Podcasts about infosec

Using AI Gemma 3 Locally with a Single CPU Installing AI models on modes hardware is possible and can be useful to experiment with these models on premise https://isc.sans.edu/diary/Using%20AI%20Gemma%203%20Locally%20with%20a%20Single%20CPU%20/32556 Mystery Google Chrome 0-Day Vulnerability Google released an update for Google Chrome fixing a vulnerability that is already being exploited, but has not CVE number assigned to it yet https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html SOAPwn: Pwning NET Framework Applications Through HTTP Client Proxies And WSDL Watchtwr identified a common vulnerability in SOAP implementations using .Net https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/

Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection) We observed HTTP requests with our honeypot that may be indicative of a new version of an exploit against an older vulnerability. Help us figure out what is going on. https://isc.sans.edu/diary/Possible%20exploit%20variant%20for%20CVE-2024-9042%20%28Kubernetes%20OS%20Command%20Injection%29/32554 React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182 Wiz has a writeup with more background on the React2Shell vulnerability and current attacks https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive Notepad++ Update Hijacking Notepad++ s vulnerable update process was exploited https://notepad-plus-plus.org/news/v889-released/ New macOS PackageKit Privilege Escalation A PoC was released for a new privilege escalation vulnerability in macOS. Currently, there is no patch. https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html

Microsoft Patch Tuesday Microsoft released its regular monthly patch on Tuesday, addressing 57 flaws. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20December%202025/32550 Adobe Patches Adobe patched five products. The remote code execution in ColdFusion, as well as the code execution issue in Acrobat, will very likely see exploits soon. https://helpx.adobe.com/security.html Ivanti Endpoint Manager Patches Ivanti patched four vulnerabilities in End Point Manager. https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024?language=en_US Fortinet FortiCloud SSO Vulnerability Due to a cryptographic vulnerability, Forinet s FortiCloud SSO authentication is bypassable. https://fortiguard.fortinet.com/psirt/FG-IR-25-647 ruby-saml vulnerability Ruby fixed a vulnerability in ruby-saml. The issue is due to an incomplete patch for another vulnerability a few months ago. https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3

nanoKVM Vulnerabilities The nanoKVM device updates firmware insecurely; however, the microphone that the authors of the advisory referred to as undocumented may actually be documented in the underlying hardware description. https://www.tomshardware.com/tech-industry/cyber-security/researcher-finds-undocumented-microphone-and-major-security-flaws-in-sipeed-nanokvm Ghostframe Phishing Kit The Ghostframe phishing kit uses iFrames and random subdomains to evade detection https://blog.barracuda.com/2025/12/04/threat-spotlight-ghostframe-phishing-kit WatchGuard Advisory WatchGuard released an update for its Firebox appliance, fixing ten vulnerabilities. Five of these are rated as High. https://www.watchguard.com/wgrd-psirt/advisories

AutoIT3 Compiled Scripts Dropping Shellcodes Malicious AutoIT3 scripts are usign the FileInstall function to include additional scripts at compile time that are dropped as temporary files during execution. https://isc.sans.edu/diary/AutoIT3%20Compiled%20Scripts%20Dropping%20Shellcodes/32542 React2Shell Update The race is on to patch vulnerable systems. Various groups are aggressively scanning the internet with different exploit variants. Some attempt to bypass WAFs. https://blog.cloudflare.com/5-december-2025-outage/ https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ Apache Tika XXE Flaw Apache s Tika library patched a XXE flaw. https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k

Nation-State Attack or Compromised Government? [Guest Diary] An IP address associated with the Indonesian Government attacked one of our interns' honeypots. https://isc.sans.edu/diary/Nation-State%20Attack%20or%20Compromised%20Government%3F%20%5BGuest%20Diary%5D/32536 React Update Working exploits for the React vulnerability patched yesterday are not widely available Array Networks Array AG Vulnerablity A recently patched vulnerability in Array Networks Array AG VPN gateways is actively exploited. https://www.jpcert.or.jp/at/2025/at250024.html

