FIRESTARTER – PSW #924

Paul Asadoorian

1. Copy Fail — 732 Bytes to Root

   This works BTW. Privilege escalation on pretty much all OSes is a huge problem. Once an attacker has a foothold, pretty much game over...

2. GitHub fixes RCE flaw that gave access to millions of private repos

   Whoops, single git pull gives you root, lovely. It was fixed very quickly.

3. ps5-linux/ps5-linux-loader: Linux payload implementing the HV exploit and a custom bootloader

   I am super interested in turning a PS5 into a Linux computer, just because apparently now you can...

4. Social Engineering: Building Your Own BadUSB – Hackers Arise

   Neat article, nothing really new here, but I liked the thought put into it, such as this: "Ironically, the hardest part is often not the electronics but the shell. A believable enclosure matters. One practical trick is to buy the cheapest flash drive available in a local electronics store, remove its internal storage board, and reuse only the casing. Another elegant option is to simply 3D-print a flash drive enclosure that matches the dimensions of the chosen controller. Because many Arduino boards come with micro-USB connectors, the port often needs to be resoldered or adapted to a standard USB-A plug. A fake flash drive with a micro-USB connector would immediately look suspicious. If the board itself is not mechanically strong enough to support direct insertion stress, the USB plug can be fixed to the shell while the controller board connects internally using rigid wires. This transfers unplugging force to the casing instead of the PCB."

5. NCSC launches SilentGlass, a plug-in device to secure HDMI and DisplayPort links

   I am curious why we need this device, so I asked AI, good discussion points here:

   SilentGlass addresses a class of hardware-layer threats targeting HDMI/DisplayPort interfaces — threats defined across several well-established research threads. Here's the underlying research that motivated it:

   • "A Monitor Darkly" (Ang Cui, Red Balloon Security) - The most direct foundational work is Ang Cui and Jatin Kataria's DEF CON 2019 research "A Monitor Darkly," which demonstrated that monitor firmware (running on the monitor's internal MCU) is exploitable. They showed monitors can be compromised to intercept, manipulate, or exfiltrate pixel data — effectively making the monitor itself a persistent implant. This is the canonical "compromised monitor as attack vector" research. tomshardware
   • Van Eck Phreaking / TEMPEST - Wim van Eck's 1985 paper established that electromagnetic emanations from display cables can be intercepted at range to reconstruct screen content. This is the basis for NSA/NATO TEMPEST standards. SilentGlass is a modernized, affordable mitigation for this class of signal-leakage threat. linkedin
   • HDMI DDC/CEC Channel Exploitation - HDMI's Display Data Channel (DDC) and Consumer Electronics Control (CEC) are bidirectional communication channels embedded in the cable. Researchers have demonstrated these upstream channels can be used to send commands or exfiltrate data — turning a "display-only" cable into a two-way attack vector. The NCSC specifically calls out that monitors "can process and store sensitive data" and are exploitable for espionage. helpnetsecurity
   • Air-Gap Exfiltration via Display Signals - Ben-Gurion University researchers (Mordechai Guri et al.) published multiple papers — including "BRIGHTNESS" and "AirHopper" — showing how video signals from air-gapped systems can be used as covert exfiltration channels. The NCSC's concern about espionage via display links aligns directly with this research body. linkedin

   The NCSC's own advisory describes monitors as "highly likely" targets for espionage, disruption, and financial crime — positioning SilentGlass as a hardware enforcement point where software mitigations are insufficient. helpnetsecurity

6. Sandworm Uses SSH-over-Tor Tunnel for Stealthy Long-Term Persistence
7. CVE-2026-42167 Allows Auth Bypass And RCE In ProFTPD – ZeroPath Blog
8. Alleged Silk Typhoon hacker extradited to the United States to face charges

   This is rare, but it happens. Curious how this will pan out.

9. 89 vulnerabilities in XAPI / Citrix XenServer
10. VMware to KVM migration guide – common pitfalls and how to avoid them

    Using this to make a note that Claude and Linux KVM/libvirt is an awesome combination. I've completely left the VMWare environment and use KVM. Claude is really great at setting up VMs, converting them, making scripts to make my life easier, etc... For lab VMs I even give Claude console access and/or SSH access to VMs, using Python Expect library, and it can configure things for me. So I can say, "hey Claude, go to this VM for this vendor and configure this feature", and it just does it. I don't have to be an expert on every lab target anymore!

