SignalGate and How Not To Protect Secrets – PSW #867

Neat: "In this blogpost, we give a high-level explanation on how HQC works and how you can do automatic testing of implementations of this standard with internal test suits. This allowed us to find two critical bugs in the last version of HQC's reference implementations (right before its standardization) which led to CVE-2024-54137." - I won't pretend to understand this article, but I like how people are finding bugs in the things BEFORE they become a problem in the real world.

"Only one customer was found to be exposed to the Github Actions issue, though no information was leaked. This customer was promptly notified by NodeZero Rapid Response. Horizon3.ai has seen no evidence of customers using vulnerable configurations of Apache Tomcat, even if the versions in use are within the vulnerable range." - I agree, these two vulnerabilities may not have been worth the hype. However, consider the following:

• Just because some people do not run with vulnerable configurations, doesn't mean the people should not be checking to ensure they are not vulnerable if the impact and severity of the vulnerability is high. I think Horizon3.ai missed an opportunity to say (unless they did and I missed it): "We provide value to our customers by continuously testing for vulnerabilities to ensure that 1) they are not vulnerable and 2) they do not enable a vulnerable configuration in the future". I have no hidden agenda, I'm just helping Horizon3.ai because they seem like a solid company and have conducted awesome technical and research posts.
• This doesn't mean we should ignore vulnerabilities that don't live up to the hype. We should check, and continue to check, our systems to make sure we are not vulnerable. It's about the impact, not necessarily the probability or likelhood.

I really like this usage of WebUSB to give users an SDR interface using a browser. It lowers the barrier to entry when trying to understand new things. Look, I've spent A LOT of time trying to get firmware, software, and devices to work prior to using them for their actual intended purpose! Removing this is great. Once you've mastered this part, then make sure you spend the time and struggle for days to get something to work. It build character and one day you will thank me.

Curious if/how this works: "The phishing triage agent in Microsoft Security Copilot being unveiled today can handle routine phishing alerts and cyberattacks, freeing up human defenders to focus on more complex cyberthreats and proactive security measures. This is just one way agents can transform security." - Now jailbreaking vulnerabilities become important for attackers as its not just about tricking some public LLM, its about tricking the AI Microsoft implemented to handle phishing attacks. Neat!

I saw this too. Love this article. There was not vulnerability in ChatGPT in this case, it was a 3rd party interface to ChatGPT that was vulnerable. Big difference! We can't just blindly follow the news or the hype cycle, we have to conduct our own research. And read Jericho's blog and listen to this podcast (preferably both).

I (and Michael Larabel from Phoronix more so) just want to point out that vulnerabilities in GRUB2 have not been addressed by pretty much any of the Linux distros: "While public one month and the patches were committed to the GRUB Git codebase, no new tagged GRUB version has yet to be published. In fact, no new GRUB releases since the GRUB 2.12 release already 15 months ago." - I just updated my systems this morning. I just checked grub, here's what I found:

• Version: 2.12-3
• Build date: Fri 04 Oct 2024 05:22:36 AM EDT

This means the distro maintainers have not backported any patches from Feb 2025 yet either, if they did, the package build date would have changed. Also keep in mind the vulnerabilities in GRUB2 can also be used to bypass Secure Boot. Also of note: If Microsoft has not updated the DBX or SBAT, attackers can use this to bypass Secure Boot on Windows by installing a vulnerable bootloader! UPDATE: LLMs don't have great answers, best I can do is to have your review this entry that would block all versions of grub from running on your systems:

• grub,99999,Banned,20250101000000Z,https://your.org/sbat-revocation

Use with caution, I did not test this AT ALL (and it came from ChatGPT).

"This repository contains a chaotic JavaScript script that: Plays an audio file of a cat song. Spawns spinning cat GIFs all over the page. Flashes a neon green screen intermittently (warning). Makes all elements on the page spin. Perfect for XSS demonstrations or just to prank your friends!" - I could not get the audio to play. However, this would make a great Ducky script!

Awesome bypass technique: "we can see the Teams process is created successfully without WDAC intervention. However, because I replaced the Teams /resources/app/ directory with Loki C2 Agent’s code, the Electron-based Teams application now executes Loki C2 Agent’s JavaScript inside the trusted Teams process."

