Zero Days Are Not Just Fiction – PSW #863
1. Zero Days Are Not Just Fiction – PSW #863
Apple, the UK, and data protection, you can get pwned really fast, Australia says no Kaspersky for you!, the default password is on the Internet, topological qubits, dangerous AI tools, old software is not just old but vulnerable too, tearing down Sonic Walls, CWE is good but could be great, updating your Pi-hole, should you watch "Zero Day"? My non-spoiler review will tell you, no more DBX, hello SBAT!, and I love it when chat logs of secret not-so-secret ransomware groups are leaked!
- 1. Multiple Vulnerabilities in Siemens A8000 CP-8050 and CP-8031 PLC
- 2. GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
- 3. Exposing CVEs from Black Bastas’ Chats
- 4. Pwn everything Bounce everywhere all at once (part 2)
- 5. Qualys TRU Discovers Two Vulnerabilities in OpenSSH: CVE-2025-26465 & CVE-2025-26466
- 6. How North Korea pulled off a $1.5 billion crypto heist—the biggest in history
- 7. Abusing VBS Enclaves to Create Evasive Malware
- 8. Cellular Security
- 9. The Burn Notice, Part 1/5 — Revealing Shadow Copilots
- 10. Leaked chat logs expose inner workings of secretive ransomware group
There is a lot more to uncover than has been published so far. Yes, there is a GPT that can help you search the chat logs. It's just okay. Deeper analysis shows the groups are targeting network devices, VPNs, and many other devices, including printers. They break in and scan the internal network (which should be easy to detect, but doesn't always happen). They also do brute-force attacks. Basically all the things that we tell you to pay attention to, but most people do not. You need to manage ALL of your credentials and patch ALL of your devices.
- 11. GRUB2 Flaws Expose Millions of Linux Devices to Exploitation
Several new vulnerabilities have been uncovered in GRUB2. This is a huge pain in the butt for so many people, including you if you run Linux (and even if you don't think you run Linux, you are running Linux, and perhaps using GRUB2). The big change here is with respect to Secure Boot: there will be no DBX update. Why? Because the DBX is stored in an NVRAM variable that only holds 32kb of data, and we may run out of space. What will be updated instead? SBAT. What is SBAT? I had my LLM friends describe it in simpler terms for us to discuss:
- "SBAT (Secure Boot Advanced Targeting) is a newer mechanism designed to enhance the security of the boot process, particularly for Linux systems. It works alongside the existing DBX (Forbidden Signatures Database) but offers more flexibility and efficiency. While DBX contains a list of specific signatures or hashes that are not allowed to run, SBAT uses metadata to block entire generations of vulnerable modules. This approach allows for more granular control and can prevent a wider range of potential security threats without exhausting the limited space available in DBX. SBAT is particularly useful for managing Linux boot loaders and kernels, enabling easier revocation of vulnerable components without the need to update the entire UEFI firmware"
It means that Secure Boot is at risk on systems that use GRUB2. The next logical question is how do you check if you are running a patched version of GRUB2 and if your SBAT is up-to-date? For starters, here are some commands:
- $ mokutil --list-sbat-revocations
- $ grub-install --version
I tested these commands on my system, and they work! The problem is that you have to interpret the results. If there is no SBAT policy on your system, that is a red flag. GRUB2 released patches, but your Linux distro has to accept those patches and put out a new version of GRUB2, which means your bootloader is going to change. Oh boy...
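To make the output of those two commands easier to interpret, here is an added example (not from the show notes, nor from the shim or GRUB projects) that parses a revocation policy in the shape `mokutil --list-sbat-revocations` prints it, parses a boot image's .sbat section, and applies the SBAT rule: a component is revoked when the generation in the binary is lower than the generation the policy requires. The sample policy and .sbat strings are constructed for the example, and every function name is the example's own.

```python
"""Interpret SBAT data: compare a boot component's .sbat section against the
SBAT revocation policy (the output of `mokutil --list-sbat-revocations`).

Added example, not code from the show notes or from shim/GRUB. The sample
strings are constructed; the field layout follows the SBAT CSV convention
(component, generation, vendor, package, version, url)."""
import shutil
import subprocess

# Constructed sample of a revocation policy, in the shape mokutil prints it:
# a header line for the "sbat" component itself, then "component,generation".
SAMPLE_POLICY = """\
sbat,1,2024010900
shim,4
grub,4
grub.debian,5
"""

# Constructed sample .sbat sections of two GRUB images. Each line:
# component,generation,vendor,package,version,url
SAMPLE_OLD_GRUB = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-13,https://tracker.debian.org/pkg/grub2
"""

SAMPLE_NEW_GRUB = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.debian,5,Debian,grub2,2.12-5,https://tracker.debian.org/pkg/grub2
"""


def parse_sbat_csv(text):
    """Parse SBAT-style CSV into {component: generation}.

    Works for both a policy (2 fields per line) and a binary's .sbat section
    (6 fields per line): only the first two fields matter for revocation.
    Blank lines are ignored; a malformed generation raises ValueError rather
    than silently letting the component through."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip("\x00")
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2:
            raise ValueError(f"malformed SBAT line: {line!r}")
        entries[fields[0].strip()] = int(fields[1].strip())
    return entries


def revoked_entries(binary_sbat, policy):
    """Return [(component, binary_gen, required_gen)] for every component the
    policy revokes in this binary. Rule: a binary is rejected if a component
    named in the policy also appears in the binary's SBAT section with a
    generation lower than the policy's generation."""
    hits = []
    for component, required in policy.items():
        if component in binary_sbat and binary_sbat[component] < required:
            hits.append((component, binary_sbat[component], required))
    return hits


def is_bootable(binary_sbat_text, policy_text):
    """True when no component of the binary is revoked by the policy."""
    return not revoked_entries(parse_sbat_csv(binary_sbat_text),
                               parse_sbat_csv(policy_text))


def read_policy_from_mokutil():
    """Run `mokutil --list-sbat-revocations` (the command from the notes) and
    return its text, or None when mokutil is absent or prints no policy. A
    None on a real Secure Boot system is the 'red flag' case: treat it as a
    finding, not as 'nothing revoked'."""
    if shutil.which("mokutil") is None:
        return None
    proc = subprocess.run(["mokutil", "--list-sbat-revocations"],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return proc.stdout


if __name__ == "__main__":
    policy_text = read_policy_from_mokutil()
    if policy_text is None:
        print("no SBAT policy via mokutil (red flag on a real system); using sample")
        policy_text = SAMPLE_POLICY
    policy = parse_sbat_csv(policy_text)
    for label, sbat in (("old GRUB", SAMPLE_OLD_GRUB), ("new GRUB", SAMPLE_NEW_GRUB)):
        hits = revoked_entries(parse_sbat_csv(sbat), policy)
        print(f"{label}: {'REVOKED' if hits else 'ok'} {hits}")
```

To check a real image, pass the text of its .sbat section (dumped with a PE section tool such as objcopy) to `is_bootable` together with the mokutil output; a result of False means that image will be refused by shim under the current policy, and an empty policy means SBAT is not being enforced at all.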
- 12. Robert De Niro’s New Netflix Thriller Series Becomes Global Success
If you haven't watched the new series "Zero Day" with Robert De Niro, you should! While there is not as much tech in it as I would have liked, it's still worth a watch. And while the critics are tearing it to shreds (and some have valid points), I highly recommend it if you work in cybersecurity or are aspiring to work in the field. Without spoilers, here are some facts and points:
- The show mentions TAO, and while TAO has been re-branded, I give the show a bit of a pass for mentioning it. They could have gone into more detail, but that would be a bit of inside baseball.
- The malware that attacks the US is certainly plausible enough, and the part I want people to take away from this show is that cyber-attacks are scary and can have far-reaching consequences.
- Threat actors communicate using AM radio signals. This is neat. While I don't believe it works from inside a SCIF, again, it's just a TV show.
- Also, it's just a TV show. Too many articles and reviews drag in real-world politics. Just stop, it's for entertainment; stop dragging politics into everything, it's counterproductive.
- There are scenes where messages are being decoded. These are neat, and I won't give too much away here but there is a splash of "Hollywood hacking" that will likely bother some of you hackers and crypto people.
- The show explores MANY sub-themes, including disinformation, mental health, drug abuse, politically motivated executions, spies, tech giants, and more. It bites off a little more than it can chew.
- 13. Notorious crooks broke into a company network in 48 minutes. Here’s how.
Social engineering at its finest (or worst perhaps): "The spam barrage, it turned out, was simply a decoy. It created the opportunity for the threat actors—most likely part of a ransomware group known as Black Basta—to contact the affected employees through the Microsoft Teams collaboration platform, pose as IT help desk workers, and offer assistance in warding off the ongoing onslaught." - perhaps we need better validation for IT workers? A code word? Something...
- 14. Updating to Pi-hole v6 and enabling HTTPS!
This reminds me that I need to deploy Pi-hole again, as I love this project. Also, it is much better to have it using HTTPS, and Scott put together a nice guide.
- 15. Has CWE Jumped the Shark?
Jericho brings up some great points here, including the fact that there are 200 CWEs that are not assigned to any CVEs. Clearly, more effort needs to be put into the CWE system. The other problem is that not all CVEs have a CWE. This needs to be fixed, even for older CVEs, because they come back up as being exploited in the wild, reference a CVE entry, and the metadata is not correct and/or missing. These improvements would be welcomed by the community.
- 16. Tearing Down (Sonic)Walls: Decrypting SonicOSX Firmware
If you are releasing your software independent of the hardware, why encrypt it in the first place? It means the key has to be somewhere, and researchers typically figure this out. As the article states, with hardware, you can store keys in more secure places (e.g., the TPM). If there is a VM image, the key typically sits in the bootloader and can be extracted, just as they show in this post. Is it worth it?
- 17. Pwn everything Bounce everywhere all at once (part 1)
While this post is amazing in its own right based on technical details, the higher level thing that gets me is new bugs in old software. These may never get patched, and many may not even be looking for bugs in older software (for lots of reasons, such as the vendor or project may not respond to your bug report for older software). However, the team at Quarkslab is looking and did find and exploit new bugs in old software. Which begs the question, how do we adjust our vulnerability management to deal with this? I believe we need to change a couple of things, including how we treat EOL/EOS software and just older software in general. If it's older than 5 years, has never been updated, is no longer supported, and to our knowledge doesn't contain any vulnerabilities, we're good? The answer is no, everything is not fine. Older and EOL software has to be identified and updated.
- 1. Anne Arundel County officials investigating cyber incident affecting public services
Ransomware in my backyard! (I live in Anne Arundel County.) Not much detail has been revealed yet. Here is the official announcement from this past weekend: https://www.aacounty.org/county-executive/news/anne-arundel-county-close-county-buildings-monday-february-24-2025
- 2. Apple pulls data protection feature in UK amid government demands
Some PR person keeps peppering me with this news - so I thought I'd add it here. Security or privacy concern? Will/does this happen in the US?
- 3. DISA Global Solutions Confirms Data Breach Affecting 3.3M People
Oh, wrong DISA. Still pretty bad, though. WTF though - the filing of the breach was made this week, but the breach happened over a year ago.
- 4. AI Aggregator OmniGPT Suffers a Security Breach Exposing Sensitive Data Including Credentials
I think I only want to mention the dark/down side of AI... Artificial Intelligence (AI) aggregator OmniGPT has reportedly suffered a security breach that exposed the personal information of 30,000 individuals. The breach became public knowledge on February 9, 2025, when threat actor Gloomer listed the stolen data for sale on the infamous hacking forum BreachForums.
- 5. PowerSchool data breach: What does it mean for the educational sector?
I mostly posted this because I know one of the authors - Nick Ascoli from Flare. Nothing earth shattering in the report. Credential theft and lack of 2FA compromised lots of juicy PII that could be used for nefarious purposes.
- 6. Attackers achieving network intrusions in just under 4.5 hours
Snicker....they said, "total pwnage". But really, who attacks networks anymore??? A related article right beside the headline reads, "Your Network is Gone: How to Secure What’s Left in the New Era of Cloud and Remote Work".
- 1. Protect Yourself from Social Security Scams
SSA National Slam the Scam Day - March 6, 2025.
SSA is providing tips on preventing scams, including reporting for social security-related scams.
- 2. Apple pulls data protection tool after UK government security row
Apple is removing Advanced Data Protection (ADP) end-to-end encryption (E2EE) for iCloud storage from the roster of services it offers customers living in the UK. The move is a response to the UK government’s demand for access to customer data to comply with the UK Investigatory Powers Bill. Some iCloud data, including health information, iMessages, and FaceTime calls, will retain E2EE protection. ADP is an opt-in feature. Apple will not turn it off, but UK customers who attempt to enable ADP will see an error message. UK customers who already use ADP will need to disable it themselves. Apple notes that “we have never built a backdoor or master key to any of our products or services and we never will.”
This doesn't eliminate encryption of Apple's iCloud data; it reduces the set of items Apple cannot access for UK users. Given that UK users already using ADP will be contacted at a future date about turning it off, this feels like a stopgap: hold off on disabling it until required or until an alternate solution is available. In today's risk climate, you should be working to encrypt your data wherever it is stored, using the available mechanisms. In particular, when storing personal data in someone else's system, you should not only encrypt it but also, where possible, control access to that encryption. ADP does that for iCloud services.
- 3. Australia’s Government Bans Kaspersky Products from Their Systems
Australia’s Department of Home Affairs has published a Protective Security Policy Framework (PSPF) Direction prohibiting the use of products and services from Kaspersky Lab on government systems and devices. Department of Home Affairs Secretary Stephanie Foster has “determined that the use of Kaspersky Lab, Inc. products and web services by Australian Government entities poses an unacceptable security risk to Australian Government, networks and data, arising from threats of foreign interference, espionage and sabotage.” Australian government agencies have until April 1 to comply with the order, which includes removing existing instances of Kaspersky products from systems and devices. Australia joins the US, the UK, and Canada in banning Kaspersky from government systems.
In short, governments are evaluating the ties between Kaspersky and the Russian government and how extrajudicial directions from a foreign government can affect them (meaning threats of foreign government influence, espionage and sabotage), in this case deciding those actions would violate Australian law. This sort of assessment should be made when selecting products, and reviewed regularly, particularly after any mergers or acquisitions.
- 4. CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks
A high-severity security flaw impacting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. Other flaws recently added to the KEV catalog include a Palo Alto Networks PAN-OS File Read Vulnerability (CVE-2025-0111), a Microsoft Power Pages Improper Access Control Vulnerability (CVE-2025-24989), an Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability (CVE-2024-20953), and an Adobe ColdFusion Deserialization Vulnerability (CVE-2017-3066).
- 5. Manufacturer Not Changing Default Credentials in IoT Door Access Panels
A blog post by independent researcher Eric Daigle details his discovery of a critical (CVSS score 10.0) vulnerability in Enterphone MESH door entry panels, namely a set of default credentials to a system administration interface exposed to the internet. Daigle easily found both the product manual containing these default credentials and many buildings' TCP/IP control pages using simple Google searches. For years it's been expected that default passwords are changed on installation, and for years that has failed to happen. The new SOP is becoming a forced change on install; regrettably that isn't universal, so you still need to include verifying they are changed in your procedures for installing new software and hardware. Moreover, your network scanners should be able to check for default credentials, and you should be leveraging this capability: think trust-but-verify.
- 6. Weathering the storm: In the midst of a Typhoon
Cisco has confirmed that Salt Typhoon threat actors did exploit one known vulnerability in a Cisco product in their campaign to compromise US telecommunications companies’ networks. Cisco released a patch for the remote code execution vulnerability (CVE-2018-0171) affecting Smart Install for Cisco IOS and IOS XE software in March 2018. Cisco Talos also notes that “in all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials.” While there have been claims that the Salt Typhoon threat actors are abusing three additional Cisco vulnerabilities,
The takeaway is not only to make sure your boundary control devices are updated in a timely fashion (note the exploited flaw here is from 2018), but also that you are following credential best practices, such as MFA and strong passwords that are rotated when compromised. Don't forget to limit where the management interfaces can be accessed from, and turn off Smart Install.
- 7. Announcing quantum-safe digital signatures in Cloud KMS
Google announced the preview availability of software-based quantum-safe digital signatures in Google Cloud Key Management Service (Cloud KMS), aligning with Post-Quantum Cryptography (PQC) standards published by the National Institute for Standards and Technology (NIST) in August 2024. The available signatures involve "ML-DSA-65 (FIPS 204), a lattice-based digital signature algorithm, and SLH-DSA-SHA2-128S (FIPS 205), a stateless hash-based digital signature algorithm," with the roadmap also including future support for FIPS 203 and implementation of quantum-safe keys in Hardware Security Modules (HSM). Google intends this as a proactive measure against possible future attacks on public-key encryption using quantum computers, including the risk of "harvest now, decrypt later" attacks.
As your signature/certificate issuing systems, such as Google's Cloud KMS and Cloud HSM, start supporting PQC algorithms, you should be testing them to see where you have compatibility issues. It's far easier to change your issuing process to use a new algorithm, issuing updated certificates as they expire, than to run a mass re-issuance process. This is also a good time to make sure you're using the strongest non-PQC options available where compatibility is an issue.
- 8. US Dept. of Health and Human Services Fines Warby Parker Over HIPAA Violations
If you're processing any type of PII, including PHI, make sure that you know where it is, have validated security controls in place, including supporting policies, and audits. The basics, beyond a risk and vulnerability assessment, include encryption in transit and at rest, limiting access to those with a valid need to know, strong authentication - ideally MFA, and regular training for users and system administrators, and monitoring of system activities. With the ongoing healthcare targeted attacks and breaches, HHS OCR is on the lookout for those not doing the required protections, so make sure you're doing your due diligence and documenting your decisions.
- 9. MongoDB Library Mongoose Vulnerabilities
Researchers from OPSWAT have detailed a pair of vulnerabilities in the Mongoose Object Data Modeling (ODM) library for MongoDB and Node.js. The first of the critical vulnerabilities, CVE-2024-53900, could be exploited to achieve remote code execution; an updated version of Mongoose was released in November 2024 to address that issue. Subsequent analysis of that fix revealed that it did not adequately address the issue; CVE-2025-23061 was identified as a bypass in mid-December 2024. Another update to Mongoose released in January 2025 addressed that issue.
CVE-2024-53900 (search injection flaw, Mongoose 8.8.3, CVSS score 9.1) and CVE-2025-23061 (search injection flaw, Mongoose 8.9.3, CVSS score 9.0) are both addressed by the Mongoose 8.9.5 update. The flaw comes down to improper input validation; fortunately, the fix is to apply the update.
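Applying the update is the fix for the library; for application code, the defensive pattern behind "improper input validation" of a search filter is to validate the filter document before it ever reaches the driver. Here is an added example of that check (not code from Mongoose, OPSWAT, or the show notes). Mongoose is a Node.js library, but the risk lives in the filter document itself, the same BSON-shaped dict a pymongo caller would build from request JSON, so the check is written in Python. It goes one step beyond a flat key check by walking nested `$or`/`$and` arrays and sub-documents, so an operator cannot be hidden one level down. The operator list, the request bodies and all function names are this example's own.

```python
"""Reject MongoDB query operators smuggled into untrusted filter objects.

Added example, not code from Mongoose or the OPSWAT write-up. The request
bodies below are constructed; FORBIDDEN_OPERATORS is a conservative list
chosen for the example, with $where (server-side JavaScript) the one that
turns a filter into code execution."""
import json

FORBIDDEN_OPERATORS = {"$where", "$function", "$accumulator", "$expr"}


class UnsafeFilter(ValueError):
    """Raised when a filter is rejected before reaching the database."""


def find_forbidden_operators(value, path="$"):
    """Walk an arbitrary JSON-like value and return the paths of forbidden
    operator keys, including ones nested inside $or / $and arrays or inside
    sub-documents, so an operator cannot be hidden one level down."""
    found = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}"
            if key in FORBIDDEN_OPERATORS:
                found.append(child_path)
            found.extend(find_forbidden_operators(child, child_path))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            found.extend(find_forbidden_operators(child, f"{path}[{i}]"))
    return found


def strip_operator_keys(value):
    """Stricter alternative for filters that come straight from a request:
    drop every key beginning with '$', at any depth, so user input can only
    supply field/value pairs and never operators."""
    if isinstance(value, dict):
        return {k: strip_operator_keys(v) for k, v in value.items()
                if not str(k).startswith("$")}
    if isinstance(value, list):
        return [strip_operator_keys(v) for v in value]
    return value


def build_match(user_filter):
    """What a populate()-style 'match' helper should do with caller input:
    refuse the request outright when a forbidden operator is present."""
    bad = find_forbidden_operators(user_filter)
    if bad:
        raise UnsafeFilter("forbidden operator(s) at " + ", ".join(bad))
    return user_filter


# Constructed request bodies: a benign filter, a direct $where, and a $where
# tucked inside an $or clause (the nesting case a shallow key check misses).
BENIGN = {"status": "published", "author": "nick"}
DIRECT = {"$where": "this.owner == 'admin'"}
NESTED = {"$or": [{"status": "published"},
                  {"$where": "sleep(5000) || true"}]}

if __name__ == "__main__":
    for body in (BENIGN, DIRECT, NESTED):
        try:
            # round-trip through JSON, as a web framework would deliver it
            build_match(json.loads(json.dumps(body)))
            print("accepted:", body)
        except UnsafeFilter as exc:
            print("rejected:", exc)
    print("stripped:", strip_operator_keys(NESTED))
```

Use `build_match` where the application accepts a caller-supplied filter and wants a hard failure, and `strip_operator_keys` where the input should only ever be plain field/value pairs; neither replaces keeping the library patched, they just close the same input-validation gap in your own code paths.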
- 10. Google Confirms Gmail To Ditch SMS Code Authentication
Google plans to stop using SMS for multi-factor authentication (MFA) codes for Gmail and move to QR codes instead. SMS poses numerous security concerns; it’s been nearly nine years since the US National Institute of Standards and Technology (NIST) recommended that SMS no longer be used for MFA. Gmail spokesperson Ross Richendrfer explained how the new system will work: “Instead of entering your number and receiving a 6-digit code, you’ll see a QR code being displayed, which you need to scan with the camera app on your phone.”
Back in 2016, NIST 800-63 advised against using SMS for MFA, largely due to SIM-swapping and SS7 redirection risks. Add today's telecom provider attacks (Salt Typhoon) and it's no better. If SMS is the only MFA choice, select it, but it's time to retire SMS / phone call verification and move to alternate options. Google is keeping the specifics of the change close, only indicating this change will be rolled out in the next few months. If you're already using a non-SMS verification mechanism, you will continue to use that mechanism.
- 1. Russian phishing campaigns exploit Signal’s device-linking feature
Threat actors leveraged the feature by creating malicious QR codes and deceiving potential victims into scanning them to allow Signal messages to synchronize with the attacker’s device. It is a simple trick that does not require a full compromise of the target’s device to monitor their secure conversations.
- 2. Meta Sues Alleged Violent Extortionist For Holding Instagram Accounts Hostage
Idriss Qibaa, a “professional when it comes to the banning and unbanning of Instagram accounts" who ran “Unlocked 4 Life,” claimed he made more than $600,000 a month, from over 200 people who pay him monthly to maintain access to their accounts. Part of the “Unlocked 4 Life” extortion scheme included threatening to murder victims if they didn’t cooperate. Qibaa was running the same grift on X, YouTube, TikTok, Snapchat, and Telegram.
Meta’s complaint is a look into how easy it is to manipulate its own reporting and moderation features. The company says Qibaa got people’s Instagram accounts banned by simply submitting fake reports claiming they were violating the platform’s terms. When Qibaa submitted the misleading reports, Meta alleges, Instagram disabled the account on the same day, and in some cases, reinstated it on the same day, too.
- 3. Hacker group releases updated tool to activate almost all modern Microsoft software
The MAS project is donation-free because "profiting from piracy is not good," the pirates say
- 4. China Launches Its Own Quantum-Resistant Encryption Standards, Bypassing US Efforts
China has announced a global call for new cryptographic algorithms to counter the security threats posed by quantum computing, signaling a move away from US-led efforts in the field.
- 5. Chris Hadnagy’s Misconduct at DEF CON (starting at page 8)
Finally we find out why he was banned from DEF CON: rampant sexual harassment, violent threats, and lies.
- 6. Google plans to stop using insecure SMS verification in Gmail
The company will reportedly switch to using QR codes.
- 7. Beware: PayPal “New Address” feature abused to send phishing emails
An ongoing PayPal email scam exploits the platform's address settings to send fake purchase notifications, tricking users into granting remote access to scammers.
- 8. It is no longer safe to move our governments and societies to US clouds
It's very scary to make Europe 100% dependent on the goodwill of the American government merely because it is convenient. So let’s not.
- 9. Microsoft unveils Majorana 1, the world’s first quantum processor powered by topological qubits
So far they have made one topological qubit, and are developing a chip with 8 qubits. Breaking encryption will require something like 1 million qubits, so don't panic yet. However, there is a clear roadmap to scale this processor up to 1 million qubits.
- 10. What Microsoft’s Majorana 1 Chip Means for Quantum Decryption
The new chip uses "topological qubits," which should be less noisy than the types of qubits used in other quantum processors. Phil Venables, VP at Google and CISO at Google Cloud, suggests a practical quantum computer will arrive between 2032 and 2040. That means we need to be migrating to post-quantum cryptography now.
- 11. A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life. – WSJ
He downloaded free software to create AI images from text prompts. This included malware that was not detected by his antivirus. The attacker gained access to 1Password. All his private data was published online, 44 million internal Disney Slack messages were published, and he lost his job.
This could happen to any of us. What should we do to prevent it? The only recommendation here is to have two-factor authentication on your password manager.
- 12. Thousands of exposed GitHub repos, now private, can still be accessed through Copilot
Repositories that were ever public, even briefly, were indexed and cached by Microsoft's Bing search engine. Anyone can get that data by asking Copilot the right question.
- 13. Malicious code on GitHub: How hackers target programmers
We discovered over 200 repositories with fake projects on GitHub. Using them, attackers distribute stealers, clippers, and backdoors. They claim to be Telegram bots, tools for hacking the game Valorant, Instagram automation utilities, and Bitcoin wallet managers. At first glance, all the repositories look legitimate.