This week we welcome Ed Skoudis to talk about the SANS Holiday Hack Challenge (https://sans.org/HolidayHack). In the security news:
- Oh Asus
- Dashcam botnets
- Weird CVEs being issued
- CodeRED, but not the worm
- Free IP checking
- Internet space junk and IoT
- Decade old Linux kernel vulnerabilities
- Breaking out of Claude code
- Malicious LLMs
- Hacker on a plane gets 7 years
- Putting passwords into random websites
- NPM supply chains strike again
- LLMs will never be intelligent
Ed Skoudis has taught over 40,000 security professionals globally in penetration testing and incident handling. Ed currently serves as the President of the SANS Technology Institute college, supporting over 2,500 students earning their master’s degrees, bachelor’s degrees, and cyber security certificates. Ed is consistently one of the first authorities brought in to provide post-attack analysis on major breaches. Ed is also the founder of the SANS Penetration Testing Curriculum, the CEO and founder of the Counter Hack penetration testing firm, and the leader of the team that builds SANS NetWars and the SANS Holiday Hack Challenge. Ed is a keynote speaker and an Advisory Board member for RSA Conference. He is also on the board of directors for a community bank, a charity, and another college.
Paul Asadoorian
- Raspberry Pi just got up to $25 more expensive
- Defeating ESP32 Security: Extracting Flash Encryption and Secure Boot Keys
- NullPxl/banrays: Glasses to detect smart-glasses that have cameras. Ray-BANNED
- Sliver C2 Insecure Default Network Policy (CVE-2025-27093)
- Hitchhiker’s Guide to Attack Surface Management
- ShadowV2 Casts a Shadow Over IoT Devices
- Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey
- Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem)
- Firmwhere? Rediscovering a Vulnerability in Vivotek Legacy Firmware
A remotely exploitable command injection vulnerability in legacy Vivotek IP camera/NVR firmware that allows unauthenticated RCE via a CGI endpoint, affecting devices still running out‑of‑support firmware and relying on default credentials or weak network segmentation. How much Internet Of Crap will be left hanging out on the Internet? It reminds me of space junk: once it's there, it just keeps floating in orbit forever.
- Detecting CVE-2024-1086: The decade-old Linux kernel vulnerability that’s being actively exploited in ransomware campaigns
CVE-2024-1086 is a decade-old Linux kernel netfilter (nftables) use-after-free that enables local privilege escalation to root and has been actively exploited in ransomware campaigns, prompting inclusion in CISA’s Known Exploited Vulnerabilities catalog. It affects kernels introduced as far back as 3.15, with urgent patching recommended for 5.14–6.6; fixes are available in 5.15.149+, 6.1.76+, and 6.6.15+. Keep your kernels current. I live on the edge and am running 6.17.1 :)
- CVE-2018-25126 – Shenzhen NVMS-9000 firmware hardcoded API credentials and OS command injection
This is just a strange CVE entry:
- It was added on 11/14/25, yet the vulnerability is 7 years old
- The CVE number is from 2018
- The references section has links to older posts and exploits from 7 years ago
- This has been known to be exploited in the wild
- Vulncheck is the CNA
The vulnerability is concerning as it impacts the supply chain for firmware used on over 80 models of DVRs and similar devices. Looks like Vulncheck is updating the CVE database with critical vulnerabilities that did not previously have a CVE assigned.
- Asus Warns of New Critical Vulnerability in Routers with AiCloud
Not much to go on here, other than a bunch of vulnerabilities that were patched by Asus. It is also rumored that Asus suffered a breach. Are these things related, à la F5?
- How to know if your Asus router is one of thousands hacked by China-state hackers
- STRIKE (SecurityScorecard) describes a long‑running, stealthy campaign compromising outdated and often end‑of‑life ASUS WRT routers globally, with tens of thousands of unique IPs observed over roughly six months.
- The infrastructure is attributed with low‑to‑moderate confidence to China‑nexus actors, with a notable concentration of victims in Taiwan and additional clusters in Southeast Asia, Russia, Europe, and the US, but effectively none in mainland China.
- Initial access relies on a chain of at least six known vulns in ASUS firmware, mainly OS command injection and auth‑bypass issues in AiCloud and web UI components: CVE‑2023‑41345/6/7/8, CVE‑2023‑39780, CVE‑2024‑12912, and CVE‑2025‑2492 (improper auth control, CVSS 9.2).
- After compromise, actors deploy persistent backdoors and abuse legitimate features (e.g., AiCloud, SSH) for long‑lived access, making the router a covert proxy or relay for C2 and possible collection, without upgrading firmware or visibly breaking service.
- Nearly all infected routers present a unique self‑signed TLS cert with a 100‑year validity (from April 2022), which became the primary fingerprint used to enumerate over 50,000 infected IPs.
- About 99% of services presenting this cert are ASUS AiCloud endpoints on specific AC/AX‑series WRT models, many of which are unpatched or end‑of‑life.
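The fingerprint above (a self-signed certificate with a 100-year validity window starting in April 2022) is something you can check on your own router without any fleet-scale enumeration. The following is an added example, not code from the STRIKE report: it scores a certificate given in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, with constructed sample certificates and an assumed 20-year sanity threshold.

```python
import ssl

# Constructed samples in the dict shape that ssl.SSLSocket.getpeercert() returns.
# The names are placeholders; only the dates and the subject/issuer relationship matter.
NORMAL_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "notBefore": "Nov 11 00:00:00 2025 GMT",
    "notAfter": "Feb  9 00:00:00 2026 GMT",   # a 90-day leaf certificate
}
ROUTER_CERT = {
    "subject": ((("commonName", "router.lan"),),),
    "issuer": ((("commonName", "router.lan"),),),  # issuer == subject: self-signed
    "notBefore": "Apr 14 00:00:00 2022 GMT",
    "notAfter": "Apr 14 00:00:00 2122 GMT",   # 100-year validity, as in the fingerprint above
}


def validity_years(cert):
    """Length of the certificate's validity window in Julian years."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / (365.25 * 86400)


def is_self_signed(cert):
    """A cert whose issuer DN equals its subject DN was signed with its own key."""
    return cert.get("subject") == cert.get("issuer")


def assess(cert, max_years=20.0):
    """Return findings for one cert. max_years is an assumed sanity threshold;
    publicly trusted leaf certs are capped at roughly 13 months, so anything
    measured in decades is unusual."""
    years = validity_years(cert)
    findings = []
    if years > max_years:
        findings.append(f"validity window of {years:.0f} years exceeds {max_years:g}")
    if is_self_signed(cert):
        findings.append("self-signed: issuer equals subject")
    # Both traits together match the fingerprint described above; either one
    # alone is common on home gear and only merits a closer look.
    return {"years": years, "findings": findings, "flagged": len(findings) == 2}


if __name__ == "__main__":
    for label, cert in (("normal", NORMAL_CERT), ("router", ROUTER_CERT)):
        result = assess(cert)
        print(f"{label}: flagged={result['flagged']} {result['findings']}")
```

Note that `getpeercert()` only returns this dict on a verified connection; for a self-signed device cert you would fetch the DER form with `getpeercert(binary_form=True)` and parse it with a library such as `cryptography` before handing the dates to `assess()`.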
- Your IP Address Might Be Someone Else’s Problem (And Here’s How to Find Out)
“GreyNoise IP Check” is a free, no‑login tool that lets anyone see whether their current public IP has been observed scanning the internet or belongs to known business-service infrastructure. It’s positioned as a way for non-experts and “family tech support” types to quickly assess whether a home or visited network might be compromised without poking at individual devices. This is a great resource; I'm curious whether we can hit this via an API and what the limits would be, as I'd integrate this into various tools as well.
- OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide
- Crisis24’s legacy OnSolve CodeRED emergency alert platform was hit by a cyberattack that forced it offline nationwide and led to the theft of user data, including clear‑text passwords.
- The CodeRED system, used by U.S. state and local governments and public safety agencies for emergency notifications and weather alerts, was compromised and ultimately decommissioned, disrupting alerting capabilities across multiple jurisdictions. Crisis24 says the attack was contained to the CodeRED environment and did not spread to other corporate systems.
- Attackers stole personal data from CodeRED user profiles, including names, physical addresses, email addresses, phone numbers, and passwords, with some passwords exposed in clear text. At the time of the article, there was no evidence the stolen data had been publicly posted, but the risk of credential reuse abuse is high.
- Because the attack damaged the platform, Crisis24 is rebuilding CodeRED on a new system using backups taken on March 31, 2025, meaning newer accounts and changes may be missing. Numerous agencies have reported outages or degradation of their emergency alert systems and are working to restore services for residents.
- The INC Ransomware gang, a RaaS group active since mid‑2023, claimed responsibility, stating it breached OnSolve on November 1, 2025, encrypted files on November 10, and is now selling the stolen data after no ransom was paid. The group published screenshots on its leak site showing customer information and associated clear‑text passwords as proof of access.
- Tenda N300 Wi-Fi 4G LTE Router 4G03 Pro impacted by vulnerabilities VU#268029
I believe they were able to get this published, even though it only affects one vendor and one product, because there is no patch for this vulnerability. If we started issuing VINCEs for all of these situations (vulnerability found, it's critical, but there is no patch), we'd have A LOT more VINCEs being issued. Is this a good thing or a bad thing? Not sure this is the right place to track them, especially given how spotty the coverage is.
- An Evening with Claude (Code)
A vulnerability in Claude Code’s Bash command safety checks that allowed remote code execution (RCE) via carefully crafted sed usage, ultimately fixed in version 2.0.31 as CVE‑2025‑64755.
- Everest Ransomware Claims ASUS Breach and 1TB Data Theft
Unconfirmed, but all the recent Asus news has me wondering just what is going on...
- How your dashcam can be hacked, and how to protect yourself from the attack
- Researchers showed that an initial “drive‑by” attacker at fixed locations (e.g., gas stations, drive‑throughs) could infect nearby dashcams, and then move the entire attack logic onto the camera itself so infected devices actively scan for and compromise other dashcams in nearby cars, worm‑style, especially in dense traffic.
- Once compromised, dashcams yield high‑resolution interior/exterior video, audio, timestamps, and GPS data, enabling reconstruction of routes, parking locations, conversations, passengers, and bystanders.
- Aggregated data can be funneled to a central collector either via on‑board LTE, via the normal smartphone‑to‑cloud sync path, or by relaying through other compromised dashcams; weak cloud protections and exposed identifiers can further ease direct cloud data theft.
- Attackers can automate analysis: extract GPS metadata, run computer vision for signage and text, apply music‑ID services, and use speech‑to‑text plus LLMs to summarize every trip’s route and conversation topics, then de‑anonymize owners via configured identifiers or patterns of frequent locations such as home and work.
- The Dual-Use Dilemma of AI: Malicious LLMs
- “Malicious LLMs” like WormGPT 4 and KawaiiGPT exemplify the dual‑use dilemma of AI: the same capabilities that help defenders (good writing, code generation, automation) are being intentionally weaponized to make cybercrime cheaper, faster, and more accessible. The article highlights that these models are built or configured without safety controls, marketed specifically to criminals, and directly used to generate phishing content, malware scaffolding, lateral movement scripts, and full ransomware workflows, including ransom notes and exfiltration code.
- WormGPT 4 is presented as a commercial, subscription-based “uncensored” LLM aimed at cybercrime-as-a-service, advertised on underground forums and Telegram, with a focus on professional-quality BEC/phishing and instantly generated ransomware tooling (for example, PowerShell scripts with AES-256 encryption and optional C2/exfiltration via Tor). KawaiiGPT, by contrast, is a free, GitHub-hosted tool positioned as easy to install and run on common Linux systems, lowering the technical bar by providing ready-to-use spear-phishing emails, SSH-based lateral movement scripts, and Windows data exfiltration code that relies on standard Python libraries to blend in with legitimate activity.
- The authors stress that these tools “democratize” offensive capability: low-skill attackers can now launch campaigns that previously required strong coding and language skills, compressing the attack lifecycle from hours or days to minutes of prompting. This erodes traditional detection heuristics based on poor grammar or simplistic code, and shifts the threat model toward the scale and speed of AI-generated attacks rather than only bespoke, expert-crafted intrusions.
Jeff Man
- Penn and Phoenix Universities Disclose Data Breach After Oracle Hack
The University of Pennsylvania and the University of Phoenix confirmed on Tuesday that they are among the many victims of the recent cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution.
- Retail giant Coupang data breach impacts 33.7 million customers
"Coupang noted that payment information, including credit card data and account information such as passwords, was not exposed." Oh, never mind...
- Cyber Breach vs Data Leak: What’s the Difference?
But does it matter? Motive vs. intent?
- A data breach at analytics giant Mixpanel leaves a lot of open questions
Is a data breach a cyber breach or a data leak??? The CEO called it an "unspecified security incident". But wait, there's more... "One of its affected customers is OpenAI, which published its own blog post two days later, confirming what Mixpanel had failed to explicitly say in its own post, that customer data had been taken from Mixpanel’s systems."
- CGI expands its Winnipeg presence and Canadian footprint with the acquisition of Online Business Systems
Personal/professional note. The times they are a changin'!
- Switching to Offense: US Makes Cyber Strategy Changes
Would love to get my compadres' take on this...
Lee Neely
- Data breach hits ‘South Korea’s Amazon,’ potentially affecting 65% of country’s population
South Korean online retailer Coupang has acknowledged that a cybersecurity incident resulted in the compromise of personal data belonging to nearly 34 million customers, more than half of the country's population.
Coupang is the go-to online retailer in South Korea, enhanced by their Rocket Delivery service for same-day and pre-dawn delivery. Two things to consider here. First, as an employer, this is a reminder that insider threat is still very much a thing; with all the attention on zero-days, ransomware, etc., it's not as sexy, and it's easy to overlook. Make sure you're maintaining not only your insider threat education but also your data exfiltration detection and prevention activities. Second, as a regulator: while South Korea has legal requirements for protection of personal information, including punitive fines, these don't appear sufficient in their current form to stem the tide of breaches. It's time to enlist industry partners to make sure there is an effective program, providing both support to secure, detect and prevent breaches of systems as well as meaningful consequences.
- Australian Man Sentenced to Prison for Wi-Fi Attacks at Airports and on Flights
An Australian man has been sentenced to prison after he was caught launching Wi-Fi attacks at airports and on flights, the Australian Federal Police (AFP) announced.
It's easy to create "Evil Twin" hotspots, the hardware fits in your coffee cup. And your devices broadcast for their known networks every few seconds. Aside from being aware of Wi-Fi connections where there shouldn't be, review your known/trusted networks regularly, prioritize removing those without authentication. Don't forget your mobile devices. Apple has added Wi-Fi to the password manager on macOS and iOS, making this much easier.
- Singapore orders Google, Apple to curb govt impersonation on messaging services
In an attempt to protect users from scams that impersonate Singapore's government, the Singapore Ministry of Home Affairs (MHA) has directed Apple and Google to implement restrictions that prevent the unauthorized use of the "gov[.]sg" sender ID and the names of Singaporean government agencies on their messaging platforms. Both Apple and Google have stated they will comply with the request. In September, Meta was directed to implement similar measures on their platform due to attempts to impersonate key government office-holders. Both these requests stem from Singapore's Online Criminal Harms Act (OCHA), which went into effect in February 2024. Even with these measures, users still need to be diligent and verify the legitimacy of messages; expect threat actors to find bypasses.
- Municipal emergency warning service offline after hackers steal user data
A ransomware attack against the OnSolve CodeRED emergency notification system has forced parent company Crisis24 to decommission the service's legacy environment; Crisis24 is rebuilding the platform in a new environment. Rebuilding from backups is a challenge, let alone rolling back eight months. According to Crisis24, that was the last current backup. Make sure that you're validating your backups regularly. I remember making copies of backups just in case. Don't wait for an incident to discover issues; that is never fun, ask me how I know this. If you're an OnSolve user, change your password and make sure that you've not reused that password somewhere else, as you're going to need to change that password as well.
- Critical Vulnerabilities in FluentBit
From the report's executive summary: A new chain of 5 critical vulnerabilities within Fluent Bit allows attackers to compromise cloud infrastructure. Fluent Bit, an open-source tool for collecting, processing, and forwarding logs, is the quiet messenger of modern computing. It is embedded in billions of containers and deployed more than 15 billion times, with over 4 million pulls in the past week alone.
- CISA: Threat Actors are Targeting Messaging Apps to Deliver Spyware
CISA recommends that users refer to its recently-updated (11/24) Mobile Communications Best Practice Guidance and to its Guidance for Mitigating Cyber Threats with Limited Resources.
While the measures are directed at your highly targeted users, many of the recommendations apply across the board, such as moving to end-to-end encrypted messaging and FIDO authentication, and away from SMS second-factor authentication. Note there are iOS- and Android-specific recommendations as well.
- Is Your Android TV Streaming Box Part of a Botnet? – Krebs on Security
Brian Krebs warns that certain Android-based video streaming devices are equipped to hijack users' home networks to relay malicious internet traffic associated with advertising fraud, account takeovers, and possibly distributed denial-of-service (DDoS) botnets. This is a timely warning with the seasonal shopping frenzy. These devices are targeted at about $400 and offer an incredible streaming deal. While out of the box they are legitimate, to get the advertised range of channels you need to add additional questionable apps, which includes replacing the Google Play Store with an app store that can access the needed apps from a third-party service. Regardless of wording, in the US, unauthorized viewing of streaming content violates the DMCA and can incur legal action, including fines and suspension of your service by your ISP. Beware of devices with suspicious marketplaces, requirements to disable Google Play Protect, devices advertised as unlocked streaming devices, Android devices which are not Play Protect certified, and unexplained/suspicious Internet traffic.
Sam Bowne
- Man behind in-flight Evil Twin WiFi attacks gets 7 years in prison
A 44-year-old man was sentenced to seven years and four months in prison for operating an “evil twin” WiFi network with a Wi-Fi Pineapple to steal the data of unsuspecting travelers during flights and at various airports across Australia.
- FCC Warns of Hackers Hijacking Radio Equipment For False Alerts
Hackers have been hijacking US radio transmission equipment to air bogus emergency tones and offensive material, by using default passwords on Barix network audio devices. Several stations in Texas and Virginia were affected, with broadcasts interrupted by simulated alert tones, the Attention Signal and obscene language.
- Quantum physicists have shrunk and “de-censored” DeepSeek R1
They managed to cut the size of the AI reasoning model by more than half—and claim it can now answer politically sensitive questions once off limits in Chinese AI systems. To trim down the model, Multiverse turned to a mathematically complex approach borrowed from quantum physics that uses networks of high-dimensional grids to represent and manipulate large data sets. Using these so-called tensor networks shrinks the size of the model significantly and allows a complex AI system to be expressed more efficiently.
- Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem)
Secrets found on JSONformatter and CodeBeautify include credentials for AD, code repositories, databases, etc. These come from critical national infrastructure, .GOV, finance, tech, aerospace, etc. watchTowr spent months working with CERT teams trying to notify these people before publication, to little avail.
- We should all be using dependency cooldowns
Waiting a week before updating dependencies prevents most supply-chain attacks.
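The cooldown rule is simple to state, but what a resolver actually has to do is skip any version whose publish time is younger than the window and fall back to the newest one that is older. The following is an added example, not code from the linked article: it applies a cooldown to a constructed excerpt of an npm registry packument (the registry's `time` object maps each version to its publish timestamp), with a fixed reference time so the result is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Constructed packument excerpt in the shape the npm registry serves: the "time"
# object maps each published version (plus "created"/"modified") to an ISO timestamp.
PACKUMENT = {
    "name": "example-lib",                         # hypothetical package
    "dist-tags": {"latest": "2.4.0"},
    "time": {
        "created": "2025-10-20T12:00:00.000Z",
        "modified": "2025-11-24T15:45:00.000Z",
        "2.3.0": "2025-10-20T12:00:00.000Z",
        "2.3.1": "2025-11-10T09:30:00.000Z",
        "2.4.0": "2025-11-24T15:45:00.000Z",       # two days old at NOW
        "2.5.0-rc.1": "2025-11-25T08:00:00.000Z",  # prerelease, never a candidate here
    },
}
# Fixed reference time so the example is reproducible (constructed).
NOW = datetime(2025, 11, 26, 12, 0, tzinfo=timezone.utc)


def _parse_time(stamp):
    # The registry uses a trailing "Z"; fromisoformat needs "+00:00" before Python 3.11.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _version_key(version):
    # Plain major.minor.patch ordering; prereleases are filtered out before this runs.
    return tuple(int(part) for part in version.split("."))


def eligible_versions(packument, cooldown_days=7, now=None):
    """Versions that have been public for at least cooldown_days, newest first."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=cooldown_days)
    out = []
    for version, stamp in packument["time"].items():
        if version in ("created", "modified") or "-" in version:
            continue  # metadata keys and prereleases are not install candidates
        if _parse_time(stamp) <= cutoff:
            out.append(version)
    return sorted(out, key=_version_key, reverse=True)


def pick_version(packument, cooldown_days=7, now=None):
    """Newest version that has survived the cooldown, or None if nothing qualifies yet."""
    candidates = eligible_versions(packument, cooldown_days, now)
    return candidates[0] if candidates else None


if __name__ == "__main__":
    # "latest" is 2.4.0, but with a one-week cooldown the resolver stays on 2.3.1.
    print("latest:", PACKUMENT["dist-tags"]["latest"])
    print("after cooldown:", pick_version(PACKUMENT, now=NOW))
```

Dependency bots expose the same rule as a setting (for example Renovate's minimumReleaseAge), so the logic above mainly shows what such a setting is doing on your behalf.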
- Live Updates: Sha1-Hulud, The Second Coming – Hundreds of NPM Packages Compromised
This outbreak has already outgrown the original Shai-Hulud incident, with more than 800 npm packages confirmed as trojanized and tens of thousands of GitHub repositories affected, spreading rapidly. The malicious versions embed credential-stealing payloads designed to capture developer tokens, leak secrets, and establish persistent footholds across repositories and developer environments. In this second wave, Sha1-Hulud introduces a far more aggressive fallback mechanism: if the malware fails to authenticate or establish persistence, it attempts to destroy the victim’s entire home directory.
- Detectives Ask for the Public’s Help Identifying ATM Jackpotting Suspects
On October 3, 2025, at 10:18 p.m., an unknown individual approached the drive-up ATM in the 4200 block of Members Way near Fair Oaks and used a key to open the machine. It remains unclear what actions were taken once it was accessed. The same individual returned on October 4, 2025, at 12:28 a.m., driving a late-model blue Jeep, and again opened the ATM. Around 1:15 a.m., two suspects, including the original individual, arrived in the same Jeep and accessed the machine for about 15 minutes while appearing to record it with their phones. At 2:00 a.m., an unmasked suspect in the same Jeep began withdrawing cash without inserting a card or touching the ATM. He held a phone toward the machine while removing cash, left briefly, and returned at 2:09 a.m., remaining until 2:44 a.m. as withdrawals continued.
- Is Your Friend or Family Member Spiraling Into AI Psychosis? This Group May Be Able to Help
The Spiral Support Group is moderated by Allan Brooks, a 48-year-old man in Toronto who experienced a traumatic three-week spiral in which ChatGPT urgently insisted to Brooks that he had cracked cryptographic codes through newly-invented math and become a risk to global national security in the process. “It started with four of us, and now we’ve got close to 200.”
- Large Language Models Will Never Be Intelligent, Expert Says
“Yes, an AI system might remix and recycle our knowledge in interesting ways,” Riley writes. “But that’s all it will be able to do. It will be forever trapped in the vocabulary we’ve encoded in our data and trained it upon — a dead-metaphor machine.”
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign
A long-running malware operation known as "ShadyPanda" has amassed over 4.3 million installations of seemingly legitimate Chrome and Edge browser extensions that evolved into malware. The infected extensions perform affiliate fraud, search hijacking, or full RCE. While Google has removed them from the Web Store, Koi reports that the campaign remains active on the Microsoft Edge Add-ons platform, with one extension listed as having 3 million installs.
- Public GitLab repositories exposed more than 17,000 secrets
After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains. He used TruffleHog. The researcher previously scanned Bitbucket, where he found 6,212 secrets spread over 2.6 million repositories. He also checked the Common Crawl dataset that is used to train AI models, which exposed 12,000 valid secrets.