You Should Just Patch – PSW #869
In the security news this week: You should really just patch things, the NVD backlog, Android phones with malware pre-installed, so convenient, keyloggers and a creepy pharmacist, snooping on federal workers, someone stole your browser history, NSA director fired, deputy director of NSA also fired, CrushFTP the saga continues, only steal the valid credit cards, another post that vanished from the Internet, hiding in NVRAM, protecting the Linux kernel, you down with MCP?, more EOL IoT, bypassing kernel protections, when are you ready for a pen test, red team and bug bounty, what EDR is really missing, and based on this story you should just patch everything all the time!
Hosts
- 1. The Renaissance of NTLM Relay Attacks: Everything You Need to Know
- 2. EAP-TLS: The most secure option?
- 3. GitHub – vari-sh/RedTeamGrimoire: Forbidden collection of Red Team sorcery
- 4. Windows Defender antivirus bypass in 2025 – part 1
- 5. A small bug in the signature verification of AOSP OTA packages
- 6. NIST Declares Pre-2018 CVEs Will Be Labeled as ‘Deferred’
- 7. Bypassing Bitdefender antivirus using API unhooking
- 8. APT group ToddyCat exploits a vulnerability in ESET for DLL proxying
- 9. Windows Remote Desktop Protocol: Remote to Rogue
- 10. CERT/CC Vulnerability Note VU#252619
- 11. Talk To Your Malware – Integrating AI Capability in an Open-Source C2 Agent
- 12. Accessing the MS-NRPC interface as the RPC client without authentication
- 13. Popular VPNs are routing traffic via Chinese companies, including one with link to military
- 14. Harnessing the power of Named Pipes
- 15. CoffeeLoader: A Brew of Stealthy Techniques
- 16. Is The Sofistication In The Room With Us? – X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457)
I find this story to be fascinating for several reasons:
- Ivanti miscalculated, if you will, the severity of the vulnerability, stating: "The vulnerability is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service."
- Ivanti patched it anyhow in Feb 2025
- Since the release of the patch, threat actors (and this is just speculation) reverse-engineered the patch and then discovered a way to reliably exploit the vulnerability
- Ivanti then filed a CVE, CVE-2025-22457, since the original patch was thought to just be fixing a "bug" and not a vulnerability
This situation supports the notion that I've been pushing for some time: You just need to patch. You don't have a crystal ball and you can't know if something will be exploited in the future and there is nothing that really, truly, helps you determine exploitability (EPSS tries, but in this case, it wouldn't have helped). What you need is great systems administration. Apply the patches as they come out and don't get hung up on scores and predictions, because attackers are preying on this practice. We also don't know how many bugs were patched that attackers turned into vulnerabilities and developed exploits. We got this one because Mandiant found it. What about the rest? More evidence that you should just be patching. Your work is not done once you've deployed some technology, it continues until you unplug it or remove it entirely.
- 17. Pentesting V. Red Teaming V. Bug Bounty
I am disappointed in this article, as it feels as though the author just asked an LLM to put it together. It's too bad, as it has potential and comes from a company that I totally respect. Take the final take-away statement: "To build a resilient security posture, organizations should adopt a multi-layered approach, leveraging penetration testing, red teaming, and bug bounty programs as complementary strategies—ensuring continuous assessment, proactive threat mitigation, and enhanced defense against evolving cyber threats." - I believe this is something we've known for a long time. What people struggle with is when you are ready for each of these activities, and what you can do to determine when you are ready. When are you ready?
- 18. SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
This headline is misleading. It points to two different reports from a cybersecurity vendor. The reports are absolutely beautiful to look at. However, the data leaves much to be desired and seems to rely heavily on user surveys. I was hoping for something that discussed and measured the technical controls implemented by EDR, the bypass techniques, and how attackers are leveraging the bypass techniques today. I just couldn't wade through all of the infographics, charts, quotes, and such to get to what someone would really want to know. I do believe that malware is "winning", but why and what can we do better are the real questions to be addressed.
- 19. GitHub – Slowerzs/KeyJumper
Explanation of bypassing kernel protection mechanisms such as control flow and Hypervisor-Protected Code Integrity (HVCI), even when implemented in hardware. Some good reading here (with a reference to this article as well: https://connormcgarr.github.io/hvci/). LLM's interpretation of the control mechanisms that are discussed:
- HVCI: Ensures only signed drivers can be loaded into the kernel, using Extended Page Tables to prevent the allocation of new executable pages without hypervisor approval.
- kCFG: A software-based CFI mechanism that protects forward control-flow edges by maintaining a bitmap of valid call targets.
- kCET: A hardware-based shadow stack implementation that safeguards return addresses on the stack from tampering, effectively mitigating Return-Oriented Programming (ROP) attacks.