11. SonicOS affected by multiple vulnerabilities

    For the most severe vulnerability there is not enough information to triage, frustrating that this is all we get: "A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions." - Analyze the CVSS score is interesting, it says AV is A, which means "the attacker must be on the same network segment (LAN, Wi-Fi, VLAN) as the target not exploitable directly from the internet, but not requiring local machine access either." UI:R also means that the victim requires interaction. So confused, which access control mechanism does this refer to? Why are they being to light on details?

12. A Route to Root in a 4G Industrial Router
13. Why are top university websites serving porn? It comes down to shoddy housekeeping.

    Wait, why are you using CNAMES to point to external domains that you do not control? Ask me about the Wordpress instance we had for this that was not a solution. For example, universities have many clubs or groups. They need a website. We had an instance of WP that allowed students to use a subdomain, like mtnbiking.example.edu. Problem was, it was ALWAYS being hacked. We did have other external domains too, and housekeeping is important. Its a tough problem to solve for colleges and universities.. AI summary:

    Turns out prestigious .edu domains — Berkeley, Columbia, WashU — have been moonlighting as adult content sites, and no, this wasn't a student project. Scammers exploited "dangling" CNAME records: old DNS entries pointing to long-expired external domains that attackers simply... bought. The result? Hundreds of hijacked subdomains across 34+ universities serving explicit content and scareware, all under the trusted halo of a .edu address. reddit

    Basically, your alma mater forgot to clean up after itself, and now someone else is using its good name to sell something your parents definitely didn't pay tuition for. The lesson, as always: patch your DNS, not just your software. news.ycombinator

14. I Tested The Banshee Against Flipper Zero: Results Are Insane

    This device is insane, I want one!

15. The Internet Changes Before the Advisory Drops

    GreyNoise found that unusual scanning activity on their sensor network consistently precedes CVE disclosures with an 11-day median lead time. That's a head start most defenders never get.

    Key Numbers: - 147.8M sessions, 18 vendors, 103 days (Dec 2025 – Mar 2026) - ~50% of activity surges preceded a CVE within 3 weeks — 36% above chance (p=0.0015) - CVSS 10.0 vulns like Cisco CVE-2026-20127 showed signals 39 days out

    The Signal: Watch session volume intensity, not just new IPs. When existing scanners hit a vendor harder than normal, that's your warning. Both channels spiking together (sessions + new IPs) is a high-confidence escalation signal.

    Most Interesting Finding: Cisco and SonicWall showed a "countdown compression" pattern — surges arriving at shorter and shorter intervals before disclosure, like a heartbeat accelerating before a CVE drops.

    Who's Doing It: Four distinct attacker infrastructure clusters — from broad residential botnets to tight dedicated VPS operators. Concentrated infrastructure (few IPs, thousands of sessions each) = much closer to disclosure (7.5-day mean vs. 21-day mean for botnets).

    Why It Matters Now: Mandiant says mean time-to-exploit is now negative 7 days. Verizon DBIR shows 8x increase in network device exploitation YoY. Salt Typhoon hit three vendors in this study (Cisco, Ivanti, Fortinet). The window to act is shrinking.

    Debate: Half of surges don't precede a CVE — so how do you operationalize a 50% false positive rate without alert fatigue?

16. Zero Day Initiative — CVE-2026-33824: Remote Code Execution in Windows IKEv2

    CVE-2026-33824 is a critical (CVSS 9.8) remote code execution vulnerability in Windows' built-in VPN handshake service, called IKEv2. The short version: an attacker on the internet can send specially crafted packets to UDP port 500 or 4500 on a vulnerable Windows machine — no login, no user clicking anything required — and take over the system with full SYSTEM privileges. nvd.nist

    The root cause is a double-free memory bug in ikeext.dll, triggered during fragment reassembly of IKE messages. The service mishandles a pointer, frees the same memory twice, corrupts the heap, and game over. zerodayinitiative

    What makes this particularly scary for enterprises is that Always On VPN deployments using IKEv2 device tunnels are directly in the blast radius. Any Windows server with IPsec/VPN exposed to the internet is potentially owned with a single exploit sequence. directaccess.richardhicks

    It was patched in Microsoft's April 2026 Patch Tuesday — so if you haven't patched, do it now. If you can't patch immediately, block UDP 500 and 4500 at the perimeter. Detection-wise, look for IKEEXT service crashes and unusual traffic on those two ports. sentinelone

17. Advisory: AirSnitch Vulnerabilities in Sophos AP6 and APX Series Access Points

    I give Sophos credit for issuing an advisory and stating: "There is currently no complete mitigation for this class of attacks and no remediation/fix available at this time. Apply the workarounds and network design protections below, and ensure you implement the specific workarounds relevant to each attack variant present in your environment." - Curious to get Larry's take on the workarounds and specifics that would help prevent or somewhat mitigate the vulnerability.

