Digging For Vulnerability Gold – PSW #909

Paul Asadoorian

1. Signal creator Moxie Marlinspike wants to do for AI what he did for messaging
2. VoidLink: The Cloud-Native Malware Framework
3. How I Reverse Engineered a Billion-Dollar Legal AI Tool and Found 100k+ Confidential Files
4. EDRStartupHinder: EDR Startup Process Blocker
5. Tiny device, total access: IP-KVMs are now a hackers’ dream

   I own a JetKVM and NanoKVM. Here are some more things that are raising conerns about these devices:

   • All of those attack vectors you've ignored because an attacker requires physical access are now in play, including: * BadUSB - Many of these devices use BadUSB functionality (e.g. USB Gadgets) to inject keystrokes. Now an attacker does not have to deploy their own BadUSB device, they can just use the KVM you installed instead. * Booting from removable media - Perhaps you haven't enabled Bitlocker or set a BIOS password because you don't travel with your desktop computer that sits in your home or office. A KVM allows an attacker to boot from removable media and may even allow access to your BIOS. Now the attacker controls the boot chain on your device.
   • Some devices now have 5G - If you thought you would detect the usage of KVM devices via your network, think again. New models from GL-iNet have 5G capabilities, which means you won't find them on your network.
   • Authentication - Some devices require just a password, making it even easier to brute force guess to gain access. Most of the inexpensive devices (JetKVM and NanoKVM, for example) do not have MFA available.

   You may just put these devices on a separate network. However, you still need to access that network. And if access is possible, attackers may find a way in.

6. Reverse engineering my cloud-connected e-scooter and finding the master key to unlock all scooters

   Estonian security researcher Rasmus Moorats bought an e-scooter. The company ended up going Chapter 11. The app and cloud that controlled the scooter started to lose functionality, so reverse engineering ensued. While trying to discover how to control his own scooter, he found a default BT key that could be used to control ALL scooters. He ended up making an app to control his scooter without the official app or cloud. I love this research so much. I hate that companies can get away with this.

7. ESP32-DIV v2: I Built Something Better Than Flipper – CiferTech

   Really cool open-source/open hardware alternative to the Flipper Zero. Nice work, now I want to build one!

8. Authentication Bypass via System-Level Username in ZimaOS

   One of the best vulnerabilities so far this year: "The application is checking the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password." I actually have one of these devices: "ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. "

9. Pwning Claude Code in 8 Different Ways

   Claude Code is amazing, but be careful as the security controls can be bypassed: "Claude Code used an allowlist for certain commands plus manual approval for everything else, but tried to keep allowlisted commands “safe” using regex blocklists on arguments. The central design flaw is relying on complex regex blocklists to detect “dangerous” arguments or patterns, which missed options, shell features, and parsing quirks of underlying tools." - While they fixed it, letting an AI agent run commands on your system is not recommended...

10. CVE-2025-64155: 3 Years of Remotely Rooting the FortiSIEM

    CVE-2025-64155 is a critical unauthenticated arbitrary file write in Fortinet FortiSIEM’s phMonitor service that can be reliably turned into RCE as admin and then escalated to root on affected appliances. Weaponized exploit code can be found here: https://github.com/horizon3ai/CVE-2025-64155.

11. Attackers Exploit Zero-Day in End-of-Life D-Link Routers

    Evidence that attacking EOL devices is all the rage today, even relating it back to GhostDNS from 2019. Vulncheck says: "Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the GhostDNS malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC)."

12. Microsoft patches zero-day, kills legacy Windows drivers

    Important Secure Boot notes here:

    • " If an endpoint's KEK/DB still holds the older Microsoft 2011-era certificates that are expiring (June and October 2026), an attacker can exploit the timing window before certificate rollover is complete to: Load bootloaders signed by the old (soon-to-be-untrusted) key. Prevent future Secure Boot policy updates from being applied, "stranding" the machine in a vulnerable state."
    • ""Once the ancient 2011 certificates expire later this year, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes,"

    Basically, you will lose the ability to use the new DB/DBX updates, which means older (vulnerable) software will still work with SB and attackers will take advantage of this. This is what I was saying about Windows 10, if you stay on it, Secure Boot is meaningless. I wish people would just come out and say that rather than making confusing statements.

13. GitHub – zoicware/RemoveWindowsAI: Force Remove Copilot, Recall and More in Windows 11

    This script looks awesome: "The current 25H2 build of Windows 11 and future builds will include increasingly more AI features and components. This script aims to remove ALL of these features to improve user experience, privacy and security." - As some of you may already know, I run Linux on my desktop. However, I have this plan to purchase and install these Ikea cabinets to give a new home to two of my 3D printers. Then I want a shelf on the wall to hold a laptop, and my Surface Pro would be perfect. Running Windows, because Bambustudio on Linux has limitations (E.g. repair/mesh repair function). I will do a full re-install of Windows 11 and remove all of the crap. Then the kids can print "stuff".

Aaran Leyland

1. Doomsday for Cybercriminals — Data Breach of Major Dark Web Forum

Lee Neely

1. BreachForums Breach Exposes 324K Cybercriminals

   Resecurity has analyzed a database of 323,986 forum member records alleged to identify administrators, moderators, and users of the latest incarnation of a cybercrime forum called BreachForums. The company's threat intelligence team believes the database and associated leaked data contain information that may be useful to law enforcement pursuing cybercriminals. https://www.resecurity.com/blog/article/doomsday-for-cybercriminals-data-breach-of-major-dark-web-foru

   It seems the tables have turned, in this case the breach forum is itself breached. That said, releasing the database is not without risk; the database was released by "James" and Resecurity hints they know who that is. If they can figure it out, so can others. If you want to analyze the data, obtain a clean copy from Resecurity, as there are other copies which contain malware.