- 20. MCP Security Notification: Tool Poisoning Attacks
This is really neat: "We term this vulnerability Tool Poisoning Attack - where seemingly innocent tools contain hidden malicious instructions. This is particularly dangerous because (1) Users have no visibility into the full tool descriptions, (2) AI models are trained to follow these instructions precisely, and (3) malicious behavior is concealed behind legitimate functionality." And for context: "The Model Context Protocol (MCP) has been taking over the AI agent landscape, allowing users to connect agentic systems with new tools and data sources. MCP enables users to add new tools and capabilities into agentic systems, using a plugin-like architecture based on MCP servers."
- 21. LaurieWired/GhidraMCP: MCP Server for Ghidra
Also, along the lines of MCP, this is something to test if you are doing reverse engineering: "ghidraMCP is an Model Context Protocol server for allowing LLMs to autonomously reverse engineer applications. It exposes numerous tools from core Ghidra functionality to MCP clients."
- 22. thalium/rkchk: Rust Linux Kernel Module designed for LKM rootkit detection
This is really great research and very promising. My concern is how we are protecting the Linux kernel, as without protections an attacker can simply disable, unload, or blind modules like this that are meant to detect malicious software and kernel modules. Secure Boot is one way to do this, requiring that the kernel modules are signed in order to run. But wait, Secure Boot is still broken on Linux. But also, let's make things more difficult for attackers and not get hung up on things that can be bypassed, because everything will be bypassed...
- 23. ‘You Left this on the Internet?’ Finding 8 Zero Days in the WNR854T for DistrictCon Junkyard – FaultPoint
The router targeted was EOL, and we all know how I feel about EOL devices, vulnerabilities, and exploits. One interesting thing here is the ability to persist in NVRAM, which means an attacker can persist through firmware upgrades. So, if you did have a new firmware version, your router would still be pwned.
- 24. The Threat You Can’t Scan For
https://github.com/reapermunky/Veriduct - And just like that, both the blog post and the GitHub repo are gone. Much like the research that was presented. Fortunately I saved a copy of the blog post (though I did not clone the repo, won't make that mistake again!). Here's the gist: "Veriduct is a framework that quietly dismantles the core principle of digital security: That presence is a prerequisite for control. It doesn’t hide files. It doesn’t encrypt them in place. It doesn’t use steganography, obfuscation, or polymorphic payloads. Instead, it shatters files into SHA-256 — hashed fragments — each indistinguishable from meaningless noise — and stores them independently. There is no metadata, no structure, and no discernible pattern. The original data is not encrypted or disguised. It is absent — until reassembled by a specific key map. The file is not hidden. It is gone. Until you call it back into existence." - Perhaps it was not true at all and you really cannot do this? Will we ever know?
- 25. Stripe API Skimming Campaign: Additional Victims and Insights
I actually met the Jscrambler team a while back and was impressed with their talent and product. So it will come as no surprise that they were able to uncover a skimming operation, in JavaScript. Basically the malicious JavaScript overlays the official Stripe iframe, allowing you to enter your credit card details, which are then sent to the attacker. But wait! Before they get sent to the attacker, the attackers used the Stripe API to validate the card, so they only get "good" cards. Pretty neat. Also of note, this was not an issue with Stripe. Also, this type of fraud is hard to detect for folks like Stripe.
- 26. MediaTek Product Security Bulletin – April 2025
"details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT, Computer Vision, Audio, and TV chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication." - Many deal with Android; one is a generic WLAN vulnerability on chips used in streaming devices/TVs, phones and tablets.
- 1. CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation
@Paul - trigger warning. This article touches on lots of the things you've been discussing about vulnerabilities and CVEs over the past couple months.
- 2. iOS privacy app can’t keep secrets – and spills user notes with passwords
Who needs a court order to access an iPhone??? Just wait for a vulnerable app to disclose all your sensitive data.
- 3. Backslash Security’s Digital Twin Approach to Application Security Gains Traction as Legacy Tools Fall Short
Disclaimer: This is not an endorsement of Backslash Security. I'm just intrigued that a company is trying a new/different approach to the traditional idea of code review. Does it work? Is it worth it? You tell me.
- 4. Knostic Selected as Finalist for RSAC™ 2025 Conference Innovation Sandbox Contest
Since I'm on the media mailing list for RSA Conference, I got slammed the other day with all the Innovation Sandbox Finalists once they were announced.
I saw this one and wanted to give a shout out to our friend Sounil Yu (and Gadi Evron).
Congratulations and good luck!