Jeff Man

1. State announces $7 million settlement with contractor Deloitte over RIBridges cyber breach

   Paul & Larry's backyard...case closed.

2. Vimeo Confirms User and Customer Data Breach

   Some user emails were compromised. Why is this a story? ShinyHunters is threatening to release data, but what data???

3. LPL Claims Hackers Accessed Client Accounts Through Advisors’ Devices

   This is a little too close to home since they are my financial advisors (I checked and I'm not impacted). ShinyHunters is being blamed...another ransomware as a result of phishing attack.

4. Defending Against China-Nexus Covert Networks of Compromised Devices

   China's out to get us and we're all gonna die.

5. Fighting Fire with Fire: Project Glasswing and AI-Powered Cyber Defense in Health Care, Financial Health and Other Critical Infrastructure

   A decent summary of "Project Glasswing" which is a "coalition of leading technology and cybersecurity providers united around a single urgent objective: deploying frontier artificial intelligence (AI) capabilities using Anthropic’s unreleased Mythos Preview AI model for defensive cybersecurity before malicious actors can exploit similar capabilities offensively to attack first party and open source software."

6. Project Glasswing Securing critical software for the AI era

   In case you haven't seen it...

7. Cold War: Great Seal

   The Seal with the hidden microphone that was mentioned early in the show.

Larry Pesce

1. Eavesdropping via fiber-optic cables
2. Firestarter malware survives Cisco firewall updates, security patches
3. Agricultural spray drones reportedly stolen from New Jersey facility
4. UNC6692 Hackers Exploit Microsoft Teams to Deploy SNOW Malware
5. American utility firm Itron discloses breach of internal IT network
6. Cyber Command, NSA chief warns foreign adversaries likely to target midterms
7. (20) Brendan Dolan-Gavitt on X: “Can anyone think of a non-sketchy reason my wifi router would accept an unauthed UDP packet on port 20002 with a port-knock mechanism and add a firewall rule allowing Dropbear ssh on TCP 20001 — but ONLY if the country is set to Singapore?” / X
8. GitHub fixes RCE flaw that gave access to millions of private repos
9. GitHub ‘No Longer a Place For Serious Work’, Says Hashicorp Co-Founder – Slashdot

Lee Neely

1. Fast16 Cyber Sabotage Framework is Older than Stuxnet

   Researchers from SentineOne's SentinelLABS have deciphered a cyber sabotage framework they are tracking as fast16, which "selectively targets high-precision calculation software, patching code in memory to tamper with results." The core components of fast16 date back to 2005, making it at least five years older than Stuxnet.

   This resets our understanding of how far back this type of, state sponsored, covert exploit was developed/deployed. The good news is the Sentinel Labs story includes both IoCs and Yara rules to detect the malware. While the signature for the svcmgmt.exe binary was uloaded to VirusTotal about ten years ago, there appear to be almost no detections.

2. CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline

   CISA) added four CVEs to the Known Exploited Vulnerabilities (KEV) catalog. All four have mitigation deadlines of Friday, May 8, 2026 for Federal Civilian Executive Branch (FCEB) agencies. Two of the vulnerabilities affect SimpleHelp remote support software v5.5.7 and earlier: a critical privilege elevation vulnerability (CVE-2024-57726) and a high-severity arbitrary code execution vulnerability (CVE-2024-57728); both were initially disclosed in early January 2025. A high-severity improper limitation of a pathname to a restricted directory vulnerability (CVE-2024-7399) in Samsung MagicINFO 9 Server version prior to 21.1050, initially disclosed in August 2024. And a high-severity command injection vulnerability (CVE-2025-29635) in D-Link DIR-823X 240126 and 240802 was disclosed in early 2025. The Akamai Security Intelligence and Response Team (SIRT) recently detected this vulnerability being actively exploited. That these year old issues were added to the KEV shows enough of these vulnerabilities remain and are being targeted. SO, go through your inventory and make sure that you've applied the relevant updates. Note the fix for the impacted D-Link devices is replacement as they are EOL, even so make sure the management interface remains NOT Internet accessible.  Remember SimpleHelp requires action on the server and endpoints.