I created a similar lab environment years ago. Good to see that this type of work is being continued. You can use this Github repo to spin up vulnerable Docker containers and test Nuclei scripts. Love it.

We talked about this type of defense before with Hal Pomeranz. The thing is attackers could bypass detections in the Kernel, even if they are written in Rust, by modifying the kernel, or via a Bootkit or UEFI malware. Get in before the kernel and this can be bypassed. See my other story about GRUB being vulnerable on 99% of Linux installs out there.

How do we keep track of these? Curious from the IT side if an update to a CVE makes its way into vulnerability and patch management: "CVE-2019-16261 describes a critical vulnerability in the Tripp Lite PDUMH15AT with firmware 12.04.0053, allowing unauthenticated users to send POST requests to the /Forms/ directory to: - Change admin or manager passwords - Shut off power to an outlet - Disable/enable services Through my own experimentation, I have discovered that this vulnerability is also effective on Tripp Lite UPS systems, including my Tripp Lite SU750XL, and applies to firmware 12.04.0052. This suggests the issue extends beyond just PDUs, as mentionned in the CVE, to the network cards equipped in Tripp Lite PDU's and UPS's (like my SNMPWEBCARD55) with vulnerable firmware versions 12.04.0053 and below." - Its pretty serious as an attacker could first change the passwords, then turn off the power or get creative about the process if the devices run Linux or similar type OS...

Turn any reddit username into an OSINT profile to uncover activity patterns, privacy risks, and hidden insights from reddit data.

yeah we have talked about this before, but now I have one! (two actually)

SignalGate. The United States has designed systems to secure and ensure secrecy. What exactly happened here? Malcolm Nance (A Former NSA Collection Operator) Explains Trump's Massive Security Breach. What does this tell you about Signal?

Navigate the Common Vulnerabilities and Exposures (CVE) jungle with ease using CVEMAP, a command-line interface (CLI) tool designed to provide a structured and easily navigable interface to various vulnerability databases. Find out publicly available PoCs for any CVE, Use cvemap with the -poc option.

• [PAUL] - I've used this tool extensively and can confirm its great! Check this out from one of my presentations: ** cvemap -age 20 -s critical -f kev,poc - Get the last 20 days of CVEs, only those that are 9.0 CVSS or above, indicate if its in the CISA KEV and if there is a PoC exploit available

A sensitive compartmented information facility (SCIF /skɪf/), in United States military, national security/national defense and intelligence parlance, is an enclosed area within a building that is used to process sensitive compartmented information (SCI) types of classified information.

SCIFs can be either permanent or temporary and can be set up in official government buildings (such as the Situation Room in the White House), onboard ships, in private residences of officials, or in hotel rooms and other places of necessity for officials when traveling.[1] Portable SCIFs can also be quickly set up when needed during emergency situations.[2][3]

Because of the operational security (OPSEC) risk they pose, personal cell phones, smart watches, computer flash drives (aka, "thumb drives"), or any other sort of personal electronic device (PED), cameras (analog or digital) other than those that are U.S. Government property and which are used only under strict guidelines, and/or any other sort of recording or transmitting devices (analog or digital) are expressly prohibited in SCIFs.[4][5]

There is growing concern about the disposition of genetic data if 23andMe were to file for bankruptcy.

"The SpyX family of mobile spyware is now, by our count, the 25th mobile surveillance operation since 2017 known to have experienced a data breach, or otherwise spilled or exposed their victims’ or users’ data"

This news is almost a year old - but apparently just disclosed this past week.

Oh, shoot - they DID file for bankruptcy! Now, what?

Here's some good news! The number of breached healthcare records reported in the first half of 2024 is only 45 million - but that's down almost 10% from the same time period last year!

Meanwhile in other news...

"...the vulnerable endpoint, last updated on Sept. 27, 2014, allowed an unauthenticated attacker network access via HTTP."

I think we need a new t-shirt that says, "We drink because you don't patch your systems". Who's with me?

irony noun iro·​ny ˈī-rə-nē

1. a: the use of words to express something other than and especially the opposite of the literal meaning b: a usually humorous or sardonic literary style or form characterized by irony c: an ironic expression or utterance 2 a (1): incongruity between the actual result of a sequence of events and the
   normal or expected result (2): an event or result marked by such incongruity b: incongruity between a situation developed in a drama and the accompanying words or actions that is understood by the audience but not by the characters in the play (called also dramatic irony) 3: a pretense of ignorance and of willingness to learn from another assumed in order to make the other's false conceptions conspicuous by adroit questioning
   (called also Socratic irony)

Here's another take on the incident.

