It's Always DNS – PSW #897
In the security news:
- When in doubt, blame DNS, you're almost always correct
- How to Make Windows 11 great, or at least suck less
- CSRF is the least of your problems
- Shady exploits
- Linux security table stakes (not steaks)
- The pill camera
- Give AI access to your UART
- Security products that actually try to be secure?
- Firmware vulnerabilities, lots of them
- Teams is spying on you
- More details on PolarEdge
- VSCode, marketplaces, and developers at risk
- Cisco SNMP flaw used to deploy malware
- The 90's called, they want their exploits back
This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!
Don't miss InfoSec World 2025 — October 27 to 29 at Disney’s Coronado Springs Resort! Cybersecurity pros, workshops before and after, and endless networking. Save 25% with code ISW25-SW at securityweekly.com/ISW2025!
Paul Asadoorian
- Exploit for Use of Password Hash With Insufficient Computational Effort in Fortinet Fortiproxy CVE-2024-21754
Could be useful for reverse engineering or password recovery, though I am not inclined to purchase an exploit from a shady site for $110 :)
- FlashBoot
Interesting way to create a bootable Windows OS USB thumb drive. I am certain you can do this on your own using the installer tools such as Rufus and some configuration to get it on a USB thumb drive. I'm a huge fan of the installer customizations, including Schneegans, that let you install a trimmed-down Windows OS. See my other article about switching from Linux to Windows.
- Amazon outage breaks much of the internet
It's always DNS.
- Vibecoding an ESP32 Door Monitor
I was hoping for some tips on which AI was used and how it was integrated and prompted, but didn't find it. However, great article if you are getting into ESP32 development and a neat project!
- Oops! It’s a kernel stack use-after-free: Exploiting NVIDIA’s GPU Linux drivers
Extremely detailed post, with a PoC that will elevate privs on Linux: "While manually probing the attack surface related to memory allocation and management we found two vulnerabilities. They were reported to NVIDIA and the vendor issued fixes in their NVIDIA GPU Display Drivers update of October 2025".
- nullvoid.me – Merck’d-U!
Many embedded devices (IoT if you will) contain CSRF and session token vulnerabilities. Many are also probably ignored by the vendor and never fixed, as the attack path is not straightforward. The interesting thing about this research is the hidden API calls and the TELNET service. Reversing to find these, without the source code, is a great accomplishment. I was hoping to see more details on how they found it, likely extracting the web app code from the firmware (which is essentially source code).
- CVE-2025-9133: Configuration Exposure via Authorization Bypass
Cool exploit, showing why we need to move away from CGI for embedded web applications.
- Model Context Protocol (MCP) – Black Hills Information Security, Inc.
Great tutorial for getting up to speed on MCP. Thank you, Joff Thyer!
- Positive Technologies helps fix vulnerabilities in Broadcom network adapter firmware
If you want to jump around Hypervisors in a cloud provider, this could be handy: "The vulnerability discovered is related to a stack-based buffer overflow, which leads to arbitrary code execution in the KONG kernel and, as a result, to the compromise of the entire network adapter or other virtual machines/hypervisors." PT also says: "Successful exploitation could disrupt services for cloud providers, data centers, and enterprise customers using the impacted hardware, and could result in the theft of employee, customer, and partner data. This could lead to financial losses and reputational damage."
- I ditched Linux for Windows 11 for one week – and found 9 big problems
Windows 11 is annoying, for all the reasons listed, though you can overcome many of them by customizing the Windows 11 install (Rufus / Schneegans). Still, Linux is better :)
- Hackers exploit 34 zero-days on first day of Pwn2Own Ireland
It took a chain of 8 exploits to successfully Pwn a QNAP device. This is exciting.
- Try this new Linux security threat scanner to keep your system safe – you’ll thank me
Testing whether files on your system are also in VT is just table stakes, and not that great for defending Linux systems, but better than nothing, I suppose. Good for appliances? But there are better ways...
- Multiple Password Managers Vulnerable to Clickjacking Attacks VU#516608
"Browser-extension password managers, which autofill sensitive information on websites, can be exposed to various clickjacking attacks. These attacks exploit the trust relationship between a web page and the user-interface elements injected by the extension. Recent studies show that Document Object Model (DOM-level) manipulation can bypass many standard clickjacking defenses, leaving several password managers at risk when users navigate to a malicious or compromised website. Users should promptly install vendor updates and carefully weigh the security risks of using password-manager features such as autofill of sensitive information that trade convenience for potential exposure" - This has always been a thing, and a security trade-off we make when using password managers.
- Pill Camera Teardown, Capsule endoscopy
The smallest IoT device I've ever seen.
- I Gave Claude Access to a Device’s UART Console
I've been using Claude for reverse engineering tasks such as this, neat skill to have it interact with a UART port directly. Going back to this to learn how to better prompt Claude code as I am still learning.
- We need secure products as much as we need security products
This is really interesting: "Sophos Firewall OS v22 now integrates our Sophos XDR Linux Sensor that enables real-time monitoring of system integrity, including unauthorized configuration, rule exports, malicious program execution attempts, file tampering, and more. This helps our security teams – who are proactively monitoring our entire Sophos Firewall install base – to better identify, investigate, and respond more quickly to any attack. This is an added security capability that no other firewall vendor provides." - Wow, a vendor that gets it and is now including an "XDR" agent for the appliances themselves. This is what we need. Now, does the "Sophos XDR Linux Sensor" actually catch known or unknown malicious behavior on Linux systems? Not sure, but at least it's something, which is better than vendors that just drop a device on your network and ask you to just trust them, it's "secure".
- A Review of the SunFounder Pironman 5 MAX Raspberry Pi 5 Enclosure
I REALLY want one of these. I don't NEED one of these, but when has that ever mattered when it comes to buying tech? :)
- What Happened To Running What You Wanted On Your Own Machine?
In many cases, you don't really own the machine or the software and are limited by the ecosystem. A locked-down ecosystem is more secure, but the sacrifice is freedom.
- The Hidden Costs of Firmware Bugs – and How to Avoid Them
I believe the most common firmware-based vulnerabilities live in the management and communication protocols. All it takes is an authentication bypass and a command injection, and it's game over. It doesn't matter what other protections exist; if I can skirt around the authentication or authorization and then execute commands, game over. Memory protections are great, but do not protect against an attacker using built-in tools to execute commands.
Larry Pesce
- Watch out – Microsoft Teams might be telling your bosses when you’re in the office or not
- Defrosting PolarEdge’s Backdoor
- AWS crash causes $2,000 Smart Beds to overheat and get stuck upright – Dexerto
- A classified network of SpaceX satellites is emitting a mysterious signal
- Satellites Are Leaking the World’s Secrets: Calls, Texts, Military and Corporate Data
Lee Neely
- AWS Outage Disrupts Sites and Services Globally
The problems started with US-East-1, then spread to DynamoDB API DNS issues. Many sites were impacted, including banks and government sites, as well as "McDonald's, DisneyPlus, Snapchat, Signal, Roblox, Verizon, Fortnite, Venmo, Perplexity, Hulu, Duolingo, Perplexity, Reddit, ... Coinbase," Zoom, Signal, WhatsApp, and Alexa and Ring devices.
At first blush, it appears being solely dependent on US-East-1 was what took services out, but the impacted services are known to be spread across multiple regions, which should not have been affected. For the future, you need to have a conversation about reduced dependency on any single region, which comes at a cost, but so does an outage. Someone is going to suggest multiple cloud providers as an alternative; drill down on that as well. It may sound alluring, but the costs and overhead, including replication/creation of services across providers, are likely more than you wish to take on.
- Cybercrime-as-a-service takedown: 7 arrested – Operation takes down sophisticated criminal network that enabled criminals to commit serious crimes across Europe
Law enforcement authorities in Europe have arrested seven individuals and dismantled support infrastructure related to a SIM farm. Operation SIMCARTEL involved law enforcement authorities from Austria, Estonia, Finland, and Latvia, Europol and Eurojust, and the Shadowserver Foundation. The criminal endeavor offered cybercrime-as-a-service through SIM cards that allowed the use of phone numbers that belong to other people to create phony social media accounts and conduct criminal campaigns, including "phishing, smishing, extortion, investment fraud, daughter-son scams, and fraudulent calls connected to fake shops and fake bank pages." Those involved in dismantling the operation seized five servers, two websites, 1,200 SIM box devices that were linked to 40,000 SIM cards, and hundreds of thousands of additional SIM cards.
The scale is impressive; look at the photos in the articles to see just how small a 40,000 SIM card server operation is, which was used to create more than 49 million online accounts, just by renting numbers from 80 different countries to customers. Use this as an argument to support moving away from SMS-based authentication/validation.
- Prosper Breach May Affect 17.5 Million, Says HIBP
Financial services company Prosper, which facilitates peer-to-peer lending, disclosed a data breach on September 2, 2025, which has now been analyzed by Troy Baker's "Have I Been Pwned" (HIBP) data breach aggregator. Prosper's FAQ states that the company detected and worked quickly to stop unauthorized activity on its systems, strengthened its security measures, engaged a third-party cybersecurity firm to investigate, and contacted law enforcement. Prosper is enhancing its monitoring and security controls, and reviewing security and privacy policies.
Prosper, a 20-year-old, innovative personal loan provider, is still determining which customers and data were impacted, so isn't yet offering ID/credit monitoring to affected users. So it's a waiting game to find out if you're included. As always, I suggest not relying on others to secure your credit and actively monitoring it yourself.
- GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace
Researchers at Koi have identified a worm that targets VSCode extensions on the OpenVSX marketplace and is still actively spreading. The worm hides malicious code in unprintable Unicode characters and uses a public blockchain for command and control (C2) infrastructure with Google Calendar as a backup. The malware turns an infected system into a SOCKS proxy server and propagates through the developer ecosystem, stealing and exploiting credentials and tokens to compromise extensions in npm, GitHub, OpenVSX, Git, and others, as well as targeting/draining cryptocurrency wallets and deploying proxy servers and hidden VNC servers. Koi has published indicators of compromise (IoCs), warning that some extensions are still actively distributing malware. There are 36,000 GlassWorm victims and it's still growing.
- Moxa Releases Firmware Updates to Address Five Vulnerabilities, Three Critical
Moxa has released updates to address five vulnerabilities in the company's network security appliances and routers. Three of the vulnerabilities are rated critical: two execution with unnecessary privileges vulnerabilities (CVE-2025-6893 and CVE-2025-6949), and a hard-coded credentials issue (CVE-2025-6950) affecting JSON Web Tokens (JWT), which could lead to "complete system compromise." The other two vulnerabilities are a high-severity incorrect authorization vulnerability (CVE-2025-6892) and a medium-severity execution with unnecessary privileges vulnerability (CVE-2025-6894). The issues affect the following Moxa products: EDR-G9010 Series, EDR-8010 Series, EDF-G1002-BP Series, TN-4900 Series, NAT-102 Series, NAT-108 Series, and OnCell G4302-LTE4 Series. Users are urged to install the most recent firmware updates (v 3.21 or later) as soon as possible.
- Microsoft Disrupted Vanilla Tempest Attack by Revoking Certificates Used to
In early October 2025, Microsoft disrupted a Vanilla Tempest campaign by revoking over 200 certificates that the threat actor had fraudulently signed and used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware.
The fake installers were delivered from sites impersonating the real Microsoft Teams download site, e.g., teams-download[.]buzz, teams-install[.]run, or teams-download[.]top. Users are directed to these sites through SEO poisoning. Make sure you're blocking those sites, blocking installs of packages with revoked certificates, as well as detecting the Vanilla Tempest TTPs.
- Supply Chain Risks Lurking in VS Code Marketplaces
Wiz Research has published a blog post describing their discovery that over 500 VSCode extension packages contained publicly accessible hardcoded secrets. Wiz found .vsix files from hundreds of publishers that notably contained "AI provider secrets (OpenAI, Gemini, Anthropic, XAI, DeepSeek, HuggingFace, Perplexity); High risk profession platform secrets (AWS, Github, Stripe, Auth0, GCP); [and] Database secrets (MongoDB, Postgres, Supabase)" among others. Over 130 packages contained access tokens for the VSCode Marketplace or OpenVSX Marketplace that authorize updates to an extension, putting the supply chain at risk.
At core is leakage of secrets in the Visual Studio Code marketplace. Make sure that you are not publishing secrets in your code repositories, particularly your extensions (.vsix files). These files can be unzipped and inspected, and need to not be distributed externally, even though they often are for convenience.
https://www.wiz.io/blog/supply-chain-risk-in-vscode-extension-marketplaces
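The GlassWorm item above (malicious code hidden in invisible Unicode characters) and the Wiz item (secrets shipped inside .vsix packages) point at the same defensive check: a .vsix is a plain zip archive, so a team can unpack any extension it allows and look for both red flags before installing it. The script below is an added example, not code from Koi, Wiz, or the show. The secret patterns, the invisible-character set, and the sample archive it builds are constructed for illustration (the AWS key is the public documentation example value); they are not either vendor's rule set and are deliberately simple.

```python
"""Defensive scan of a .vsix (VS Code extension package, a plain zip archive)
for two supply-chain red flags: code hidden in invisible Unicode characters
and hardcoded secrets shipped in the package.  Patterns, invisible-character
set and the sample archive are constructed for this example."""
import io
import re
import unicodedata
import zipfile

# Constructed, deliberately simple secret patterns (illustrative only).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "generic_token_assignment": re.compile(
        r"(?i)\b(api[_-]?key|token|secret)\s*[:=]\s*['\"][^'\"]{16,}['\"]"),
}

# Code points that render as nothing in most editors.  Unicode category Cf
# (format characters such as zero-width joiners) is caught by category; this
# explicit set adds variation selectors, tag characters and Hangul fillers,
# which are not Cf but are equally invisible.  Assumed list, not exhaustive.
INVISIBLE_EXPLICIT = (
    set(range(0xFE00, 0xFE10))          # variation selectors
    | set(range(0xE0100, 0xE01F0))      # variation selectors supplement
    | set(range(0xE0000, 0xE0080))      # tag characters
    | {0x115F, 0x1160, 0x3164, 0xFFA0}  # Hangul fillers
)

TEXT_SUFFIXES = (".js", ".mjs", ".cjs", ".ts", ".json", ".md", ".txt",
                 ".yml", ".yaml", ".xml", ".vsixmanifest")


def find_invisible(text: str):
    """Return (line_number, 'U+XXXX') for every invisible code point in text."""
    text = text.removeprefix("\ufeff")  # a leading BOM is normal, not hidden code
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for ch in line:
            if ord(ch) in INVISIBLE_EXPLICIT or unicodedata.category(ch) == "Cf":
                hits.append((lineno, f"U+{ord(ch):04X}"))
    return hits


def find_secrets(text: str):
    """Return (line_number, pattern_name) for each line matching a secret pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                hits.append((lineno, name))
    return hits


def scan_vsix(vsix_bytes: bytes) -> dict:
    """Walk every text entry of the archive and collect both kinds of finding."""
    report = {"invisible": [], "secrets": []}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue  # binaries (icons, native modules) need a different check
            try:
                text = zf.read(info).decode("utf-8")
            except UnicodeDecodeError:
                continue
            for lineno, cp in find_invisible(text):
                report["invisible"].append((info.filename, lineno, cp))
            for lineno, name in find_secrets(text):
                report["secrets"].append((info.filename, lineno, name))
    return report


def build_sample_vsix() -> bytes:
    """Construct a small in-memory .vsix: two clean files and two bad ones."""
    files = {
        "extension.vsixmanifest": "<PackageManifest/>\n",
        "extension/README.md": "# Demo extension\nNothing to see here.\n",
        "extension/extension.js": (
            'const cfg = require("./config.json");\n'
            'const token = "constructed_token_value_0123456789";\n'
            'const marker = "\u200d\ufe0f";  // zero-width joiner + variation selector\n'
        ),
        "extension/config.json": (
            '{"aws": "AKIAIOSFODNN7EXAMPLE", '   # AWS documentation example key
            '"openaiKey": "sk-constructedEXAMPLEkey1234567890"}\n'
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_vsix(build_sample_vsix())
    for path, lineno, cp in result["invisible"]:
        print(f"INVISIBLE {path}:{lineno} {cp}")
    for path, lineno, name in result["secrets"]:
        print(f"SECRET    {path}:{lineno} {name}")
```

Pointing `scan_vsix` at the bytes of a real package (`open("some.vsix", "rb").read()`) gives the same report; the invisible-character check is the one worth keeping even if you already run a secret scanner, since most secret scanners only look at what is printable.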
Sam Bowne
- The Surveillance Empire That Tracked World Leaders, a Vatican Enemy, and Maybe You – Mother Jones
Operating from their base in Jakarta, where permissive export laws have allowed their surveillance business to flourish, First Wap’s European founders and executives have quietly built a phone-tracking empire, with a footprint extending from the Vatican to the Middle East to Silicon Valley.
- US Congress committee investigating Musk-owned Starlink over Myanmar scam centres
Elon Musk’s Starlink provides internet access to Myanmar scam centres, blamed for swindling billions from victims across the world.
- Recovery Contacts: Sign in with a little help from your friends and family
A new option that lets you choose trusted friends or family members to help if you ever get locked out of your Google Account
- Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces
Wiz Research identified a pattern of secret leakage by publishers of VSCode IDE Extensions. Critically, in over a hundred cases this included leakage of access tokens granting the ability to update the extension itself.
- Nation-state hackers deliver malware from “bulletproof” blockchains
Hacking groups—at least one of which works on behalf of the North Korean government—have found a new and inexpensive way to distribute malware from “bulletproof” hosts: stashing them on public cryptocurrency blockchains.
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches
The security issue leveraged in the attacks affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE and leads to RCE if the attacker has root privileges. The rootkit planted on vulnerable Cisco devices features a UDP controller that can listen on any port, toggle or delete logs, bypass AAA and VTY ACLs, enable/disable the universal password, hide running configuration items, and reset the last write timestamp for them.
- US court orders spyware company NSO to stop targeting WhatsApp, reduces damages
A U.S. court has ordered Israel's NSO Group to stop targeting Meta Platforms' (META.O) WhatsApp messaging service, a development the spyware company warned could put it out of business.
- Network security devices endanger orgs with ’90s era flaws
Enterprises have long relied on firewalls, routers, VPN servers, and email gateways to protect their networks from attacks. Increasingly, however, these network edge devices are becoming security liabilities themselves. Many of the vulnerabilities discovered in the past two years should have been caught with automatic code analysis tools or code reviews. Looking at what we’ve seen the last 12 months, there’s no evidence that security efforts being made by those vendors are having an effect. Another problem? These appliances have a lot of legacy code, some that is 10 years or older. Tackling vulnerabilities in old code, known as security debt, is expensive and hard. Vendors need to set a higher standard for themselves.