3. FCC: Router ban includes portable hotspots, but not phones with hotspot features

   The FCC has clarified that the agency's ban on routers made outside the country includes mobile hotspots. While the FCC made no formal announcement, it did add information to the "Is my device a consumer-grade router under the National Security Determination?" section on an FAQ page dedicated to the ban.

   This is an update to the FCC's "FCC Covered List" which is a list of communications equipment that are deemed to pose a risk to the national security of the U.S. The idea is to ban devices which have hidden neferious purposes, it also helps pave the way for consumer device labeling and certification, such as the U.S. Cyber Trust Mark.

4. ADT detects cybersecurity incident – ADT

   ADT confirmed that it experienced a data breach on April 20. The company detected unauthorized access to "certain cloud-based environments" containing data belonging to current and prospective customers, and responded by immediately activating response protocols, "terminating the intrusion, launching a forensic investigation with leading third-party cybersecurity experts, and notifying law enforcement." The data accessed included names, phone numbers, and addresses, with a subset also including dates of birth and the last four digits of Social Security numbers or Tax IDs, and all affected individuals have been notified directly. ADT characterizes the scope of the attack as "limited," and has not verified any threat actor's claims, but the breach listing on Troy Baker's havibeenpwned estimates the affected accounts at 5.5 million.  

   While reputation risk is not the factor it used to be, protection, to include customer information, are core to ADT's service offering.

5. V1: ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices

   The US Cybersecurity and Infrastructure Security Agency (CISA) alongside the UK National Cyber Security Centre (NCSC) is directing federal agencies to take new steps for threat hunting, mitigation, and reporting of persistent malware introduced by the exploitation of flaws in Cisco Firepower and Secure Firewall products with Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.

   Regardless of if you're a FCEB, read the Emergency Directive for information on both the fixes and FIRESTARTER, lots of good stuff here and they're a quick read. The FIRESTARTER report has links to the Yara rules your threat hunters need. The flaw also exists in unsupported/EOL ASA devices, which means, when the discussion stops, just replace them rather than trying to fix them. Beyond applying the updates, CISA requires FCEB's to obain a core dup and upload it to their Malware Next Generation (MNG) analysis platform to check for evidence the FIRESTARTER back door, this service is available to non-FCEBs, use it. If detected at a minimum you need to power-cycle the device after the update, better stiill, re-image it. Consider power cycling your ASA & FTD devices, not only after the update, but also if you didn't when you previously applied it. FIRESTARTER Backdoor: https://www.cisa.gov/news-events/analysis-reports/ar26-113a

6. Italy extradites alleged Chinese state hacker to US

   Authorities in Italy have extradited a Chinese national to the US to face charges of charges of wire fraud, aggravated identity theft and unauthorized access to protected computers. Xu Zewei appeared in US District Court in Houston, Texas on Monday, April 27, 2026. A November 2023 indictment alleges that Xu had a role in cyber intrusions that were part of the HAFNIUM campaign, which infected thousands of machines worldwide, and intrusions targeting COVID-19 research.

   HAFNIUM is also known as Silk Typhoon or APT40 (2021 Exchange Server breach, 2022 Tarrask Malware) - they were in the news in March 2025 when 12 members were charged with attacks on the Treasury and other U.S. Government agencies which lead to Xu's arrest in Italy last July. If convicted he faces 77 years in prison..

7. Critical infrastructure giant Itron says it was hacked

   Itron says they were "notified" that they were hacked, but no details are provided. Nor are they providing details about the attack. Their actions hint to a data breach rather than ransomware. While it's great that someone let them know they had an issue, and I wish them luck with their recovery, we all need to be certain we can detect our own issues, to include dark web monitoring. Not sure I want to sit in a board meeting and say "Someone else, not sure who, will let us know if we have a problem."

8. Unprecedented SMS Blaster Arrests

   Canadian authorities arrested three men and confiscated three SMS blasters, believed to be the first known use of this technology in Canada. As described in the Toronto Police Service (TPS) press release, "an SMS blaster works by mimicking a legitimate cellular tower," intercepting mobile traffic by tricking devices in range to connect to the SMS blaster instead, allowing attackers to send "fraudulent text messages that appear to come from trusted organizations," including links for conducting SMS phishing. A TPS investigation dubbed "Project Lighthouse" began in November 2025, and led to the discovery of vehicles operating SMS blasters in multiple locations in the Greater Toronto Area.

