In the secure news:
- Automakers respond to Flipper Zero attacks
- More on the unconfirmed Elastic EDR 0-Day
- When Secure Boot does its job too well
- Crazy authentication bypass
- Hacker ultimatums
- AI Slop
- Impatient hackers
- Linux ISOs are malware
- Attackers love drivers
- Hacking Amazon's Eero, the hard way
- Exploits will continue until security improves
- The Salesloft breach
- TP-Link Zero Days
- US DoD using Russian software?
- The Lasagna DoS attack
Join us at InfoSec World 2025, October 27 to 29 at Disney’s Coronado Springs Resort, Lake Buena Vista! With pre-event workshops October 25–26, and post-event workshops October 29–30. Connect, learn, and level up your cyber game! Save 25% now with code ISW25-SW at https://www.securityweekly.com/ISW2025!
Paul Asadoorian
- BYOVD-DriverKiller/README.en.md at master · alex3O/BYOVD-DriverKiller
- ImageMagick (WriteBMPImage): 32-bit integer overflow when writing BMP scanline stride → heap buffer overflow
- TINKYWINKEY KEYLOGGER – CYFIRMA
- EOL Devices: Exploits Will Continue Until Security Improves
Attackers are actively exploiting end-of-life (EOL) network devices and IoT gear, targeting areas in IT that lack visibility and regular maintenance, known as the "dusty corners" of infrastructure.
- Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel
- Zscaler, Palo Alto Networks, SpyCloud among the affected by Salesloft breach – Help Net Security
- Introducing ICMP Echo Streams – PacketSmith
- High-severity vulnerability in Passwordstate credential manager. Patch now.
- This Week In Security: DEF CON Nonsense, Vibepwned, And 0-days
- Storm-0501 hackers shift to ransomware attacks in the cloud
"Storm-0501, a threat actor active since at least 2021, has moved from using traditional on-premises ransomware to launching advanced cloud-based attacks that focus on data theft, exfiltration, and extortion by abusing native cloud features rather than deploying malware encryptors." - We knew this was coming...
- Elastic EDR 0-day, Part II: Technical Evidence and the Trigger – Ashes Cybersecurity
As commented on Reddit (where the original post was removed), someone pointed out they were writing a new driver to exploit an existing driver, which is weird. I've not seen confirmation that Elastic's EDR is exploitable, but hoping folks with more expertise in this area than I will take a look and give us an answer...
- Automakers Respond As Open Source Flipper Zero Firmware Raises Security Concerns – Open Source For You
The latest is that auto manufacturers have responded by saying "There is no problem here". I disagree: everything I've seen up to this point, and discussed with my peers, is that attackers gained access to the source code of the keyfobs' and/or vehicles' RKE systems, reverse engineered it, and are able to predict the next rolling code. Then, the keyfob becomes out-of-sync. This behavior is not observed when using previous attacks such as Rollback or Rolljam.
- Lasagna leads to unbootable server
I hope the lasagna came out okay! A bad power situation, coupled with a bad CMOS battery, can make for a bad day.
- PSA: Secure Boot 2026 June cert expiry can block older NVIDIA GOPs at POST
This is really interesting: option ROMs loaded from graphics cards have to be signed for Secure Boot. But, if your Secure Boot certs are updated, and your graphics card has an option ROM with a driver signed by the old cert, you won't be able to boot. Most importantly, the early-stage UEFI firmware that needs the graphics card driver won't have it, which means you can't disable Secure Boot as you are just staring at a blank screen.
- ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header
This is a crazy vulnerability: Bypass authentication by adding a BASIC auth header with a blank value gives you access. Just wow.
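An added example, not ESP-IDF's own code nor anything from the linked advisory: a C header check that accepts only the complete "Basic <credential>" form, so a missing, empty, or prefix-only Authorization header is rejected instead of being treated as a login. The function names and the expected credential are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not ESP-IDF's): case-insensitive match of the
 * "Basic " scheme prefix; a bare "Basic" with no space fails here. */
static bool scheme_is_basic(const char *h)
{
    static const char want[] = "basic ";
    for (size_t i = 0; i < sizeof(want) - 1; i++) {
        if (h[i] == '\0' || tolower((unsigned char)h[i]) != want[i]) {
            return false;
        }
    }
    return true;
}

/* Constant-time comparison after a length check, so the credential
 * compare does not leak how many leading bytes matched. */
static bool ct_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) {
        return false;
    }
    unsigned char diff = 0;
    for (size_t i = 0; i < alen; i++) {
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    }
    return diff == 0;
}

/* Hypothetical hardened check: returns true only for a well-formed
 * "Basic <b64>" header whose credential matches expected_b64 exactly. */
bool basic_auth_ok(const char *auth_header, const char *expected_b64)
{
    if (auth_header == NULL || expected_b64 == NULL) {
        return false;                 /* header absent: not authenticated */
    }
    if (!scheme_is_basic(auth_header)) {
        return false;                 /* empty, other scheme, or "Basic" alone */
    }
    const char *cred = auth_header + 6;
    size_t clen = strlen(cred);
    /* Tolerate trailing CR/LF/space left by a line-based parser. */
    while (clen > 0 && strchr("\r\n ", cred[clen - 1]) != NULL) {
        clen--;
    }
    if (clen == 0) {
        return false;                 /* "Basic " with an empty credential */
    }
    return ct_equal(cred, clen, expected_b64, strlen(expected_b64));
}
```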
- Cloudflare’s Largest Recorded DDoS attack – breaking a new record
We need more details!
- Hackers issue ultimatum to Google after data breach warning
Things are getting crazy: "Hackers have threatened to leak Google databases unless the company fires two employees, according to a post on Telegram."
- Hacker Impatience Can Be a Good Thing
Summary: "Security is not only about erecting barriers but also about dynamic engagement: understanding attacker psychology and readiness to pounce on mistakes can give defenders a crucial edge" - I don't think stalling a ransomware operation is going to get you very far, but this article seems to think so. Thoughts?
- Malware warnings about Linux ISO files
Interesting: "So why do multiple Windows virus scanners report that they find malware in Linux downloads? Putting aside the obvious conspiracy theories about anti-virus vendors not wanting to lose customers, what is probably happening is the scanners are detecting an archive file (the ISO) which contains executable code, and flagging it as suspicious. Some of the code is even able to change the disk layout, which is something that looks nasty from a security point of view. It's entirely understandable that a malware scanner which sees an archive full of executable code that could change the way the system boots would flag it as dangerous."
- Chasing the Silver Fox: Cat & Mouse in Kernel Shadows – Check Point Research
Drivers slipping through the cracks: "Check Point Research (CPR) uncovered an ongoing in-the-wild campaign attributed to the Silver Fox APT which involves the abuse of a previously unknown vulnerable driver, amsdk.sys (WatchDog Antimalware, version 1.0.600). This driver, built on the Zemana Anti-Malware SDK, was Microsoft-signed, not listed in the Microsoft Vulnerable Driver Blocklist, and not detected by community projects like LOLDrivers." and this: "This campaign highlights a growing trend of weaponizing signed-but-vulnerable drivers to bypass endpoint protections and evade static detection." - We still haven't fixed this problem, and guess what? Attackers are going after it! Go figure...
- A new layer of security for certified Android devices
"Starting next year, Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices. This creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down. Think of it like an ID check at the airport, which confirms a traveler's identity but is separate from the security screening of their bags; we will be confirming who the developer is, not reviewing the content of their app or where it came from. This change will start in a few select countries specifically impacted by these forms of fraudulent app scams, often from repeat perpetrators." - I would have thought this was already being done...
- Leave AI Slop out of CVE; Humans Make Mistakes Just Fine
"Anyone that blindly implements a so-called AI solution without rigorous testing, and not just security and prompt injection, specifically tests around accuracy of information needs to reevaluate their role in the industry. Just because another company has reduced the quality and integrity of their offering by introducing AI slop doesn’t mean you should too. In fact, you should market the opposite message; that humans still do a significant portion of curation and that accuracy and integrity are your mission. That would sell me a lot faster than bragging about bullshit “AI”."
Jeff Man
- Federal, state officials investigating ransomware attack targeting Nevada
Another ransomware attack. Nobody has claimed responsibility yet, at least publicly. Not to worry though, CISA and FBI are engaged to help with the response.
- Palo Alto Networks, Zscaler, Cloudflare hit by the latest data breach
Pretty gutsy to call this the latest breach...but the fallout from the Salesloft Drift supply chain attack keeps expanding.
- The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft
Lots of choices for articles - decided to go to a trusted source. Reporting that hackers responsible also stole valid authentication tokens for hundreds of online services that customers can integrate with Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI is somewhat chilling (and depressing).
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce
Overkill? Still want to automate everything and rely on third parties for fundamental IT and IS activities?
- Credit Bureau TransUnion Confirms Data Breach Affecting Over 4 Million People
Details are scarce. 4 million customers is only a small percentage of its client base, so not to worry. "The TransUnion hack is the latest in a series of major breaches. Just this week, Google urged 2.5 billion Gmail users to reset their passwords after it was hacked by a group called ShinyHunters." Wait, what? Dang it...
- Google Issues Worldwide Gmail Data Breach Warning
Oh, this is more Drift fallout. Google. Salesforce. Palo Alto. Zscaler. Cloudflare. Where does it all end? Who's at fault? Who pays for all of this?
- Google Confirms Gmail Data Breach Warning Is Fake News
Whew. That was close. Wait...maybe it's really a setup for phishing attempts. "The company is concerned that the viral nature of the story is creating a “dangerous” sense of panic among users." Now that's clever. Read the headline and when you get the call to help you reset your password....
- Leveraging data analytics to revolutionize cybersecurity with machine learning and deep learning
Let's shift gears and talk AI! Note: this is a report on a scientific study of "an innovative approach to cyber security data analysis that leverages Convolutional Neural Network (CNN) technology." You can download the report - but I warn you, there's math in it.
- Incident response planning cuts the risk of claiming on cyber security insurance
It almost sounds like if you minimize the impact of a breach you don't need to file a claim. I'm not sure I buy the claim that having to file a claim against your cyberinsurance policy constitutes a risk, still I'm intrigued that a PCI DSS control is getting such an emphasis.
- Cybersecurity signals: Connecting controls and incident outcomes
The actual report which analyzes data and explores which cybersecurity controls are most effective at reducing risk. Download it here from Marsh McLennan.
- NSF announces funding to establish the National AI Research Resource Operations Center
.gov... the original AI?
Larry Pesce
- That Supposed ‘Gmail Hack’: Google Says It’s False, but Watch Out for Phishing Anyway
- Nick Andersen appointed to CISA leadership role
- Hacking the Amazon Eero mesh router: disassembly, JTAG brute-forcing, and eMMC flash with 23 (!!) partitions.
- Hacking Amazon’s eero 6 (part 1)
- Hacking Amazon’s eero 6 (part 2)
- Ask Hackaday: Now You Install Your Friends’ VPNs. But Which One?
- EOL Devices: Exploits Will Continue Until Security Improves – Eclypsium