We Left It Vulnerable On Purpose – Rob Allen – PSW #910

Paul Asadoorian

1. Pccomponentes “Breach”: How Infostealer Logs Enable Convincing Credential Stuffing
2. Command Injection in Vivotek Legacy Firmware: What You Need to Know
3. Drone Hacking Part 1: Dumping Firmware and Bruteforcing ECC
4. Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025
5. Dangling DNS: The Most Overlooked Attack Surface in the AI Era
6. Inside a Malicious Push Network: What 57M Logs Taught Us
7. GRUB 2.14 Release Analysis: A Deep Dive into Next-Generation Bootloader Security, Performance, and Enterprise Features
8. A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here? – Project Zero
9. Mandiant releases rainbow table that cracks weak admin password in 12 hours

   While certainly not new, this new release, according to some, accomplishes the following:

   • Full, documented datasets downloadable by anyone as opposed to generating them yourself, finding (usually smaller) tables online for free, or paying someone for the tables.
   • Integration instructions for common tools (RainbowCrack variants, ntlmv1‑multi preprocessing, etc.).
   • A cost profile tuned for commodity hardware, making Net‑NTLMv1 cracking a <12‑hour, sub‑$600 exercise rather than requiring custom rigs or paid services.

   Agree or disagree? I also find it interesting that Google itself gives you the outdated/legacy gsutil command to download them. This is the command that is running in the background on my Linux system:

   • gcloud storage cp -r gs://net-ntlmv1-tables/tables .

   Also, keep in mind that you will need at least 8TB of space to store them. Also, if you have not stocked up on storage, its too late, AI has already driven prices through the roof for RAM and storage, though I did manage to find a few remaining deals..

   • Original article from Google/Mandiant: https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables
10. LilyGO T-Display S3 Pro LR1121 devkit adds Sub-GHz and 2.4GHz LoRa, audio support

    Really awesome Meshtastic device as Lilygo has taken the T-Display S3 and added a LoRa radio, antennas, and a battery. For around $65, its a nice looking device: https://lilygo.cc/products/t-display-s3-pro-lr1121

11. VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun

    Before you poo-poo this, I believe it's actually awesome. This did not look like a script kiddie using AI, this looks more like an advanced team that actually knows how to use AI to assist with development. Their process: "From a methodology perspective, the actor used the model beyond coding, adopting an approach called Spec Driven Development (SDD), first tasking it to generate a structured, multi-team development plan with sprint schedules, specifications, and deliverables. That documentation was then repurposed as the execution blueprint, which the model likely followed to implement, iterate, and test the malware end-to-end."

12. The Ongoing Risk of USB Drives

    I'm not certain exactly how this technology works, but here is what Crowdstrike is claiming to defend against BadUSB:

    • Precise device access: Security teams can allow, restrict, or block removable media based on device attributes, organizational policy, and business need.
    • Protection against untrusted and malicious devices: Threat actors frequently rely on rogue USB drives or manipulated firmware to deliver malware or compromise systems. Falcon Device Control blocks these devices from interacting with endpoints before harmful activity occurs.
    • Safe enablement of legitimate workflows: Falcon Device Control provides flexible options such as read-only access or conditional permission. This supports productivity while maintaining strong governance.

    Given that, what happens when a device such as an IP-KVM or Webcam conducts BadUSB attacks? These do have to register as a keyboard at some point. I like the Kaspersky approach of requiring the user to enter a pin when a HID device is attached. I am also curious if they can detect USB device ID spoofing. The thing with a KVM is that its just a Linux device that you would normally allow HID access, so blocking this in the way Crowdstrike descibes would not be all that effective, yes/no?

13. GNU InetUtils Security Advisory: remote authentication by-pass in telnetd

    This is a great find; vulnerable code has been there since 2015. AI actually provided an accurate summary:

    "telnetd constructs the login command line from a template that, on non-Solaris systems, expands to something like: PATH_LOGIN " -p -h %h %?u{-f %u}{%U}". The %U expansion pulls directly from the client’s USER environment variable, which can be controlled via telnet -a/--login, and is not sanitized before being passed as the final argument(s) to login. If the attacker sets USER="-f root" and uses telnet -a localhost, telnetd ends up running /usr/bin/login -p -h -f root, which tells login to skip authentication and log in as root."

    Also, this totally works on the latest release of Manjaro. Like a champ:

    • sudo systemctl start telnet.socket
    • USER='-f root' telnet -a localhost
    • And just like that, I was root!
14. WhisperPair: Hijacking Bluetooth Accessories Using Google Fast Pair

    WhisperPair is a set of attacks against poorly implemented Google Fast Pair in Bluetooth audio accessories that allow attackers to forcibly pair with devices and, in some cases, track users via Google’s Find My Device/Find My-style network. Some facts:

