Research Saturday

This week, we are joined by John Hammond, Principal Security Researcher at Huntress, who is sharing his PoC and research on "CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild." A critical 9.0 severity vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox is being actively exploited in the wild, allowing remote code execution via hardcoded cryptographic keys in default configuration files. Huntress researchers observed compromises at multiple organizations and confirmed hundreds of vulnerable internet-exposed servers, urging immediate patching or manual machineKey updates. Mitigation guidance, detection, and remediation scripts have been released to help users identify and secure affected installations. The research can be found here: ⁠CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Deepen Desai, Zscaler's Chief Security Officer and EVP of Cyber and AI Engineering, taking a dive deep into Mustang Panda's latest campaign. Zscaler ThreatLabz uncovered new tools used by Mustang Panda, including the backdoors TONEINS, TONESHELL, PUBLOAD, and the proxy tool StarLoader, all delivered via phishing. They also discovered two custom keyloggers, PAKLOG and CorKLOG, and an EDR evasion tool, SplatCloak, highlighting the group's focus on surveillance, persistence, and stealth in cyberespionage operations.4o. The research can be found here: Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1 Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2 Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, Dave speaks with Max Gannon of Cofense Intelligence to dive into his team's research on "The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders." Threat actors continuously develop new tactics, techniques, and procedures (TTPs) to bypass existing defenses. When defenders identify these methods and implement countermeasures, attackers adapt or create more sophisticated approaches. This research explores how cybercriminals are leveling up their credential phishing tactics using Precision-Validated Phishing, a technique that leverages real-time email validation to ensure only high-value targets receive the phishing attempt. The research can be found here: The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders⁠⁠⁠⁠⁠ Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Lucija Valentić, Software Threat Researcher from ReversingLabs, who is discussing "Atomic and Exodus crypto wallets targeted in malicious npm campaign." Threat actors have launched a malicious npm campaign targeting Atomic and Exodus crypto wallets by distributing a fake package called "pdf-to-office," which secretly patches locally installed wallet software to redirect crypto transfers to attacker-controlled addresses. ReversingLabs researchers discovered that this package used obfuscated JavaScript to trojanize specific files in targeted wallet versions, enabling persistence even after the malicious package was removed. This incident highlights the growing threat of software supply chain attacks in the cryptocurrency space and underscores the need for vigilant monitoring of both open-source repositories and local applications. The research can be found here: ⁠⁠Atomic and Exodus crypto wallets targeted in malicious npm campaign Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by ⁠Shaked Reiner⁠, Security Principal Security Researcher at ⁠CyberArk⁠, who is discussing their research on"Agents Under Attack: Threat Modeling Agentic AI." Agentic AI empowers LLMs to take autonomous actions, like browsing the web or executing code, making them more useful—but also more dangerous. Threats like prompt injections and stolen API keys can turn agents into attack vectors. Shaked Reiner explains how treating agent outputs like untrusted code and applying traditional security principles can help keep them in check. The research can be found here: ⁠Agents Under Attack: Threat Modeling Agentic AI Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we are joined by Crystal Morin, Cybersecurity Strategist from Sysdig, as she is sharing their work on "UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell." UNC5174, a Chinese state-sponsored threat actor, has resurfaced with a stealthy cyber campaign using a new arsenal of customized and open-source tools, including a variant of their SNOWLIGHT malware and the VShell RAT. Sysdig researchers discovered that the group targets Linux systems through malicious bash scripts, domain squatting, and in-memory payloads, indicating a high level of sophistication and espionage intent. Their evolving tactics, such as using spoofed domains and fileless malware, continue to blur attribution and pose a significant threat to research institutions, critical infrastructure, and NGOs across the West and Asia-Pacific regions. The research can be found here: UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Nick Cerne, Security Consultant from Bishop Fox, to discuss "Rust for Malware Development." In pursuit of simulating real adversarial tactics, this blog explores the use of Rust for malware development, contrasting it with C in terms of binary complexity, detection evasion, and reverse engineering challenges. The author demonstrates how Rust's inherent anti-analysis traits and memory safety features can create more evasive malware tooling, including a simple dropper that injects shellcode using lesser-known Windows APIs. Through hands-on comparisons and decompiled output analysis, the post highlights Rust's growing appeal in offensive security while noting key OPSEC considerations and tooling limitations. The research can be found here: Rust for Malware Development Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are sharing an episode of our monthly show, Only Malware in the Building. We invite you to join Dave Bittner and cohost Selena Larson as they explore "The new malware on the block." Welcome in! You've entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today's most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York's exclusive upper west side, Selena is joined by N2K Networks Dave Bittner —and our newest totally unbiased co-host, Archy, a highly sophisticated AI robot who swears they have no ulterior motives (but we're keeping an eye on them just in case). Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, we talk about the latest shake-ups in the fake update threat landscape, including two new cybercriminal actors, fresh Mac malware, and the growing challenge of tracking these evolving campaigns. Learn more about your ad choices. Visit megaphone.fm/adchoices

