- GPS spoofing and satellite jamming are getting way too accessible
- Rekeying satellites in orbit sounds terrifying
- Cyber extortion and whether criminals still have ethics
- AI helping cybersecurity research... and drug discovery
- Data centers eating regional power grids
- Nuclear, solar, natural gas, and the future of AI infrastructure
- What happens when GPS stops being trustworthy?
- Satellite constellations as the next critical infrastructure target
- AI guardrails and why sci-fi warned us first
- Cyber ranges that don't simulate reality anymore
- The weird morality line between hackers, scammers, and criminals
- Future satellite warfare without calling it warfare
- Security standards for infrastructure nobody thought would be online
- Historical cybersecurity stories that suddenly feel very current
- Why AI changes both offense and defense simultaneously
- And how much of modern cyber defense is just educated guessing
If you’re in the SOC, you already know the pain. Too many alerts, not enough context, and attackers slipping through the cracks. Now add AI-driven attacks and increasingly complex environments.
At the AI for Next-Gen SOC Virtual Cybersecurity Summit on June 24th, learn how to actually apply AI for detection engineering, threat hunting, and reducing false positives without breaking your workflows.
Security Weekly listeners can register for free at https://securityweekly.com/nextgensoc using the promo code: CSS26-SW
David Johnson
- ToorCamp 2026!
Awww yeah it's camp time!
Larry Pesce
- Supply Chain Attack Compromising Arch Linux AUR Packages with Infostealer and Rootkit – Truesec
- Fedora Linux 43 exposes 20-year-old Microsoft Outlook security failure
- The Evil MSI Background is Back! – SANS Internet Storm Center
- Receiving US Nuclear Detection Satellite Signals with RTL-SDR, Discovery Dish and Discovery Drive
- The U.S. Military Quietly Turned GPS Into a Global ‘Numbers Station,’ Evidence Suggests
- Spy Tech: The GPS Numbers Station
- Russia develops costly Starlink jamming system: Here’s the catch
- Smart Bulb WiFi Server Hosts “Banned” Literature
- Hacking Group Claims Major Hack of Novo Nordisk, Attempted $25 Million Extortion – Slashdot
- Honda Civics and the Evil Valet
Lee Neely
- Google Threat Intelligence Group Report: PRC Threat Actor Maintained Presence on Networks for More Than a Year
Google Threat Intelligence Group (GTIG) has published a report describing "a sophisticated campaign attributed to UNC6508, a People's Republic of China (PRC)-nexus threat actor, targeting institutions in the North American academic, medical, and military research community." The threat actor maintained presence in targeted networks for more than a year.
The earliest known compromise occurred in September 2023, when externally facing servers were exploited to deploy the INFINITERED custom malware to capture legitimate credentials. Google provides prevention, detection and remediation guidance which applies to more than just this sector. This includes SIEM, audit and log monitoring, as well as MFA, device-bound session credentials, alerts for compromised passwords, patching/updates, and YARA rules and IoCs for the detection of the INFINITERED malware. Leverage this to both prevent and minimize dwell time. You really want to be sure you can detect and respond to malicious activity as rapidly as possible; you don't want to be explaining to management why they were in your system for a year undetected.
- Feds snooze as US datacenter law set to lapse with no replacement in site
The Federal Data Center Enhancement Act (FDCEA), which passed in 2023, will expire on September 30, 2026 and there does not appear to be any effort made to extend its duration or create an alternative. The FDCEA establishes standards for data centers that are entirely or partially owned, operated, or maintained by US federal agencies. Its provisions address facility availability and uptime; use of sustainable energy; protection from power failure, physical intrusions, and natural disasters; and IT security.
This may get lost with all the dust-up over creating, or blocking, AI data center building in the US. While the objections cite environmental concerns, advocates point out that the likely result is those capabilities being developed in other countries. Existing control frameworks, such as NIST 800-53, include controls around heating, cooling and fire suppression, and even resiliency, but don't include environmental concerns. Even without this specific legislation, federal data centers will still have to follow the most restrictive of any applicable federal, state, county or city regulations, which will likely keep them on their toes.
- Controversial FISA spying law expires tonight. The spying will continue.
The US Foreign Intelligence Surveillance Act (FISA) expired on June 12, 2026 when legislators failed to pass a short-term extension to the warrantless surveillance law. FISA, which was enacted in 2008, allows US intelligence agencies to gather data, from US citizens as well as residents of other countries, in an effort to identify foreign hackers, spies, and possible terrorists. The law's critics have called for changes, citing its misuse. Legislators have been seeking to amend FISA to require agencies to obtain warrants prior to accessing information of US citizens. However, because Section 702 surveillance operates under yearlong certifications approved by the FISA Court, intelligence agencies are still able to use surveillance tools until March 2027, but cannot seek any new orders under the law.
This is a matter for the legislative branch, not the executive, and the core beef is the abuse/protection of US citizens' privacy rights. Expect a renewal of this or similar legislation in the future. Even so, agencies can fall back on other surveillance avenues, such as Executive Order 12333, which allows for surveillance around the world and also includes restrictions on use of/access to US citizen data.
- Inside the FBI’s Kinetic Cyber Range
In 2025 the Operational Technology Division of the FBI built a 22,000-square-foot "Kinetic Cyber Range" (KCR) in Huntsville, Alabama to train personnel to handle cyber incidents and investigations in a simulated small town. The KCR contains a wide variety of areas ranging from residential and commercial — houses, a hotel, a gas station with a grocery market, an arcade, a data center, real vehicles — to government and critical infrastructure buildings including a courthouse, a power company, and a hospital. Every space is set up with realistic physical conditions as well as "functioning systems, networks, and devices designed to behave as they would in the real world," down to Active Directory, email, and firewalls on a network, a home full of IoT devices, or a data center containing over 200 Windows and Linux servers.
