This conversation explores the intersection of cybersecurity and emerging technologies: innovative hacking techniques, the evolution of vulnerability management, and the critical importance of asset discovery. The speakers discuss the implications of cyber warfare, the persistent threat of default credentials, the shared responsibility model in cloud infrastructure, and the integration of open source tools in enhancing security measures, along with aircraft tracking and data filtering. They also explore the role and limitations of AI in cybersecurity, including the potential of localized LLMs and the energy demands of AI, as well as vulnerabilities in telecom infrastructure, the complexities of network maintenance, and the challenges of ransomware negotiations. The discussion closes with privacy concerns related to data tracking by major tech companies like Meta and Apple, and the evolving landscape of legal implications in the face of cyber threats.
This segment is sponsored by runZero. Get complete visibility across your total attack surface in literally minutes - no agents, no authentication required. Start a free trial or access the free Community Edition at https://securityweekly.com/runzero.
HD Moore joins us to discuss finding all the things and how vulnerability management has changed. In the security news:
- Hacking from a light bulb
- Reverse engineering, the easy ways
- Detecting Jitter
- FCC probes into Cyber Trust Mark
- Bluetooth Jamming
- New Wifi Apple features: What could go wrong?
- Just turn off the Internet for the entire country
- Meta's Localhost tracking
- Hacking printers, for realz this time
- Are we not patching 2023 CVEs?
- Cleaning up legacy drivers
- One of the Best Hackers in the Country is an AI Bot
HD Moore is a pioneer of the cybersecurity industry who has dedicated his career to vulnerability research, network discovery, and software development since the 1990s. He is most recognized for creating Metasploit and is a passionate advocate for open-source software and vulnerability disclosure.
HD serves as the CEO and founder of runZero, which provides a single source of truth for exposure management across your total attack surface. Delivering in-depth visibility into every asset and exposure, runZero helps you mitigate risks faster, meet compliance requirements, and ensure you continuously discover critical insights that others miss—including unknown and unmanageable devices and elusive exposures that evade traditional tools.
Prior to founding runZero, HD held leadership positions at Atredis Partners, Rapid7, and BreakingPoint. HD has also been a frequent speaker at industry events such as Black Hat and DEF CON. HD’s professional journey began with exploring telephone networks, developing exploits for the Department of Defense, and hacking into financial institution networks.
Paul Asadoorian
- Threat Actors Distribute Compromised SonicWall SSL VPN NetExtender to Steal Sensitive Data
- GIMP Heap Overflow Re-Discovery and Exploitation (CVE-2025-6035)
- hak5peaks/Hackers-Nightlight: Turning smart lights into Wifi Hacking implants.
This is awesome: "Hackers nightlight V2 is inspired by the open source project's idea of creating a covert penetration testing tool to help uncover hardware vulnerabilities, test network security and response readiness. Hackers nightlight V2 brings new custom hardware packed inside of the same discrete light bulb format, containing a brand new webUI with focus on ease of use, and a suite of new abilities and tools." - A hacking toolkit in a lightbulb!
- Zyxel NWA50AX Pro – Discovery of an Nday Variant
I like the approach: reviewing the IoT device's web server config, then the CGI modules, then running the web server in a Docker container for analysis. I can't wait to try this approach.
- This Week In Security: That Time I Caused A 9.5 CVE, IOS Spyware, And The Day The Internet Went Down
Make sure you update your Meshtastic devices: "It was discovered that the flashing procedure of several hardware vendors was resulting in duplicated public/private keys. Additionally, while triaging this issue, it was discovered that the Meshtastic usage of the rweather/crypto library was failing to properly initialize the internal randomness pool on some platforms, leading to possible low-entropy key generation. When users with an affected key pair sent Direct Messages, those messages could be captured and decrypted by an attacker that has compiled the list of compromised keys."
- The Jitter-Trap: How Randomness Betrays the Evasive
This is not a new thing, I've worked on this before: "Varonis Threat Labs introduced Jitter-Trap, a novel technique for detecting stealthy cyberattack activities, especially during the post-exploitation and command-and-control (C2) phases. Attackers often use advanced frameworks (like Cobalt Strike, Sliver, Empire, Mythic, and Havoc) to maintain access and evade detection by introducing randomness—called "jitter"—into their beacon communications."
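As an added illustration of the idea (written for these notes, not Varonis's code): an implant configured with sleep S and jitter j waits a random time in [S·(1−j), S] before each callback, so its inter-arrival intervals are both bounded to a narrow band and spread flat across it, whereas human-driven traffic is long-tailed. The detector below scores one host-to-destination flow on exactly those two properties and recovers the configured sleep and jitter. The thresholds and the sample gap lists are constructed assumptions for the example, not captured traffic.

```python
"""Beacon jitter detector, written for these notes (not Varonis's code).

A C2 implant configured with sleep S and jitter j picks a random delay in
[S*(1-j), S] before each callback.  Two things follow: every inter-arrival
interval lies in a narrow band, and within that band the values are spread
flat (uniform).  Human-driven traffic is long-tailed instead.  The detector
below scores one host->destination flow on exactly those two properties.
"""
from typing import Dict, List


def intervals(timestamps: List[float]) -> List[float]:
    """Seconds between consecutive connections, in time order."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def ks_uniform(deltas: List[float]) -> float:
    """Kolmogorov-Smirnov distance between the intervals and a uniform
    distribution on [min, max].  Close to 0 means 'flat', i.e. jitter-like."""
    xs = sorted(deltas)
    lo, hi = xs[0], xs[-1]
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs):
        f = (x - lo) / (hi - lo)            # uniform CDF at x
        d = max(d, abs((i + 1) / n - f), abs(i / n - f))
    return d


def analyze(timestamps: List[float], min_samples: int = 10,
            max_jitter: float = 0.5, max_ks: float = 0.25) -> Dict[str, object]:
    """Flag a flow whose intervals look like sleep+jitter.  Thresholds are
    assumptions for this example; tune them on your own traffic."""
    ds = intervals(timestamps)
    if len(ds) < min_samples:
        return {"suspicious": False, "reason": "too few connections", "n": len(ds)}
    lo, hi = min(ds), max(ds)
    if hi <= 0:
        return {"suspicious": False, "reason": "no time between connections", "n": len(ds)}
    est_jitter = 1.0 - lo / hi              # jitter shrinks the sleep, so max ~= S
    if hi == lo:                            # jitter 0: a fixed-period beacon, even easier
        return {"suspicious": True, "reason": "fixed period", "est_sleep": hi,
                "est_jitter": 0.0, "ks": 0.0, "n": len(ds)}
    ks = ks_uniform(ds)
    suspicious = est_jitter <= max_jitter and ks <= max_ks
    return {"suspicious": suspicious,
            "reason": "bounded, flat intervals" if suspicious else "long-tailed",
            "est_sleep": hi, "est_jitter": est_jitter, "ks": ks, "n": len(ds)}


def to_timestamps(deltas: List[float], start: float = 1_700_000_000.0) -> List[float]:
    """Turn a list of gaps into absolute timestamps (helper for the samples)."""
    ts = [start]
    for d in deltas:
        ts.append(ts[-1] + d)
    return ts


# Constructed samples (not captured traffic): a 60 s sleep / 20 % jitter
# beacon yields gaps in [48, 60]; the browsing flow has bursts and idle gaps.
BEACON_GAPS = [48 + (i * 7) % 13 for i in range(40)]
BROWSING_GAPS = [1, 0.4, 3, 95, 2, 1, 700, 0.2, 12, 3600, 5, 1, 40, 1800, 2]

if __name__ == "__main__":
    for name, gaps in (("beacon", BEACON_GAPS), ("browsing", BROWSING_GAPS)):
        print(name, analyze(to_timestamps(gaps)))
```

Feed it per-(source, destination) connection times from proxy or NetFlow logs; the beacon sample comes back as suspicious with an estimated sleep of 60 s and jitter of 0.2, while the browsing sample is rejected because its gaps span four orders of magnitude. A fixed-interval beacon (jitter 0) is handled separately, since a uniform-fit test is meaningless on a constant.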
- EmenstaNougat/ESP32-BlueJammer: The ESP32-BlueJammer
"The ESP32-BlueJammer (Bluetooth jammer, BLE jammer, WiFi jammer, RC jammer) disrupts various devices using an ESP32 and nRF24 modules, causing plenty of noise and sending unnecessary packets (DoS). It interrupts: The whole 2.4GHz broadband! Everything that works on 2.4GHz is being interfered with, like: audio in speakers being transmitted over bluetooth, microphones on 2.4GHz, smartphone connections, WiFi, RC Drones (etc.), IoT devices, smart gadgets, wireless keyboard & mouse, just anything on 2.4GHz! Ideal for controlled disruption and security testing. Based on 2.4GHz communication. It has a big range (over 30 meters+ - may vary on your antenna and hardware setup!) on newest Bluetooth versions with casual 2.4GHz antennas; you can easily increase this as well by taking some simple "bigger" router antennas. An amplifier (2.4GHz) may be a good option too! Remember that jamming is illegal and should not be used with malicious intent!" - Add this to the list of things I want to build...
- Jürgen Schmidhuber:The Father of Generative AI Without Turing Award
Interesting: "Schmidhuber argues that the history of AI is often misrepresented, with many early European contributions overlooked in favor of a Silicon Valley-centric narrative. He has publicly debated prominent AI researchers (the so-called "Deep Learning Trio": Yann LeCun, Geoffrey Hinton, Yoshua Bengio) for not adequately crediting prior work, including his own. Despite his significant impact, Schmidhuber has not received the Turing Award, a point of industry discussion but not personal concern for him. He criticizes the award’s recipients for republishing others’ work without proper attribution and calls for greater scientific integrity in AI research."
- 7h30th3r0n3/Raspyjack: Small offensive network toolkit for Raspberry Pi (+ Waveshare 1.44″ LCD HAT) inspired by sharkjack functionalities. For redteam and educational purposes only.
Parts have been ordered and I will be building one of these...
- Exploiting Erlang OTP with Zip files: CVE-2025-4748 – GreyNoise Labs
"There’s a new Erlang OTP vulnerability, CVE-2025-4748. It’s an Absolute Path Traversal vulnerability involving a Zip archive, which I have a lot of practice with. It affects Erlang OTP, which a coworker has already written about recently and noted the necessary steps to set up an environment. This is a “local” vulnerability (unless you’re unpacking a Zip archive as part of a network call), but is still fun to play with."
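To make the bug class concrete, here is an added example (written for these notes in Python, not Erlang/OTP code and not GreyNoise's): an extractor that joins archive entry names onto the destination directory without checking them will write wherever the archive author chose, because an entry name may be absolute, carry a drive letter, or climb out with `..`. The function below applies the checks an extractor needs and runs them against a constructed archive with one benign and three escaping entries. Entry names and contents are invented for the example.

```python
"""Zip entry sanitiser, written for these notes (not Erlang/OTP code).

The bug class behind an absolute-path-traversal Zip finding is an archive
whose entry names are absolute (or otherwise escape the extraction
directory).  An extractor that joins the entry name onto the destination
without checking it writes wherever the archive author chose.  Python's own
ZipFile.extract() strips leading separators and '..' for you; this code
bypasses it on purpose to show the checks an extractor must make itself.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import List, Tuple

_DRIVE = re.compile(r"^[A-Za-z]:")


def is_unsafe_name(name: str, dest: str) -> bool:
    """True if extracting `name` under `dest` could land outside `dest`."""
    if name.startswith(("/", "\\")) or _DRIVE.match(name):
        return True                                    # absolute or drive-letter path
    norm = name.replace("\\", "/")
    if ".." in norm.split("/"):
        return True                                    # parent-directory traversal
    target = os.path.realpath(os.path.join(dest, *norm.split("/")))
    root = os.path.realpath(dest)
    return os.path.commonpath([root, target]) != root  # resolved-path containment check


def safe_extract(data: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract only safe entries; return (extracted, rejected) entry names."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_unsafe_name(info.filename, dest):
                rejected.append(info.filename)
                continue
            parts = info.filename.replace("\\", "/").split("/")
            target = os.path.join(dest, *parts)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry and three escaping ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ok/readme.txt", "harmless\n")
        zf.writestr("/etc/cron.d/evil", "* * * * * root /tmp/x\n")     # absolute path
        zf.writestr("../../outside.txt", "escaped\n")                    # traversal
        zf.writestr("C:\\Windows\\Temp\\evil.bat", "echo pwned\n")       # drive-letter path
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str]]:
    """Extract the sample archive into a scratch directory and report."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_malicious_zip(), dest)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected:", bad)
```

The `realpath` containment check is the backstop for anything the string tests miss (for example a symlinked directory already present under the destination); the string tests are still worth keeping because they reject the entry before any filesystem work happens.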
- iOS 26 Adding Two New Wi-Fi Features, Allows AirDrop and AirPlay Alternatives
What could go wrong?
- "Apple was working on a feature that would sync captive Wi-Fi network sign-in information across the iPhone, iPad, and Mac. This means that if you are asked to fill out a web form on one Apple device before connecting to a public Wi-Fi network at a hotel, airport, or coffee shop, that information would automatically be shared with your other Apple devices."
- "Apple is making a Wi-Fi Aware framework available to developers, allowing for App Store apps to offer peer-to-peer connections between Wi-Fi devices, without an internet connection or access point. Wi-Fi Aware will allow for third-party apps to offer new built-in features for high-speed file transfers, media streaming, screen sharing, and more."
- Qilin ransomware gang now offers a “Call Lawyer” feature to pressure victims
This is so weird: "A notable feature is the “Call Lawyer” function, which provides legal consultation to increase pressure during ransom negotiations. Additionally, with network propagation capabilities and a DDoS option introduced in April 2025, Qilin enhances its adaptability for various attack scenarios."
- Iran confirmed it shut down internet to protect the country against cyberattacks
I've heard:
- Israel launched a disinformation campaign by hacking TV stations to spread propaganda
- Anti-missile systems were compromised before the attack (unconfirmed?)
- CCTV cameras were hacked to view the damage done by attacks (apparently Iran hacked Israel's cameras to view the damage from one missile that slipped past defenses)
- And then there is this report that Iran shut down the Internet, now I am thinking it was to stop the propaganda campaign; however, there are likely other motives
- Multiple Brother Devices: Multiple Vulnerabilities (FIXED) (Rapid7)
"Rapid7 conducted a zero-day research project into multifunction printers (MFP) from Brother Industries, Ltd. This research resulted in the discovery of 8 new vulnerabilities. Some or all of these vulnerabilities have been identified as affecting 689 models across Brother’s range of printer, scanner, and label maker devices. Additionally, 46 printer models from FUJIFILM Business Innovation, 5 printer models from Ricoh, 2 printer models from Toshiba Tec Corporation, and 6 models from Konica Minolta, Inc. are affected by some or all of these vulnerabilities. In total, 748 models across 5 vendors are affected." - So much to consume here, the most severe vulnerability apparently cannot be fixed with a patch, which begs so many questions.
- Remote Code Execution on 40,000 WiFi alarm clocks
I like how they got the firmware: run strings on the Android APK, find the URL, then download it. So much easier than hardware lol
- Canadian telecom hacked by suspected China state group
"On Monday, Canada's Cyber Center said that three network devices operated by an unnamed Canadian telecom company “were compromised by likely Salt Typhoon actors in mid-February 2025.” The hackers exploited CVE-2023-20198 to retrieve running configuration files from the devices and modified at least one of the files to create a GRE tunnel allowing traffic collection from the network the devices were connected to." - Are we not patching Cisco vulnerabilities from 2023? Why not?
Larry Pesce
- Hack Turns Nissan Leaf Into Giant RC Car
- FCC Probes Biden-Era ‘Cyber Trust Mark’ Program Over ‘Concerning’ Ties to China
- John Deere Must Face FTC Lawsuit Over Its Tractor Repair Monopoly, Judge Rules
- “Localhost tracking” explained. It could cost Meta 32 billion.
- New Linux udisks flaw lets attackers get root on major Linux distros
- NREL Maps Out US Data Infrastructure
- ‘Suspended animation’: US government upheaval has frayed partnerships with critical infrastructure
Lee Neely
- Canadian telecom hacked by suspected China state group
In a jointly published statement, the Canadian Centre for Cybersecurity and the US Federal Bureau of Investigation (FBI) are warning that a group of Chinese state-sponsored threat actors known as Salt Typhoon have exploited a known, critical vulnerability to compromise a Canadian telecommunications firm. The vulnerability, CVE-2023-20198, which has a CVSS score of 10.0, has also been exploited by the threat actors to target the networks of US telecommunications companies, including Verizon, Lumen, AT&T, and most recently Viasat.
CVE-2023-20198, CVSS score 10.0, and CVE-2023-20273, CVSS score 7.2, are being used together to obtain access and escalate privileges. CVE-2023-20198 was added to the CISA KEV catalog on 10/16/2023, with a due date of 10/20/2023 due to exploit activity observed at that time. Cisco released software updates in October 2023; there isn't an effective workaround. Make sure that you're applying the updates to your boundary control and network equipment. Where services are critical, such as telecom, broadband or satellite, make sure that you have redundancy and fail-over, not only to support the required service level but also so you can patch without service interruption.
Cyber threat bulletin: People's Republic of China cyber threat activity: https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-prc-cyber-actors-target-telecommunications-companies-global-cyberespionage-campaign
- Critical Citrix NetScaler bug fixed, upgrade ASAP! (CVE-2025-5777) – Help Net Security
Citrix has fixed a critical out-of-bounds read vulnerability in NetScaler ADC and NetScaler Gateway. The flaw, CVE-2025-5777 "could potentially allow unauthorized attackers to steal valid session tokens from the memory of Internet-facing NetScaler devices via malformed requests." CVE-2025-5777 bears resemblances to CVE-2023-4966, known as CitrixBleed. In the same security bulletin, Citrix also addressed CVE-2025-5349, a high-severity improper access control vulnerability affecting NetScaler ADC and NetScaler Gateway.
Historically, attackers have been quick to leverage vulnerabilities in Citrix Netscaler services, so rapid application of the fix is prudent. After applying the patches to your NetScaler devices, be sure to terminate any active ICA and PCoIP sessions to invalidate any possibly stolen session tokens. Session termination, using the kill sessions command, rather than a reboot, is required to prevent those sessions from being restored using existing tokens.
- Removal of unwanted drivers from Windows Update
In a June 19 Hardware Dev Center blog, Microsoft writes that they will "clean up" legacy drivers on Windows Update to improve compatibility and strengthen security. The first set of drivers that will be pulled are those that already have replacements on Windows Update. Microsoft writes, "the rationale behind this initiative is to ensure that we have the optimal set of drivers on Windows Update that cater to a variety of hardware devices across the Windows ecosystem, while making sure that Microsoft Windows security posture is not compromised."
They are working to remove expired/legacy drivers. Six months' notice will be provided to those whose drivers will be unpublished/expired. Partners whose drivers are removed can request that they be republished, but must provide a business justification. While not stated, those drivers will likely be expected to meet current security requirements, as Microsoft states that compatibility and security are the core drivers, no pun intended, behind this project.
- The Roadmap to Community Cyber Defense: A Path Forward from the Cyber Resilience Corps – CLTC
The CLTC is proposing a mechanism for filling gaps in cybersecurity through the use of volunteer organizations and low-cost cybersecurity services to achieve security goals, particularly for community organizations. Elements include not only how to organize and simplify over time, but also guidance for states to create a regional cyber support ecosystem. As one involved in multiple nonprofits with limited to no cybersecurity budget, having an organized approach to leveraging available free, or nearly free, resources, coupled with an overall approach, is a big win.
- CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed a security flaw impacting the Linux kernel in its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild. The vulnerability, CVE-2023-0386 (CVSS score: 7.8), is an improper ownership bug in the Linux kernel that could be exploited to escalate privileges.
CVE-2023-0386 had patches released in January 2023, and initial POC exploits appeared in May 2023. While the description of the exploit is hard to follow, it's easy to perform and your Linux distro is likely included, so make sure you're running the latest supported kernel. Aside from the patch, one mitigation is to block the loading of the OverlayFS kernel module, but test, as that can have operational impacts.
- 23andMe fined £2.31 million for failing to protect UK users’ genetic data
The UK's Information Commissioner's Office (ICO) has fined 23andMe £2.31M (US$3.13M) "for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023." For several months in mid-2023, a threat actor conducted a credential stuffing attack that compromised personal information of nearly 160,000 UK residents. The ICO found that 23andMe lacked multi-factor authentication for access to stored raw genetic data. The ICO also cited 23andMe's "inadequate" response to the incident. Since the breach, 23andMe has filed for bankruptcy and is expected to be sold to a new owner.
ICO is really watching protections of personal information. Make sure you're not only implementing MFA and robust access controls, but also properly obtaining permission for collection of the data you have. If you haven't checked your protection, disposal and access controls on PII recently against all applicable privacy standards (GDPR, CCPA/CPRA, HIPAA, GLBA, COPPA, etc.), it's time.
- Data of more than 740,000 stolen in ransomware attack on Michigan hospital network
Michigan-based McLaren Health Care has begun notifying more than 743,000 people that their data were compromised during a 2024 ransomware attack. The threat actors had access to McLaren's systems between July 17 and August 3, 2024. The compromised data include both personally identifiable information (PII) and protected health information (PHI). While the incident was detected in August 2024 and disclosed later that same month, the investigation to determine who was affected did not conclude until early May 2025. This is the second ransomware attack McLaren has suffered in the past several years; a July 2023 incident compromised data belonging to 2.2 million individuals.
The information disclosed included names, driver's license numbers and medical information. Victims are being given one year of credit monitoring services. Two things jump out: first, the investigation taking ten months; second, that they were successfully compromised twice within twelve months. I'm not unsympathetic, this had to be horrible for McLaren, and today's table stakes are such that you need to be expeditious in your investigation and comprehensive in your mitigations to maintain the confidence of both consumers and regulators.
- WordPress Motors theme flaw mass-exploited to hijack admin accounts
Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme "Motors" to hijack administrator accounts and gain complete control of a targeted site. The malicious activity was spotted by Wordfence, which had warned last month about the severity of the flaw, tracked under CVE-2025-4322, urging users to upgrade immediately.
CVE-2025-4322, a privilege escalation/account takeover flaw, has a CVSS score of 9.8. In short, the theme didn't properly validate a user before allowing a password change, so an arbitrary user could change any password, including the administrator's. If you're using the Motors theme, make sure you're on 5.6.68 or higher. Double-check whether your theme updates are automatic; your content providers may not wish those to update without oversight.
- Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages
The April 2025 cyber attacks targeting U.K. retailers Marks & Spencer and Co-op have been classified as a "single combined cyber event." That's according to an assessment from the Cyber Monitoring Centre (CMC), a U.K.-based independent, non-profit body set up by the insurance industry to categorize major cyber events, "given that one threat actor claimed responsibility for both M&S and Co-op, the close timing, and the similar tactics, techniques, and procedures (TTPs)." CMC declined to include the recent Harrods breach in the combined event. The threat actors believed to be responsible for the attacks appear to have turned their attention to US insurance companies.
The group leverages its English-speaking members to pull off advanced social engineering attacks to obtain unauthorized access. Not unlike a marketing campaign, this group focuses on a single target at a time. Rather than worry about whether you're a target or not, make sure that you're prepared for social engineering, including fake IT support calls/emails. Ask what's trending in your email quarantine/spam filters and reward reporting.
- Asana warns MCP AI feature exposed customer data to other orgs
On June 4, Asana identified a bug in its Model Context Protocol (MCP) server and took the server offline to investigate. While the incident was not the result of an external attack, the bug could have exposed data belonging to Asana MCP users to users in other accounts.
The flaw allowed a user to access their permitted data types from other customers, due to incomplete access control enforcement. Have your Asana admin review logs for MCP access, review AI-generated summaries/answers, and immediately report any data which appears to be from another organization.
See UpGuard blog for timeline and mitigations: https://www.upguard.com/blog/asana-discloses-data-exposure-bug-in-mcp-server
Sam Bowne
- Publishers facing existential threat from AI, Cloudflare CEO says
Ten years ago, Google crawled two pages for every visitor it sent a publisher. Now the ratio is 18:1. For AI companies, it's thousands to one and rapidly increasing. Publishers need to take action to make sure they are fairly compensated for their content. Cloudflare is working on a new tool that will stop content scraping.
- Protect Yourself From Meta’s Latest Attack on Privacy
Researchers recently caught Meta using an egregious new tracking technique to spy on Android users. They used a listening port on the loopback address to circumvent the application sandbox and export tracking cookies (see next article). Using Web bugs, they spy on you, recording how visitors use a website and respond to ads, and siphoning potentially sensitive info like financial information from tax filing websites and medical information from hospital websites, all in service of the company’s creepy system of surveillance-based advertising. Even users who blocked or cleared cookies, hid their IP address with a VPN, or browsed in incognito mode could be identified.
Recommended defense measures include using a Privacy-Focused Browser, avoiding in-app browsers, and deleting unneeded apps.
- Disclosure: Covert Web-to-App Tracking via Localhost on Android
We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes. They also expose users' browsing histories. Both Facebook and Yandex removed this code after being notified that these practices were going to be published.
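The mechanism described above depends on an app holding a listener on a fixed local port that any web page can reach through the device's loopback interface. An added example (written for these notes, not the researchers' tooling) of how to triage that on a device: `/proc/net/tcp` lists every TCP socket with its hex-encoded address, state and owning UID, so one read of it (for instance via `adb shell cat /proc/net/tcp`) reveals which app UIDs are listening and on which interface. The parser below decodes that file; the sample contents, port numbers and UIDs are constructed for the example, not from a real device.

```python
"""Loopback listener triage from /proc/net/tcp, written for these notes
(not the researchers' tooling).

Each line of /proc/net/tcp carries the local address as little-endian hex
IPv4 and hex port, the socket state (0A = LISTEN) and the owning UID.  On
Android, UIDs from 10000 upward belong to installed apps, so an app-owned
listener bound to 127.0.0.1 is exactly the thing to review.
"""
from typing import List, NamedTuple

LISTEN = "0A"                 # TCP_LISTEN in the st column
FIRST_APP_UID = 10000         # Android assigns app UIDs from 10000 upward


class Listener(NamedTuple):
    ip: str
    port: int
    uid: int
    loopback_only: bool


def _decode_ipv4(hexaddr: str) -> str:
    """'0100007F' -> '127.0.0.1' (the kernel writes the address little-endian)."""
    raw = bytes.fromhex(hexaddr)[::-1]
    return ".".join(str(b) for b in raw)


def parse_listeners(proc_net_tcp: str) -> List[Listener]:
    """Every listening socket in the table, with its bind address and owner."""
    out = []
    for line in proc_net_tcp.splitlines()[1:]:        # first line is the header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        addr, port = fields[1].split(":")
        ip = _decode_ipv4(addr)
        out.append(Listener(ip, int(port, 16), int(fields[7]),
                            loopback_only=ip.startswith("127.")))
    return out


def app_listeners(proc_net_tcp: str) -> List[Listener]:
    """Listeners owned by installed apps (not system daemons): the set to
    review against each app's legitimate need to accept local connections."""
    return [lst for lst in parse_listeners(proc_net_tcp) if lst.uid >= FIRST_APP_UID]


# Constructed sample (not from a real device): an app (uid 10188) listening on
# 127.0.0.1:12345, one established connection to it, and a system daemon
# (uid 1000) on 0.0.0.0:8080.  Ports and UIDs are invented for the example.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10188        0 42001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:3039 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000 10188        0 42003 1 0000000000000000 20 4 30 10 -1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 42002 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for lst in app_listeners(SAMPLE_PROC_NET_TCP):
        print(lst)
```

Map a flagged UID back to a package with `pm list packages -U` on the device, and check `/proc/net/udp` the same way for UDP-based variants. Note that newer Android releases restrict `/proc/net` to privileged callers, so a rooted device or an emulator may be needed to see sockets other than the shell's own.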
- CoinMarketCap suffered a front-end breach involving malicious JavaScript
The breach involved the injection of malicious JavaScript code into the site’s rotating “Doodles” feature, asking users to “verify wallet,” a pop-up meant to steal their funds. Attackers appeared to have backend access and set an expiration time on the exploit, which could have been planned in advance.
- Scoop: WhatsApp banned on House staffers’ devices
The Office of Cybersecurity has deemed WhatsApp a high-risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved with its use.
The chief administrative officer has in recent years set at least partial bans on DeepSeek, ByteDance apps and Microsoft Copilot. It has also heavily restricted staffers' use of ChatGPT, instructing offices to only use the paid version, ChatGPT Plus.
- Cluely, a startup that helps ‘cheat on everything,’ raises $15M from a16z
Cluely helps users “cheat” on job interviews, exams, and sales calls. The startup was co-founded earlier this year by 21-year-old Roy Lee and Neel Shanmugam, who were suspended from Columbia University for developing an undetectable AI-powered tool called “Interview Coder” to help engineers cheat on technical interviews.
- Scale AI exposed sensitive data about clients like Meta and xAI in public Google Docs, BI finds
Scale AI is an American company that provides data labeling and model evaluation services to develop applications for artificial intelligence. Scale AI routinely uses public Google Docs for work with Google, Meta, and xAI. This exposed thousands of files — some marked confidential, others exposing contractor data. Scale AI says it's conducting a "thorough investigation."
My question is: where were compliance standards? How can such huge, important companies have no management of third-party risk?
- This German startup lands €10M to turn cockroaches and other insects into AI-enabled, controllable bio-robots for high-risk zones
Founded in 2024, SWARM Biotactics is a German bio-robotics company pioneering “a new category of robotics” using controllable living insects. The company’s technology consists of cockroaches equipped with custom-built backpacks that enable control, sensing, and secure communication.
- Researchers say AI hacking tools sold online were powered by Grok, Mixtral
“WormGPTs” are usually cobbled together from open-source models and other toolsets and can generate code, search for and analyze vulnerabilities, and are then marketed and sold online. But two of them appear to be just using jailbreak prompts on top of Grok and Mistral. These products dramatically demonstrate the fundamental insecurity of LLMs, which are all persistently vulnerable to prompt injection.
- One of the Best Hackers in the Country is an AI Bot
Xbow's AI product topped HackerOne’s US leaderboard, finding security bugs from more than a dozen well-known companies, including Amazon, Walt Disney, PayPal, and Sony. While Xbow’s algorithm does well in finding things like common coding errors and security issues, it does poorly at realizing when a flaw results from product design logic. It also requires human supervision to filter out AI hallucinations.
- BMW ConnectedDrive lets me control my returned rental car (Sixt)
I rented a BMW. I created my own BMW ID and paired it with the car. When returning the car, I told the Sixt representative that I had linked my BMW ID — they assured me that the vehicle would be reset. But later I still had full remote access, with live location tracking, remote lock/unlock, honking (hehe), and turning lights on/off.
- Is Sergio Gor A Russian Spy? Bizarre Claim About Top White House Official Goes Viral
UPDATE: Brian Krebs explained his error here: https://www.linkedin.com/posts/bkrebs_i-posted-earlier-about-some-research-into-activity-7341511931389689856-LbSV/
He mistook a dot for a dash. I don't think this story is worth talking about on the show. I'm leaving it here just in case others want to know what happened.
Brian Krebs, the famous cybersecurity investigative reporter, published an article claiming that Sergio Gor, Director of the White House Presidential Personnel Office, is a Russian spy. He then apologized and deleted it.