Turning To The Darkside & AI Cyberslop – PSW #899
This week:
- Reversing keyboard firmware
- Ghost networks
- Invasion of the face changers
- Ghost tapping and a whole lot of FUD
- AI doesn't code securely, but Aardvark can secure code
- De-Googling Thermostats
- Dodgy Android TV boxes can run Debian
- HackRF vs. Honda
- Cyberslop AI paper
- Turning to the darkside
- Poisoning the watering hole
- Nagios vulnerabilities
- VPNs are a target
Paul Asadoorian
- How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia
- Private data at risk due to seven ChatGPT vulnerabilities
- Former cybersecurity employees attempted to extort five U.S. companies in 2023 using BlackCat ransomware attacks
- GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools
- CERT/CC Vulnerability Note VU#517845
- Shuffle Up and Deal: Analyzing the Security of Automated Card Shufflers
- CVE-2025-62725: From “docker compose ps” to System Compromise
- Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk
- Chaotic-AUR is trying to fight Arch Linux malware
- Quantifying Swiss Cheese, the Bayesian Way
- Using Ghidra to patch my keyboard’s firmware
Sometimes reverse engineering is not looking for vulnerabilities, but modifying firmware to add or change functionality. This is an awesome example.
- The YouTube Ghost Network: How Check Point Research Helped Take Down 3,000 Malicious Videos Spreading Malware – Check Point Blog
"The operation relied on cracked software and game hack videos to lure victims into downloading password-protected archives containing malware." - People want cracked software and game cheats, so attackers used YouTube to trick people into downloading fake cracks/cheats. Sounds familiar? I am pretty sure this technique dates back to the days of BBS.
- Invasion of the Face changers: Halloween Hijinks with Bluetooth LED…
Love this hack so much, I want to test it myself. I have one of these masks, but I don't believe it is the Bluetooth version. With BT, an attacker can upload new images and tell the mask to display that image. The Bishop Fox team uploaded their logo, but your imagination can now run wild as to which image(s) you want to display on another person's mask.
- Experts warn of ‘ghost tapping’ scam that steals credit card data without swiping
I believe these stories are FUD because: "Sensitive security features like the three-digit CVV (security code), PIN, and cryptographic keys are not accessible over NFC. The CVV printed on your card is never transmitted by NFC and is not stored where the Flipper can touch it. Modern EMV cards generate one-time cryptograms for each transaction, so even the dynamic codes used for in-person tap-to-pay cannot be stolen or reused by a Flipper or similar device." - Yes/No?
- Remote access, real cargo: cybercriminals targeting trucking and logistics
This is like Hollywood hacking:
- Threat actors compromise broker load board accounts to post fake shipments and lure carriers into installing RMM payloads.
- RMM tools like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve are used to establish remote access, often evading detection due to their legitimate appearance and signed installers.
- Attackers use credential harvesters (e.g., WebBrowserPassView) after initial compromise to expand access and increase their chances of successful cargo theft.
This is nuts: "the attacker compromised the company via RMM delivery, deleted existing bookings and blocked dispatcher notifications, added their own device to the dispatcher’s phone extension, booked loads under the compromised carrier’s name, and coordinated the transport."
- Introducing Aardvark: OpenAI’s agentic security researcher
This has legs:
- Aardvark begins by analyzing entire code repositories, producing a threat model tailored to the project’s objectives and design.
- It monitors and scans code commits for vulnerabilities, referencing both recent changes and overall project context.
- When a vulnerability is identified, Aardvark annotates the code and attempts to validate exploitability in a sandbox, minimizing false positives.
- For each finding, it proposes a patch using OpenAI Codex and integrates into developer workflows, supporting efficient human review and one-click patching.
- Methodology: 2k+ Vulnerabilities in Vibe-Coded Apps
If you are a developer or not, is this because the model doesn't know how to write secure code or the user doesn't know how to prompt it to write secure code or even better use AI to test the app for vulnerabilities? This is scary:
"Across platforms, critical weaknesses (e.g., exposed Supabase tokens, misconfigured APIs, and missing row-level security) were accessible directly through public endpoints. Tokens such as Supabase service keys were often trivially retrievable from frontend bundles, underscoring that many security issues in vibe-coded apps exist “in the open,” without requiring any privileged access. If we decided to go more in-depth, we could develop an AI-driven auto-authentication system that leveraged headless browser automation and agent-based orchestration."