P.S. I hope I can make it to your 3-minute pitch. #DFIU
- 5. 2025 RSAC Innovation Sandbox Finalists Announced
Also a shout out to another member of the PSW family - Darwin Salazar. Darwin posted a complete list of the Innovation Sandbox finalists here.
- 6. These Are Not The Booths Across The Street
PSA: If you will be attending RSA Conference next week, I'd love for you to stop by one of my day job's networking events, say hello, and check out the services that OBS Global provides to its clients.
Of course, we can chat PCI - and there will be the required drinks available to play the PCI game with me in person!
- 7. Hacker Claims Twilio’s SendGrid Data Breach, Selling 848,000 Records
Some controversy over the authenticity of this breach and whether data has actually been compromised. "This one feels kind of off, and the asking price seems very low for the size and richness of the purported content." - Casey Ellis (PSW Family)
- 8. Oracle’s masterclass in breach comms: Deny, deflect, repeat
Too soon and/or poor sportsmanship to beat up on Oracle? (I think not....) Oracle did finally own up to the recent breach (one of the recent breaches). This article provides a timeline of who said what and denied what and when.
- 9. Trump abruptly fires the 4-star general who headed the National Security Agency
I would be remiss if I didn't add an article about this. My colleagues on the NSA Information Assurance alumni mailing list are collectively asking, "WTF?" In my ten years at NSA I served under four different directors. Directors are always a senior leader from one of the military branches. Traditionally, a civilian Deputy Director provides continuity whenever there is a change at the DIRNSA (Director of NSA) level. But wait, she was canned as well. DIRNSA also is the head of the US Cyber Command. It's hard not to mix politics with cybersecurity discussions when a political decision directly impacts the US cybersecurity mission. Is there a method to the madness or just madness???
- 1. Critical RCE Vulnerability in Apache Parquet (CVE-2025-30065) – Advisory and Analysis
Critical CVE-2025-30065 deserialization of trusted data vulnerability in the avro-parquet module of Apache Parquet could lead to arbitrary code execution. Patch now by upgrading to version 1.15.1.
Take steps to rapidly upgrade to Parquet 1.15.1. There is no current evidence of a POC or exploitation, but with the press this is getting, expect that to change quickly. Next, review OWASP's deserialization cheat sheet to see if you can implement any added controls around deserialization.
- 2. Food giant WK Kellogg discloses data breach linked to Clop ransomware
US food giant WK Kellogg Co is warning employees and vendors that company data was stolen during the 2024 Cleo data theft attacks. Cleo software is a managed file transfer utility that was targeted by the Clop ransomware gang en masse at the end of last year. This attack leveraged two zero-day flaws tracked as CVE-2024-50623 and CVE-2024-55956, allowing the threat actors to breach servers and steal sensitive data. WK Kellogg is the latest identified victim of this attack.
If you're using file transfer utilities, take a lead from WK Kellogg and have an in-depth conversation about their security and mitigations. Make sure that you've implemented all the best practices, to include making sure that your solution is appropriate with today's targeting of file transfer services to capture sensitive data or disrupt operations.
- 3. Chrome preps fix for browser history spying
Chrome 136, released to the Beta channel on April 3, 2025, includes partitioning for link history, contextualizing the CSS :visited pseudo-class with additional information. This change aims to prevent attackers from exploiting :visited history to detect or "sniff" a user's browsing habits, then potentially using that information for unwanted advertiser profiling, cross-site tracking without cookies, fingerprinting, targeting by phishing campaigns, and other privacy violations. Side-channel attacks abusing :visited to steal users' browser history have been observed for over 20 years.
- 4. NIST marks all CVEs prior to Jan. 1, 2018, as ‘deferred’
Facing potential layoffs of at least 500 probationary employees, the NIST last week announced that it will defer enrichment of all CVEs prior to Jan. 1, 2018.
Enrichment of current CVEs should be prioritized over older ones, albeit CVEs prior to 2018 represent about 34% of the total number of CVEs. Even so, continue cyber hygiene activities, incorporating appropriate scanning/monitoring to identify shortfalls and risks, leverage NIST's KEV, and reserve deep analysis for the exception, not every CVE.
- 5. WinRAR flaw bypasses Windows Mark of the Web security alerts
A vulnerability in the WinRAR file archiver solution could be exploited to bypass the Mark of the Web (MotW) security warning and execute arbitrary code on a Windows machine. The security issue is tracked as CVE-2025-31334 and affects all WinRAR versions except the most recent release, which is currently 7.11. In September, 2024, Trend Micro's Zero Day Initiative observed state-affiliated threat actors exploiting a different MotW bypass in open-source archiver 7-Zip (fixed in version 24.09) to deliver malware payloads. Neither WinRAR nor 7-Zip automatically update, so users must download the patched versions. Consider centralized monitoring and patching to ensure the updates are applied.