Attempts to Bypass CDNs Our honeypots recently started receiving scans that included CDN specific headers. https://isc.sans.edu/diary/Attempts%20to%20Bypass%20CDNs/32532 React Vulnerability CVE-2025-55182 React patched a critical vulnerability in React server components. Exploitation is likely imminent. https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components Unveiling 3 PickleScan Vulnerabilities The PyTorch AI model security tool, PickleScan, has patched three critical vulnerabilities. https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/

Varun Puri, CEO and cofounder of Yoodli, joins the show to talk about using AI role play to transform how people practice for high stakes conversations, from sales calls to job interviews to tough manager chats. He breaks down how Yoodli went from a consumer public speaking tool to a serious enterprise platform used by teams at Google, Snowflake, Databricks, and more, all while staying anchored in one mission, helping humans communicate with confidence. We dig into product led growth, honest feedback loops, and why real human communication will matter even more as AI makes information instant.Key takeaways• Why Yoodli started with public speaking anxiety and grew into an AI role play simulator for any important conversation, not just conference talks or pitch decks• How watching real user behavior inside companies like Google pulled the team into enterprise without abandoning their consumer product• A simple approach to product feedback, talk to end users constantly, then prioritize changes by business impact, renewal risk, and how many people benefit• What it really takes to move from consumer to enterprise, new roles, new processes, and a very different mindset around reliability, security, and expectations• Why Varun draws clear ethical lines, using AI to coach and prepare people, not to replace human judgment in hiring, promotion, or high trust decisionsTimestamped highlights[00:35] What Yoodli actually does today, from solo practice to training sales and go to market teams inside large enterprises[01:43] The original vision, helping people who are scared of public speaking, and the insight that interviews, sales calls, and manager talks are all just role plays[03:37] How the team listens to end users, the channels they rely on, and why the consumer product is still their testing ground for new ideas and experiments[05:20] Following users into the enterprise, why it was an addition and not a full pivot, and how product led growth inside companies like Google works in practice[07:42] The early shock of selling to enterprises, learning about new roles, SLAs, InfoSec, and bringing in leaders from Tableau and Salesforce to build a real B2B engine[11:10] Two paths for AI in sales, tools that try to replace humans versus tools that make humans better, and why Varun has drawn a hard line on what Yoodli will not do[15:26] A future where information is commoditized and instant, and why communication and presence become the real edge for top performers in that world[20:48] Designing for trust and adoption, how Yoodli keeps practice private by default, when data is shared, and why control has to sit with the end userA line worth saving“In a world where AI makes everyone smarter and faster, the thing that will be at the biggest premium is how you communicate as a human with other humans.”Practical ideas you can use• Keep a consumer like surface in your product so you can experiment faster than your enterprise roadmap would ever allow• Treat feedback from large customers like a queue you rank by renewal risk, strategic value, and number of users helped, not as a list you must clear• Look for product led growth signals inside your user base, if thousands of people in one company are using you, someone there probably wants a team level solution• Draw explicit boundaries for your AI product, write down what you will not automate, so you can build trust with users and buyers over the long termCall to actionIf you care about the future of sales, interviewing, and communication in an AI rich world, this conversation is worth a listen. Follow the show, leave a quick rating, and share this episode with a founder, product leader, or sales leader who is thinking about AI in their workflow. And if you want feedback on your own speaking, check out what Varun and his team are building at Yoodli.

SmartTube Android App Compromise The key a developer used to sign the Android YouTube player SmartTube was compromised and used to publish a malicious version. https://github.com/yuliskov/SmartTube/issues/5131#issue-3670629826 https://github.com/yuliskov/SmartTube/releases/tag/notification Two Years, 17K Downloads: The NPM Malware That Tried to Gaslight Security Scanners Over the course of two years, a malicious NPM package was updated to evade detection and has now been identified, in part, due to its attempt to bypass AI scanners through prompt injection. https://www.koi.ai/blog/two-years-17k-downloads-the-npm-malware-that-tried-to-gaslight-security-scanners Stored XSS Vulnerability via SVG Animation, SVG URL, and MathML Attributes Angular fixed a store XSS vulnerability. https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49