Here's one take on the incident.

This item has garnered some attention this week in the media. Here's the original article, though you need to sign-up to read the whole thing....#source

Here's the details.

Don't you love when serious vulnerabilities responsibly disclosed and there's a fix available?

NIST has published an update regarding the backlog of vulnerabilities submitted for analysis to the National Vulnerability Database (NVD). NIST says while "we are currently processing incoming CVEs at roughly the rate we had sustained prior to the processing slowdown in spring and early summer of 2024, […] CVE submissions increased 32 percent in 2024, and that prior processing rate is no longer sufficient to keep up with incoming submissions. As a result, the backlog is still growing."

A point which may be missed is CVE submissions for 2024 were up 32% over 2023, partly due to the increase of CVE Numbering Authorities (CNAs) meaning the work subcontracted out last year will likely need to be rescoped and funding increased. Even so, after 25 years of CVE's they remain a valued, impactful, public-private program providing value to the cyber security community. A remarkable achievement.

Earlier this year, WhatsApp notified 90+ people that they had been targeted with spyware from Paragon Solutions. With input from a collaborator, Citizen Lab says "we mapped out server infrastructure that attribute to Paragon’s Graphite spyware tool. We identified a subset of suspected Paragon deployments, including in Australia, Canada, Cyprus, Denmark, Israel, and Singapore."

Paragon, with it's "Graphite" malware positions itself as being more ethical than the infamous NSO Group. Even so both are being used to target civilians. The WhatsApp flaw which it leveraged was addressed with a server side fix last year by Meta. The protections for both remain the same, use locked down, travel or burner devices for users travelling in risky areas. Keep all devices and their apps updated, only load apps from a vetted app store and lock down privacy settings.

Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare. Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover.

This attack vector has a CVSS score of 9.8. It is fixed in Ingress NGINX Controller version 1.12.1 and 1.11.5. You need to both update to the latest version and enasure tehe admission webhook endpoint is not exposed externally, even so you may want to add ACLs to further resctrict access to only authorized devices.

US FCC chair Brendan Carr announced that the FCC’s new Council on Security will investigate the extent to which Chinese companies placed on the US’s "Covered List" are operating within the US. The designation means the companies may not receive federal funds, be used by government contractors, or provide products or services to US critical infrastructure. Specifically, the FCC imposed operational restrictions on Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, Dahua Technology Company, China Mobile International USA Inc., China Telecom (Americas) Corp., Pacifica Networks Corp./ComNet (USA) LLC, and China Unicom (Americas) Operations Ltd.

Cisco Talos has detected an ongoing advanced persistent threat campaign involving a group with ties to China that is targeting Taiwan’s critical infrastructure. The group, which Talos identifies as "UAT-5918 is an advanced persistent threat (APT) group that targets entities in Taiwan to establish long-term persistent access in victim environments. UAT-5918 usually obtains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet.

The Talos report includes a chart of APT tool and tactics, techniques, and procedures (TTP) overlap between APT groups as well as a chart of targeted countries and sectors.

Get your threat hunters on the IOCs from the Talos blog. Next, take note of the fact these guys are exploiting existing (unpatched) vulnerabilities. In other words, timely patching is critical. Look to leverage your EDR and allow-listing on services to prevent/detect attempted malware execution. Even so you need to fix the vulnerable code too.

The newest version of Google’s browser includes a fix for a critical use-after-free flaw in Lens that could be exploited to crash the browser or infect a vulnerable computer with malware. The flaw can be exploited by “a remote attacker to potentially exploit heap corruption via a crafted HTML page.”

CVE-2025-2476, use after free in Google Lens, CVSS score 8.8, is addressed in 134.0.6998.117/.118 and the current stable update for desktop is now 134.0.6998.165/.166, released March 21st, also has the fix. This is also the base version for your other Chromium browsers like Brave, Opera, etc. It's getting to the point where you want to make sure you've updated/restarted browsers weekly to keep them current, fortunately they are a lot better at picking up where they left when restarted.