AI-generated sites are the new PHP: people with little to no experience are creating apps that have no security. I can tell you firsthand that, when prompted correctly, AI will find authentication issues, but you have to know how to prompt it (and have knowledge of authentication bypass techniques).
- codykociemba/NoLongerEvil-Thermostat: Breathe fresh life into your bricked Nest Gen 1 & 2, now with 100% less evil!
I can't express how much work this is and how amazing this project is, check out the high level: "The custom firmware flashes the device with modified bootloader and kernel components that redirect all network traffic from the original Nest/Google servers to a server we specify. This server hosts a reverse-engineered replica of their API, allowing the thermostat to function independently while giving you complete control over your device data and settings." - However, it would be nice if you could host the server yourself, maybe you can, but a quick scan of the docs shows that you have to register with https://nolongerevil.com/
- Tailscale Peer Relays: High-throughput relays for secure, flexible networks
Tailscale Peer Relays is a new feature made publicly available in beta, offering a customer-managed traffic relaying option alternative to Tailscale’s managed DERP servers. This allows Tailscale nodes to relay traffic for peers in the same tailnet, including for themselves, using a high-throughput and low-latency relay based on UDP, embedded directly in the Tailscale client. It is designed to improve performance where direct connections are not possible, such as behind strict firewalls or in cloud environments with NATs.
- Peer Relays are managed by the customer, providing throughput comparable to direct connections, often much higher than DERP relays.
- They enable connections in "hard NAT" and firewall-restricted environments by only requiring a single open UDP port per relay.
- Available on all Tailscale plans, including free, with two peer relays allowed initially. The feature is still in beta, with ongoing improvements in connectivity and debugging.
"A Tailscale DERP (Designated Encrypted Relay for Packets) is a relay server used by Tailscale to facilitate device-to-device connections—especially when a direct connection between devices in your Tailnet cannot be established due to strict NAT, firewalls, or other network barriers."
- Repurposing Dodgy Android TV Boxes As Linux Boxes
I've done this, it's interesting, Debian is not the greatest experience for a TV box (often you'd just use a browser to navigate to Netflix to watch). One thing that struck me: Android TV boxes advertise higher CPU/RAM/Storage than what they are actually selling. Go figure, I mean they include malware AND false advertising, yet Amazon sells tons of them, yet they won't sell a Flipper Zero. WTH?
- Epic Pentest Fail – SpecterOps
We've all been there, on a pen test, and made an oops. Good for SpecterOps for sharing their lessons learned. Most pen test posts are like "look at all the cool stuff I did" rather than "we made an oops, learn from it".
- Dead Domain Discovery: Discover Expired or Unregistered Domains
Neat tool for finding dead domains.
- Demonstrating a Rollback Attack on a Honda via HackRF Portapack and an Aftermarket Security Solution
I need to test this: "Over on YouTube "Obsessive Vehicle Security" has uploaded a video demonstrating a rollback attack against a Honda vehicle using a HackRF Portapack and the "Remote" function on the Mayhem firmware. His recent blog post also succinctly explains the various types of keyless vehicle theft used by modern thieves, including Roll-Jam, Relay Amplification and Rollback attacks." - Now I just need an older Honda :)
- CyberSlop — meet the new threat actor, MIT and Safe Security
We have to get better at checking this stuff, 80% of ransomware does not use AI, and we need to be able to spot AI generated research papers.
- EDR-Redir V2: Blind EDR With Fake Program Files
Moar EDR bypass: "EDR-Redir V2 is a technique that leverages Windows bind link technology to redirect the operating folders of Antivirus and EDR solutions, such as Windows Defender, through a controlled folder and disrupt their ability to monitor or protect their core files. Traditionally, EDRs block file writes in their own directories, but they cannot block actions in their parent folders (like "Program Files"), as doing so would impact overall software functionality. By creating strategic bind links—redirecting folders to themselves and excluding the EDR’s own subfolder—it's possible to break the security model, tricking the EDR into seeing a different folder as its parent and enabling DLL hijacking opportunities"
Jeff Man
- Ex-Cybersecurity Staff Charged With Moonlighting as Hackers
Didn't we used to suspect that the antivirus companies were releasing viruses so folks would buy their products? DigitalMint President Marc Jason Grens said [Kevin Tyler] Martin’s alleged crimes were “completely outside the scope of his employment.” - thanks for clarifying.