This episode is sponsored by Aembit. Visit aembit.io/idac to learn more.Jeff and Jim welcome David Goldschlag, CEO and Co-founder of Aembit, to discuss the rapidly evolving world of non-human access and workload identity. With the rise of AI agents in the enterprise, organizations face a critical challenge: how to secure software-to-software connections without relying on static, shared credentials.David shares his unique background, ranging from working on The Onion Router (Tor) at the Naval Research Lab to the DIVX rental system, and explains how those experiences inform his approach to identity today. The conversation covers the distinction between human and non-human access, the risks of using user credentials for AI agents, and why we must shift from managing secrets to managing access policies.This episode explores real-world use cases for AI agents in financial services and retail, the concept of hybrid versus autonomous agents, and practical advice for identity practitioners looking to get ahead of the agentic AI wave.Visit Aembit: https://aembit.io/idacConnect with David: https://www.linkedin.com/in/davidgoldschlagConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comTimestamps00:00 - Intro00:51 - Pronunciation of Aembit and the extra 'E'01:56 - David's background: From NSA to Enterprise Security04:58 - The meaning behind the name Aembit06:00 - David's history with The Onion Router (Tor)10:00 - Differentiating Non-Human Access from Workforce IAM11:39 - The security risks of AI Agents using human credentials14:15 - Manage Access, Not Secrets16:00 - Use Cases: Financial Analysts and Retail24:00 - Hybrid Agents vs. Autonomous Agents30:38 - Will we have agentic versions of ourselves?36:45 - How Identity Practitioners can handle the AI wave38:33 - Measuring success and ROI for workload identity43:20 - A blast from the past: DIVX and Circuit City52:15 - ClosingKeywordsIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Aembit, David Goldschlag, Non-human access, Workload Identity, AI Agents, Machine Identity, Cybersecurity, IAM, InfoSec, Tor, DIVX, Zero Trust, Secrets Management, Authentication, Authorization

Hunting for SharePoint In-Memory ToolShell Payloads A walk-through showing how to analyze ToolShell payloads, starting with acquiring packets all the way to decoding embedded PowerShell commands. https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Hunting%20for%20SharePoint%20In-Memory%20ToolShell%20Payloads/32524 Android Security Bulletin December 2025 Google fixed numerous vulnerabilities with its December Android update. Two of these vulnerabilities are already being exploited. https://source.android.com/docs/security/bulletin/2025-12-01 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign A group or individual released several browser extensions that worked fine for years until an update injected malicious code into the extension https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign

Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix The latest variant of ClickFix tricks users into copy/pasting commands by displaying a fake blue screen of death. https://www.acronis.com/en/tru/posts/fake-adult-websites-pop-realistic-windows-update-screen-to-deliver-stealers-via-clickfix/ B2B Guest Access Creates an Unprotected Attack Vector Users may be tricked into joining an external Teams workspace as a guest, bypassing protections typically enabled for Teams workspaces. https://www.ontinue.com/resource/blog-microsoft-chat-with-anyone-understanding-phishing-risk/ Geoserver XXE Vulnerability CVE-2025-58360 Geoserver patched an external XML entity (XXE) vulnerability. https://helixguard.ai/blog/CVE-2025-58360

Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications Spyware attacks messaging applications in part by triggering vulnerabilities in messaging applications but also by deploying tools like keystroke loggers and screenshot applications. https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications Stop Putting Your Passwords Into Random Websites Yes. Just Stop! https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/ Fluentbit Vulnerability https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover Happy Thanksgiving. Next podcast on Monday after Thanksgiving.

