This week:
Larry’s in the host seat and chaos ensues. We dig into:
- A very questionable story about tracking a warship with a $5 Bluetooth tracker
- Serial-to-IP devices quietly sitting in critical infrastructure… and full of holes
- New York regulators mandating MFA and asset inventory—aka CIS Control #1 is now breaking news
- A ransomware negotiator who decided to double-dip (and landed in prison)
- “Brand new” hard drives that come preloaded… with someone else’s data
- The Vercel breach: no zero-day, just shadow IT, stolen tokens, and bad decisions
- AI-driven vulnerability discovery and the looming “vulnpocalypse”
- Quantum crypto debates: real threat or just another security boogeyman?
- Mirai is STILL alive—because apparently we still don’t patch routers
- And yes… Flipper Zero makes an appearance (no, you’re not hacking airplanes… calm down)
Then, we rebroadcast an interview from RSAC.
Breach Readiness for Measurable Risk Reduction in the Age of AI
Cyber leaders no longer debate whether a breach will occur. What has changed is the speed and scale at which AI now enables those breaches. The real question is how far an attacker can move once inside. In this conversation, Rajesh Khazanchi explores why breach readiness, including AI-assisted containment, measurable blast radius reduction, and pervasive microsegmentation, has become mission-critical for business continuity in 2026.
This segment is sponsored by ColorTokens. Visit https://securityweekly.com/colortokensrsac to learn more about them!
Rajesh Khazanchi is the CEO and Co-Founder of ColorTokens, Inc., a Bay Area cybersecurity company pioneering the global shift to Zero Trust security architectures. With over 25 years of leadership across enterprise security, cloud infrastructure, and product innovation — and 8 granted patents — he is recognized as a technology visionary who transforms bold ideas into enterprise-grade platforms that shape the future of cybersecurity.
At ColorTokens, Rajesh has advanced the company’s mission of delivering Zero Trust Microsegmentation and breach readiness at scale, building a trusted partner ecosystem with Fortune 500 enterprises, global system integrators, and managed service providers. The company’s flagship platform, Xshield, has been consistently recognized by Gartner, Forrester, and GigaOm as a leader in Zero Trust MicroSegmentation. Over his 10-year journey at ColorTokens, he has also acquired two security companies, PureID and Cognore.
Previously, Rajesh held senior leadership roles at VMware, HP, and Oracle, where he drove global product innovation, large-scale enterprise adoption, and next-generation security products and solutions. These experiences gave him a unique perspective on aligning technology with business transformation — a principle that continues to anchor ColorTokens’ customer-first approach.
A recognized thought leader and innovator, Rajesh regularly engages with C-Level and Fortune 500 executives worldwide, shaping strategies that position security not just as protection, but as a strategic enabler of resilience, agility, and growth in the digital era.
Jeff Man
- What would you like to ask Iranians right now if they could get online?
Our friend and fellow hacker Chris Kubecka has made contact with certain Iranian hackers who have figured out how to circumvent the Internet blackout in Iran. Interested yet? She's asking what questions you might have for Iranians right now.
Admittedly, this is a somewhat different "news" article, but what a fascinating opportunity to understand this conflict from those directly affected.
- Vercel Employee’s AI Tool Access Led to Data Breach
Stolen OAuth tokens, which are at the root of these breaches, "are the new attack surface, the new lateral movement," a researcher notes.
- Maryland property search tool goes offline after cyber threat
This is a little too close to home...I actually use this site!
- AI arms race: are Anthropic and OpenAI handing hackers the ultimate weapon?
"Claims that new AI models can outperform humans at some hacking tasks has sparked widespread alarm about the future of digital security." Ya think???
- Claude Mythos and the AI Cybersecurity Wake-Up Call
"AI does not create new vulnerabilities, it exposes existing ones, making the chronic underinvestment that boards have tolerated for years an immediate and material business risk."
Wait for it.... "The immediate priority is strengthening cybersecurity fundamentals: Strong foundations provide significant protection against AI-enabled attacks, and most organizations urgently need to build those foundations."
Genius.
- How Criminal Data Threatens Trust in AI
Giving my friend Chris a second shoutout but why not?
Larry Pesce
- Mirai Botnet exploits CVE-2025-29635 to target legacy D-Link routers
- Flipper Zero Transmits APRS With No Extra Parts
- Vercel April 2026 security incident
- Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking
- Vercel OAuth breach analysis: Context.ai compromise, MITRE T1199 trust-chain attack, IOC for Google Workspace admins
- MacOS Native Tools Enable Stealthy Enterprise Attacks
- A Tale Of Cheap Hard Drives And Expensive Lessons
Lee Neely
- Dutch navy frigate tracked by mailing it a Bluetooth tracker
The location of a Dutch navy vessel was exposed for roughly 24 hours after a postcard containing a Bluetooth tracker was sent to the ship. The Dutch Ministry of Defense had posted instructions for sending mail to sailors and soldiers; journalist Just Vervaart took advantage of that information to send the gadget embedded in the postcard. The tracker reportedly remained active for a day.
This story indicates the complexity of maintaining operational security with a backdrop of modern technology. Remember the aircraft carrier and "secret" military bases discovered by the use of fitness trackers used by soldiers running the perimeter? While we may not be conducting sensitive operations, we do have sensitive information, and we need to continuously monitor our controls to ensure it's not easily exfiltrated. I'm remembering claims stating that while information was strongly secured (access, in-transit and storage), one need only take a screenshot with their cell phone, which now often includes OCR capabilities. Also consider the use case of processing corporate information on personally owned devices. Are your protections up to speed with the current risks in either of these scenarios?
- Cyberattack at French identity document agency may have exposed personal data
France's Interior Ministry has disclosed that a cybersecurity incident affecting the country's National Agency for Secure Documents (ANTS) may have compromised personal information. ANTS processes passport, national identity card, residence permit, and driver's license applications.
The ANTS compromise is one of metadata rather than the sensitive attached documents themselves. So, while the data can't be used to access ANTS, that data includes sufficient information for ID theft/profiling, and users should take protective steps.
- Serial-to-IP Devices Hide Thousands of Old & New Bugs
Researchers have identified 20 new vulnerabilities in popular models of serial-to-IP converters — devices that sit at the heart of modern industrial networks. Even more worryingly, the same researchers counted thousands of known vulnerabilities in these very same devices' software stacks.
The flaws, when assigned a CVE, have high (9.8-10.0) CVSS scores, so we need to make sure everything is properly deployed. These types of devices, which are actually pretty cool for the teams using them, should fall under your IoT/OT protections, and as such should be isolated, not easily reached for any attempted exploit, and particularly not Internet accessible. While you're at it, seek to understand the use cases; it's good to know the problems these are solving.
- Deadline: New York Banks Attesting to Asset Inventories, MFA
Financial institutions conducting business within the state of New York faced a deadline last week for attesting to their adoption of multifactor authentication and affirming that they are keeping accurate inventories of their IT assets, including an up-to-date list of devices and plans for end-of-life management for those devices. The April 15, 2026 deadline is the last of several requirements established by 2023 amendments to New York's Cybersecurity Rule. Cybersecurity requirements already implemented include a 72-hour window for reporting cybersecurity incidents, improved vulnerability management practices, and stronger governance.
These requirements should be table stakes for all of us: (phishing resistant) MFA, accurate inventory, lifecycle management, vulnerability management, governance, and appropriate incident reporting in a timely fashion. Even if you're not obligated by regulators, rest assured you will be reporting incidents to management and beyond. Remember, these are intended as minimums based on risks from when the legislation was drafted, so you should be reviewing current threats and raising the bar accordingly. For example, we shouldn't just be implementing MFA; we should already have or be upgrading to phishing resistant MFA.
- Four arrested in latest ‘PowerOFF’ DDoS-for-hire takedown
More than 20 countries participated in a coordinated takedown of multiple platforms selling cheap access to distributed denial-of-service (DDoS) attacks. Europol said four people were arrested and 25 search warrants were executed but did not provide detail on the raids or those detained. More than 50 domains were seized and European authorities said they identified about 75,000 users of the DDoS service.
Anyone else thinking of the big red EPO button in the data center? Seriously, good on Europol, DoJ, and all the other participating authorities. It's been a minute since we've talked about DDoS; DDoS is going to remain an attack vector as long as it works. You can impact this by making sure that your protections are (still) in place, particularly for new services or services which didn't have a solution when you last checked. Be sure to ask for any reporting capability — particularly real-time — because you want visibility for your defenders.
- Bluesky confirms DDoS attack is cause of continued app outages
Social media platform Bluesky reported on April 16, 2026 that "intermittent app outages" starting the night before were the result of a distributed denial-of-service (DDoS) attack, which the company was working to mitigate. Users experienced intermittent interruption of feeds, notifications, threads, and search functions. Additional updates state that the attacks are ongoing, but the application has remained stable since 9pm PDT on April 16, and there has been no evidence of unauthorized access to private user data. The company has not confirmed attribution nor other details of the attack, and promises additional updates.
If you're wondering how to justify DDoS protections before they are needed, Bluesky is a great example of what it's like to be under a sustained DDoS attack and trying to mitigate that attack while it's underway. Don't overlook the fact that even with mitigations, some underlying services still need time to recover, possibly needing restarts. Also take a look at stories about users moving to competing services that are not currently impacted. Consider whether that should be part of your BCP conversation. I'm hoping Bluesky publishes information we can leverage in our own shops.
- Microsoft Defender Zero-days are Being Exploited
Three zero-day vulnerabilities in Microsoft Defender are reportedly being actively exploited. An individual has recently posted proof-of-concept exploits for all three. Researchers at Huntress say they are "observing the use of [the individual's] BlueHammer, RedSun, and UnDefend exploitation techniques." BlueHammer and RedSun are local privilege escalation vulnerabilities; UnDefend could be exploited to cause denial-of-service conditions and block definition updates. The PoC exploit for BlueHammer was released on April 3, and Microsoft addressed the vulnerability in its Patch Tuesday release last week, describing it (CVE-2026-33825) as being due to insufficient granularity of access control, and giving it a severity rating of Important. PoC exploits for RedSun and UnDefend were released on April 16.
CVE-2026-33825 has a CVSS score of 7.8, and is fixed with Defender 4.18.26030.3011 and above. The update (released April 14) should be automatically deployed, so this shouldn't be hard to address, but just don't let it slide as the weakness is being exploited.
- CISA tells feds to patch 13-year-old Apache ActiveMQ bug
CISA has added a 13-year-old vulnerability in Apache ActiveMQ Classic to the KEV catalog. The improper input validation / code injection vulnerability (CVE-2026-34197) affects Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The issue was discovered by researchers at Horizon3, who wrote that the flaw allows "an attacker [to] invoke a management operation through ActiveMQ’s Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands, ... [and that] the vulnerability requires credentials, but default credentials (admin:admin) are common in many environments."
Improper input validation, the gift that keeps on giving. Good on Horizon3 for leveraging AI capabilities to find an old flaw. That this flaw has existed for 13 years provides some insight as to how hard it is to identify and fix all input to be properly validated. You need to update to ActiveMQ 5.19.4 or 6.2.3. Then look for default credentials (e.g., admin:admin).
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
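The two remediation steps above (get every broker onto 5.19.4 or 6.2.3, then hunt for default console credentials) are easy to do once and hard to do across a fleet. The script below is an added example, not code from the show or from the Apache project: it triages a constructed inventory of banner strings against the fixed versions named in the notes, and flags users in a `jetty-realm.properties`-style file that still carry the shipped `admin`/`admin` or `user`/`user` defaults. The realm-file format (`username: password [,role ...]`) and the sample inventory are assumptions for the example.

```python
"""Triage an ActiveMQ fleet for CVE-2026-34197 exposure.

Added example (not from the page or the Apache project). Assumes the fixed
releases named in the show notes: 5.19.4 on the 5.x line and 6.2.3 on the
6.x line. Inventory lines and the realm file below are constructed samples.
"""
import re

# Minimum fixed release per major line, per the advisory summary above.
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a dotted x.y.z version out of a banner such as 'ActiveMQ 5.18.3'.
    Returns a tuple of ints, or None when no version is present."""
    m = _VER_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def status(version):
    """Classify a version tuple as 'patched', 'vulnerable' or 'unknown'.
    A major line we have no fix floor for is reported, never assumed safe."""
    if version is None:
        return "unknown"
    floor = FIXED.get(version[0])
    if floor is None:
        return "unknown"
    return "patched" if version >= floor else "vulnerable"


# Constructed inventory: "<host> <banner as a CMDB or scanner recorded it>".
SAMPLE_INVENTORY = [
    "broker-01  ActiveMQ 5.18.3",
    "broker-02  ActiveMQ 5.19.4",
    "broker-03  apache-activemq-6.1.0",
    "broker-04  activemq 6.2.3",
    "broker-05  ActiveMQ (version unknown)",
]


def triage(lines):
    """Map host -> status for each inventory line; unparseable versions
    land in 'unknown' so they get a manual look rather than a free pass."""
    result = {}
    for line in lines:
        host, _, rest = line.partition(" ")
        result[host] = status(parse_version(rest))
    return result


# Credentials shipped in the stock conf/jetty-realm.properties (assumed
# format: "username: password [,rolename ...]"; '#' lines are comments).
DEFAULT_CONSOLE_CREDS = {("admin", "admin"), ("user", "user")}

# Constructed realm file: the admin entry is still at its default.
SAMPLE_REALM = """# username: password [,rolename ...]
admin: admin, admin
user: S3cure-Passw0rd!, user
"""


def default_console_users(realm_text):
    """Return the usernames whose password in a realm-file body is still the
    shipped default; these are the accounts the Jolokia bridge accepts."""
    found = []
    for raw in realm_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep:
            continue
        password = rest.split(",")[0].strip()
        if (user.strip(), password) in DEFAULT_CONSOLE_CREDS:
            found.append(user.strip())
    return found


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
    print("default console users:", default_console_users(SAMPLE_REALM))
```

Feed `triage` whatever your asset inventory exports and treat every `unknown` as work, not noise; the version floor dict is the only thing to touch when the advisory is updated.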
- Vercel April 2026 security incident
Vercel, the cloud platform-as-a-service (PaaS) company known for creating and maintaining the Next.js framework, published a security bulletin on April 19 disclosing a security incident. An attacker took over a Vercel employee's Google Workspace account through a compromise in a third-party OAuth application made by Context.ai.
While this is a third-party compromise, indicating there are some things out of your control, Vercel has identified steps you can take to raise the bar in your environment. These include MFA, best practices for environment variables, activity log review, as well as deployment protection and rotating deployment protection settings and tokens. Lastly, make sure you've got the OAuth IoC, just in case.
Sam Bowne
- We Asked Claude to Audit Sagredo’s qmail. It found a RCE
"Find vulnerabilities in latest version of qmail: https://github.com/sagredo-dev/qmail. Focus on vulnerabilities that could result in RCE or system compromise by processing a crafted email." That was the entire prompt.
- AI’s New Training Data: Your Old Work Slacks And Emails
Defunct startups are being liquidated for their Slack archives, Jira tickets, and email threads—operational exhaust that AI labs now treat as premium training data.
- Package Manager Guard (PMG)
PMG intercepts every package install and checks it for malware before code executes. Install it once, and every npm install, pip install, and poetry add is protected automatically.
- BIP 360: to enable Pay-to-Merkle-Root: a proposed first step in advancing Bitcoin quantum resistance
They better get moving to become quantum-resistant by 2029.
- ZionSiphon malware designed to sabotage water treatment systems
It can adjust hydraulic pressures and raise chlorine levels to dangerous levels, targeting Israel. A logic error makes it non-functional but future ZionSiphon releases could fix the flaw to unleash its power in attacks.
- China’s researchers unveil 2,372°F lithium battery ‘firewall’ to prevent EV fires
The material is based on a silica aerogel insulation sheet.
- Mozilla: Anthropic’s Mythos found 271 security vulnerabilities in Firefox 150
Anthropic’s Opus 4.6 model found only 22 security-sensitive bugs when analyzing Firefox 148 last month.
- Sam Altman’s Creepy Eyeball-Scanning Company Gets in Bed With Zoom and Tinder
Tinder and Zoom announced partnerships with Altman’s World, the company behind the creepy, eyeball-scanning orb that is meant to prove users are human.
- Florida Man Working as a Ransomware Negotiator Pleads Guilty to Conspiracy to Deploy Ransomware and Extort U.S. Victims
Martino abused his role at a U.S.-based cyber incident response company to assist BlackCat actors.
- Contrary to popular superstition, AES 128 is just fine in a post-quantum world
Grover's algorithm doesn't benefit from parallel processing as much as classical algorithms do, so it will still take 2**104 calculations to crack a 128-bit key.
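The scaling behind that remark, written out as an added note (this is not the linked article's derivation, and the article's own $2^{104}$ accounting is not reproduced here). Let $N = 2^{128}$ be the key space and $p$ the number of machines searching in parallel.

Classical brute force: each machine tries $N/p$ keys, so wall-clock time drops as $1/p$ while total work stays at $N = 2^{128}$ trials no matter how many machines are used.

Grover on one machine needs about $\frac{\pi}{4}\sqrt{N} \approx 2^{64}$ sequential oracle calls, and those calls cannot be spread across machines the way classical trials can. Splitting the key space into $p$ disjoint parts and running Grover on each gives

$$
\text{per-machine depth} \approx \sqrt{N/p}, \qquad
\text{total work} \approx p \cdot \sqrt{N/p} = \sqrt{N p} .
$$

So adding machines buys only a $\sqrt{p}$ speed-up in wall-clock time, and the total work grows with $p$ instead of staying constant. Under this model, a total of $2^{104}$ oracle calls is what results from $\sqrt{2^{128} \cdot p} = 2^{104}$, i.e. $p = 2^{80}$ parallel machines; whether that is the figure the article had in mind is an assumption, but the point it supports is the same: a quantum adversary cannot throw hardware at AES-128 the way a classical one can.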
- EU age verification app can be hacked in 2 minutes, claims security expert
By deleting specific values tied to the PIN from the app’s configuration files and restarting it, an attacker can set a new PIN while still retaining access to credentials created under the previous profile.