- When Security Professionals Turn to the Dark Side
Another perspective on this incident. If you can't trust the experts, who can you trust? (Hint: nobody)
- HSBC USA caught in data breach controversy after Cyber Attack
PSA: Don't deny a breach at the outset (just because you haven't found it yet), say it's being investigated.
- M&S Cyberattack: Next’s Profits Expose the Real Breach Cost
This shouldn't come as a surprise to anyone but one of the consequences of a breach might be your customers take their business elsewhere. But the most interesting part of this article is the assertion that most companies over-estimate their cyber readiness in detecting and protecting against a cyberattack. The article suggests that "that this vulnerability isn’t just an abstract risk but a strategic blind spot." I do not disagree.
- Shadow AI’s Silent Siege on Corporate Security
Shadow AI...of course this is happening. On a related note - I figured out how to disable Copilot in my Outlook!
- Top 10 Countries that have payment card info spilled onto the dark web in 2025
Yes, the United States is ranked #1 but the number of cards stolen? Only 30,000. What's interesting about this article is the claim that stolen cards remain active for up to 16 months after they've been compromised. (reminder: check your credit card bill)
- Police busts credit card fraud rings with 4.3 million victims
This article suggests this credit card fraud "network" involved 4.3 million cardholders. That's a way different number than the previous article. #OperationChargeback! And, if there's a theme emerging this week, it's that some of the suspects arrested and charged were employees, sorry, executives and compliance officers of the service providers that were targeted by the fraudulent activities. Most of the fraud indicated in this article were nominal charges, mostly subscriptions, that likely go unnoticed by the cardholders. (again, check your billing statement).
- 400,000 WordPress Sites Affected by Account Takeover Vulnerability in Post SMTP WordPress Plugin
Seems like forever since we talked about a WordPress vulnerability. Our friend and colleague Evan Schuman shared this article with me, asking the question "is this a big deal?" Well, is it? PAUL: Short answer: Yes. This from the article: "This can be used for complete site compromise by an attacker triggering a password reset for a site’s administrator user, and then obtaining the password reset email through the log data. Once an attacker has access to this key, they can reset the password for that user and log in to the account." So I should say, if you are using this plugin, and it's the vulnerable version, then yes, this is a huge problem. It is also being actively exploited, though the article hints that Wordfence blocks exploit attempts.
Lee Neely
- Japan Issues OT Security Guidance for Semiconductor Factories
Japan's Ministry of Economy, Trade and Industry has published OT security guidance for semiconductor manufacturers. The document references SEMI's E187 and E188 standards, which address incorporating security into the development phase of new semiconductor manufacturing equipment and extending security to existing semiconductor manufacturing equipment. The Japanese guidance also references the NIST's Cybersecurity Framework Version 2.0 Semiconductor Manufacturing Profile, which "identifies five primary business and mission objectives for the semiconductor manufacturing sector": Maintain environmental safety; Maintain human safety; Maintain production goals; Maintain semiconductor quality; and Protect sensitive information.
Where you have a choice, use a relevant standard that you understand and that fits the scope of your system and abilities. Double down on one your regulator will accept. Talk to your peers about what they use, replicating rather than building controls from scratch. Leverage available current templates.
- Denmark Steps Away from Chat Control
Denmark has withdrawn a bill that would have required service providers to scan all electronic communications, including those exchanged on end-to-end encrypted platforms, like WhatsApp. Dubbed Chat Control, the bill's stated goal was to reduce the trafficking of child abuse content. The European Commission introduced the bill in 2022. Denmark currently holds the Presidency of the Council of the European Union until the end of this calendar year. Denmark's Justice Minister says they will support a voluntary measure for service providers to search for offending content. On October 8, Germany said it would not support the legislation. Poland and the Netherlands have also opposed the measure; France and Ireland support Chat Control.
This is a step in the right direction; one hopes they, and others similarly inclined, realize the futility of a limited scope encryption back door. Most likely countries which require such mechanisms will find the apps no longer work there rather than the delivery of the capability.
- Hackers are attacking Britain’s drinking water suppliers
According to information obtained from the UK's Drinking Water Inspectorate (DWI), drinking water suppliers have reported five cyberattacks since the beginning of 2024. In all, DWI has received 15 reports under Network and Information Systems (NIS) Regulations from suppliers since January 1, 2024. Of those, 10 were deemed not to be cyber-related; the other five were classified as "out-of-NIS-scope systems." Current NIS rules require the formal reporting of cyber incidents that disrupt essential services; therefore, the detection of an intruder's presence on an IT system does not fall under the mandatory reporting guidelines. When the UK's Cyber Security and Resilience Bill is introduced in Parliament later this year, the high threshold for mandatory reporting is expected to be amended. Recorded Future News obtained the incident data from DWI under freedom of information laws.
