In the security news this week:
- Remembering "FX"
- Finding and analyzing Windows drivers
- Network monitoring with Gibson
- the backdoor in your PAM
- The edge is fraying - and attackers have the advantage
- Age verification for Linux?
- Banning AI
- TPMS tracking
- BLE tracking
- weird strings
- Airsnitch
- RESURGE in and on Ivanti
- Attackers using Claude
- Government iPhone hacking kits
- Cisco SD-WAN, Linux, and 2023
- Leakbase leaks
- and Bro, upgrade your solar panel!
Security Weekly listeners save $100 on their RSAC 2026 All Access Pass! RSAC 2026 Conference will take place March 23rd to March 26th in San Francisco. To register using our discount code, please visit securityweekly.com/rsac26 and use the code 56U5SECWEEKLY! We hope to see you there!
Paul Asadoorian
- Felix “FX” Lindner – From Security Weekly Episode 217 – October, 2010
RIP "FX", you will be missed. We interviewed "FX" in 2010, and I could not find it in the archives. Thankfully, I have my own copy and was able to re-post it here as a YouTube video with cleaned-up audio. Note: There was no video for this interview (if there was, I could not find it), so just a static image is overlaid.
- 100+ Kernel Bugs in 30 Days
What if you were to discover all the signed Windows drivers, then analyze them for vulnerabilities using AI? You'd end up with this. It's awesome. It should be a concern for IT security teams...
- GitHub – HackingLZ/gibson: Network monitoring tool that maps process-to-network connections, identifies cloud providers, and detects beaconing activity. Zero-flag agent binary for deployment, aggregation server, offline ASN lookup.
This looks like stuff I've used or learned about in the past. Also, in the past it was difficult to map a process on a host to a connection on the network and determine the level of potential evil for that connection. Now we have an open-source project to do just that! Screenshots look awesome, but I have not validated or tested this project in any way, so let me know how it works out.
- Iranian APT Activity During Geopolitical Escalation: Recommendations for Nozomi Customers and Critical Infrastructure Owners
- The “P” in PAM is for Persistence: Linux Persistence Technique – Black Hills Information Security, Inc.
Somehow I forgot about this and just happily trust PAM: "What would happen if we replaced PAM with a malicious version? In theory, because PAM receives clear text credentials during authentication, we could swap the PAM with a modified version that adds a universal password (skeleton key) to all user accounts. If we did this, we would be able to bypass the user’s password with our own, even if the user changes their password. Furthermore, we could even capture the user’s password pre-encryption and exfiltrate it for later use."
- Firewall Vulnerability Exploitation: Why the Edge is Fraying
So much this: "Modern firewalls (Fortinet FortiOS, Palo Alto PAN-OS, Cisco IOS-XE, Sophos) run Linux underneath, enabling root RCE that's invisible to admins. Attackers hook auth, persist via symlinks past updates, and pivot to AD/ESXi." Don't forget VPNs, for example, Ivanti hardware appliances do not provide users with access to the underlying Linux. But attackers have access to this layer...
- To update blobs or not to update blobs
- Sometimes, You Can Just Feel The Security In The Design (Junos OS Evolved CVE-2026-21902 RCE)
This is a feature, not a vulnerability! If there ever was such a thing, this would be the example we use.
- An upcoming California law requires operating system providers to enforce basic mandatory age verification
Not sure this is verification, or just simply asking for the user's birthday. However, it's a problem for Linux; also, WHY?????!!?!?!
- Florida woman imprisoned for massive Microsoft license fraud scheme
Millions of dollars in fake licenses...
- Trump Bans Anthropic AI in Federal Agencies Amid Growing Security Concerns
Banning things never seems to really work out. I find bans, in general, to be more statement making and political than actually solving a problem in most cases.
- TPMS Flaw in Toyota, Mercedes, and Other Major Brands Enables Covert Vehicle Tracking
Interesting: "By correlating the four tire IDs that “appear” together within short time windows, the team could reliably group them into a unique car “fingerprint.” Using similarity metrics such as the Jaccard index, they could match tire IDs to vehicles and reconstruct driving and parking patterns over weeks."
- Total Recall – Retracing Your Steps Back to NT AUTHORITY\SYSTEM – MDSec
- CISA replaces acting director after a bumbling year on the job
The Tesla part of the story is just wow.
- US cybersecurity agency CISA reportedly in dire shape amid Trump cuts and layoffs
Some notes:
- CISA is critically understaffed after Trump administration cuts.
- Lost ~33% of staff (from ~3,400 to 2,400), eliminating counter-ransomware, election security, and software security programs.
- No permanent director since 2025.
- Ongoing DHS shutdown (started Feb 14, 2026) furloughs ~60-67% of remaining workforce to 38% capacity. Threat response limited to imminent risks only.
- FY2026 budget slashes CISA funding by ~$500M, targeting cyber ops and risk management.
- What’s That String? That Time a Weird String Revealed a Whole Operation – GreyNoise Labs
GreyNoise Labs analyzed a suspicious URL-encoded, backwards Base64-encoded string observed in network traffic, revealing a sophisticated PHP webshell and cryptostealer operation. I will just let that sink in for a moment. The decoded payload executed remote code from 45.145.228.125, targeting ThinkPHP configs to extract MySQL credentials via regex patterns. It enumerated databases/tables, sampled data, and performed string replacements (likely crypto wallet swaps) using user rules before uploading loot to c2c.deepgtp.net:39010.
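As an added example (not GreyNoise's code), here is a decoder for the URL-encoded, reversed-Base64 shape described above, plus a scanner that flags such query values in access log lines. The payload and log line are constructed for the demo, not the real string from the post.

```javascript
// Added example (not from the GreyNoise post): decode a URL-encoded, reversed
// Base64 query value and flag such values in web server access log lines.
// The sample payload and log line at the bottom are constructed for this demo.

function reverseString(s) {
  return Array.from(s).reverse().join('');
}

// Treat a byte buffer as text when nearly every byte is printable ASCII.
function isMostlyPrintable(buf) {
  if (buf.length === 0) return false;
  let printable = 0;
  for (const b of buf) {
    if ((b >= 0x20 && b < 0x7f) || b === 0x09 || b === 0x0a || b === 0x0d) printable++;
  }
  return printable / buf.length >= 0.95;
}

// Base64-decode s and return the text only if s is well-formed Base64 that decodes to text.
function decodeIfText(s) {
  if (s.length < 8 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return null;
  const buf = Buffer.from(s, 'base64');
  return isMostlyPrintable(buf) ? buf.toString('utf8') : null;
}

// Classify an already URL-decoded value: plain Base64, reversed Base64, or neither.
// Reversal moves any '=' padding to the front, so a reversed value fails the
// forward check and only decodes once it is flipped back.
function classifyValue(value) {
  const forward = decodeIfText(value);
  if (forward !== null) return { kind: 'base64', decoded: forward };
  const backward = decodeIfText(reverseString(value));
  if (backward !== null) return { kind: 'reversed-base64', decoded: backward };
  return { kind: 'none', decoded: null };
}

// Scan one Apache/nginx style access log line and report reversed-Base64 parameters.
function scanLogLine(line) {
  const m = line.match(/"(?:GET|POST|PUT) (\S+) HTTP\//);
  if (!m) return [];
  const url = new URL(m[1], 'http://placeholder.invalid'); // base only so a relative path parses
  const hits = [];
  for (const [name, value] of url.searchParams) {
    const c = classifyValue(value);
    if (c.kind === 'reversed-base64') hits.push({ param: name, decoded: c.decoded });
  }
  return hits;
}

// Constructed sample: harmless text, Base64-encoded, reversed, then URL-encoded.
const SAMPLE_PLAIN = 'constructed sample payload';
const SAMPLE_VALUE = encodeURIComponent(reverseString(Buffer.from(SAMPLE_PLAIN).toString('base64')));
const SAMPLE_LOG = `203.0.113.5 - - [01/Mar/2026:10:00:00 +0000] "GET /index.php?s=${SAMPLE_VALUE}&page=1 HTTP/1.1" 200 512`;

console.log(scanLogLine(SAMPLE_LOG)); // [{ param: 's', decoded: 'constructed sample payload' }]
```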
- GitHub – vanhoefm/airsnitch
I have not tested this, but will let Larry explain...
Bill Swearingen
- Hacktivists claim to have hacked Homeland Security to release ICE contract data
A group of hacktivists calling themselves “Department of Peace” claimed to have hacked the Department of Homeland Security (DHS), leaking allegedly stolen documents online. ¯\_(ツ)_/¯
- US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals
The toolkit, dubbed Coruna, contains multiple exploits capable of surreptitiously compromising Apple devices running older versions of iOS. Researchers say the codebase appears as a professionally developed platform, raising concerns that a tool originally built for covert government use may have escaped controlled channels.
- neato-brainslug
Repair your Neato Robot Vacuum to be controlled locally after the shutdown of the Neato servers. The scope of this project is to give your robot at least the same functionality as when you bought it; however, the project is in a development state.
- Cisco says hackers have been exploiting a critical bug to break into big customer networks since 2023
Cisco says hackers have been exploiting the Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability in one of its popular networking products used by large enterprises for at least three years, prompting the U.S. government and its allies to urge organizations to take action. CISA issues emergency directive to secure Cisco SD-WAN: https://www.cisa.gov/news-events/news/immediate-action-required-cisa-issues-emergency-directive-secure-cisco-sd-wan-systems
- Israel Spent Years Hacking Tehran Traffic Cameras to Track Khamenei Before Strike: Report
According to the Financial Times, citing sources familiar with the operation, many of the Iranian capital’s traffic cameras had been compromised, allowing Israeli intelligence analysts to access the feeds remotely and track the daily routines of senior Iranian officials and their security details.
- BRO UPGRADE YOUR … Solar Panel?
Following our findings published last year, which exposed data leaks, including WiFi credentials, location, and energy data in solar inverters from Sunways and APsystems, we now present a critical vulnerability in APsystems inverters: a remote firmware injection that allows for total system compromise.
- Leakbase has been Leaked
The forum, known as LeakBase, had established itself as a central hub in the cybercrime ecosystem, specializing in the trade of leaked databases and so-called “stealer logs” – archives of stolen credentials harvested through infostealer malware. On 3 March, law enforcement authorities carried out coordinated enforcement actions across multiple jurisdictions, including arrests, house searches and “knock-and-talk” interventions. Around 100 enforcement actions were conducted worldwide, including measures against 37 of the most active users of the platforms.
- MCPwner is a Pwning MCP Server
MCPwner is a Model Context Protocol (MCP) server that integrates security testing tools into LLM-driven workflows. It provides a unified interface for secret scanning, static analysis (SAST), software composition analysis (SCA), and vulnerability research including 0-day discovery.
Instead of manually chaining tools and pasting outputs into your LLM, MCPwner standardizes and streams results directly into the model's working context. This enables continuous reasoning, correlation, and attack path discovery across the entire security research lifecycle - from identifying known vulnerabilities to uncovering novel attack vectors.
- Frida Hooking Tutorial – Android Game Hacking
In this walkthrough, we're exploring the process of Android game hacking using Frida, a powerful dynamic instrumentation toolkit. Our objective is to reverse engineer an Android game, Assault Cube, to create a God Mode cheat. We'll get into the Java and native components of an APK (Android Package Kit) and use Frida for hooking and modifying functions.
Larry Pesce
- carlossless – An Interesting Find: STM32 RDP1 “Decryptor”
- Meet Bionode – Nomadic Research Labs
- APT37 hackers use new malware to breach air-gapped networks
- Announcing BLEPTD: Open Source BLE Privacy Threat Detector – Break Stuff for Fun
- AirSnitch – How Worried Should You Be?
- Aida Baradari on X: “Today, we’re introducing Spectre I, the first smart device to stop unwanted audio recordings. We live in a world of always-on listening devices. Smart devices and AI dominate our world in business and private conversations. With Deveillance, you will @be_inaudible. https://t.co/WdxmnyFq1I”
Lee Neely
- Security update for Gardyn Home and Gardyn Studio
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an Industrial Control System (ICS) advisory for multiple vulnerabilities in Gardyn Home Kit, a smart, indoor, vertical hydroponic gardening system.
If I'm tracking, you have an insecure (cleartext) connection, default credentials, a successful MiTM attack, RCE and lateral movement. Two bits of good news: first, no evidence yet of active exploitation; second, there are fixes which deploy easily. The fix is to update to version 619 or later of the Gardyn firmware and version 2.11.0 or later of the mobile app.
- CISA warns that RESURGE malware can be dormant on Ivanti devices
The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its malware analysis report for RESURGE malware. The updated report provides "deeper technical insight into RESURGE to provide network defenders with enhanced understanding and tools to identify, mitigate, and respond to RESURGE." CISA analysis indicates "that RESURGE can remain latent on systems until a remote actor attempts to connect to the compromised device ... [and] assesses that RESURGE may be dormant and undetected on Ivanti Connect Secure devices and remains an active threat." RESURGE involves the exploitation of CVE-2025-0282, a critical stack-based buffer overflow/out-of-bounds write vulnerability in certain versions of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways.
RESURGE hooks the web process looking for a specific connection attempt, indefinitely. It uses a fake Ivanti certificate to make sure that the interaction is with the agent, not legitimate Ivanti software. Most definitely grab the IoCs for the persistent malware and see if you have remnants. Also watch for the transmission of the fake Ivanti certificate, as it's sent unencrypted. Reference the updated CISA AR25-087A malware analysis report for the latest IoCs and information.
https://www.cisa.gov/news-events/analysis-reports/ar25-087a
https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282
- Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel
Executive Summary: We uncovered a High severity security vulnerability CVE-2026-0628 in Google's implementation of the new Gemini feature in Chrome. This vulnerability allows the attacker to tap into the browser environment and access files on the local operating system.
The introduction of AI into the browser reintroduces some attack planes as it's operating at a high privilege level, potentially exfiltrating data, bypassing same-origin policy and triggering privileged browser functions. Beyond updating to the latest Chrome, consider carefully before adding or enabling AI extensions to browsers.
- National Tax Service Coins Stolen Twice After Mnemonic Code Leak
South Korea's National Tax Service has apologized for inadvertently publishing a recovery phrase that allowed seized cryptocurrency to be stolen. On February 26, the Tax Service announced that it has seized cash and luxury items from individuals who were delinquent on their taxes. The seized funds included 6.9 billion Korean won (€4.03 million / US$4.7 million) in virtual assets. The announcement was accompanied by a photograph that included a seed phrase that could be used to access cryptocurrency funds. In an odd turn of events, the seized virtual funds were stolen twice. The first time, the funds were taken from the crypto wallet and then returned; the thief claimed to have been acting "out of curiosity." Several hours later, the funds were stolen again and have not been returned.
Remember the Hawaiian Emergency Management Agency report in 2018 with the password on a yellow sticky in the background? Yeah, same idea, be careful what you include when publishing photos and videos, to include meta (EXIF) data. Make sure you include a review process when publishing information and if you're redacting information, make sure it is securely done so it can't be revealed.
- AirSnitch – How Worried Should You Be?
Researchers from the University of California, Riverside, have presented a paper detailing new classes of machine-in-the-middle (MitM) cyberattacks that allow Wi-Fi clients to attack other clients on the same network by bypassing Wi-Fi access point (AP) client isolation mechanisms. Dubbed "AirSnitch," the series of attacks break past the isolation meant to protect against ARP poisoning and ICMP redirects; "every tested router and network was vulnerable to at least one attack," including routers from Netgear, Tenda, D-Link, TP-Link, ASUS, Ubiquiti, LANCOM, and Cisco, plus those running DD-WRT and OpenWrt.
SANS instructors James Leyte-Vidal and Larry Pesce hosted a webinar on Monday, March 2, 2026, evaluating the impact of the findings. Their recommended mitigations include immediately implementing VLAN segmentation and IP spoofing prevention; in the near-term, requesting per-client GTK randomization, implementing MAC spoofing prevention, and centralizing controller decryption; and in the long term, standardizing to MACsec and IEEE 802.11
https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf
- New Dohdoor malware campaign targets education and health care
Cisco Talos has published a threat spotlight describing a campaign of multi-stage cyberattacks ongoing since December 2025, targeting primarily US education institutions and healthcare facilities with persistent backdoor malware. The attackers gain initial access through social engineering and phishing via email, leading to the execution of a PowerShell script that downloads a Windows batch script dropper, which in turn "orchestrates a DLL sideloading technique to execute the malicious DLL while simultaneously conducting anti-forensic cleanup." The DLL operates as a loader to "download, decrypt, and execute malicious payloads within legitimate Windows processes," ultimately connecting to a command-and-control (C2) IP address resolved through DNS-over-HTTPS (DoH, giving the DLL its nickname, “Dohdoor”) and evading EDR to inject a payload believed to be Cobalt Strike Beacon into legitimate binaries. Talos provides indicators of compromise (IoCs), as well as a ClamAV signature and SNORT security identifiers.
- OAuth redirection abuse enables phishing and malware delivery
The Microsoft Defender Security Research Team has published a blog describing their observation of "phishing-led exploitation of OAuth’s by-design redirection mechanisms." The scheme targets both public and private sector organizations and "uses silent OAuth authentication flows and intentionally invalid scopes to redirect victims to attacker-controlled infrastructure without stealing tokens." The researcher identified and removed several malicious OAuth applications but cautioned that "related OAuth activity persists and requires ongoing monitoring."
This attack is clever. It uses invalid OAuth information, forcing a redirect to the error site, ensuring a re-authentication event, no SSO, then a malicious ZIP is downloaded. The IoCs from Microsoft include domains and URL patterns which you can filter out to limit this type of attack. Also review Redirect URI and OAuth 2 best practices to make sure that you've stacked the deck in favor of your users.
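An added hunt for the pattern described above (not Microsoft's own detection logic or IoCs): it flags authorize requests that combine a silent flow (prompt=none) with a redirect_uri host or scope the tenant does not recognize. The allow lists, client IDs, hosts and proxy log lines are all constructed.

```javascript
// Added example (not Microsoft's detection or IoCs): hunt proxy logs for OAuth
// authorize requests that pair prompt=none with an unknown redirect host or an
// unrecognized scope. Hosts, client IDs, scopes and log lines are constructed.

// Hosts where this hypothetical tenant's own apps legitimately receive redirects.
const KNOWN_REDIRECT_HOSTS = new Set(['app.example.com', 'portal.example.com']);
// Scopes we expect to see in normal sign-ins (constructed allow list).
const KNOWN_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access', 'User.Read']);

// Minimal "timestamp user method url" proxy log format (constructed).
function parseProxyLine(line) {
  const f = line.trim().split(/\s+/);
  return f.length >= 4 ? { ts: f[0], user: f[1], method: f[2], url: f[3] } : null;
}

// Returns null for non-authorize URLs, otherwise the indicators found.
function analyzeAuthorizeUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return null; }
  if (!/\/oauth2\/(v2\.0\/)?authorize$/.test(url.pathname)) return null;
  const p = url.searchParams;
  const silent = p.get('prompt') === 'none';
  let redirectHost = null;
  try { redirectHost = new URL(p.get('redirect_uri') || '').hostname; } catch { /* missing or malformed */ }
  const indicators = [];
  if (redirectHost && !KNOWN_REDIRECT_HOSTS.has(redirectHost)) {
    indicators.push(`redirect_uri host ${redirectHost} is not a known app host`);
  }
  // Resource-qualified scopes (https://host/Scope.Name) are compared by their last segment.
  const unknownScopes = (p.get('scope') || '').split(/\s+/)
    .filter((s) => s && !KNOWN_SCOPES.has(s.split('/').pop()));
  if (unknownScopes.length > 0) indicators.push(`unrecognized scope(s): ${unknownScopes.join(' ')}`);
  // Flag only a silent flow that also carries something forcing the error
  // redirect to land somewhere outside the tenant's known apps.
  return { clientId: p.get('client_id'), silent, redirectHost, indicators, suspicious: silent && indicators.length > 0 };
}

function huntSuspiciousAuthorizations(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseProxyLine(line);
    const a = rec && analyzeAuthorizeUrl(rec.url);
    if (a && a.suspicious) hits.push({ ts: rec.ts, user: rec.user, ...a });
  }
  return hits;
}

// Constructed proxy log: one normal sign-in, one silent flow to an unknown host, one unrelated request.
const SAMPLE_LOG = [
  '2026-03-02T09:15:01Z alice GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid%20profile%20User.Read',
  '2026-03-02T09:16:44Z bob GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=22222222-2222-2222-2222-222222222222&response_type=code&redirect_uri=https%3A%2F%2Fcb.example.org%2Fcallback&scope=openid%20Not.A.Real.Scope&prompt=none',
  '2026-03-02T09:17:10Z carol GET https://intranet.example.com/home',
];

console.log(huntSuspiciousAuthorizations(SAMPLE_LOG));
```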
Sam Bowne
- What’s the Point of School When AI Can Do Your Homework?
The creator of the AI agent “Einstein” wants to free humans from the burden of academic labor. Critics say that misses the point of education entirely.
- Trump orders government to stop using Anthropic in battle over AI use
US President Donald Trump has said he would direct every federal agency to immediately stop using technology from AI developer Anthropic. Anthropic has been in use by the US government and military since 2024 and was the first advanced AI company to have its tools deployed in government agencies doing classified work.
- $4.8M in crypto stolen after Korean tax agency exposes wallet seed
They published a photo of the Ledger wallet with the seed written on paper.
- Hacker Used Anthropic’s Claude to Steal Mexican Data Trove
The unknown Claude user wrote Spanish-language prompts for the chatbot to act as an elite hacker, finding vulnerabilities in government networks, writing computer scripts to exploit them and determining ways to automate data theft. In a month, he stole 150 gigabytes of Mexican government data.
- AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks
By sending pings, an attacker can redirect traffic to gain AITM status on networks with client isolation, just like old-fashioned ARP poisoning. I don't see any big risk here. This article, with wild exaggerations, bounced around the echo chamber. It's a nothingburger.
- Cloudflare One is the first SASE offering modern post-quantum encryption across the full platform
Secure Access Service Edge (SASE) is a cloud-native architecture that converges software-defined wide area networking (SD-WAN) and cloud-native security functions—such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall-as-a-Service (FWaaS), and Zero Trust Network Access (ZTNA)—into a single, unified service. At the end of 2024, the National Institute of Standards and Technology (NIST) sent a clear signal: the era of classical public-key cryptography is coming to an end. NIST set a 2030 deadline for deprecating RSA and Elliptic Curve Cryptography (ECC) and transitioning to PQC that cannot be broken by powerful quantum computers.
- Carelessness versus craftsmanship in cryptography
Two popular AES libraries, aes-js and pyaes, “helpfully” provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs.
- The DJI Romo robovac had security so poor, this man remotely accessed thousands of them
He reverse engineered DJI’s protocols using Claude Code. He simply extracted his own DJI Romo’s private token, and those servers gave him the data of thousands of other people as well.