Zach Edwards from Silent Push is discussing their work on "New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks." Silent Push analysts uncovered significant infrastructure used by the Lazarus APT Group, linking them to the $1.4 billion Bybit crypto heist through the domain bybit-assessment[.]com registered just hours before the attack. The investigation revealed a pattern of test entries, VPN usage, and fake job interview scams targeting crypto users, with malware deployment tied to North Korean threat actor groups like TraderTraitor and Contagious Interview. The team also identified numerous companies being impersonated in these scams, including major crypto platforms like Coinbase, Binance, and Kraken, to alert potential victims. The research can be found here: Silent Push Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Jon Williams, Vulnerability Researcher from Bishop Fox, discussing "Tearing Down (Sonic)Walls: Decrypting SonicOSX Firmware." Bishop Fox researchers reverse-engineered the encryption protecting SonicWall SonicOSX firmware, enabling them to access its underlying file system for security research. They presented their process and findings at DistrictCon Year 0 and released a tool called Sonicrack to extract keys from VMware virtual machine bundles, facilitating the decryption of VMware NSv firmware images. This research builds upon previous work, including techniques to decrypt static NSv images and reverse-engineer other encryption formats used by SonicWall. The research can be found here: Tearing Down (Sonic)Walls: Decrypting SonicOSX Firmware Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Tom Hegel, Principal Threat Researcher from SentinelLabs research team, to discuss their work on "Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition." The latest Ghostwriter campaign, linked to Belarusian government espionage, is actively targeting Ukrainian military and government entities as well as Belarusian opposition activists using weaponized Excel documents. SentinelLabs identified new malware variants and tactics, including obfuscated VBA macros that deploy malware via DLL files, with payload delivery seemingly controlled based on a target's location and system profile. The campaign, which began preparation in mid-2024 and became active by late 2024, appears to be an evolution of previous Ghostwriter operations, combining disinformation with cyberattacks to further political and military objectives. The research can be found here: Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition Learn more about your ad choices. Visit megaphone.fm/adchoices

Jim Walter, Senior Threat Researcher on SentinelLabs research team, to discuss their work on "HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code." Over the past six months, new ransomware groups like FunkSec, Nitrogen, and Termite have emerged, while established threats such as Cl0p and LockBit 4.0 have resurfaced. Two prominent Ransomware-as-a-Service (RaaS) operations, HellCat and Morpheus, have gained traction, with research indicating that affiliates of both are using nearly identical ransomware payloads. Despite similarities in their encryption techniques and ransom notes, there is no conclusive evidence linking HellCat and Morpheus to the Underground Team, though shared tools or affiliates may be involved. The research can be found here: HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code Learn more about your ad choices. Visit megaphone.fm/adchoices

This week we are joined by Silas Cutler, Principal Security Researcher at Censys, asking the important question of "Will the Real Volt Typhoon Please Stand Up?" The FBI's disruption of the KV Botnet in December 2023, attributed to the Chinese threat group Volt Typhoon, targeted infected systems but did not affect the botnet's control infrastructure. Despite law enforcement efforts and technical exposure, the botnet's infrastructure has remained largely stable, with only changes in hosting providers, raising questions about whether another party operates the botnet. Censys scanning data from 2024 shows a shift in the botnet's control servers, indicating a response to disruption attempts, while the botnet's operators have shown limited efforts to obscure their infrastructure. The research can be found here: Will the Real Volt Typhoon Please Stand Up? Learn more about your ad choices. Visit megaphone.fm/adchoices