Conflicts between URL mapping and URL based access control. Mapping different URLs to the same script, and relying on URL based authentication at the same time, may lead to dangerous authentication and access control gaps. https://isc.sans.edu/diary/Conflicts%20between%20URL%20mapping%20and%20URL%20based%20access%20control./32518 Sha1-Hulud, The Second Coming A new, destructive variant of the Shai-Hulud worm is currently spreading through NPM/Github repos. https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised Hacklore: Cleaning up Outdated Security Advice A new website, hacklore.org, has published an open letter from former CISOs and other security leaders aimed at addressing some outdated security advice that is often repeated. https://www.hacklore.org

Use of CSS stuffing as an obfuscation technique? Phishing sites stuff their HTML with benign CSS code. This is likely supposed to throw of simple detection engines https://isc.sans.edu/diary/Use%20of%20CSS%20stuffing%20as%20an%20obfuscation%20technique%3F/32510 Critical Oracle Identity Manager Flaw Possibly Exploited as Zero-Day Early exploit attempts for the vulnerability were part of Searchlight Cyber s research effort https://www.securityweek.com/critical-oracle-identity-manager-flaw-possibly-exploited-as-zero-day/ ClamAV Cleaning Signature Database ClamAV will significantly clean up its signature database https://blog.clamav.net/2025/11/clamav-signature-retirement-announcement.html

Oracle Identity Manager Exploit Observation from September (CVE-2025-61757) We observed some exploit attempts in September against an Oracle Identity Manager vulnerability that was patched in October, indicating that exploitation may have occurred prior to the patch being released. https://isc.sans.edu/diary/Oracle%20Identity%20Manager%20Exploit%20Observation%20from%20September%20%28CVE-2025-61757%29/32506 https://slcyber.io/research-center/breaking-oracles-identity-manager-pre-auth-rce/ DigitStealer: a JXA-based infostealer that leaves little footprint https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/ SonicWall DoS Vulnerability Sonicwall patched a DoS vulnerability in SonicOS https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0016 Adam Wilson: Automating Generative AI Guidelines: Reducing Prompt Injection Risk with 'Shift-Left' MITRE ATLAS Mitigation Testing

Unicode: It is more than funny domain names. Unicode can cause a number of issues due to odd features like variance selectors and text direction issues. https://isc.sans.edu/diary/Unicode%3A%20It%20is%20more%20than%20funny%20domain%20names./32472 FortiWeb Multiple OS command injection in API and CLI A second silently patched vulnerability in FortiWeb is already being exploited in the wild. https://fortiguard.fortinet.com/psirt/FG-IR-25-513 DLink DIR-878 Vulnerability DLink disclosed four different vulnerabilities in its popular DIR-878 router. The router is end-of-life and DLink will not release patches https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10475 Operation WrtHug, The Global Espionage Campaign Hiding in Your Home Router A new report, Operation WrtHug, has uncovered a massive, coordinated effort that has compromised thousands of ASUS routers worldwide. https://securityscorecard.com/blog/operation-wrthug-the-global-espionage-campaign-hiding-in-your-home-router/

KongTuke Activity This diary investigates how a recent Kong Tuke infections evolved all the way from starting with a ClickFix attack. https://isc.sans.edu/diary/KongTuke%20activity/32498 Cloudflare Outage Cloudflare suffered a large outage today after an oversized configuration file was loaded into its bot protection service https://x.com/dok2001 Google Patches Chrome 0-Day Google patched two vulnerabilities in Chrome. One of them is already being exploited. https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html

Online video games have evolved into vast financial ecosystems where real and virtual value mix at scale. This presentation shows how these spaces serve as efficient laundering channels, converting illicit funds from organized crime, sanctions evasion, terrorist financing, and digital fraud into assets that appear legitimate. Illicit value typically enters via card not present transactions, stolen digital wallets, and scam revenues before it is routed into platform marketplaces. From there, funds convert into tradeable virtual assets such as cosmetics, currencies, loot boxes, and content bundles, which can be divided into thousands of rapid microtransactions. Widely cited estimates place illicit financial flows at 2 to 5 percent of global GDP (roughly $800 billion to $2 trillion a year), while in game spending will reach $74.4 billion in 2025, providing liquidity, speed, and plausible deniability. About the speaker: Stephen Flowerday is a Professor in the School of Computer and Cyber Sciences at Augusta University. His research focuses on cybersecurity management, cybercrime, behavioral information security, and human-centric cybersecurity at the intersection of technology, processes, and people. His work has been supported by IBM, THRIP, the NRF, SASUF, Erasmus, and GMRDC. He serves as an associate editor and frequent reviewer for leading journals and conferences, and has reviewed grants for the Israeli NSF, the South African NRF, the U.S. NSF, and Bahrain's DHE.