- Introducing Proton’s Data Breach Observatory
Proton AG launched the Data Breach Observatory, an online public catalog of major data breaches. Proton created the project in the interest of responsible transparency and awareness, citing risks to consumers and smaller businesses when inconsistent self-reporting means breaches may go undisclosed, hidden, or ignored. Constella Intelligence is collaborating with Proton on the Observatory, conducting research and near-real-time monitoring of the dark web for leaks.
Proton's value add on Dark Web breach discovery is validation of breaches beyond just ingesting data from the dark web. This service is targeted to small businesses who are the top targets for breaches and typically don’t have access to or budget for the larger threat feeds and supporting analytics.
- DOJ accuses US ransomware negotiators of launching their own ransomware attacks
Two former cybersecurity incident response professionals and an unnamed conspirator have been indicted by the US Department of Justice for conducting ransomware attacks against five US companies in 2023. Ryan Clifford Goldberg, a former incident response manager for Sygnia Cybersecurity Services, and Kevin Tyler Martin, a former ransomware threat negotiator for DigitalMint, are charged with conspiracy and interference with interstate commerce by extortion, and intentional damage to protected computers. All three were employed at the time of the attacks but have since been terminated; while the unnamed "Co-Conspirator 1" is mentioned in the indictment and was also a DigitalMint ransomware negotiator, the filing only specifies charges for Goldberg and Martin.
A clear case of ethical behavior failing, or being suppressed by the perceived rewards of the attackers' game, in this case becoming affiliates for the ALPHV/BlackCat Ransomware service. While DigitalMint and Sygnia terminated these guys as soon as their alleged involvement was detected, they will still be doing damage control and reputation repair for a bit. A question is could you detect employees “going bad?” Do you ever recheck their background or watch for aberrations in behavior? This could be a good topic to run to ground with HR.
- Europe’s energy grid faces growing cyber threat
In April, a series of cascading failures plunged Spain, Portugal, and parts of France into a world without electricity. Reminds people of the 2015 Ukrainian power grid outage that was a cyberattack. The EU power grid is very connected, with issues in one country easily leading to problems in other countries. Power plant IT infrastructure is a unique assemblage of software, hardware, and operating systems from a variety of vendors who may be resistant to having cybersecurity professionals dig too deeply. "Exotic operating systems" control systems with unsecured protocols; some rural areas still use dial-up internet. The European Commission is focusing on improving power grid resilience; they are funding several projects, including the eFORT framework, which is being developed by researchers at Netherlands Organisation for Applied Scientific Research (TNO) and the Delft University of Technology (TU Delft).
- Vulnerabilities in Monitoring Software from IBM and Nagios
Vulnerabilities in IT infrastructure monitoring software products from IBM require administrators to make configuration changes; a trio of critical vulnerabilities in Nagios XI can be addressed by updating to Nagios XI version 2026R1. A pair of vulnerabilities in the KT1 component of ITM/ITCAM Agents IBM Tivoli Monitoring could be exploited by "remote attacker to traverse directories on the system [through maliciously-crafted URLs and] view, overwrite, or append to arbitrary files on the system." There is not a patch for these issues. Instead, admins need to configure the agents "to use only TLS for communication."
The exploit requires an authenticated user to be successful, but don’t rely on that being a high bar. Nagios XI version 2026R1 was released in September but the CVEs were only just published, so don’t panic, just get the update going. Fixing the IBM Tivoli KT1 flaw requires you to follow the IBM security advisory to convert communication to TLS only. You need IBM support credentials with appropriate access to read this bulletin.
Sam Bowne
- ICE and CBP Agents Are Scanning Peoples’ Faces on the Street To Verify Citizenship
ICE has a new app called Mobile Fortify, which scans someone’s face and is built on a database of 200 million images. The app queries an unprecedented number of government databases to return the subject’s name, date of birth, alien number, and whether they’ve been given an order of deportation. ICE officials have told us that an apparent biometric match by Mobile Fortify is a ‘definitive’ determination of a person’s status and that an ICE officer may ignore evidence of American citizenship—including a birth certificate—if the app says the person is an alien.