This week we are joined by Phil Stokes, threat researcher at SentinelOne's SentinelLabs, discussing their work on "macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed." Apple recently pushed an update to its XProtect tool, blocking several variants of the DPRK-linked Ferret malware family, which targets victims through the "Contagious Interview" campaign. The malware uses fake job interview processes to trick users into installing malicious software, and new variants, including FlexibleFerret, remain undetected by XProtect. SentinelOne's research reveals a deeper investigation into this malware, which uses social engineering to expand its attack vectors, including targeting developers through platforms like GitHub. The research can be found here: macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Selena Larson from Proofpoint, and co-host of the "Only Malware in the Building" podcast, as she discusses the research on "Why Biasing Advanced Persistent Threats over Cybercrime is a Security Risk." The cybersecurity industry has historically prioritized Advanced Persistent Threats (APTs) from nation-state actors over cybercrime, but this distinction is outdated as cybercriminals now employ equally sophisticated tactics. Financially motivated threat actors, especially ransomware groups, have evolved to the point where they rival state-backed hackers in technical capability and impact, disrupting businesses, infrastructure, and individuals on a massive scale. To enhance security, defenders must shift focus from an APT-centric mindset to a broader approach that equally prioritizes combating cybercrime, which poses an immediate and tangible risk to global stability. The research can be found here: Why Biasing Advanced Persistent Threats over Cybercrime is a Security Risk Learn more about your ad choices. Visit megaphone.fm/adchoices

Nati Tal, Head of Guardio Labs, discussing their work on "“DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising." Guardio has uncovered a large-scale malvertising campaign dubbed “DeceptionAds,” which tricks users into running a malicious PowerShell command under the guise of proving they're human. This fake CAPTCHA scheme delivers Lumma info-stealer malware while bypassing security measures like Google's Safe Browsing. Even after disclosure and takedown efforts, the campaign resurfaced—raising concerns about the effectiveness of existing defenses against ad-driven cyber threats. The research can be found here: “DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising Learn more about your ad choices. Visit megaphone.fm/adchoices

Mark Manglicmot, SVP of Security Services from Arctic Wolf, is sharing their research on "Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software." Arctic Wolf Labs discovered an ongoing exploitation campaign targeting Cleo Managed File Transfer (MFT) products, beginning on December 7, 2024. Threat actors used a malicious PowerShell stager to deploy a Java-based backdoor, dubbed Cleopatra, which features in-memory file storage and cross-platform compatibility across Windows and Linux. Despite Cleo's previous patch for CVE-2024-50623, attackers appear to have leveraged an alternative access method, exploiting the software's autorun feature to execute payloads and establish persistent access. The research can be found here: Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, Dave Bittner is joined by Juan Andres Guerrero-Saade (JAGS) from SentinelOne's SentinelLabs to discuss the work his team and Tinexta Cyber did on "Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels." Tinexta Cyber and SentinelLabs have been tracking threat activities targeting business-to-business IT service providers in Southern Europe. Based on the malware, infrastructure, techniques used, victimology, and the timing of the activities, we assess that it is highly likely these attacks were conducted by a China-nexus threat actor with cyberespionage motivations. The relationships between European countries and China are complex, characterized by cooperation, competition, and underlying tensions in areas such as trade, investment, and technology. Suspected China-linked cyberespionage groups frequently target public and private organizations across Europe to gather strategic intelligence, gain competitive advantages, and advance geopolitical, economic, and technological interests. The research can be found here: Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Ismael Valenzuela, VP of Threat Research & Intelligence, and Jacob Faires, Principal Threat Researcher, from Blackberry discussing the team's work on "LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign." In April 2024, BlackBerry uncovered a significant evolution of the LightSpy malware campaign, attributed to Chinese cyber-espionage group APT41. The newly introduced DeepData framework, a modular Windows-based surveillance tool, expands data theft capabilities with 12 specialized plugins for tasks like communication surveillance, credential theft, and system intelligence gathering. The campaign targets a wide range of communication platforms, including WhatsApp, Signal, and WeChat, with advanced techniques for monitoring and stealing sensitive information from victims across the Asia-Pacific region. The research can be found here: LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign Learn more about your ad choices. Visit megaphone.fm/adchoices