Having a kinetic range, with "real" systems as well as role players, is a boon to developing cyber skills, both in offense and defense. Note this environment also includes working in real environments: the data center is cold, dark and noisy, as it would be in a real-world situation. This range also teaches soft skills, such as working under stress, where communicating clearly, judgment and restraint are as critical as expertise. This is very cool and brings back fond memories of using the SANS CyberCity kinetic range.
- Statement on the US government directive to suspend access to Fable 5 and Mythos 5
On June 12, 2026, Anthropic disabled Fable 5 and Mythos 5 for all customers in order to comply with an export control directive sent by the US Department of Commerce at 5:21 p.m. ET that day, which ordered the company to suspend access to both models "by any foreign national ... including foreign national Anthropic employees." Fable 5 had been publicly released three days earlier, but Mythos remained restricted to specific partner companies.
Tricky balance of enabling a competitive edge while preventing one's adversaries from obtaining the same advantage. When working with foreign nationals you need to understand what is considered a deemed export, as well as the risks to your IP when it is handled by non-citizens. In my career that was significant, as we were working with federal information, both unclassified and classified. Regardless of which side you're on, appreciate that this is an indication that AI jailbreaks are being taken seriously by DoC, and that they are worried about loss of our IP/competitive edge. Anthropic is working to educate and clarify the risks to DoC by documenting controls, which include defense in depth, likelihood of jailbreak (to include difficulty), mitigations, and 30-day data retention. This should be resolved quickly.
- Maine Disables Data Breach Portal Due to Fake Submissions
The Office of the Maine Attorney General announced it has temporarily disabled its data breach portal in response to fake submissions. Maine is one of a small number of US states in which the Attorney General requires organizations experiencing data breaches to report the total number of individuals affected nationwide — not just the number of impacted state residents — when notifying authorities.
Remember how we had to implement reCAPTCHA, or similar measures, to reduce spam being submitted through comment and feedback forms? This is almost the same thing: the Maine AG is working to raise the bar to make sure reports are genuine.
If you have a VDP system, you're probably wondering if there is something similar to curtail AI slop. I'm wondering how effective it'd be to use AI to detect AI in these scenarios.
- Novo Nordisk reports cyberattack as UK gives Wegovy pill the nod
Danish pharmaceutical company Novo Nordisk has disclosed a cyberattack that compromised information of healthcare professionals and patients involved in clinical trials. The company took several of its systems offline following the incident, which is currently being investigated with the assistance of external cybersecurity experts.
If you're involved in a clinical trial, you may wish to ask how your information is protected. In this case Novo Nordisk has protected participant information. In this case the data stolen can be used to influence participating healthcare providers, enabling BEC or other business shenanigans. About all you can do is make sure that your protections are up to date and folks are keeping a watchful eye out for malicious activity.
- Fired IT worker jailed for 21 months after sabotaging old school district
A disgruntled IT worker faces 21 months behind bars after being found guilty of sabotaging his former employer’s systems for more than a year and a half. Ezekiel Dean Potter, 34, was fired from his IT support job at Iowa’s SaydelU Community School District (SCSD) in April 2023. He was found guilty of causing various technical damages to SCSD’s systems between May 2023 and January 2025.
Potter launched a series of damaging and disrupting cyberattacks against various components of SCSD's IT systems, including irretrievably deleting the district's Facebook page, deleting data related to the district's Apple School Manager account, attempting to reset usernames and passwords associated with SCSD's GoDaddy account, and disrupting SCSD's access to its Schoology learning management software account via the District’s Google administrator account.
Had I been responsible for some of the services deleted at SCSD, I would be extremely upset by this series of events, wanting a far more severe sentence and financial penalty, and would likely lose sight of protections I could implement. Make sure that you go through and see what you can do to maintain backup copies of data stored in services.
- Ukrainian Man Pleads Guilty in US to Conti Ransomware Charges
Oleksii Oleksiyovych Lytvynenko has pleaded guilty to conspiracy to commit wire fraud in connection with a scheme to deploy Conti ransomware. Lytvynenko, who is Ukrainian, was living in Ireland and was extradited to the US. Lytvynenko and his alleged co-conspirators "used the Conti ransomware to terrorize people and businesses in the United States and around the world, causing millions of dollars in damage."
The Conti ransomware gang ceased operating under its original name in 2022, with former members moving to other ransomware and cybercrime operations. In this case, one of the authors of the loader for the ransomware was caught and is being held accountable for his actions.
- Arch Linux locks down AUR signups amid wave of malicious commits
About 1,500 package build files in the Arch User Repository (AUR) have been poisoned with infostealer and rootkit malware since June 11, up from initial estimates closer to 400. AUR is a community-maintained repository of package build files for Arch Linux.
This has been named the Atomic Arch campaign. The AUR stewardship process allows community members to maintain packages, and allows for a request to take ownership of an abandoned/orphaned package. The attackers took advantage of this to take over packages already trusted in this system. This time the build instructions were jacked up, not the build itself, a reminder that their integrity needs to be as judiciously maintained as your package. For those using Arch Linux, review the list of affected packages, check for the IoCs in the Whanos preliminary analysis report (https://ioctl.fail/preliminary-analysis-of-aur-malware/) and report any findings. You may also wish to use the aur_ckeck.sh tool to find instances of the atomic-lockfile malware. As this is a rootkit, you may need to reinstall Arch from scratch to avoid any remnants left by normal cleaning processes.