- Revealed: Israel demanded Google and Amazon use secret ‘wink’ to sidestep legal orders
The deals prohibit the US companies from restricting how Israeli agencies use their cloud services, even if they violate the terms of service. It also requires them to send "wink" messages revealing the identity of the country they had been compelled to hand over Israeli data to, but were gagged from saying so. The "winks" were payments in amounts that contained the area code of the country. Several experts described the mechanism as a “clever” workaround that could comply with the letter of the law but not its spirit. “It’s kind of brilliant, but it’s risky,” said a former senior US security official.
- OpenAI data suggests 1 million users discuss suicide with ChatGPT weekly
OpenAI also estimates that a similar percentage of users show heightened levels of emotional attachment to ChatGPT, and that hundreds of thousands of people show signs of psychosis or mania in their weekly conversations with the chatbot. The company claims its new work on ChatGPT involved consulting with more than 170 mental health experts and that these clinicians observed the latest version of ChatGPT “responds more appropriately and consistently than earlier versions.”
- VPNs from Cisco and Citrix Riskiest Products for Ransomware: At-Bay Rankings Report
The two most prominent cyber threat vectors are email and remote access. These two threat vectors together accounted for 90% of cyber claims in 2024, when excluding incidents caused by third-party compromises or non-cyber events. Email fraud is now one of the biggest drivers of losses, yet most security tools are still focused on phishing links and malware. In 2024, 80% of ransomware attacks had a remote access tool as the entry vector, with 83% of those cases involving a VPN device. Businesses using on-premise VPN solutions are nearly 4X more likely to be a victim of a ransomware attack than those using a cloud-based VPN or no VPN at all.
- Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking
Cellebrite can apparently extract data from most Pixel phones, unless they’re running GrapheneOS.
- Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices
What began as just a few isolated samples has now expanded to more than 760 malicious apps observed in the wild. Approximately 20 institutions have been impersonated - primarily Russian banks and financial services, but also targeting organizations in Brazil, Poland, Czech Republic, and Slovakia.
- Windows 11 KB5067036 update rolls out Administrator Protection feature
Administrator protection requires that a user verify their identity with Windows Hello integrated authentication before allowing any action that requires administrator privileges.
- PhantomRaven: NPM Malware Hidden in Invisible Dependencies
By linking dependencies directly to URLs, the dependencies are hidden from the dependency analysis that most security tools rely on.
- Protecting more Edge users with expanded Scareware blocker availability and real-time protection
Scareware blocker for Microsoft Edge is now enabled by default on devices with more than 2 GB of RAM and four CPU cores, where it won’t slow down everyday browsing. It protects users from fresh scams hours or even days before they appear on global blocklists. Unsurprisingly, AI-powered features like Scareware blocker will forever change the way we protect customers from attacks.
- CyberSlop — meet the new threat actor, MIT and Safe Security
A widely-cited MIT paper claimed that "80% of ransomware attacks are now powered by AI." Marcus Hutchins, Kevin Beaumont, and others debunked it. It was deceptive marketing material from a company trying to sell some sort of AI defenses. MIT simply removed it, without discussion or explanation.
- Study concludes cybersecurity training doesn’t work
Phishing training doesn't prevent people from clicking on phishing links. Most people will eventually click on one. Given how ineffective cybersecurity training is, we should focus on other defenses like multifactor authentication or email spam detection.
- Manufacturer issues remote kill command to disable smart vacuum after engineer blocks it from collecting data — user revives it with custom hardware and Python scripts to run offline
An engineer got curious about how his iLife A11 smart vacuum worked and monitored the network traffic coming from the device. That’s when he noticed it was constantly sending logs and telemetry data to the manufacturer — something he hadn't consented to. So the company sent a remote kill signal to it.
- Risk of Tor Browser on Windows
By default it installs to your Desktop folder, which is by default mirrored to OneDrive at Microsoft. Microsoft has access to your OneDrive content for cybersecurity analysis via privacy carve outs. The Tor folder contains sensitive content. The solution is to install at root of C: drive.
- Chicago firm that resolves ransomware attacks had rogue workers carrying out their own hacks, FBI says
Employees of DigitalMint, a company that specializes in negotiating ransoms in cyber attacks, were part of a small crew the feds say conducted five hacks that scored more than $1 million.