Nati Tal, Head of Guardio Labs, sits down to share their work on “CrossBarking” — Exploiting a 0-Day Opera Vulnerability with a Cross-Browser Extension Store Attack. Guardio Labs has uncovered a critical vulnerability in the Opera browser, enabling malicious extensions to exploit Private APIs for actions like screen capturing, browser setting changes, and account hijacking. Highlighting the ease of bypassing extension store security, researchers demonstrated how a puppy-themed extension exploiting this flaw could infiltrate both Chrome and Opera's extension stores, potentially reaching millions of users. This case underscores the delicate balance between enhancing browser productivity and ensuring robust security measures, revealing the alarming tactics modern threat actors employ to exploit trusted platforms. The research can be found here: “CrossBarking” — Exploiting a 0-Day Opera Vulnerability with a Cross-Browser Extension Store Attack Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Kyla Cardona and Aurora Johnson from SpyCloud discussing their research "China's Surveillance State Is Selling Citizen Data as a Side Hustle." Chinese technology companies, under CCP mandate, collect vast amounts of data on citizens, creating opportunities for corrupt insiders to steal and resell this information on dark markets. These stolen datasets, aggregated into "Social Work Libraries" (SGKs), mirror lower-tech versions of CCP internal security databases. Kyla and Aurora discuss how Chinese cybercriminals use these SGKs and their implications compared to Western, European, and Russian cybercrime ecosystems. With expertise in Chinese OSINT and cybersecurity policy, both researchers bring deep insights into the geopolitical and technical dynamics of China's digital landscape. The research can be found here: “Pantsless Data”: Decoding Chinese Cybercrime TTPs A Deep Dive Into the Intricate Chinese Cybercrime Ecosystem China's Surveillance State Is Selling Citizen Data as a Side Hustle Learn more about your ad choices. Visit megaphone.fm/adchoices

Karlo Zanki, Reverse Engineer at ReversingLabs, discussing their work on "Malicious PyPI crypto pay package aiocpa implants infostealer code." ReversingLabs' machine learning-based threat hunting system identified a malicious PyPI package, aiocpa, designed to exfiltrate cryptocurrency wallet information. Unlike typical attacks involving typosquatting, the attackers published a seemingly legitimate crypto client tool to build trust before introducing malicious updates. ReversingLabs used its Spectra Assure platform to detect behavioral anomalies and worked with PyPI to remove the package, highlighting the growing need for advanced supply chain security tools to counter increasingly sophisticated threats. The research can be found here: Malicious PyPI crypto pay package aiocpa implants infostealer code Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Asheer Malhotra and Vitor Ventura from Cisco Talos, and they are discussing "Operation Celestial Force employs mobile and desktop malware to target Indian entities." Cisco Talos revealed Operation Celestial Force, an espionage campaign by the Pakistani threat group "Cosmic Leopard," targeting Indian defense, government, and technology sectors. Active for at least six years, the operation has recently increased its use of mobile malware and commercial spyware for surveillance. The research can be found here: Operation Celestial Force employs mobile and desktop malware to target Indian entities Learn more about your ad choices. Visit megaphone.fm/adchoices