    • Many Fast Pair accessories do not properly check whether they are in pairing mode before accepting Fast Pair pairing messages, even though the specification requires this check.
    • This logic flaw lets an attacker behave as a Fast Pair “seeker” and kick off pairing with a vulnerable accessory that is already in use, without any user interaction.
    • An attacker with any Bluetooth-capable device (phone, laptop, Raspberry Pi, etc.) can quickly force-pair to vulnerable earbuds/headphones at realistic ranges (tested up to about 14 m, median ~10 seconds).
    • Once paired, the attacker can fully control the accessory: play loud audio or abuse the microphone to record nearby conversations, effectively turning it into a remote listening bug.1
    • Some Fast Pair accessories participate in Google’s crowdsourced Find Hub network so they can be located if lost.
    • If such an accessory has never been paired with an Android device, an attacker can onboard it to their own Google account, becoming the “owner” by writing the first Account Key, and then track the victim’s movements as they carry the accessory.
    • Victims may eventually receive an unwanted tracking notification, but it misleadingly attributes tracking to their own device, which users may dismiss as a glitch.
    • The vulnerability stems from accessories treating Fast Pair messages as valid regardless of pairing state, turning an intended usability enhancement into a large-scale security and privacy weakness.
    • Multiple vendors, devices, and chipsets are affected, and products passed both vendor QA and Google certification, revealing systemic failures across implementation, validation, and certification
15. Shadow, Ghost, and Phantasmawhatever Vulnerabilities – The Reality

    Jericho's articles are a great read. I am pulling this out of context purely as a discussion point: " If there was a CVE assignment for every known or documented insecure behavior, it means one for every router with HTTP as a non-default option, any software that offers FTP even if not a default, etc. The amount of noise would make CVE even more worthless than it is." - My gut reaction is to disagree. Perhaps it would create A LOT of CVE entries, but if the point of CVE is to have a reference for as many vulnerabilities as possible, then why not? Who gets to decide what is a vulnerability and what is not? Perhaps context matters, as in, don't add it for all applications and devices, but only those that are popular and important? But again, who decides what's important and what's not? Do we need a different type of CVE record that catalogues this behavior? I don't have all the answers, but I am in favor of more CVE records and more importantly, properly funding resources for existing and expanded programs that deal with vulnerability databases and disclosure.

16. Fortinet admins report patched FortiGate firewalls getting hacked

    I'm not certain of the source of this information, but Bleeping Computer claims that the original patch does not work and attackers are still able to exploit patched Fortinet devices. If so, this is kind of a big deal:

    • Fortinet customers believe they are safe, but they are not, and attackers can still compromise vulnerable devices
    • There is no new patch to fix the old patch that fixed the original vulnerability
    • There are still about 11k vulnerable Fortinet devices exposed to the Internet

    I actually wrote about this vulnerability here: https://eclypsium.com/blog/network-edge-vulnerabilities-and-exploits-defined-2025/ - Its an authentication bypass, which is pretty bad.

17. Making a firmware data diode from a £10 network switch

    Really cool: "This article explains how to turn a cheap unmanaged Ethernet switch into a firmware-defined data diode that enforces one-way network traffic using only EEPROM configuration changes on the switch."

18. Flipper Zero NFC parser for Bambu Lab’s filaments

    Neat project, you could probably use your phone with an app, however, using the Flipper Zero is cooler and allows for others to contribute more easily.

19. Don’t Judge a PNG by Its Header: PURELOGS Infostealer Analysis

    Neat technique: "The decoded PowerShell script acts as the first stage downloader. Instead of fetching an executable from some disposable domain, it downloads a PNG image from archive.org, a legitimate and well-known website. When analysts review network logs and see traffic to archive.org, it typically doesn’t typically raise flags. The attackers are using the site's reputation as cover. But this isn't actually a standard PNG. Well it is, but with extras. The attackers embedded a Base64-encoded payload after the IEND chunk of the PNG, which marks the official end of the image data. The file still renders as a valid image in any viewer. The actual malware sits between two custom markers, BaseStart- and -BaseEnd." - Not a new technique, but using archive.org is a newly observed behavior.

20. When the Lab Door Stays Open: Exposed Training Apps Exploited for Fortune 500 Cloud Breaches

    This is an amazing project, discovery, and research: "This research shows that intentionally vulnerable training apps (like DVWA, Juice Shop, bWAPP, Hackazon) are very often exposed to the internet, tied to real cloud identities, and actively exploited as initial access for full cloud compromise." It gets better:

    • Compromising a vulnerable on purpose app that is deployed to the cloud gives an attacker a foothold in the cloud, and in some cases API keys and access to more cloud resources
    • The author developed a tool that uses LLMs and Python to discover these conditions
    • The tool, called SigInt (https://github.com/noamYaffe1/SigInt) doesn't just look for DVWA-style apps, you can point it at a live site or Github repo, it will build a profile, then scan the Internet for that specific app (or at least use Shodan).

    Love this project so much!

21. Fixing Breadboards for Wide Microcontrollers – Pico & ESP32 Edition

    Awesome project: "This project describes how to modify a standard solderless breadboard so it properly fits wide microcontroller boards like the Raspberry Pi Pico and common ESP32 dev boards, while restoring ample prototyping space around them. It does this by reusing the original breadboard’s metal spring contacts inside a custom 3D‑printed body that preserves a full 63×5 contact layout plus dual side power rails, but with the inner rows spaced to match the wider MCUs so that four holes per pin remain accessible for wires and components."

22. Introducing ÆSIR: Finding Zero-Day Vulnerabilities at the Speed of AI

    "Trend Micro’s ÆSIR is an AI-augmented vulnerability research platform designed to find zero-days in AI infrastructure at machine speed while keeping humans in control of direction, validation, and disclosure. It has already yielded 21 CVEs across NVIDIA, Tencent, MLflow, and MCP tooling since mid‑2025, with multiple patch-bypass cycles caught and remediated."