2. Spanish energy giant Endesa discloses data breach affecting customers

   Spanish energy provider Endesa and its Energía XXI operator are notifying customers that hackers accessed the company's systems and accessed contract-related information, which includes personal details. Endesa is the largest electric utility company in Spain, now owned by Enel Group, that distributes gas and electricity to more than 10 million customers in Spain and Portugal.

   The breach didn't impact service (gas/power) delivery to customers and Endesa is notifying affected customers directly. While Endesa is claiming there is no attempted use of the purloined data, threat actors appear to have 20 million records (1 TB) of Endesa customer database data for sale to a single exclusive buyer. Expect Endesa to implement enhanced security measures after admitting existing security fell short of expectations.

3. Salt Typhoon Hackers Hit Congressional Emails in New Breach

   U.S. officials are investigating a suspected Chinese cyber espionage operation compromising email systems used by congressional staff working on House national security committees.

   These accounts are targeted as they are typically less hardened environments. While truly sensitive email is not present, enough supporting information, which rounds out Open-Source investigations nicely. Make sure that you're considering the security of not only your mainstream email systems but also staff/contractor and supporting services. An incident can quickly offset the cost of not providing someone with a corporate email account. Review email security options to ensure protections are in place commensurate with the information processed.

4. Instagram denies breach amid claims of 17 million account data leak

   Malwarebytes warned that "cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more," and posted a screenshot showing an Instagram password reset email. However, the data in question and recent reports of unsolicited Instagram password reset requests are not related, despite surfacing online simultaneously.

   It's a good time to check the HIBP web site for all your email addresses, as well as make sure that your password practices are up to snuff - you know the drill, use good passwords, don't reuse them, enable MFA and passkeys wherever supported. If you have any doubts about the security of a password for a service, update it, using their password changing mechanism. Disable accounts for services you're no longer using. Keep a record of that action. Sometimes it takes a bit to close an account.

5. Thousands of Irish passports recalled due to printing error

   A recall has been issued for almost 13,000 passports due to a printing error, the Department of Foreign Affairs has confirmed. An issue emerged in recent days with passports issued between December 23rd, 2025, and January 6th, 2026. It is understood the letters IRL are missing from these passports. They may not be accepted as a result at border control.

   Use caution with "move fast and break things" - have a plan for rolling back or fixing what you break. In this case, physical replacement of passports is a bit higher impact than a case where you may have had to update data and possibly send a notification. When things do go sideways, make sure that someone has the customer's back. In this case, the Irish Passport Service has been emailing affected customers, updating their web site and setup a dedicated customer service team for those travelling immediately as well as covering any costs of reissued passports or visas.

6. 34 arrests in Spain during action against the ‘Black Axe’ criminal organisation – Criminal network engaged in a multitude of criminal activities and present in dozens of countries

   Authorities in Spain have arrested 34 individuals in connection with cyber fraud conducted by an international criminal group. According to. investigators, the group is responsible for fraud losses of more than €5,93 million. Law enforcement recovered a small portion of that amount by freezing bank accounts and seizing cash.

   This group is known as Black Axe.  They have a global presence operating in Nigeria and abroad, spread over about 60 zones with 200 members each and has a total membership of about 30,000. They were known for recruiting money mules from impoverished areas with high unemployment rates.

7. California bans data broker reselling health data of millions

   California's Privacy Protection Agency is fining Rickenbacher Data, d/b/a Datamasters, for failing to register as a data broker in the state of California. The decision asserts that Datamasters bought, repackaged, and resold contact data of people with a variety of medical conditions so the information could be used for targeted advertising.

   An indicator that consequences for failing to follow CCPA are real.  Double check the applicibility of CCPA to your datasets. Datamasters claimed they were exempt from CCPA because they didn't operate in California, but it's the processing/obtaining of data which belongs to Californians, without deleting it within 24 hours, which brings CCPA into play. If you are a data broker for Californian data, make sure that you register. With the California Delete Act, expect more enforcement as single point opt-out is implemented in the the new DROP platform.

8. Threat Actors Actively Targeting LLMs

   Threat research from a Greynoise honeypot shows two recent campaigns probing the security of LLM APIs by way of misconfigured proxy servers.

   The action here is to make sure your threat hunters are incorporating IOCs, and that you're taking steps to protect your LLMs, which include only allowing models from trusted repositories, watching for enumeration patterns and rate limiting/blocking suspicious networks and domains.

9. ChatGPT for heal care has HIPAA-compliant controls

   OpenAI announced implementations of ChatGPT models and the OpenAI API for use in healthcare, followed three days later by Anthropic's announcement of a healthcare-focused implementation of the Claude LLM

   https://www.anthropic.com/news/healthcare-life-sciences 

   As with any new technology, you need to understand how data is managed and controlled. In this case ChatGPT and Claude are explicitly implementing HIPAA controls, which you're going to want to verify before allowing HIPAA data use. (I'm avoiding the term governance.) There will be considerable pressure to allow the access immediately. Make sure you're on the same page; the healthcare versions are a different product.

   I'm reminded that as with any new technology, those who figure out how to use it and improve service delivery are the ones which will have jobs in the future.