Adam Khan, VP of Security Operations at Barracuda, joins to discuss his team's work on "The evolving use of QR codes in phishing attacks." Cybercriminals are evolving phishing tactics by embedding QR codes, or “quishing,” into PDF documents attached to emails, tricking recipients into scanning them to access malicious websites that steal credentials. Barracuda researchers found over half a million such emails from June to September 2024, with most impersonating brands like Microsoft, DocuSign, and Adobe to exploit urgency and trust. To counter these attacks, businesses should deploy multilayered email security, use AI-powered detection tools, educate employees on QR code risks, and enable multifactor authentication to safeguard accounts. The research can be found here: Threat Spotlight: The evolving use of QR codes in phishing attacks Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Andrew Morris, Founder and CTO of GreyNoise, to discuss their work on "GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI." GreyNoise discovered two critical zero-day vulnerabilities in IoT-connected live streaming cameras, used in sensitive environments like healthcare and industrial operations, by leveraging its AI-powered detection system, Sift. The vulnerabilities, CVE-2024-8956 (insufficient authentication) and CVE-2024-8957 (OS command injection), could allow attackers to take full control of affected devices, manipulate video feeds, or integrate them into botnets for broader attacks. This breakthrough underscores the transformative role of AI in identifying threats that traditional systems might miss, highlighting the urgent need for robust cybersecurity measures in the expanding IoT landscape. The research can be found here: GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI Learn more about your ad choices. Visit megaphone.fm/adchoices

Shawn Kanady, Global Director of Trustwave SpiderLabs, to discuss their work on "Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader." Trustwave SpiderLabs has uncovered Pronsis Loader, a new malware variant using the rare programming language JPHP and stealthy installation tactics to evade detection. The malware is capable of delivering high-risk payloads like Lumma Stealer and Latrodectus, posing a significant threat. Researchers highlight its unique capabilities and infrastructure, offering insights for bolstering cybersecurity defenses. The research can be found here: Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore episode: Noah Pack, a SANS Internet Storm Center Intern, sits down to discuss research on "What happens when you accidentally leak your AWS API keys?" This research is a guest diary from Noah and shares a project he worked on after seeing an online video of someone who created a python script that emailed colleges asking for free swag to be shipped to him. The research states "In this article, I will share some research, resources, and real-world data related to leaked AWS API keys." In this research, Noah shares what he learned while implementing his experiment. The research can be found here: What happens when you accidentally leak your AWS API keys? [Guest Diary] Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Ami Luttwak, Co-Founder and CTO from Wiz, sharing their work on "Wiz Research Finds Critical NVIDIA AI Vulnerability Affecting Containers Using NVIDIA GPUs, Including Over 35 percent of Cloud Environments." A critical vulnerability in the NVIDIA Container Toolkit, widely used for GPU access in AI workloads, could allow attackers to escape containers and gain full access to host environments, jeopardizing sensitive data. Wiz estimates that at least 33% of cloud environments are affected and urges immediate updates to NVIDIA's patched version. This discovery highlights the broader issue of young, under-secured codebases in AI tools, emphasizing the need for stronger security measures and collaboration. The research can be found here: Wiz Research Finds Critical NVIDIA AI Vulnerability Affecting Containers Using NVIDIA GPUs, Including Over 35% of Cloud Environments Learn more about your ad choices. Visit megaphone.fm/adchoices

This week we are joined by, Blake Darché, Head of Cloudforce One at Cloudflare, to discuss their work on "Unraveling SloppyLemming's Operations Across South Asia." Cloudforce One's investigation into the advanced threat actor "SloppyLemming" reveals an extensive espionage campaign targeting South and East Asia, with a focus on Pakistan's government, defense, telecommunications, and energy sectors. Leveraging multiple cloud service providers, SloppyLemming employs tactics like credential harvesting, malware delivery, and command-and-control (C2) operations, often relying on open-source adversary emulation tools like Cobalt Strike. Despite its activities, the actor's poor operational security (OPSEC) has allowed investigators to gain valuable insights into its infrastructure and tooling. The research can be found here: Unraveling SloppyLemming's operations across South Asia Learn more about your ad choices. Visit megaphone.fm/adchoices