   That these are mobile devices hints they can be in any location, it also highlights the difficulty of tracking and stopping the attacks as well, hat tip to Project Lighthouse/TPS & RCMP. We need to remind users to beware of unexpected text messages, and doubly careful clicking any included links. Investigate settings where messages from unknown senders are filed/marked as spam. When in doubt contact the sender via a known good communication channel rather than the number or web site included in the message.

Sam Bowne

1. US accuses China of “industrial-scale” AI theft. China says it’s “slander.”

   Since the launch of DeepSeek—a Chinese model that OpenAI claimed was trained using outputs from its models—other AI firms have accused global rivals of using a method called distillation to steal their IP.

2. AI Self-preferencing in Algorithmic Hiring: Empirical Evidence and Insights

   LLMs consistently prefer resumes generated by themselves over those written by humans or produced by alternative models, even when content quality is controlled. Candidates using the same LLM as the evaluator are 23% to 60% more likely to be shortlisted than equally qualified applicants submitting human-written resumes.

3. DORA and operational resilience: Credential management as a financial risk control

   On January 17, 2025, the Digital Operational Resilience Act (DORA) entered into application across the EU. Article 9 of the regulation makes credential security a binding financial risk control, with supervisory consequences for institutions that fall short. Least-privilege and MFA are now mandatory, and the compliance perimeter does not stop at the institution's own systems. Institutions must contractually require equivalent authentication standards from their vendors and audit compliance against those requirements.

4. Governments on high alert after CISA snuffs out Firestarter backdoor on fed network

   A US federal agency was successfully targeted by a previously unknown backdoor malware called Firestarter, according to CISA cybersnoops and their UK counterparts – neither of which disclosed the agency's name. CISA said Firestarter was especially sophisticated in that it maintained persistent access to compromised networking devices even after they were updated, allowing attackers to re-enter victims' networks without needing to exploit any new vulnerabilities.

5. Microsoft recommends weak passwords

   This is a real post by Microsoft, and it's still up. I linked the archive because if they have any sense, they will delete it immediately.

   "To mitigate the impact on monthly limits... Password Management: Use common passwords that Microsoft Defender can easily extract and scan, reducing the likelihood of these files being counted as unscannable."

6. Bitwarden CLI npm package compromised to steal developer credentials

   The malicious package was distributed as version 2026.4.0 and remained available between 5:57 PM and 7:30 PM ET on April 22, 2026, before being removed. While it is not known exactly how attackers gained access, Bitwarden told BleepingComputer the incident was linked to the Checkmarx supply chain attack, with a compromised Checkmarx-related development tool enabling abuse of the npm delivery path for the CLI during a limited time window.

7. Checkmarx Security Update: April 22

   Supply-chain attack poisoned many Chackmarx products on April 22

8. Why are top university websites serving porn? It comes down to shoddy housekeeping.

   Hundreds of subdomains from dozens of universities have been hijacked by scammers.

9. Ongoing supply-chain attack ‘explicitly targeting’ security, dev tools

   A very useful summary and timeline of the ongoing attack. On March 23, the Trivy vuln scanner was compromised, adding credential-stealing malware. That gave the attackers a lot of credentials, which they used to poison LiteLLM and Checkmarx products. They also poisoned Bitwarden. "Attackers are deliberately targeting the tools developers are told to trust most: security scanners, password managers, and other high-privilege software wired directly into developer environments. This is why the fallout can get big very quickly."

10. OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years

    Tracked as CVE-2026-35414 (CVSS score of 8.1), the flaw is described as a mishandling of the authorized_keys principals option in certain scenarios involving certificate authorities (CA) that use comma characters. If a certificate contains the principal deploy,root, OpenSSH splits the comma and enables full root access.

11. ‘AI Agent just destroyed our production data and confessed in writing’, founder rings alarm bells

    An AI agent powered by Anthropic’s Claude Opus 4.6 wiped out his company’s production database and backups on Railway using a routine access token. The agent was working on a routine task and encountered a credential mismatch and decided, entirely on its own initiative, to “fix” the problem by deleting a Railway volume. To execute the deletion, the agent went looking for an API token. It found one in a file completely unrelated to the task it was working on.