Cloud Visibility, Fortibleed, hacking things the easy way – Sandy Bird – PSW #932
- Help, I am Fortibleeding
- Cisco SD-WAN needs help
- The secret life of probe requests
- Help, I am Squidbleeding
- XSS to RCE and why CVSS isn't the full picture
- TVs spy on you
- Foundational security practices
- Cybersecurity costs money
- Happy "It's too late to update your KEK key" day
- You don't have security flaws if no one can report them
- Rickrolling FIFA
- Domain takeovers
- End of life, out of luck
- The key to Encryption...
Sandy Bird is the co-founder and CTO of Sonrai Security. Sandy was the co-founder and CTO of Q1 Labs, which was acquired by IBM in 2011. At IBM, Sandy became the CTO for the global security business and worked closely with research, development, marketing and sales to develop new and innovative solutions to help the IBM Security business grow to ~$2B in annual revenue. He’s calling us from his home in Fredericton, Canada, he is a car guy, and he’s probably wearing a Carhartt shirt.
Let’s be real. Your scanners are dumping thousands of vulns, half of them noise, and you still don’t know what’s actually exploitable in your environment.
Patching everything isn’t possible, and chasing CVSS isn’t working.
At the Vulnerability Management Virtual Cybersecurity Summit, learn how to prioritize based on exploitability, reduce false positives, and actually fix what matters.
Security Weekly listeners can register for free at https://securityweekly.com/vulnmanagement using the promo code: CSS26-SW
Paul Asadoorian
- Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager
In less than a year, there have been 7 vulnerabilities in this product added to the CISA KEV. All exploited in the wild, and it is almost certain that they were all exploited as 0-days. Let that sink in. I'm struggling to come up with great defensive recommendations other than to treat all of your Cisco SD-WAN devices as already compromised...
- An update on FortiBleed — what’s happening with victim orgs
There is way too much information both online and in my head about Fortibleed. We could easily dedicate an entire show to this topic. Here's a summary (off the top of my head, NOT AI):
- Threat actor left all of their tools and data exposed to the Internet
- The TTPs are many, and include scan, identify, exploit, and capture activities, similar to other campaigns that target the network edge
- They have a large GPU cluster that cracks SHA-256 hashes
- They detect honeypots and have some pretty advanced analytics and filtering of the device fingerprints and credentials
- They lived off the land on Fortinet devices, mostly collecting credentials
- This is important: If you are running versions of FortiOS PRIOR to 7.2.11, 7.4.8, or 7.6.1, you are storing passwords that can be cracked
- If you are running FortiOS 7.2.11, 7.4.8, or 7.6.1 or later, you are using PBKDF2, much better, however see next
- Once you apply the upgrade to FortiOS 7.2.11, 7.4.8, or 7.6.1 or later, the SHA-256 hashes still exist in the full config backup (in case you had to revert, you will still be able to log in)
- The SHA-256 hash exists in the full config backup until the admin logs in, and not just one admin, but all of the admin accounts
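Added example (not from the show notes and not Fortinet tooling): a small checker that walks the `config system admin` section of a FortiOS config backup and reports which admin accounts still carry a legacy hash, so you know who still has to log in after the upgrade and which backup files to treat as sensitive. The `SH2`/`PB2` prefix markers are assumptions used only for illustration; confirm the real prefixes by diffing a backup from a pre-7.2.11 unit against one taken after the upgrade. The sample backup is constructed and its hash blobs are made up.

```python
import re
from typing import Dict, List

# ASSUMED for this example: FortiOS stores admin credentials in a backup as
# "set password ENC <blob>" and the blob's leading characters identify the hash
# scheme. Both markers below are placeholders; verify them on your own backups.
LEGACY_MARKER = "SH2"   # placeholder: hash from the pre-fix SHA-256 scheme
PBKDF2_MARKER = "PB2"   # placeholder: hash written by the PBKDF2 scheme

_EDIT = re.compile(r'^edit\s+"([^"]+)"$')
_PASSWORD = re.compile(r'^set\s+password\s+ENC\s+(\S+)$')


def classify_admin_hashes(config_text: str) -> Dict[str, str]:
    """Map every account under 'config system admin' to the scheme of its stored
    credential: 'legacy', 'pbkdf2' or 'unknown' (no or unrecognised hash).
    Nested sub-blocks inside the admin section are tolerated; other sections
    such as 'config user local' are ignored."""
    result: Dict[str, str] = {}
    depth = 0              # current 'config ... end' nesting level
    admin_depth = None     # level at which 'config system admin' was opened
    current = None         # admin account currently being parsed
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system admin":
                admin_depth = depth
            continue
        if line == "end":
            if depth == admin_depth:
                admin_depth = None
                current = None
            depth -= 1
            continue
        if admin_depth is None:
            continue
        m = _EDIT.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, "unknown")
            continue
        m = _PASSWORD.match(line)
        if m and current is not None:
            blob = m.group(1)
            if blob.startswith(LEGACY_MARKER):
                result[current] = "legacy"
            elif blob.startswith(PBKDF2_MARKER):
                result[current] = "pbkdf2"
            else:
                result[current] = "unknown"
    return result


def accounts_needing_login(config_text: str) -> List[str]:
    """Admins whose backup still holds a legacy hash. Each must log in once on
    the upgraded firmware so the credential is re-stored with PBKDF2; the old
    backup file itself stays crackable and should be handled accordingly."""
    return sorted(name for name, scheme in classify_admin_hashes(config_text).items()
                  if scheme == "legacy")


# Constructed sample backup (not a real device); blobs are not real hashes.
SAMPLE_BACKUP = """\
config system global
    set hostname "fw-edge-1"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2example_legacy_blob==
    next
    edit "backupadmin"
        set accprofile "super_admin"
        set password ENC PB2example_pbkdf2_blob==
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "apiuser"
        set accprofile "prof_admin"
    next
end
config user local
    edit "vpnuser"
        set type password
        set passwd ENC SH2not_an_admin_account==
    next
end
"""

if __name__ == "__main__":
    for name, scheme in classify_admin_hashes(SAMPLE_BACKUP).items():
        print(f"{name:14s} {scheme}")
    print("still need to log in:", accounts_needing_login(SAMPLE_BACKUP))
```

Run it against a decrypted full backup; the accounts it lists are the ones whose stored hash predates the upgrade. Remember the point from the list above: it is all admin accounts, not just the one you happen to use.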
- CVE-2026-5667: The Secret Life of Probe Requests – Mitsubishi MAC-577IF-2E WiFi Adapter
"The researcher noticed Mitsubishi MAC-577IF-2E Wi-Fi adapters (used with air conditioners, water heaters, rice cookers, etc.) broadcasting a probe request for "DefaultSSID" all over the city. Devices that have never been configured by their owners sit in perpetual setup mode, begging for that SSID on-air — indefinitely. The attack chain is straightforward: stand up a rogue AP matching "DefaultSSID," capture the WPA2 half-handshake, crack the (weak default) password offline, then reconnect and hit the device's HTTP interface. Authentication was just HTTP Basic Auth, with credentials stored in a public GitHub repo. At that point, a Python library by a prior researcher gave full control — power on/off, temperature changes — the whole stack."
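Added example (not from the show notes or the researcher's writeup): the defensive side of this is spotting the unconfigured devices on your own site before anyone else does. The script below takes probe-request records from a monitor-mode sniffer, in a constructed line format assumed for this example, and flags clients that keep asking for a factory-default SSID over a sustained window. A single probe is a passer-by; a device that has been asking for "DefaultSSID" for ten minutes has never been onboarded and is the one to go find. The watchlist generalises to any default SSIDs from your own inventory; only "DefaultSSID" comes from the writeup.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed record format for this example (not any real sniffer's output):
#   <ISO-8601 UTC timestamp> PROBE <client MAC> <SSID or "<broadcast>">
PROBE_LINE = re.compile(
    r'^(\S+)\s+PROBE\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(.*)$')

# Factory-default SSIDs worth alerting on. "DefaultSSID" is from the
# MAC-577IF-2E writeup; extend the set from your own device inventory.
DEFAULT_SSIDS = {"DefaultSSID"}


def parse_probes(lines: Iterable[str]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, mac, ssid) tuples, skipping malformed lines."""
    out = []
    for line in lines:
        m = PROBE_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        out.append((ts, m.group(2).lower(), m.group(3)))
    return out


def unconfigured_devices(lines: Iterable[str], min_probes: int = 3,
                         min_span_seconds: int = 600) -> List[Tuple[str, int, int]]:
    """Clients that probed for a default SSID at least min_probes times across
    a window of at least min_span_seconds. Returns (mac, count, span_seconds),
    sorted by MAC, so the output is stable enough to diff between sweeps."""
    first: Dict[str, datetime] = {}
    last: Dict[str, datetime] = {}
    count: Dict[str, int] = defaultdict(int)
    for ts, mac, ssid in parse_probes(lines):
        if ssid not in DEFAULT_SSIDS:
            continue
        count[mac] += 1
        first[mac] = min(first.get(mac, ts), ts)
        last[mac] = max(last.get(mac, ts), ts)
    flagged = []
    for mac, n in count.items():
        span = int((last[mac] - first[mac]).total_seconds())
        if n >= min_probes and span >= min_span_seconds:
            flagged.append((mac, n, span))
    return sorted(flagged)


# Constructed sample capture; MACs and times are made up.
SAMPLE_LOG = """\
2026-05-03T08:00:00Z PROBE aa:bb:cc:dd:ee:01 DefaultSSID
2026-05-03T08:00:01Z PROBE 11:22:33:44:55:66 <broadcast>
2026-05-03T08:05:00Z PROBE aa:bb:cc:dd:ee:01 DefaultSSID
2026-05-03T08:05:30Z PROBE aa:bb:cc:dd:ee:02 DefaultSSID
2026-05-03T08:10:00Z PROBE aa:bb:cc:dd:ee:01 DefaultSSID
this line is garbage and should be skipped
2026-05-03T08:12:00Z PROBE aa:bb:cc:dd:ee:03 HomeWiFi-5G
2026-05-03T08:15:00Z PROBE aa:bb:cc:dd:ee:01 DefaultSSID
2026-05-03T08:16:00Z PROBE AA:BB:CC:DD:EE:03 HomeWiFi-5G
"""

if __name__ == "__main__":
    for mac, n, span in unconfigured_devices(SAMPLE_LOG.splitlines()):
        print(f"{mac}: {n} probes for a default SSID over {span}s, never configured?")
```

The thresholds are deliberately conservative; tune them to your site. The useful output is a short list of MACs to walk to and onboard (or power off), which removes the half-handshake from the air entirely.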
- Squidbleed (CVE-2026-47729)
Pretty amazing vulnerability find that slipped past humans for 29 years, then uncovered by Mythos. It requires certain conditions to work. Not sure the use case for Squid proxies today, but we used to use it to save bandwidth back in the day in addition to monitoring for URLs that people visited and could enforce rules. We ran it on FreeBSD, and had T1s to provide Internet access at the time.
- CVE-2026-25860 – OpenClinic GA Reflected XSS to RCE
This still carries a 5.8 Medium CVSS, and is an example of why you can't rely on CVSS alone. You need enrichment and threat intel. And here's how an XSS turns into RCE: "This is where it gets good. Because the XSS executes within an authenticated session, the injected JavaScript abuses a misconfigured admin settings page (configparameters.jsp) to overwrite the readPictureApplication parameter, a command string later passed to another function. One POST to set the command, one GET to pull the trigger. That's your RCE."
- How Cloudflare responded to the “Copy Fail” Linux vulnerability
"Cloudflare published a great writeup on "Copy Fail" (CVE-2026-31431), a Linux local privilege escalation in the kernel crypto API where an out-of-bounds write in algifaead lets any unprivileged user open an AFALG socket, splice in a setuid binary like /usr/bin/su, and write shellcode into it 4 bytes at a time to get root, and the root cause traces back to a 2017 optimization that never enforced write boundaries. The slick part is the response: before the kernel patch was ready, they shipped an eBPF-LSM program to block AFALG bind calls for everything except an allow-list, and their behavioral detection flagged exploit attempts within minutes with no signature update. The takeaway is to disable algifaead if you don't need it, and to stop letting unprivileged users reach kernel attack surface like the crypto API by default."
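Added example (not from the show notes or Cloudflare's writeup): a check for the "disable algif_aead if you don't need it" takeaway. It parses `/proc/modules`, reports whether the AF_ALG family modules are absent, merely loaded, or actually held open by a user (a non-zero refcount, which means a blacklist alone will not take effect until that user goes away), and prints the modprobe.d fragment that makes the module unloadable by name rather than only by alias. The module names are the real kernel ones; the `/proc/modules` sample is constructed.

```python
from pathlib import Path
from typing import Dict, Iterable, List, NamedTuple


class KernelModule(NamedTuple):
    name: str
    size: int
    refcount: int
    used_by: List[str]
    state: str


# Kernel modules behind the AF_ALG socket family; algif_aead is the one the
# Copy Fail writeup singles out.
ALGIF_MODULES = ("algif_aead", "algif_skcipher", "algif_hash", "algif_rng", "af_alg")


def parse_proc_modules(text: str) -> Dict[str, KernelModule]:
    """Parse /proc/modules lines: 'name size refcount used_by state offset'.
    used_by is '-' or a comma-separated (trailing-comma) list of dependents."""
    mods: Dict[str, KernelModule] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        name, size, refcount, used_by, state = parts[:5]
        deps = [] if used_by == "-" else [d for d in used_by.split(",") if d]
        mods[name] = KernelModule(name, int(size), int(refcount), deps, state)
    return mods


def algif_exposure(text: str) -> Dict[str, str]:
    """For each AF_ALG-related module report 'absent', 'loaded' or 'in use'.
    'in use' means an open socket or a dependent module still holds it, so
    simply blacklisting it will not change what unprivileged users can reach
    until the holder is gone."""
    mods = parse_proc_modules(text)
    report = {}
    for name in ALGIF_MODULES:
        m = mods.get(name)
        if m is None:
            report[name] = "absent"
        elif m.refcount > 0 or m.used_by:
            report[name] = "in use"
        else:
            report[name] = "loaded"
    return report


def modprobe_fragment(modules: Iterable[str] = ("algif_aead",)) -> str:
    """Lines for /etc/modprobe.d/. 'install <mod> /bin/false' refuses the
    module even when it is requested by name; a plain 'blacklist' entry only
    stops alias-driven autoloading."""
    return "".join(f"install {m} /bin/false\n" for m in modules)


# Constructed /proc/modules excerpt (offsets are made up).
SAMPLE_PROC_MODULES = """\
algif_aead 16384 0 - Live 0xffffffffc0a00000
af_alg 32768 1 algif_aead, Live 0xffffffffc09f0000
xt_conntrack 16384 4 - Live 0xffffffffc09e0000
"""

if __name__ == "__main__":
    proc = Path("/proc/modules")
    text = proc.read_text() if proc.exists() else SAMPLE_PROC_MODULES
    for name, status in algif_exposure(text).items():
        print(f"{name:16s} {status}")
    print("suggested modprobe.d fragment:")
    print(modprobe_fragment(), end="")
```

Note the caveat this makes visible: on the constructed sample, `af_alg` is "in use" only because `algif_aead` depends on it, so removing the latter is what actually shrinks the surface. Whether the kernel has the family built in rather than as a module is a separate check (`/proc/modules` cannot show built-ins), which is one reason the eBPF-LSM approach described above is attractive as a belt-and-braces control.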
- Nearly Half of LG Smart TV Apps Contain Residential Proxy SDKs
This is so shady: "Spur Intelligence Labs scanned 6,038 apps across LG webOS and Samsung Tizen platforms and found that 2,058 of them contain embedded residential proxy SDKs. In plain terms, these apps quietly route third-party internet traffic through your home TV and its IP address, without most users ever realizing it. The apps involved are not the kind you would think to audit. Screensavers, fish tanks, clocks, casual games. Thin, low-friction apps that are designed to blend into the background. Under that surface, SDKs from companies like Bright Data, Massive, and Honeygain (an Oxylabs subsidiary) are monetizing the TV's internet connection in the background. Bright Data alone is tied to 367 proxy-flagged apps in the dataset, and in many cases the proxy company itself appears to be the publisher, shipping lightweight apps at scale as a distribution vehicle for its SDK." - It's a clear indicator that attackers are poised to live in areas we don't, under normal circumstances, control or have visibility into. They chose LG and Samsung because those companies try to run a locked down environment and don't have good policies about what apps can do. They also don't want users messing around with the device or having control, e.g. ever tried to remove apps only to have your TV tell you to pound sand?
- I Accidentally Logged as Admin Into a Threat Actor Website
Pretty neat, love it when this happens, it's great intel.
- Marking Your Own Homework (Check Point Remote Access VPN IKEv1 Authentication Bypass CVE-2026-50751)
This comment speaks volumes: "If you are out of luck and running an End-Of-Support version, you get what you deserve as a former paying customer: no hotfix at all."
- 2021 Honda Civic infotainment system can be jailbroken via USB
Test keys strike again. When the keys are public, it defeats the purpose.
- TP-Link Domain Takeover: How We Captured Enterprise Network Traffic via an Unregistered Domain
Sometimes it's this easy, not that analyzing all the firmware is that easy, but security comes down to the management of assets. It's super easy to forget about a domain, and attackers are there to take advantage of that. In this case, thankfully, it was a researcher who reported it responsibly and even transferred the domain back to them. Nice work!
- The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds
- Boot Naked Linux · … and another thing …
- Proxmox secure boot: June apocalypse
- A washing machine story
- vemu – Multi-Architecture Embedded System Emulator
- We May Be Living Through the Most Consequential Hundred Days in Cyber History, and Almost Nobody Has Noticed
- GreatXML a bitlocker that seems to only work if you ever had Defender Offline Scan
- Microsoft WinRE allows for bypass of UEFI/BIOS password enforcement
Interesting: "In UEFI-based systems, the UEFI boot manager supports the BootNext variable, which specifies a one-time boot target stored in non-volatile memory (NVRAM). The UEFI trust model assumes that only privileged software or the platform owner can modify NVRAM variables; however, the BootNext variable itself is not authenticated and takes precedence over the normal BootOrder configuration during the next boot cycle. When Secure Boot is enabled, firmware validates the integrity and signature of the boot application specified by BootNext before execution. The UEFI specification does not explicitly mandate a full platform reset when the BootNext variable is configured, leaving reset-handling and user authentication flows to the specific implementation. Consequently, the effectiveness of pre-boot security controls (such as UEFI/BIOS password protections and BitLocker full-disk encryption) can be bypassed via recovery environments like WinRE, provided a user has the privileges required to initiate such recovery."
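Added example (not from the show notes or the advisory): the quoted paragraph says a staged `BootNext` wins over `BootOrder` for exactly one boot, and that nothing forces a reset or re-authentication when it is set. A defender can at least see it coming. The script below decodes the two variables as Linux exposes them through efivarfs (a 4-byte attribute word followed by the data; `BootNext` is one UINT16, `BootOrder` a UINT16 array, both under the EFI global variable GUID) and reports a pending one-time boot target, noting whether it even appears in the normal boot order. The byte strings in the sample are constructed.

```python
import struct
from pathlib import Path
from typing import Dict, List, Optional

# EFI_GLOBAL_VARIABLE GUID under which BootNext/BootOrder live in efivarfs.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")
ATTR_LEN = 4  # efivarfs prefixes every variable's data with a UINT32 attribute word


def decode_boot_next(raw: Optional[bytes]) -> Optional[int]:
    """BootNext payload is a single little-endian UINT16 boot option number."""
    if raw is None or len(raw) < ATTR_LEN + 2:
        return None
    return struct.unpack_from("<H", raw, ATTR_LEN)[0]


def decode_boot_order(raw: Optional[bytes]) -> List[int]:
    """BootOrder payload is an array of little-endian UINT16 option numbers."""
    if raw is None or len(raw) < ATTR_LEN:
        return []
    body = raw[ATTR_LEN:]
    body = body[: len(body) - (len(body) % 2)]  # drop a stray trailing byte
    return list(struct.unpack("<%dH" % (len(body) // 2), body)) if body else []


def pending_one_time_boot(boot_next_raw: Optional[bytes],
                          boot_order_raw: Optional[bytes]) -> Dict[str, object]:
    """Summarise whether a one-time boot target is staged and whether it is a
    'normal' entry. A BootNext pointing at an option outside BootOrder is the
    pattern to alert on: the next reboot goes somewhere the platform owner did
    not put in the ordinary boot path."""
    target = decode_boot_next(boot_next_raw)
    order = decode_boot_order(boot_order_raw)
    return {
        "boot_next": target,
        "boot_order": order,
        "pending": target is not None,
        "in_boot_order": target in order if target is not None else False,
    }


def read_efivar(name: str) -> Optional[bytes]:
    """Read a global EFI variable from efivarfs, or None if absent/not UEFI."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
    try:
        return path.read_bytes()
    except OSError:
        return None


# Constructed samples: attributes 0x07 (NV|BS|RT), BootNext=0x0003, BootOrder=[0,1].
SAMPLE_BOOT_NEXT = b"\x07\x00\x00\x00" + b"\x03\x00"
SAMPLE_BOOT_ORDER = b"\x07\x00\x00\x00" + b"\x00\x00\x01\x00"

if __name__ == "__main__":
    live_next, live_order = read_efivar("BootNext"), read_efivar("BootOrder")
    if live_order is None:
        print("efivarfs not available; showing the constructed sample instead")
        live_next, live_order = SAMPLE_BOOT_NEXT, SAMPLE_BOOT_ORDER
    info = pending_one_time_boot(live_next, live_order)
    print(info)
    if info["pending"] and not info["in_boot_order"]:
        print("WARNING: one-time boot target outside the configured boot order")
```

Polling this from an endpoint agent (or logging it at shutdown) gives you a record of who staged the reboot into a recovery environment and when, which is the visibility the quoted paragraph says the firmware itself does not provide.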
Jeff Man
- Massive data breach exposes personal information of 3 million Texans
Even the data breaches are bigger in Texas! The good news - the compromise seems to have been detected early on by the Texas Cyber Command.
- Password manager maker LastPass says hackers stole customer support case data during Klue breach
Call me old-fashioned, but isn't a password manager the electronic equivalent of "all your eggs in one basket"?
Not to worry - it's third party breach from a market research firm (Klue). Does that make them Klueless???
- India’s Tata Electronics hit by cyber breach claiming to expose Apple, Tesla trade secrets
Save the Tata!!! (Can I say that?) They didn't discover the breach....they learned that data they had was being publicly posted on World Leaks.
- Looming AI-fueled threats require urgent cybersecurity improvements, Five Eyes members say
"Executives should focus on risk assessment and “foundational” security practices, the advisory said." There go those pesky fundamentals again...
- Policymakers struggle to factor cybersecurity into federal funding programs
Yes, Virginia - cybersecurity does cost money.
- AI could breach government and business defenses in months, US and its intelligence partners warn
or.... "[did] breach government and businesses...months [ago]"
- Five Eyes cyber security agencies statement
Here's the actual statement
- Secure Ideas Hires Jeff Man to Launch PCI Practice and Expand Industry Outreach
Apologies for the shameless plug - just wanted to put this out there. BONUS: we were officially listed as a QSA Company today!
Larry Pesce
Lee Neely
- Canada’s spy service received judge’s OK to target malware-infected devices
Canadian Security Intelligence Service (CSIS) obtained a warrant to access servers, home routers, and Internet of Things (IoT) devices infected with malware to "neutralize two foreign-run botnets."
Interesting compromise. Do you wait for consumers to clean infected devices in a fast moving attack, or do you clean or isolate them for you to turn the tide? In this case Canada obtained permission to intervene, and that permission was kept off the radar so the threat actors would not catch on. Problem is reaching into privately owned devices and wiping data, including cleanup of malware, is considered criminal mischief under Canada's criminal code, so they needed the court's sign-off. This is similar to the FBI's efforts in 2023 to wipe the KV-botnet malware from US SOHO routers. Main difference is that the DOJ & FBI were operating under search-and-seizure authority as law enforcement agencies, while CSIS is an intelligence service operating under a threat reduction measure to actively disrupt a threat, rather than just collect intelligence on it, a recent power which went into effect in 2019, unused before now. It will be interesting to see how this is used in the future.
- FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed – Claim Your Ethical Disclosure
Russian-speaking threat actors have breached Fortinet firewalls at organizations in nearly every country in the world. In all, nearly 74,000 Fortinet devices were compromised across more than 21,000 domains, and the credentials have been leaked online. The database of stolen information was discovered by security researcher Bob Diachenko, who found and accessed the threat actors' operational infrastructure. Affected organizations include Oracle, Chevron, Lenovo, Federal Express, a NATO defense contractor, and Fortinet.
This attack has breached Fortinet devices in 194 countries. Hudson Rock has published a lookup tool to see if your device is compromised; in addition, Fortinet is proactively contacting impacted customers. If you have a FortiGate appliance, affected or not, you should take the recommended actions.
- Windows and Linux users: The deadline to update Secure Boot keys is near
Certificates for the cryptographic keys in the Secure Boot process on computers running Windows and Linux will expire on June 24, 2026. Users must ensure their certificates are upgraded in order to protect against attacks on the UEFI (Unified Extensible Firmware Interface), including bootkits, which inhabit a machine where the firmware initializes the boot process, outside the operating system.
The certificates should be updated on supported operating systems through the normal update cycles. For your Windows systems you can check Windows Security Settings -> Device Security -> Secure Boot - look for a green checkmark. On Linux use mokutil --db to display the certificates and make sure they're updated.
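Added example (not from the show notes): the Linux half of that check, automated. `mokutil --db` (and `mokutil --kek`) print each certificate in openssl's text form, so the script pairs every `Subject:` CN with its `Not After` date, lists the entries that expire within a chosen horizon, and reports whether the replacement generation is present. One assumption is baked in and flagged in the code: the replacement Microsoft CAs all carry "2023" in their CN (for example "Microsoft UEFI CA 2023"), so that substring is used as the marker. The sample `mokutil` output is constructed; its fingerprints are made up and the dates are illustrative.

```python
import re
import shutil
import subprocess
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class DbCert(NamedTuple):
    subject_cn: str
    not_after: datetime


_SUBJECT = re.compile(r'^\s*Subject:.*?CN\s*=\s*([^,/]+)')
_NOT_AFTER = re.compile(r'^\s*Not After\s*:\s*(.+?)\s*$')
REPLACEMENT_MARKER = "2023"   # ASSUMPTION: the new Microsoft CA names contain this


def parse_mokutil(text: str) -> List[DbCert]:
    """Pair each certificate's Subject CN with its 'Not After' date. In the
    openssl text dump 'Validity' precedes 'Subject', so a cert is complete once
    both have been seen."""
    certs: List[DbCert] = []
    cn = None
    not_after = None
    for line in text.splitlines():
        m = _NOT_AFTER.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse 'Jun  7' padding
            not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
            continue
        m = _SUBJECT.match(line)
        if m:
            cn = m.group(1).strip()
        if cn is not None and not_after is not None:
            certs.append(DbCert(cn, not_after))
            cn = None
            not_after = None
    return certs


def secure_boot_report(text: str, today: datetime,
                       horizon_days: int = 180) -> Dict[str, object]:
    """Certs expiring within horizon_days of today, plus whether any cert of the
    replacement generation is already in the database."""
    certs = parse_mokutil(text)
    cutoff = today + timedelta(days=horizon_days)
    return {
        "expiring_soon": sorted(c.subject_cn for c in certs if c.not_after <= cutoff),
        "replacement_present": any(REPLACEMENT_MARKER in c.subject_cn for c in certs),
        "total": len(certs),
    }


# Constructed sample in the shape of 'mokutil --db' output; fingerprints are
# made up and the dates are illustrative, not an authoritative expiry list.
SAMPLE_MOKUTIL_DB = """\
[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Validity
            Not Before: Jun 27 21:22:45 2011 GMT
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 2]
SHA1 Fingerprint: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021
        Validity
            Not Before: Jun 13 18:58:29 2023 GMT
            Not After : Jun 13 19:08:29 2035 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
"""

if __name__ == "__main__":
    text = SAMPLE_MOKUTIL_DB
    if shutil.which("mokutil"):
        live = subprocess.run(["mokutil", "--db"], capture_output=True, text=True)
        if live.returncode == 0 and live.stdout.strip():
            text = live.stdout
    print(secure_boot_report(text, datetime.utcnow()))
```

A database that lists an expiring 2011 CA and no 2023 CA is the case to chase: the vendor's firmware or OS update has not landed yet, and that is the machine that will be stuck with stale trust anchors after the June date.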
- Dozens of America’s largest companies have no simple way to report security flaws
Research by cybersecurity journalist Zack Whittaker shows that among the 100 highest-revenue companies in the United States, about a third do not have a reporting channel for cybersecurity vulnerabilities.
Whittaker recommends companies look into the security[.]txt project by EdOverflow and read Luta Security CEO Katie Moussouris's blog to learn about bug bounties and disclosure programs. Researchers can look for security contact information at disclose.io by Casey Ellis and at findsecuritycontacts.com. If you don't have a VDP, leverage the resources above as well as NIST SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines and CISA's Vulnerability Disclosure Policy Template introduced in Binding Operational Directive 20-01.
- I Could’ve Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.
They fixed it without ever responding to me. I had to call FIFA, MediaKind, HBS, CISA, and the FBI at 3am Tokyo time just to get someone to listen.
The researcher registered a new account in the publicly available FIFA Agent Platform, requiring only an ID and an email address, and noted that the account was also added to FIFA's Microsoft Entra tenant. She tried to log into the Football Data Platform as well and was denied due to insufficient privileges, but discovered that only the client side involved any protection; the backend APIs served "whatever you asked for" without any checks. This included the official live production panel for managing the streaming of every FIFA World Cup 2026 match: controls to start, stop, and schedule video feeds of all camera angles, plus the full infrastructure of live video feed ingest URLs, broadcast output URLs, preview feeds, and stream keys.
A couple of takeaways here. First, separation of access. Second, don't blow off security reports.
- Texas Parks & Wildlife Data Breach Affects 3 Million Individuals
The Texas Parks and Wildlife Department (TPWD) has disclosed a data breach affecting roughly 3 million individuals. TPWD has published a notice disclosing a data security incident affecting a vendor that handles the system for hunting and fishing licenses. No information has been given about the timing or nature of the attack; Texas Cyber Command first alerted the TPWD to the activity, and investigation indicates that data belonging to over 3 million Texans over the age of 18 may have been stolen, including "driver license information, passport numbers (if provided), email addresses, phone numbers and residential addresses."
Third party security strikes again. I used to have a schedule for making sure each of our third-party service providers were up-to-speed when it came to current security settings.