Enjoy this special encore episode, where we are joined by Jon Williams from Bishop Fox, as he is sharing their research on "It's 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable." SonicWall published advisories for CVE-2022-22274 and CVE-2023-0656 a year apart after finding that NGFW series 6 and 7 devices are affected by two unauthenticated denial-of-service vulnerabilities. The research states "Our research found that the two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern." They also found that when they scanned SonicWall firewalls with management interfaces exposed to the internet, they found that 76% are vulnerable to one or both issues. The research can be found here: It's 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by, Amnon Kushnir from Sygnia, who is sharing their work on "China-Nexus Threat Group ‘Velvet Ant' Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches." In early 2024, Sygnia observed the ‘Velvet Ant' threat group exploiting a zero-day vulnerability (CVE-2024-20399) to infiltrate Cisco Switch appliances and operate undetected within enterprise networks. This attack enables threat actors to escape Cisco's command interface and install malware directly on the device's OS, bypassing standard security tools. The incident underscores the risks posed by third-party appliances and the importance of enhanced monitoring and threat detection to counter advanced persistent threats. The research can be found here: China-Nexus Threat Group ‘Velvet Ant' Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are pleased to be joined by Mick Baccio, global security advisor for Splunk SURGe, sharing their research on "LLM Security: Splunk & OWASP Top 10 for LLM-based Applications." The research dives into the rapid rise of AI and Large Language Models (LLMs) that initially seem magical, but behind the scenes, they are sophisticated systems built by humans. Despite their impressive capabilities, these systems are vulnerable to numerous cyber threats. Splunk's research explores the OWASP Top 10 for LLM Applications, a framework that highlights key vulnerabilities such as prompt injection, training data poisoning, and sensitive information disclosure. The research can be found here: LLM Security: Splunk & OWASP Top 10 for LLM-based Applications Learn more about your ad choices. Visit megaphone.fm/adchoices

This week we are joined by Chester Wisniewski, Global Field CTO from Sophos X-Ops team, to discuss their work on "Crimson Palace returns: New Tools, Tactics, and Targets." Sophos X-Ops has observed a resurgence in cyberespionage activity, tracked as Operation Crimson Palace, targeting Southeast Asian government organizations. After a brief lull, Cluster Charlie resumed operations in September 2023, using new tactics such as web shells and open-source tools to bypass detection, re-establish access, and map target network infrastructure, demonstrating ongoing efforts to exfiltrate data and expand their foothold. The research can be found here: Crimson Palace returns: New Tools, Tactics, and Targets  Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode, Trevor Hilligoss, VP of SpyCloud Labs, discusses the increasing threat of ransomware, emphasizing the role of infostealer malware in facilitating these attacks. He draws from SpyCloud's 2024 Malware and Ransomware Defense Report, highlighting how compromised identity data from infostealers creates opportunities for ransomware operators. With 75% of organizations experiencing multiple ransomware attacks in the past year, Trevor explores findings from over 500 security leaders in the US and UK, discussing the challenges businesses face and how they can use insights from this research to defend against ransomware and other cybercrimes. The research can be found here: MALWARE AND RANSOMWARE DEFENSE REPORT Learn more about your ad choices. Visit megaphone.fm/adchoices

Joshua Miller from Proofpoint is discussing their work on "Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset." Proofpoint identified Iranian threat actor TA453 targeting a prominent Jewish figure with a fake podcast interview invitation, using a benign email to build trust before sending a malicious link. The attack attempted to deliver new malware called BlackSmith, containing a PowerShell trojan dubbed AnvilEcho, designed for intelligence gathering and exfiltration. This malware consolidates all of TA453's known capabilities into a single script rather than the previously used modular approach. The research can be found here: Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset Learn more about your ad choices. Visit megaphone.fm/adchoices

We are joined by Yves Younan, Senior Manager, Talos Vulnerability Discovery and Research from Cisco, discussing their work on "How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions." Cisco Talos has uncovered eight vulnerabilities in Microsoft applications for macOS that could allow attackers to exploit the system's permission model by injecting malicious libraries. By leveraging permissions already granted to these apps, attackers could gain access to sensitive resources like the microphone, camera, and screen recording without user consent. While Microsoft considers these issues low risk and has declined to fix them, the vulnerabilities pose a potential threat to user privacy and security. The research can be found here: How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions Learn more about your ad choices. Visit megaphone.fm/adchoices

Jonathan Tanner, Senior Security Researcher from Barracuda, discussing their work on "Stealthy phishing attack uses advanced infostealer for data exfiltration." The recent phishing attack, detailed by Barracuda, uses a sophisticated infostealer malware to exfiltrate a wide array of sensitive data. The attack begins with a phishing email containing an ISO file with an HTA payload, which downloads and executes obfuscated scripts to extract and transmit browser information, saved files, and credentials to remote servers. This advanced infostealer is notable for its extensive data collection capabilities and complex exfiltration methods, highlighting the increasing sophistication of cyber threats. The research can be found here: Stealthy phishing attack uses advanced infostealer for data exfiltration Learn more about your ad choices. Visit megaphone.fm/adchoices