Authorities in seven African countries have arrested a total of more than 300 people in as part of Operation Red Card, a four-month international operation that “targeted mobile banking, investment and messaging app scams.” Authorities also seized nearly 1,850 devices. The operation was orchestrated through INTERPOL’s African Joint Operation against Cybercrime (AFJOC) and involved authorities in Benin, Côte d'Ivoire, Nigeria, Rwanda, South Africa, Togo and Zambia.

The criminals concealed their earnings in digital assets (think crypto currency) to try and reduce detection/tracing available through conventional currency systems.  Part of the attack involves a SIM box scheme which reroutes international calls to appear as local ones, also used for large-scale SMS phishing attacks.

With 23andMe, which has been facing mounting financial difficulties and operational challenges, is filing for bankruptcy, their big asset is their database and collection of DNA samples.

In the wake of these challenges, California Attorney General Rob Bonta issued a consumer alert on Friday, urging residents to consider deleting their genetic data from the company’s platform. Citing concerns over 23andMe’s financial instability and the sensitive nature of its genetic database, Bonta recommended that customers use their rights under California’s privacy laws to delete their data and have any stored samples destroyed.

The article outlines how to delete your 23andMe data including test sample, revoking permission for using your data for research. You can download your own copy of your data/reports if you wish. You don't need to be a Californian to follow this process.

Cloudflare published a blog post on Thursday, March 20, 2025 announcing that all HTTP ports on api.cloudflare.com will be closed, rejecting all unencrypted connections in order to eliminate the risk of API requests' cleartext traffic, including API keys or tokens, being exposed and intercepted. HTTP connections will no longer return a 403 Forbidden response, as the interface will be entirely closed. This transition coincides with modifying api.cloudflare.com to be able to "change IP addresses dynamically, in line with on-going efforts to decouple names from IP addresses, and reliably managing addresses in [Cloudflare's] authoritative DNS." 

This change is specific to Cloudflare's APIs, even so, it's a really good motivator to make sure that you're not making any unencrypted API calls. Then, if you have the access, make sure the called APIs can't fall back to weak encryption.

The FBI Denver field office issued a warning on March 7, 2025 noting recent prevalence of scams employing compromised online file converter, downloader, and combiner tools. While the sites may perform their function, the new file returned to the user may contain malware meant to steal personal information or infect their system with ransomware.

It's really easy to find an online service to convert files from one format to another. Problem is files aren't just files anymore, they include lots of meta data as well as embedded scripting/execution capabilities. Work with users to provide vetted file conversion/combining services, they should be well kown, have positive reviews and outstanding security posture. Make sure endpoint protections are up for detecting this sort of threat.

Based on Cloudflare's observed traffic between September - November 2024, 41% of successful logins across websites protected by Cloudflare involve compromised passwords.

The Windows API call UuidFromStringA() converts a UUID string to its binary format. So an array of UUIDs can be decoded to raw bytes and injected in memory as a shellcode.

It demonstrated real-time quantum key distribution (QKD) between the satellite and multiple compact, mobile ground stations. The satellite transmitted approximately 250 million quantum photons per second. For each satellite pass, the system generated up to 1 Mbits of secure keys. Using the satellite as a trusted relay, the team demonstrated successful secure key sharing and encrypted communication between Beijing and Stellenbosch—two cities separated by 12,900 km.

This is the 25th mobile surveillance operation since 2017 known to have experienced a data breach.

It was an "AI sandbox". Our goal: let federal software devs test out AI tools in a safe way. They demonstrated the tool as if it were amazing. Musk's GSA head Stephen Ehikian asked GSAi to "write me a website." The output was not compliant with federal law. It said "Welcome to Our Company" on it and did not resemble a federal website at all.

On 21st March 2025, a user named rose87168 posted on BreachForums, claiming access to Oracle Cloud’s login servers and offering sensitive data. Oracle, later on the same day, responded with a categorical denial: “There has been no breach of Oracle Cloud.”

While the threat actor was able to share a sample list of customer details, the threat actor also provided evidence of the attack by uploading a file created on "login.us2.oraclecloud.com" and archiving the public URL, with the attacker's email within the text file.

An emotion-inspiring message: "spam complaint," and an overlooked warning: password manager didn't automatically fill in the password.