- 6. UK’s demand for Apple backdoor should not be heard in secret, says court
UK's Investigatory Powers Tribunal (IPT) publicly released the judgment from its closed-door hearing held March 14, 2025, dismissing the Secretary of State's application for ongoing secrecy in the case of Apple's appeal of a Technical Capability Notice (TCN) demanding government access to users' end-to-end-encrypted (E2EE) data. The court "[does] not accept that the revelation of the bare details of the case would be damaging to the public interest or prejudicial to national security," and notes "it may well be possible for some or all future hearings to incorporate a public element, with or without reporting restrictions."
Indications are they are looking to monitor regular user activity as nefarious users would move to another platform if this backdoor was available.
- 7. Port of Seattle Says 90,000 People Impacted by Ransomware Attack
The Port of Seattle is notifying 90,000 individuals that their personal information was compromised in an August 2024 data breach resulting from a ransomware attack. The incident occurred on August 24 and forced the Port to isolate critical systems, which impacted the Seattle-Tacoma International Airport (SEA Airport), Fishermen’s Terminal, and public marinas it operates.
The Rhysida ransomware gang is taking credit for this attack and the Port refused to pay any ransom demand. Data exfiltrated included names, DOB, SSNs, driver's license and other government ID numbers, as well as medical information, which was initially put up for auction by the gang; later some was released for free. The data doesn't appear to have any payment or traveler related information.
- 8. Pharmacist hacked hospital computers to watch doctors undress, women say
Matthew Bathula allegedly placed keystroke-logging software on hundreds of UMMC computers, using the information gleaned to steal co-workers’ account credentials. The activity had been going on for a decade, although the plaintiffs learned of the situation only recently after being contacted by the FBI and shown evidence of the intrusions.
The keylogging software was installed on shared computers and used to capture not only UMMC credentials but also activate and record cameras, disabling the camera light, as well as capturing personal credentials. UMMC has replaced all affected computers as well as installed keylogger detectors. One of the lessons is to be cautious with a shared computer accessing sensitive information such as online banking. In a word, don't; you're not truly sure what is private and what is not.
- 1. Exclusive: Musk’s DOGE using AI to snoop on U.S. federal workers, sources say
At the Environmental Protection Agency, Musk’s team is using AI to monitor communication apps and software, including Microsoft Teams, looking for anti-Trump or anti-Musk language. “Be careful what you say, what you type and what you do,” a manager said.
- 2. Pharmacist hacked hospital computers to watch doctors undress, breastfeed, lawsuit alleges
He installed keyloggers on computers over a decade to spy on the women. He won an award as the best instructor of the year in 2015. He has not been charged with a crime. Six women are suing the hospital for negligence, saying they only discovered that they had been spied on in recent months after FBI agents showed them some of Bathula’s photos and videos.
- 3. It takes two: The 2025 Sophos Active Adversary Report
- Median dwell time for all cases in 2024 was a swift two days
- Root cause: compromised credentials (41%) (MFA is essential!), exploiting vulnerabilities (22%), and brute force attacks (21%)
- Attacker abuse of living-off-the-land binaries (LOLBins) explodes
- RDP was used by attackers in 84% of cases
- Remote ransomware rose, where ransomware attackers compromise an unmanaged or under-protected endpoint, and leverage that access to encrypt data on managed, domain-joined machines. In its 2024 report, Microsoft found that 70% of successful attacks involved remote encryption. All the malicious activity – ingress, payload execution, and encryption – occurs on an unmanaged machine, therefore bypassing modern security stacks, with the only indication of compromise being the transmission of documents to and from other machines.
- 4. DOGE Has Its Sights Set on US Computer Systems. Oh Boy.
DOGE disruptors plan to rip COBOL out at the SSA and rewrite the code for social security systems from the ground up. DOGE apparently thinks this can be done in a matter of months. That would be wrong.
- 5. Hackers are selling counterfeit phones with crypto-stealing malware
Kaspersky found thousands of counterfeit Android smartphones sold online with preinstalled malware designed to steal crypto and other sensitive data. They're sold at reduced prices, but are riddled with a version of the Triada Trojan that infects every process and gives the attackers “almost unlimited control” over the device.
- 6. Feeling curious? Google’s NotebookLM can now discover data sources for you
NotebookLM uses AI to analyze user-provided documents. Starting today, it will be even easier to use NotebookLM to explore topics, as Google has added a "Discover Sources" feature to let the app look up its own sources.
- 7. Critics suspect Trump’s weird tariff math came from chatbots
Screenshots from ChatGPT, Gemini, Claude, and Grok showed that chatbots arrived at similar calculations as the Trump administration.