Alex Delamotte, Threat Researcher from SentinelOne Labs, joins to share their work on "Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials." SentinelOne's Labs team has uncovered new research on Xeon Sender, a cloud hacktool used to launch SMS spam attacks via legitimate APIs like Amazon SNS. First seen in 2022, this tool has been repurposed by multiple threat actors and distributed on underground forums, highlighting the ongoing trend of SMS spam through cloud services and SaaS. The research can be found here: Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, N2K's very own Brandon Karpf sits down with Kevin Lentz, Team Leader of the Cyber Pacific Project at the Global Disinformation Lab, and they discuss the recent threatcasting report "Cyber Competition in the Indo-Pacific Gray Zone 2035." This report, developed using the Threatcasting Method, examines how the U.S. and Indo-Pacific allies can coordinate their cyber defense efforts in response to future competition with China. It presents findings, trends, and recommendations based on twenty-five scenarios simulated by a cross-functional group of experts to anticipate and address emerging threats over the next decade. The research can be found here: Cyber Competition in the Indo-Pacific Gray Zone 2035 Learn more about your ad choices. Visit megaphone.fm/adchoices

Tim Peck, a Senior Threat Researcher at Securonix, is discussing their work on "Threat actors behind the DEV#POPPER campaign have retooled and are continuing to target software developers via social engineering." The DEV#POPPER campaign continues to evolve, now targeting developers with malware capable of operating on Linux, Windows, and macOS systems. The threat actors, believed to be North Korean, employ sophisticated social engineering tactics, such as fake job interviews, to deliver stealthy malware that gathers sensitive information, including browser credentials and system data. The research can be found here: Research Update: Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering Learn more about your ad choices. Visit megaphone.fm/adchoices

Robert Duncan, VP of Product Strategy from Netcraft, is discussing their work on "Mule-as-a-Service Infrastructure Exposed." Netcraft's new threat intelligence reveals the intricate connections within global fraud networks, showing how criminals use specialized services like Mule-as-a-Service (MaaS) to launder scam proceeds. By mapping the cyber and financial infrastructure, including bank accounts, crypto wallets, and phone numbers, Netcraft exposes how different scams are interconnected and identifies weak points that can be targeted to disrupt these operations. This insight provides an opportunity to prevent fraud and protect against financial crimes like pig butchering, investment scams, and romance fraud. The research can be found here: Mule-as-a-Service Infrastructure Exposed Learn more about your ad choices. Visit megaphone.fm/adchoices

Snir Ben Shimol from ZEST Security on their work, "How we hacked a cloud production environment by exploiting Terraform providers." In this blog, ZEST discusses the security risks associated with Terraform providers, particularly those from community sources. The research highlights the importance of carefully vetting providers, regular scanning, and following best practices like version pinning to mitigate potential vulnerabilities in cloud infrastructure management. The research can be found here: The hidden risks of Terraform providers Learn more about your ad choices. Visit megaphone.fm/adchoices

Shachar Menashe, Senior Director of Security Research at JFrog, is talking about "When Prompts Go Rogue: Analyzing a Prompt Injection Code Execution in Vanna.AI." A security vulnerability in the Vanna.AI tool, called CVE-2024-5565, allows hackers to exploit large language models (LLMs) by manipulating user input to execute malicious code, a method known as prompt injection. This poses a significant risk when LLMs are connected to critical functions, highlighting the need for stronger security measures. The research can be found here: When Prompts Go Rogue: Analyzing a Prompt Injection Code Execution in Vanna.AI Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Jason Baker, Senior Threat Consultant at GuidePoint Security, and he is discussing their work on "Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider." In early 2024, a current RansomHub RaaS affiliate was identified as a former Alphv/Black Cat affiliate and is believed to be linked to the Scattered Spider group, known for using overlapping tools, tactics, and victims. The high-confidence assessment by GuidePoint's DFIR and GRIT teams is supported by the consistent use of tools like ngrok and Tailscale, social engineering tactics, and systematic playbooks in intrusions. The research can be found here: Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider Learn more about your ad choices. Visit megaphone.fm/adchoices

