Rob Allen from ThreatLocker joins us to discuss the risks associated with VPN appliances and how to implement better security solutions that don't leave you hanging out on the open Internet. The interview segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlockerrsac to learn more about them!
In the Security News:
- Fewer details about the FCC router ban
- Canary traps that work
- Hacking trains and getting arrested
- You can be an adult if you have a mustache
- cPanel is being exploited
- Pro-Iran group takes down Ubuntu
- Anthropic's new security solution
- Safe AI Agents and other lies
- People still use screensavers?
- CISA and operating for weeks or months in isolation
- Paramiko issues fixes
- Find security research
- Copy/Fail and AI slop debate
- ESP32 simulator
- Spotting vibe coded malware
- Fast16 - Stuxnet before Stuxnet
Rob Allen, Chief Product Officer of ThreatLocker, is an IT Professional with three decades of experience helping small and medium enterprises embrace and utilize technology. He has spent the majority of this time working for an Irish-based MSP, which has given him invaluable insights into the challenges faced by businesses today. Rob’s background is technical – first as a system administrator, then as a technician and an engineer. His broad technical knowledge, as well as an innate understanding of customers’ needs, made him a trusted advisor for hundreds of businesses across a wide variety of industries. Rob has been at the coalface, assisting clients in remediating the effects of, and helping them recover from, cyber and ransomware attacks.
Paul Asadoorian
- CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict
This is why CISA needs funding: "CISA’s new “CI Fortify” push tells critical infrastructure operators to assume they’ll have to run weeks to months isolated from the internet, vendors, and telecom during conflict, especially under Chinese threat activity like Volt Typhoon and Salt Typhoon. The guidance focuses on two pillars: isolation (being able to safely cut OT off from IT and third parties while still serving “critical customers” like bases and hospitals) and recovery (rigorous backups, documentation, and manual fallbacks when systems are degraded or destroyed). CISA will run targeted technical assessments with selected energy, water, transport, and comms providers to test how well they can maintain minimum service levels in that disconnected state and then rapidly rebuild once connectivity returns." At least it's just one reason.
- Some kids are bypassing age verification checks with a fake mustache
Age verification for the Internet will not work out: "This is not the first known bypass that kids have figured out in recent months since the rise in rollouts of age-verification checks. Some kids have found that pointing their webcam at adult-looking characters in video games also worked, or in other cases, simply pulling obscure or funny faces was enough to skirt the checks altogether." - So many silly laws get passed to "protect the children", but really do nothing to protect the children, or address threats to children that simply do not exist. Less laws, more common sense please.
- Student hacked Taiwan high-speed rail to trigger emergency brakes
His lawyer is saying that the transmission was an "accident" LOL: "Investigators say the TETRA-based system has been in service for about 19 years and that critical radio parameters had not been rotated in that period, which allowed the attacker to bypass seven verification layers intended to protect signaling. THSR identified that the emergency signal originated from a beacon ID that was not scheduled, suspected unauthorized cloning, and worked with police, who used TETRA logs and CCTV to trace the activity back to Lin’s residence, where they seized an SDR, 11 handheld radios, and a laptop; a 21‑year‑old accomplice reportedly supplied some of the needed THSR parameters"
- Paramiko Security Audit – Quarkslab’s blog
I use this module, it's great, good to see a commitment to security:
Findings: The audit identified 30 issues total: 2 high severity, 6 medium severity, 6 low severity, and 16 informational. High-severity findings included insecure RSA signature parameters (HIGH-21) and acceptance of insecure Triple DES key sizes (HIGH-28). Medium-severity issues involved deprecated cryptographic methods like weak Diffie-Hellman groups and GSS-API key exchange methods. Low-severity findings included MD5 use for key derivation, Ed25519 exception handling bugs, and UDP socket instantiation.
Outcome: Despite the findings, no critical security concerns were raised for Paramiko or Cryptography. All previously identified vulnerabilities have been remediated, demonstrating the project's commitment to security improvements. The engagement included detailed static analysis, targeted testing enhancements, and CI/CD pipeline security review.
- AI Scholar — Living security research intelligence
"AI Scholar tracks offensive-security papers from arXiv, OpenAlex, and Crossref. Start with Atlas for the map, Digests for curated briefings, or the feed below when you want raw search, dossiers, and provenance trails."
Blog post on the creation of this site: https://0x434b.dev/from-a-stale-readme-to-a-security-research-intelligence-platform/
Found this using it: https://github.com/bjtu-SecurityLab/FORGE
- ‘Copy Fail’ is a real Linux security crisis wrapped in AI slop
This article is way off base and states things that I do not agree with:
- "The result is a case study that underscores the challenges that occur when the relentless hunt for defects collides with marketing impulses and inflated AI-generated language that was long on bluster but lacked technical details. Theori dubbed the high-severity vulnerability “Copy Fail” with a vanity domain containing AI-generated content" - The AI-generated content told us what we need to know about the vulnerability, including the PoC exploit, enough details for me.
- "Theori’s disclosure turned heads among other vulnerability researchers who noted the defect’s broad potential impact, but also for lacking details about the proof-of-concept exploit." - They didn't read all the articles, this post has all the details on the exploit: https://xint.io/blog/copy-fail-linux-distributions
Why are they trying to make a big deal about nothing? Perhaps they just needed something sensational to promote Cyberscoop LOL.
- ESP32 Simulator Online – Cirkit Designer
- The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)
CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel & WHM with a CVSS score of 9.8 that affects all currently supported versions. watchTowr Labs discovered the flaw involves CRLF (Carriage Return Line Feed) injection in the login and session loading processes, allowing unauthenticated remote attackers to gain full root administrator access without passwords.
What is cPanel?
cPanel is the world's most popular web hosting control panel software that provides a graphical interface and automation tools for managing web servers, websites, email accounts, databases, and domain names. It's primarily used by shared hosting providers, web hosting resellers, and managed hosting companies to allow their customers to easily manage hosting accounts without command-line knowledge. Approximately 1.5 million cPanel instances are exposed online, making it a critical infrastructure component for the hosting industry.
Active Exploitation
This was a zero-day vulnerability actively exploited in the wild since at least February 23, 2026 according to KnownHost CEO Daniel Pearson. Around 30 servers experienced unauthorized access attempts at KnownHost alone.
Impact & Remediation
The vulnerability affects cPanel's session handling mechanism, essentially providing "keys to the kingdom" for shared hosting environments where thousands of websites may reside on single servers. cPanel released patches on April 28, 2026 including version 136.0 with added sanitization functions to prevent injection attacks. Canada's cybersecurity agency warned that exploitation is highly probable.
It's Bad
Authentication bypass grants complete control over WHM servers - attackers can steal data, upload malware, delete websites, and potentially compromise all hosted accounts on affected systems. The widespread use of cPanel in shared hosting amplifies the risk significantly. Administrators should immediately patch, audit access logs for suspicious activity on vulnerable endpoints (ports 2083 and 2087), and consider credential resets if compromise is suspected. PoC exploits are now publicly available.
- PromptMink: How North Korea Tricked Claude Into Installing npm Malware
and the malware was vibe code, awesome: "An early @validate-sdk/v2 README contained a leftover assistant prompt the operator forgot to delete: "also obfuscate the README a bit?" A test package (pino-pretty-logger v1.0.4) shipped unobfuscated TypeScript declarations describing the entire stealer interface in verbose JSDoc. The Rust NAPI-RS module first tested in @slackgram/logger was "verbosely commented in an LLM-like manner." The error handling in @validate-sdk/v2 v1.22.30 resembles "the kind of informative messaging commonly written by LLMs (but not as often by human developers)."
- fast16 – Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet
- SentinelOne’s piece lays out fast16 as a previously unknown, state‑grade sabotage framework from 2005 that quietly corrupts high‑precision engineering and scientific computations, predating Stuxnet by about five years.
- Core story - Researchers traced a weird ShadowBrokers “fast16” reference back to a Windows kernel driver, fast16.sys, plus a Lua‑powered carrier module compiled in 2005. Instead of stealing data, the driver patches floating‑point routines in memory so targeted apps keep running but return subtly wrong results, consistently, across all infected systems. The pattern matching points to mid‑2000s precision suites like LS‑DYNA, PKPM, and MOHID, which are used in crash simulations, structural analysis, and hydrodynamics modeling—i.e., workloads tied to aerospace, energy, and potentially nuclear research.
- Why it matters - fast16 effectively weaponizes math trust: every box in the lab agrees on the same wrong answer, undermining research, design, and even safety‑critical engineering over long time horizons. Combined with its early embedded Lua VM and presence in NSA “Territorial Dispute” deconfliction signatures, it forces a rewrite of the cyber‑sabotage timeline and suggests that highly tailored, physical‑world‑impact tooling was in play well before Stuxnet and Flame hit the public record.
Larry Pesce
- Student Arrested in Taiwan for using SDR and Handheld Radios to Halt Four High Speed Trains with TETRA Hack
- Why Has the US Banned Foreign-Made Routers?
- Student hacked Taiwan high-speed rail to trigger emergency brakes
- Australian police officers can be tracked due to a security flaw in tasers and body-worn cameras
- Some kids are bypassing age verification checks with a fake mustache
- Microsoft Edge stores all your saved passwords unencrypted in memory
- Exclusive: US officials weigh cutting deadlines to fix digital flaws amid worries over AI-powered hacking, sources say
Lee Neely
- Security: CVE-2026-41940 – cPanel & WHM / WP2 Security Update 04/28/2026
cPanel Critical Flaw Exploited Worldwide, and New Detection Script is Available
Make sure that you've updated your cPanel installs, and implemented cPanel's security best practices, to include their recommended security settings checklists. Check with your hosting provider to learn what their update plans are. If you're using cPanel add-on modules make sure they are not EOL and up to date. Where feasible, enable auto-update.
The detection script is included in the cpanel.net security alert.
cPanel Recommended Security Settings: https://docs.cpanel.net/knowledge-base/security/recommended-security-settings/
- Pro-Iran group turns Ubuntu DDoS into shakedown
Ubuntu's servers are back online following about two days of outages caused by a "sustained, cross-border" distributed denial-of-service (DDoS) attack starting on April 30. This incident prevented users from accessing the distribution's website and resources for remediation following the simultaneous unrelated disclosure and published proof-of-concept exploit code for a privilege escalation flaw in the Linux kernel. Users were also reportedly prevented from downloading and updating the OS.
In case you missed it, Ubuntu 26.04 LTS was just released, so you likely have teams working on certifying the new version, which may have reverted to other package sources. Make sure they're using legit copies of packages. The Islamic Cyber Resistance in Iraq, aka 313 Team, is claiming responsibility for the attack and is threatening Canonical with extortion. 313 Team is also claiming responsibility for the recent DDoS attacks on BlueSky as well as eBay's Japan and US divisions. Another argument for making sure your DDoS protections are enabled and comprehensive. Canonical and Ubuntu Status page: https://status.canonical.com/
- Trellix discloses data breach after source code repository hack
Trellix was formed in January 2022 with the merger of FireEye and McAfee. Other cybersecurity companies have been similarly targeted over the past several months: Checkmarx reported a breach of its GitHub code repository in late April, and Cisco disclosed a breach of its internal development environment.
Verify your access controls on your source code repositories. Make sure MFA is required for updates, and give careful thought to who can read it. While we've talked a lot about malicious packages replacing legitimate ones, don't forget that you may not want just anyone to be able to download your legitimate code either. While you're looking at things, make sure that you are not ignoring secrets stored in those repositories. Don't make things any easier than they have to be for our adversaries. Heise Security Writeup: https://www.heise.de/en/news/Trellix-Attackers-gained-access-to-source-code-11280868.html
- TeamPCP Hits SAP Packages With ‘Mini Shai-Hulud’ Attack
Cybersecurity researchers are reporting a campaign of supply chain attacks targeting packages in the PyPI, npm, and PHP ecosystems, including packages for SAP, PyTorch Lightning, and Intercom that were infected with a worm dubbed "Mini Shai-Hulud" due to similarities with the Shai-Hulud npm worm from September 2025. SAP's mbt v1.2.48, @cap-js/db-service v2.10.1, @cap-js/postgres v2.2.2, and @cap-js/sqlite v2.2.2 packages, whose combined downloads exceed half a million weekly, were poisoned on April 29, 2026.
Rather than think of a desert planet and cutting off spice production, consider this worm steals developer credentials. Those credentials were then used to create new GitHub repositories. Check to make sure that you didn't consume one of the poisoned SAP packages. Beyond getting the known good package, you need to rotate secrets (GitHub, cloud providers, Kubernetes, CI, local developer tools, etc.), not just NPM tokens. Grab the IoCs from the Wiz blog and check your environment.
Wiz Blog: https://www.wiz.io/blog/mini-shai-hulud-supply-chain-sap-npm
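One way to run the "did we consume a poisoned package" check against npm lockfiles, added here as an example and not taken from the show notes or the Wiz write-up. The package versions are the four listed above; it assumes they were installed through npm and recorded in a `package-lock.json`, and the sample lockfile is constructed.

```python
import json

# Versions the notes above list as poisoned on April 29, 2026.
POISONED = {
    "mbt": {"1.2.48"},
    "@cap-js/db-service": {"2.10.1"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/sqlite": {"2.2.2"},
}


def name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (lockfile v2/v3 keys)."""
    return path.rsplit("node_modules/", 1)[-1]


def iter_locked(lock):
    """Yield (name, version, location) for every resolved package."""
    # lockfileVersion 2 and 3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:
            yield meta.get("name") or name_from_path(path), meta["version"], path

    # lockfileVersion 1 (and the v2 compatibility copy): nested "dependencies".
    def walk(deps, trail):
        for name, meta in deps.items():
            here = trail + [name]
            if "version" in meta:
                yield name, meta["version"], " > ".join(here)
            yield from walk(meta.get("dependencies", {}), here)

    yield from walk(lock.get("dependencies", {}), [])


def find_poisoned(lock_text, poisoned=POISONED):
    """Return sorted unique (name, version, location) hits in a lockfile."""
    lock = json.loads(lock_text)
    hits = {
        (name, version, where)
        for name, version, where in iter_locked(lock)
        if version in poisoned.get(name, ())
    }
    return sorted(hits)


# Constructed sample: one direct hit, one near miss, one transitive hit.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
        "node_modules/@cap-js/db-service": {"version": "2.10.0"},
        "node_modules/some-tool/node_modules/mbt": {"version": "1.2.48"},
    },
})

if __name__ == "__main__":
    for name, version, where in find_poisoned(SAMPLE_LOCK):
        print(f"POISONED {name}@{version} at {where}")
```

A clean lockfile only shows what is pinned today; build caches and CI logs from the exposure window still need checking against the published IoCs.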
- Cyber incident responders who carried out ransomware attacks given 4-year sentences
Two individuals have been sentenced to four years each in prison for deploying ransomware known as ALPHV BlackCat over a period of several months in 2023. DigitalMint has established new guardrails to ensure that negotiations are accurately audited and logged; these include "structured logging of all negotiation communications; clear audit trails for decision-making; defined oversight mechanisms throughout the engagement lifecycle, and ongoing refinement of processes as expectations evolve."
DigitalMint has instigated improvements in their processes adding more oversight and transparency to the engagement. Other ransomware negotiation companies should review these to see where they can also raise the bar. What DigitalMint doesn't indicate is improvements in their screening of staffing. Not only must all actions taken be accountable, transparent and consistent with company values, but, based on my background in government, staff has to be screened regularly to ensure they are also aligned and haven't gone astray.
DigitalMint Expectations for Accountability: https://digitalmint.io/resources/the-growing-expectation-for-accountability-in-incident-response/
- Careful adoption of agentic AI services
The Five Eyes countries have jointly published Careful adoption of agentic AI services, which provides practical guidance to help organizations that design, develop, deploy and operate agentic AI systems, to make informed risk assessments and mitigations. The guidance concludes with actionable recommendations to help organisations prepare for and defend against emerging and future agentic AI threats.
I look at guidance like this to make sure I'm not missing anything, as well as find topics of discussion for developers and users to find optimal ways to adopt (and understand) this technology safely and securely.
- DigiCert breached via malicious screensaver file – Help Net Security
A targeted social engineering attack against DigiCert’s support channel led to the compromise of internal systems and the unauthorized issuance of EV Code Signing certificates.
The incident, which took place on April 2, 2026, began when "a threat actor contacted DigiCert's support team via a customer chat channel and delivered a ZIP file disguised as a customer screenshot. The file contained a .scr executable with a malicious payload." While established security measures blocked the malware from being delivered four times, the fifth time, it compromised a support analyst's machine. Reports show on one compromised endpoint EDR settings were below optimal and on another EDR hadn't been installed. Make sure that you're not only installing EDR everywhere, but also that your settings are appropriate, the out-of-box settings are not intrusive, but likely inadequate for long-term defense.
- Instructure confirms data breach, ShinyHunters claims attack
Educational tech giant Instructure has confirmed that data was stolen in a cyberattack, with the ShinyHunters extortion gang claiming responsibility. Instructure is a U.S.-based education technology company best known for developing Canvas, a widely used learning management system that helps schools, universities, and organizations manage coursework, assignments, and online learning. Instructure claims minimal data was compromised. The ShinyHunters extortion gang claims to have data for 275 million individuals across 9000 schools, suffice to say there will be more to come on what was and was not breached. If you're a Canvas customer, check the Instructure site for system status. Also review the Application Key Timestamp Notice, it applies to integrated tools. Customers with reissued application keys will have to re-authorize that access one time, even so, they may flag the process as malicious when it is, in fact, legitimate. Application Key Timestamp Notice: https://community.instructure.com/en/discussion/665983/application-key-timestamp-notice
- Critical MOVEit Automation auth bypass vulnerability fixed (CVE-2026-4670) – Help Net Security
Progress Software has released updates to address a critical authentication bypass vulnerability (CVE-2026-4670) in MOVEit Automation. The updates also fix a high-severity privilege escalation vulnerability (CVE-2026-5174) in the same product. Progress warns that "exploitation may lead to unauthorized access, administrative control, and data exposure." There have been at least six vulnerabilities in MOVEit since the first critical flaw reported in May 2023. If you have MOVEit, make sure that it's updated. If you're partnering with someone who requires MOVEit, consider suspending file transfers until you can confirm they have updated. Seriously research alternative file transfer systems, you don't want the publicity should you be breached.
Sam Bowne
- Canadian election databases use “canary traps”—and they work
Political parties can legally get access to the Canadian electoral list, but they cannot share the list with a third party. The government seeded each copy of the list with unique bogus data, so they were able to identify the source of an unauthorized copy: the Republican Party of Alberta.
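The seeding-and-attribution idea described above, as an added example (not the Canadian government's actual method, which the notes do not describe). It derives each recipient's bogus rows from a keyed HMAC so the issuer can recompute them later; the secret, recipient names, name pools and "real" rows are all constructed.

```python
import hashlib
import hmac

# Constructed pools for plausible-looking bogus entries.
FIRST = ["Alex", "Dana", "Jordan", "Morgan", "Riley", "Sam", "Taylor", "Casey"]
LAST = ["Arden", "Birch", "Corwin", "Dalby", "Ellery", "Farrow", "Garrick", "Hollis"]
STREET = ["Alder St", "Beech Ave", "Cedar Rd", "Dover Ln", "Elm Ct", "Fern Way"]

DEMO_SECRET = b"constructed-demo-secret"  # issuer-only key (constructed)
RECIPIENTS = ["party-a", "party-b", "party-c"]  # constructed recipient ids
REAL_ROWS = [  # constructed stand-ins for genuine list entries
    ("Priya Nair", "12 Harbour Rd"),
    ("Lucas Tremblay", "480 Quarry Ave"),
    ("Mei Chen", "7 Willow Cres"),
]


def canaries_for(secret, recipient, count=3):
    """Derive `count` bogus rows that are unique to one recipient."""
    rows = []
    for i in range(count):
        d = hmac.new(secret, f"{recipient}|{i}".encode(), hashlib.sha256).digest()
        name = f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"
        number = 100 + int.from_bytes(d[2:4], "big") % 9900
        rows.append((name, f"{number} {STREET[d[4] % len(STREET)]}"))
    return rows


def issue_copy(secret, recipient, real_rows):
    """Copy handed to `recipient`: real rows plus its canaries, sorted to blend in."""
    return sorted(real_rows + canaries_for(secret, recipient))


def attribute(secret, recipients, leaked_rows, min_hits=2):
    """Name the recipient(s) whose canaries show up in a leaked copy.

    Requiring several hits tolerates a leak with rows removed and avoids
    blaming a recipient for one coincidental match.
    """
    leaked = set(leaked_rows)
    scores = {
        r: sum(c in leaked for c in canaries_for(secret, r)) for r in recipients
    }
    return sorted(r for r, n in scores.items() if n >= min_hits)


if __name__ == "__main__":
    leaked = issue_copy(DEMO_SECRET, "party-b", REAL_ROWS)
    print("source of leaked copy:", attribute(DEMO_SECRET, RECIPIENTS, leaked))
```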
- Feuding Ransomware Groups Leak Each Other’s Data
0APT and KryBit attacked each other, leaving both in shambles. Both operators will likely have to rebuild, rebrand, and create new infrastructure in order to recover from this.
- Anthropic’s new Claude Security tool scans your codebase for flaws – and helps you decide what to fix first
Anthropic has announced Claude Security, a new defensive cybersecurity product. Right now, it's available in public beta to Enterprise-tier Claude users, with availability "coming soon" to Claude Team and Max-tier users. I've found that the default Claude in PAI works very well for my simple PHP code base.
- US government, allies publish guidance on how to safely deploy AI agents
The document identifies five broad categories of risk: Privilege: When agents are granted too much access, a single compromise can cause far more damage than a typical software vulnerability. Design and configuration flaws, where poor setup creates security gaps before a system even goes live. Behavioral risks, or cases where an agent pursues a goal in ways its designers never intended or predicted. Structural risk, where interconnected networks of agents can trigger failures that spread across an organization’s systems. Accountability: inadequate logs or audit trails.
- DigiCert hacked with a malicious screensaver file
A threat actor gained access to DigiCert's backend and stole 27 code signing certificates they later used to sign malware.
- Shadow IT has given way to shadow AI. Enter AI-BOMs
While a traditional SBOM includes all of the software packages and dependencies in the organization, an AI-BOM aims to cover the gaps introduced by AI assets by providing visibility across all of the models, datasets, SDK libraries, MCP servers, ML frameworks, agents, agentic skills, prompts, and other AI tools - plus how these AI components interact with each other and connect to workflows.
- NHS to close-source hundreds of GitHub repos over AI, security concerns
"Public repositories materially increase the risk of unintended disclosure of source code, architectural decisions, configuration detail, and contextual information that may be exploited – particularly given rapid advancements in AI models capable of large-scale code ingestion, inference, and reasoning (e.g. developments such as the Mythos model)."
- Cisco Moves to Acquire Astrix Security to Tackle Non-Human Identity Risks
Astrix Security is a startup focused on securing non-human identities (NHIs) such as API keys, service accounts, and OAuth tokens increasingly used by applications and AI agents. Astrix’s technology is designed to help organizations discover, govern, and secure these identities, including detecting excessive privileges and real-time threats.















