be just a lab experiment that got leaked to VT)
- If an attacker is changing the files on the EFI partition, such as swapping out bootloaders, someone and/or something should notice, as this is not a common occurrence
- However, these types of devastating attacks are possible because some don't even enable Secure Boot, most don't configure it properly, and most defensive software could give two craps about bootloaders, the EFI partition, and UEFI in general. Except where I work; we are paying attention and building things and stuff to help with these problems.
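The EFI-partition point above (someone or something should notice a swapped bootloader) in practice means baselining the ESP and re-checking it. The following is an added example, not code from the show or from any vendor tool. It assumes a Linux host with the ESP mounted (the mount point is passed on the command line, commonly /boot/efi) and a baseline captured while the machine was known-good; the file-suffix list and the SecureBoot variable name are the only other assumptions. It hashes the loaders, SBAT/revocation CSVs and grub configs, reports ADDED/REMOVED/CHANGED entries on later runs, and reads the SecureBoot EFI variable so the report also states whether the feature is on at all. It does not check whether DBX/SBAT are current; that is a firmware-update job, not a file-inventory job.

```python
"""Baseline-and-compare check for the EFI System Partition (ESP).

Added example, not part of the show notes or any vendor tool. Assumes a Linux
host with the ESP mounted (commonly /boot/efi) and a baseline taken while the
machine was known-good. A bootkit that swaps or adds loaders under EFI/ shows
up as CHANGED or ADDED entries on the next run.
"""
import hashlib
import json
import os
import sys

# Bootloaders, SBAT/revocation CSVs and grub configs are the files a bootkit touches.
WATCHED_SUFFIXES = (".efi", ".csv", ".cfg")

# SecureBoot lives in the EFI global variable namespace (this GUID) on every UEFI host.
SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def esp_inventory(esp_root):
    """Return {relative POSIX path: sha256 hex} for every watched file under esp_root."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(esp_root):
        for name in files:
            if not name.lower().endswith(WATCHED_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, esp_root).replace(os.sep, "/")
            inventory[rel] = sha256_file(full)
    return inventory


def compare_inventory(baseline, current):
    """Classify differences between two inventories as added/removed/changed paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def secure_boot_enabled(efivars="/sys/firmware/efi/efivars"):
    """True/False from the SecureBoot EFI variable, or None when it cannot be read
    (legacy BIOS boot, non-Linux, efivarfs not mounted).
    efivarfs layout: 4 attribute bytes followed by the variable data (1 byte here)."""
    try:
        with open(os.path.join(efivars, SECUREBOOT_VAR), "rb") as f:
            raw = f.read()
    except OSError:
        return None
    return len(raw) >= 5 and raw[4] == 1


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} BASELINE.json ESP_MOUNTPOINT", file=sys.stderr)
        return 2
    baseline_path, esp_root = argv[1], argv[2]
    state = {True: "enabled", False: "DISABLED", None: "unknown"}[secure_boot_enabled()]
    print("Secure Boot:", state)
    current = esp_inventory(esp_root)
    if not os.path.exists(baseline_path):
        # First run on a known-good machine: record the baseline and stop.
        with open(baseline_path, "w") as f:
            json.dump(current, f, indent=2, sort_keys=True)
        print(f"baseline written: {len(current)} files")
        return 0
    with open(baseline_path) as f:
        baseline = json.load(f)
    diff = compare_inventory(baseline, current)
    for kind in ("added", "removed", "changed"):
        for rel in diff[kind]:
            print(f"{kind.upper():8} {rel}")
    return 1 if any(diff.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once as root on a clean box (`python3 esp_check.py esp-baseline.json /boot/efi`) to write the baseline, keep that JSON somewhere the host cannot rewrite, then schedule the same command and alert on a non-zero exit. Legitimate shim/grub/kernel package updates will also show as CHANGED, so pair the alert with package-manager logs rather than treating every hit as a bootkit.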
- Everything In A Linux Terminal
I mean why not just do everything from a terminal, including render GUI apps! I love this part from Hackaday: "If, like us, you are more interested in how it works, there’s a write up explaining the nuances of the Wayland protocol. The article points out that Wayland doesn’t actually care what you do with the graphical output. In particular, “… you could print out the graphics and give them to a league of crochet grandmas to individually tie together every single pixel into the afghan of legend!” We expect to see this tested at an upcoming hacker conference."
- Disposable Vape Web Server – Running TCP/IP over SWD lines
The fun part is you can read the blog post on a web server that is running on a disposable vape! AI Slop Summary: "A hobbyist project explored running a web server on a disposable vape pen, leveraging the surprisingly capable microcontroller found inside some modern vapes. These vapes used a PUYA-branded ARM Cortex-M0+ chip with 24KiB flash and 3KiB RAM, which, though limited, was sufficient for embedded development tasks. The project utilized semihosting for communication between the microcontroller and a Linux host, forming a virtual network interface over USB via SLIP (Serial Line Internet Protocol). This enabled the vape’s chip to serve webpages through a minimal HTTP server, using the compact uIP IP stack after some porting and memory management tweaks."
- GitHub – thass0/tatix: From-scratch kernel built to serve web pages
I love projects like this: "The Tatix system is a custom kernel designed to serve static web pages. Tatix might intuitively be called an operating system, but that would be unfair since the Tatix system lacks many features of conventional operating systems. Tatix features a custom TCP/IP stack, an HTTP server, a RAM file system, and concurrent tasks based on cooperative scheduling. In support of these features, the system comes with drivers for hardware typical for x86 PCs, a library with essential routines and data structures (allocators, strings, lists, buffers, printing, formatting, etc.), and a paging implementation for virtual memory. The system has been developed and tested in a virtual environment with QEMU on Linux. This means it can easily be deployed on a Linux server that supports virtualization. Tatix depends on GNU Make, NASM (assembler), GCC, QEMU (x86-64), iptables, Bash, GNU linker (ld), and Python 3. By intention, this is standard tooling available on most Linux systems." - Talk about reducing the attack surface! Though, I am not certain this is any more or less secure than any other web server. Sure, it's a lot less code and you likely won't run into the security issues that can arise from the complexities included with Nginx or Apache. However, your web application can still be vulnerable.
Larry Pesce
Lee Neely
- This ‘critical’ Cursor security flaw could expose your code to malware – how to fix it
Researchers from Oasis Security have identified a critical vulnerability in the Cursor AI code editor "that enables the automatic execution of malicious code upon opening a repository." The problem is that Cursor ships with the Workspace Trust security setting disabled by default. Oasis writes that in this state, "when a user opens such a repository in Cursor, even for simple browsing, arbitrary code can be run in their environment. This has the potential to leak sensitive credentials, modify files, or serve as a vector for broader system compromise." Suggested mitigations include enabling Workspace Trust in Cursor, opening unknown repositories in a different editor, and auditing repositories before opening them.
The setting may feel backwards: enable Workspace Trust in Cursor to disable the auto-execution-on-open behavior.
- Samsung patches Android 0-day exploited in the wild
As part of their September security update, Samsung has patched a critical out-of-bounds write vulnerability in the libimagecodec.quram.so closed-source image parsing library that affects Android OS versions 13, 14, 15, and 16. The flaw, which can lead to arbitrary code execution, has already been exploited in the wild. The flaw was reported to Samsung on August 13 by the Meta and WhatsApp security teams.
Not to be outdone by those Apple updates, you need to update all your Samsung mobile devices running Android 13 or later.
- Apple Updates Everything – iOS/macOS 26 Edition – SANS ISC
Apple has released updates for iOS, iPadOS, macOS, tvOS, watchOS, and visionOS to address multiple vulnerabilities. One of the vulnerabilities (CVE-2025-43300), an out-of-bounds write issue affecting iOS, iPadOS, and macOS, was patched last month, but only for current versions of the operating systems. The updates released on September 15 backport the patch for older versions of affected operating systems. With this set of updates, most users have the option of updating to a numerically sequential version of the operating systems, which are in the teens, or leapfrogging ahead to version 26, which reflects the upcoming calendar year and offers a number of new features.
You should be testing out iOS/iPadOS/macOS 26. It’s got changes to UIs you want to know about. And you need to decide if you want to roll 26.0 or wait for the first big update (e.g., 26.1); the newest devices are expected to come with 26, named after the calendar year. Verify your device management and enterprise support tools work with the new OS. Whether you're rolling out 26 or not, make sure you’re deploying the updated OS packages; they hit pretty much everything Apple you have. Apple security releases: https://support.apple.com/en-us/100100
Sam Bowne
- HybridPetya: More proof that Secure Boot bypasses are not just an urban legend
The code seems to be just a proof-of-concept. It exploits a patched vulnerability to bypass Unified Extensible Firmware Interface (UEFI) Secure Boot on Windows systems, making it the fourth publicly known bootkit capable of punching through the feature and hijacking a PC before the operating system loads.
- How an Attacker’s Blunder Gave Us a Rare Look Inside Their Day-to-Day Operations
Because these services are designed to monitor for and detect threats, EDR systems monitor system activity. An attacker installed Huntress, so they published items from his browser history, showing the tools and AIs he used.
- Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework
It's a Phishing-as-a-Service (PhaaS) operation, targeting Microsoft and Google accounts. The service uses Adversary-in-the-Middle (AitM) techniques, capturing credentials, MFA codes and session tokens. It can bypass the protection of several common MFA methods, such as SMS codes and one-time passwords (OTP) from authenticator apps, but it doesn't work for Passkeys because they won't send data to the wrong server.
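The last point, that passkeys fail against an AitM proxy because the browser will not hand the assertion to the wrong server, is worth seeing from the relying-party side. The following is an added example, not code from Okta's VoidProxy write-up or from any WebAuthn library; the origins, rpId and challenge are constructed sample values. It rebuilds what the browser and authenticator put into clientDataJSON and authenticatorData, then applies the binding checks a relying party performs (type, challenge, origin, rpIdHash, user-presence flag). The signature over authenticatorData || sha256(clientDataJSON), which is what stops a proxy from just rewriting the origin field, is deliberately not implemented here and must be verified with the credential's public key in a real deployment.

```python
"""Why an AitM phishing proxy cannot relay a passkey login.

Added example, not code from the VoidProxy report or any WebAuthn library.
It reproduces the relying-party binding checks on an assertion. The signature
check over authenticatorData || sha256(clientDataJSON), which makes the origin
field unforgeable, is NOT implemented here; a real RP must do it with the
credential's public key. All origins and the challenge are constructed samples.
"""
import base64
import hashlib
import json
import struct


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge_b64: str) -> str:
    """What the browser builds. It fills in the origin the page was really loaded
    from; page script cannot override it."""
    payload = {"type": "webauthn.get", "challenge": challenge_b64, "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """What the authenticator signs over: sha256(rpId) || flags || signCount.
    The browser only permits an rpId equal to, or a registrable-domain suffix of,
    the page's own origin, so a page on example-sso.com cannot request
    rpId login.example.com."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_assertion_binding(client_data_b64, auth_data, expected_origin,
                             expected_rp_id, expected_challenge_b64):
    """RP-side binding checks. Returns (ok, reason)."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON not parseable"
    if not isinstance(client_data, dict):
        return False, "clientDataJSON is not an object"
    if client_data.get("type") != "webauthn.get":
        return False, "type mismatch"
    if client_data.get("challenge") != expected_challenge_b64:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP (user present) flag
        return False, "user presence not asserted"
    return True, "ok"


RP_ORIGIN = "https://login.example.com"        # constructed: the real service
RP_ID = "login.example.com"
AITM_ORIGIN = "https://login.example-sso.com"  # constructed: attacker's reverse proxy
AITM_RP_ID = "login.example-sso.com"


def demo():
    """Return (direct_result, relayed_result)."""
    challenge = b64url_encode(b"server-chosen-random-challenge")
    direct = verify_assertion_binding(make_client_data(RP_ORIGIN, challenge),
                                      make_auth_data(RP_ID), RP_ORIGIN, RP_ID, challenge)
    # The victim's browser is on the proxy's domain, so both the origin field and
    # the rpIdHash are derived from it; forwarding the assertion to the real RP fails.
    relayed = verify_assertion_binding(make_client_data(AITM_ORIGIN, challenge),
                                       make_auth_data(AITM_RP_ID), RP_ORIGIN, RP_ID, challenge)
    return direct, relayed


if __name__ == "__main__":
    for label, result in zip(("direct login", "AitM-relayed login"), demo()):
        print(f"{label}: {result}")
```

Contrast this with the SMS/OTP case the report describes: a six-digit code carries no notion of which server it was typed into, so the proxy just forwards it. The passkey assertion carries the origin and rpIdHash inside the signed payload, and the relying party's expected values never match a proxy's domain.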
- ‘WhiteCobra’ floods VSCode market with crypto-stealing extensions
In a public post, core Ethereum developer Zak Cole described how his wallet was drained after using a seemingly legitimate extension (contractshark.solidity-lang) for Cursor code editor. The extension featured all the signs of a benign product with professionally designed icon, a detailed description, and 54,000 downloads on OpenVSX, Cursor's official registry.
- AI Podcast Start Up Plans 5,000 Shows, 3,000 Episode a Week
Human podcasters cost millions, so Inception Point AI plans to flood the zone with AI podcasts and become influencers across social media, literature and more. “We believe that in the near future half the people on the planet will be AI, and we are the company that’s bringing those people to life.”
- The Elephant in The Biz: outsourcing of critical IT and cybersecurity functions risks UK economic security
Recently, there have been three major UK ransomware and/or extortion incidents at three big UK companies — Co-op Group, Marks and Spencer and Jaguar Land Rover. One thing connects them all: in the past 5 years, they all outsourced key IT and cybersecurity services to TCS, aka Tata Consultancy Services.
- Cyberspike Villager – Cobalt Strike’s AI-native Successor
Straiker uncovers Villager, a Chinese-based pentesting framework that acts as an AI-powered framework in the style of Cobalt Strike, automating hacking and lowering the barrier for global attackers.
- ‘Powerful but dangerous’ full MCP support beta for ChatGPT arrives
OpenAI has added a beta of Developer mode to ChatGPT, enabling full read and write support for MCP (Model Context Protocol) tools, though the documentation describes the feature as dangerous. The feature could link ChatGPT to Stripe so that the AI can raise invoices and send them in response to a prompt. There is a Confirm button before an action is taken but this can be disabled.
- China’s internet watchdog mandates 1-hour reporting for serious cybersecurity incidents
Network operators must report “particularly serious” cybersecurity incidents within one hour to relevant authorities.