Dick O'Brien from Symantec Threat Hunter team is talking about their work on "Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day." Also going to provide some background/history on Black Basta. CVE-2024-26169 in the Windows Error Reporting Service, patched on March 12, 2024, allowed privilege escalation. Despite initial claims of no active exploitation, recent analysis indicates it may have been exploited as a zero-day before the patch. The research can be found here: Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Selena Larson, Staff Threat Researcher, Lead Intelligence Analysis and Strategy at Proofpoint, as well as host of the "Only Malware in the Building" podcast, as she is discussing their research on "Scammers Create Fraudulent Olympics Ticketing Websites." Proofpoint recently identified a fraudulent website selling fake tickets to the Paris 2024 Summer Olympics and quickly suspended the domain. This site was among many identified by the French Gendarmerie Nationale and Olympics partners, who have shut down 51 of 338 fraudulent websites, with 140 receiving formal notices from law enforcement. The research can be found here: Security Brief: Scammers Create Fraudulent Olympics Ticketing Websites Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Asheer Malhotra and Vitor Ventura from Cisco Talos, and they are discussing "Operation Celestial Force employs mobile and desktop malware to target Indian entities." Cisco Talos revealed Operation Celestial Force, an espionage campaign by the Pakistani threat group "Cosmic Leopard," targeting Indian defense, government, and technology sectors. Active for at least six years, the operation has recently increased its use of mobile malware and commercial spyware for surveillance. The research can be found here: Operation Celestial Force employs mobile and desktop malware to target Indian entities Learn more about your ad choices. Visit megaphone.fm/adchoices

Joshua Miller from Proofpoint joins Dave to discuss findings on "Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware." In mid May, TA453, also known as Charming Kitten, APT42, Mint Sandstorm, and Yellow Garuda, was found sending a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The research states that "the email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review." Proofpoint shares it's findings and what you can expect from the threat group. The research can be found here: Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware Learn more about your ad choices. Visit megaphone.fm/adchoices

Ismael Valenzuela, Vice President Threat Research & Intelligence, from Blackberry Threat Research and Intelligence team is discussing their work on "Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages." BlackBerry has identified Transparent Tribe (APT36), a Pakistani-based advanced persistent threat group, targeting India's government, defense, and aerospace sectors from late 2023 to April 2024, using evolving toolkits and exploiting web services like Telegram and Google Drive. Evidence such as time zone settings and spear-phishing emails with Pakistani IP addresses supports their attribution, suggesting alignment with Pakistan's interests. The research can be found here: Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages Learn more about your ad choices. Visit megaphone.fm/adchoices

Kerri Shafer-Page from Arctic Wolf joins us to discuss their work on "Lost in the Fog: A New Ransomware Threat." Starting in early May, Arctic Wolf's Incident Response team investigated Fog ransomware attacks on US education and recreation sectors, where attackers exploited compromised VPN credentials to access systems, disable Windows Defender, encrypt files, and delete backups. Despite the uniformity in ransomware payloads and ransom notes, the organizational structure of the responsible groups remains unknown. The research can be found here: Lost in the Fog: A New Ransomware Threat Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by a Security Researcher from SpyCloud Labs, James, who is discussing their work on "Unpacking Infostealer Malware: What we've learned from reverse engineering LummaC2 and Atomic macOS Stealer." Infostealer malware has become highly prevalent, with SpyCloud tracking over 50 families and finding that 1 in 5 digital identities are at risk. This research analyzes the workings and intentions behind infostealers like LummaC2 and Atomic macOS Stealer, focusing on the types of data extracted and the broader security implications. The research can be found here: Reversing LummaC2 4.0: Updates, Bug Fixes Reversing Atomic macOS Stealer: Binaries, Backdoors & Browser Theft How the Threat Actors at SpaxMedia Distribute Malware Globally Learn more about your ad choices. Visit megaphone.fm/adchoices