This segment is sponsored by Flashpoint. Visit https://securityweekly.com/flashpoint to learn more about them!
Recent leaks tied to LockBit and Black Basta have exposed the inner workings of two of the most notorious ransomware groups—revealing their tactics, negotiation strategies, and operational infrastructure. For defenders, this rare window into adversary behavior offers critical intelligence to strengthen incident response and prevention strategies. In this interview, we'll break down what these leaks reveal and how security teams can use this intelligence to proactively harden their defenses, including:
- Key takeaways from the LockBit and Black Basta leaks—and what they confirm about ransomware operations
- How leaked playbooks, chats, and toolkits can inform detection and response
- Practical steps to defend against modern ransomware tactics in 2025
In the security news:
- Practical exploit code
- Old vulnerabilities, new attackers
- AI and web scraping - the battle continues
- 0-Days: You gotta prove it
- WinRAR 0-Day
- LLM patch diffing
- $20 million bug bounty
- Your APT is showing
- Hacking from the routers
- It's that easy, eh?
- NIST guidance on AI
- Words have meaning
- Developers knowingly push vulnerable code
- My Hackberry PI post is live: https://eclypsium.com/blog/build-the-ultimate-cyberdeck-hackberry-pi/
Resources:
- Inside the LockBit Leak: Rare Insights Into Their Operations: https://flashpoint.io/blog/inside-the-lockbit-leak/?utmcampaign=WBHostedSCMedia2025&utmsource=SCMedia&utmmedium=email&sfcampaign_id=701Rc00000S48bZIAR
- 2025 Ransomware Survival Guide: https://flashpoint.io/resources/e-book/2025-ransomware-survival-guide/?utmcampaign=WBHostedSCMedia2025&utmsource=SCMedia&utmmedium=email&sfcampaign_id=701Rc00000S48bZIAR
- AI and Threat Intelligence: The Defenders’ Guide https://go.flashpoint.io/ai-and-threat-intelligence-guide?utmcampaign=WBHostedSCMedia2025&utmsource=SCMedia&utmmedium=email&sfcampaign_id=701Rc00000S48bZIAR
Ian Gray is a VP of Intelligence at Flashpoint, where he focuses on cybercrime intelligence. Ian actively researches cybercriminal fraud venues and misuse of new and emerging technologies. He holds a Master’s degree from Columbia University’s School of International and Public Affairs, where he studied cyber policy. Ian is also an adjunct professor at Fordham University’s Cybersecurity Program, where he teaches a course on technology and policy.
Join us at InfoSec World 2025, October 27 to 29 at Disney’s Coronado Springs Resort, Lake Buena Vista! With pre-event workshops October 25–26, and post-event workshops October 29–30. Connect, learn, and level up your cyber game! Save 25% now with code ISW25-SW at https://www.securityweekly.com/ISW2025!
Join us August 26 at 11 AM Eastern for Securing the Backbone: Strategies to Counter Cyber Threats to Critical Infrastructure in the Public Sector! Hear from top experts in energy, transportation, healthcare, and more as they share real-world attacks and proven defenses. Register now for complimentary access with code CSS25-SW at securityweekly.com/cssinfra2025!
Paul Asadoorian
- Intel Outside: Hacking every Intel employee and various internal websites
- How Exposed TeslaMate Instances Leak Sensitive Tesla Data
- Linux Kernel netfilter: ipset: Missing Range Check LPE – SSD Secure Disclosure
- 2025 BSidesLV CVE Panel – My Comments
- Breaching WPA2 PSK Wireless Networks – PwnDefend
- Laser Fault Injection on a Budget: DEFCON 33 Showcase
- Secure Boot, TPM and Anti-Cheat Engines
- Should Security Solutions Be Secure? Maybe We’re All Wrong – Fortinet FortiSIEM Pre-Auth Command Injection (CVE-2025-25256)
So here's the thing:
- Fortinet said: "Practical exploit code for this vulnerability was found in the wild." and then Watchtowr said: "We’ve been told time and time again that attackers only manage to understand a vulnerability when some horrible security researcher releases an analysis. And yet - somehow - we're seeing in-the-wild exploitation without asking the security community’s permission first. Strange!"
First, what is "practical exploit code"? This hints that impractical exploit code exists. What does that even mean? Second, the tables have been turned. Before, I felt like security researchers were showcasing all the cool hacks and techniques, and threat actors would take what we made public and exploit it. Now it seems like threat actors are finding cool things, exploiting them, and security researchers are reverse-engineering to show the cool stuff. Threat actors have gotten better; they are pre-scanning the Internet for targets, then patch diffing to find vulnerabilities, then creating exploits for them. Then, they buy/sell/trade/share these tools and try to keep them from being discovered by the rest of us.
- FBI: Russian FSB spies exploiting a 7-year-old Cisco bug
Breaking down some of the recent reports of threat actor behavior explains why we are losing the battle. Take these 3 points:
- "targeting outdated networking gear that accepts legacy, unencrypted protocols like Cisco Smart Install (SMI) and Simple Network Management Protocol (SNMP)."
- "They've also deployed custom malware for some Cisco devices, such as 2015's SYNful Knock router implant."
- "There's a super-old critical bug in the Cisco Smart Install feature of Cisco IOS and IOS XE software, tracked as CVE-2018-0171, which the networking giant fixed in March 2018."
Basic security practices take away this attack surface. For example:
- getting rid of legacy, unencrypted protocols
- Arming ourselves with detection and prevention for 10-year-old attacker techniques
- Patching our systems, especially for any of 2018's vulnerabilities
However, the point I really want to make is this: Vulnerabilities and attacker techniques are implemented on a timeline that can be pretty random. Sometimes it's 10 years after a Blackhat talk that we see in-the-wild usages. Don't wait until something is actively being used to defend against it; by then it's too late. Here's the mind bender: Mike Lynn broke open Cisco IOS hacking in 2005, implants were seen in the wild in 2015, and attackers are observed today using these techniques to implant routers.
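As an added example (not from the show or any linked article), here is a small Python check that audits a constructed Cisco IOS-style running-config for the legacy management services mentioned above: Smart Install (the `vstack` service behind CVE-2018-0171), cleartext SNMP v1/v2c community strings, Telnet and the HTTP management server. The hostname, community strings and credentials in the sample are made up.

```python
"""Audit a Cisco IOS-style running-config for legacy, unencrypted management
services (Smart Install, SNMP v1/v2c, Telnet, HTTP). Added example; the sample
configs below are constructed and not taken from any real device."""
import re

# Constructed sample with the weak settings still in place.
WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample after applying the basic practices from the notes.
HARDENED_CONFIG = """\
hostname edge-rtr-1
no vstack
no ip http server
snmp-server group OPS v3 priv
snmp-server user opsuser OPS v3 auth sha AUTHPASS priv aes 128 PRIVPASS
line vty 0 4
 transport input ssh
"""

def audit_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means none of the checked
    legacy services are exposed in this config."""
    findings = []
    lines = config.splitlines()
    # Smart Install (vstack) is enabled by default on many IOS releases, so
    # the absence of an explicit "no vstack" is treated as a finding.
    if not any(l.strip() == "no vstack" for l in lines):
        findings.append("smart-install: 'no vstack' not present (assumed enabled)")
    for l in lines:
        s = l.strip()
        # Community strings mean SNMP v1/v2c, which is cleartext on the wire.
        m = re.match(r"snmp-server community (\S+)\s*(RO|RW)?", s)
        if m:
            findings.append(f"snmp-v1/v2c community configured: {m.group(1)} {m.group(2) or 'RO'}")
        if re.match(r"transport input .*\btelnet\b", s):
            findings.append("telnet: enabled on vty lines")
        if s == "ip http server":
            findings.append("http: cleartext management UI enabled")
    return findings
```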
- How web scraping actually works – and why AI changes everything
We are still in the middle of the web scraping/crawling wars. Here's the crux of the argument: "AI scraping is parasitical behavior that's devastating website traffic. The AIs pull in information (like from this article) and then, instead of sending readers to the site where an author wrote the piece, simply present that information before anyone visits a site." - This article comes from ZDNET, so they are biased as they make a living off websites and ads. LLMs disrupt this model, presenting us the information, hopefully, without any ads or tracking. For security and privacy people this is a win. For those making a living on ad revenue, this is a huge problem. Also, websites, in general, do not like automated crawlers and scrapers and will go to great lengths to stop it. But we just want the information; it's all about the information, and just because I want to scrape and crawl information doesn't make me evil.
- Elastic rejects claims of a zero-day RCE flaw in Defend EDR
If this is a real vulnerability that can be exploited, then prove it. The researchers claim there is enough evidence to support the reality of an exploitable vulnerability, but they did not provide enough details to Elastic to back up the claim. Vendors need proof and often have to be walked through the entire process step-by-step. You don't have to make the PoC public, but you should provide the PoC to the vendor, with instructions and even videos. I don't want to take sides on this one, but I am not sure what to make of it from here.
- High-severity WinRAR 0-day exploited for weeks by 2 groups
Neat: "RomCom, a Russia-aligned threat group also known as Storm-0978, Tropical Scorpius, or UNC2596, exploited a zero-day vulnerability in WinRAR (CVE-2025-8088) discovered by ESET researchers on July 18, 2025. This path traversal vulnerability, leveraging alternate data streams (ADS), allowed attackers to hide and deploy malicious files when extracting seemingly benign RAR archives in vulnerable WinRAR versions. WinRAR patched the flaw on July 30, 2025, and users are strongly advised to upgrade immediately."
- Vulnerability Discovery with LLM-Powered Patch Diffing
This is pretty awesome:
"Prompt 1: Included the decompiled functions and asked the LLM to suggest a name for each function, summarize the function’s purpose, and summarize the changes made to the function. Prompt 2: Included the text of the vendor’s security advisory along with the output from the first prompt and asked the LLM to rank the functions in order of their relevance to the advisory. This ranking was not a one-shot prompt, but followed the iterative methodology used by our open-source raink tool."
- New zero-day startup offers $20 million for tools that can hack any smartphone
This seems shady: "Apart from the highest bounty of $20 million, which applies to any mobile operating system, the company also offers bounties for exploits in various software: $15 million for the same type of zero-days for Android devices and for iPhones; $10 million for Windows; $5 million for Chrome; $1 million for Apple’s Safari and Microsoft Edge browsers, among others. It’s unclear who is behind the company, and its customers." - Would you sell them your 0-Day?
- GitHub – sensepost/bloatware-pwn: LPE / RCE Exploits for various vulnerable “Bloatware” products
Nice collection of exploits, mostly for "bloatware" that comes from your motherboard manufacturer. The vulnerabilities, at least some, are from spring 2025. There are few, if any, indications that exploits now exist for these vulnerabilities.
- .:: Phrack Magazine ::. – APT Down – The North Korea Files
Another leak, AI summary for some talking points:
- The article analyzes two primary data dumps from "KIM," a suspected Kimsuky member, obtained in June 2025.
- Evidence ties KIM directly to multiple high-profile government intrusions, including South Korea’s Defense Counterintelligence Command, Ministry of Foreign Affairs, and the internal government network.
- The dumps reveal the attacker’s tools, backdoors, and internal manuals, including phishing kits, Linux kernel rootkits, custom Cobalt Strike Beacons, Android payloads, the "RootRot" Ivanti Control backdoor, brute-force tools for South Korean Government PKI certificates, and more.
- Phishing and credential-harvesting infrastructure are detailed, with a focus on targeted domains and sophisticated redirection to cover tracks.
- Numerous operational security lapses are identified—such as hardcoded credentials, reused passwords, cleartext configuration files, and developer activity logs—that provide deep insight into the attacker’s behavior, technical capabilities, and network.
- Further analysis indicates KIM’s possible collaborations with Chinese APTs, reinforcing the notion of tool and knowledge sharing between state-backed threat actors.
- OSINT findings suggest that KIM often follows Chinese holidays, may be Chinese supporting North Korean and Chinese objectives, but also works largely on Korean Standard Time.
- The report urges threat hunters and researchers to investigate unexplored files and binaries from the dump, some with unknown hashes, as they may reveal additional TTPs and capabilities.
- Surge in Scans From Hacked Cisco, Linksys, and Araknis Routers
This will continue as we never got around to fixing the problem of legacy IoT gear hanging out on the Internet. Attackers love this because:
- No one looks for compromised consumer routers; there is little visibility, detection, or prevention for these routers
- The routers are EOL, therefore the vulnerabilities will not be patched
- Attackers can easily scan the Internet as the devices are much more powerful than ever before and scan from different IP addresses, making it difficult to block
- Exposing Data Exfiltration: Detecting LOLBins, TTPs, and Ransomware Tactics
Well, okay, this is easy then, we just need to: "...keep tabs on behaviors linked to data staging and data exfiltration by monitoring for the specific activities outlined above, which are linked to various open-source tools, backup utilities, and more."
Jeff Man
- NIST Releases Control Overlays for Securing AI Systems Concept Paper
I was approached by an old friend and colleague earlier this week seeking comment on NIST's efforts to provide some framework for adding security to AI systems. This is the announcement.
- SP 800-53 Control Overlays for Securing AI Systems Concept Paper
Here is the actual concept paper. (somebody needs to tell NIST that organizations in the private sector are NOT familiar with SP 800-53 controls).
- NIST’s attempts to secure AI yield many questions, no answers
The result of the discussion is that I get quoted in my friend's article. What I was trying to convey is that I don't see how organizations ever get a handle on what AI is in their environment (when they struggle today to inventory the traditional systems and applications) so they should assume a worst case scenario in terms of negative impacts associated with AI.
- Words have meaning, even in IT
Whilst we were chatting, my friend mentioned his recent article lamenting the re-defining of what he considered to be foundational terms and concepts in our field. I couldn't agree more...
- Allianz Life data breach affects 1.1 million customers
In other news, breaches are still happening... "Credit" goes to ShinyHunters and their l33t social engineering skills.
- Workday Data Breach Bears Signs of Widespread Salesforce Hack
Workday appears to have joined the list of major companies that had their Salesforce instances targeted by hackers. The company said the attack was part of a social engineering campaign that hit many large organizations recently.
- HR giant Workday discloses data breach after Salesforce attack
"While the company didn't directly confirm it, BleepingComputer has learned that the Workday incident is part of a wave of security breaches linked to the ShinyHunters extortion group, which targets Salesforce CRM instances through social engineering and voice phishing attacks."
- Developers knowingly push vulnerable code, despite growing breach risk
"Virtually all companies have experienced some type of intrusion due to vulnerable code, application security firm Checkmarx said in a report released Thursday. Nearly eight in 10 firms reported experiencing such breaches in 2023, but that figure climbed more than 90% last year and reached 98% this year. At the same time, eight in 10 companies said they sometimes or often released software with code they knew was vulnerable, up from two-thirds in 2024. “This isn’t oversight,” Checkmarx said. “It’s strategy.”"
Did you catch that? Strategy. In other words, "we're not going to pay for something we don't have to pay for - we'll take the chance." It's just risk management.
- The Future of Application Security in the Era of AI
This is the Checkmarx report referenced in the story about developers releasing vulnerable code as a strategy.
- To end the data breach epidemic, do we need to rethink data sharing?
To protect our sensitive data we need to do a better job of sharing it. Disclaimer - this is a veiled sales pitch article, which kind of disappointed me. As I was reading, I thought "homomorphic encryption" has been re-branded as "privacy enhancing technologies" (PETs). They did eventually mention homomorphic encryption as a sub-element of PETs. The newer term isn't quite as offensive as the older term to me, but the whole concept of keeping data private while sharing it is something worth a discussion.