Decoding Binary Numeric Expressions Didier updated his number to hex script to support simple arithmetic operations in the text. https://isc.sans.edu/diary/Decoding%20Binary%20Numeric%20Expressions/32490 Tea Token NPM Pollution The NPM repository was hit with around 150,000 submissions that did not contain any useful contributions, but instead attempted to fake contributions to earn a new tea coin. https://aws.amazon.com/blogs/security/amazon-inspector-detects-over-150000-malicious-packages-linked-to-token-farming-campaign/ IBM AIX NIMSH Vulnerabilities IBM patched several critical vulnerablities in the NIMSH daemon https://www.ibm.com/support/pages/node/7251173

Fortiweb Vulnerability Fortinet, with significant delay, acknowledged a recently patched vulnerability after exploit attempts were seen publicly. https://isc.sans.edu/diary/Honeypot+FortiWeb+CVE202564446+Exploits/32486 https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/ https://fortiguard.fortinet.com/psirt/FG-IR-25-910?ref=labs.watchtowr.com Flnger.exe and ClickFix Attackers started to use the finger.exe binary to retrieve additional payload in ClickFix attacks https://isc.sans.edu/diary/Finger.exe%20%26%20ClickFix/32492

In this episode of the Identity at the Center podcast, hosts Jeff and Jim broadcast from InfoSec World 2025, sharing lively discussions on identity management, AI security, and identity's evolving role in information security. They are joined by Ross Young and G Mark Hardy, co-hosts of the CISO Tradecraft podcast, who share their journeys into cybersecurity, illuminating how identity intersects with cybersecurity topics like deep fakes, AI implications, and non-human identities. The conversation also covers practical advice for securing budget approvals for identity projects and speculations on the role of AI in cybersecurity's future. The episode wraps up with each guest sharing personal ideas for potential new podcast ventures.The CISO Tradecraft podcast: CISOTradecraft.comConnect with Ross: https://www.linkedin.com/in/mrrossyoung/Connect with G Mark: https://www.linkedin.com/in/gmarkhardy/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapters00:00 Introduction and Welcome00:16 Live from InfoSec World 202500:52 Shoutouts and Day Jobs01:37 Meeting Ross and G Mark from the CISO Tradecraft podcast02:22 Ross's Journey into Cybersecurity04:24 G Mark's Cybersecurity Career Path07:44 Top Concerns for CISOs Today09:53 The Role of Identity in Cybersecurity16:18 Challenges and Trends in Identity Management24:33 Pitching Identity Projects to CISOs32:21 The Role of AI in Automating SOC Operations33:23 AI's Impact on Developer Efficiency35:48 The Future of AI-Assisted Coding37:42 Challenges and Opportunities in AI and Cybersecurity39:46 The Importance of Human Expertise in AI Development48:17 The Role of Identity in Information Security49:44 Introduction to CISO Tradecraft Podcast55:24 Podcasting Tips and Personal Interests01:00:48 Conclusion and Final ThoughtsKeywords:Identity at the Center, IDAC, CISO Tradecraft, InfoSec World 2025, cybersecurity leadership, identity security, IAM, AI security, Jeff Steadman, Jim McDonald, Ross Young, G. Mark Hardy, InfoSec, CISOs, cyber career development, non-human identity, deepfakes, security automation

SmartApeSG campaign uses ClickFix page to push NetSupport RAT A detailed analysis of a recent SamtApeSG campaign taking advantage of ClickFix https://isc.sans.edu/diary/32474 Formbook Delivered Through Multiple Scripts An analysis of a recent version of Formbook showing how it takes advantage of multiple obfuscation tricks https://isc.sans.edu/diary/32480 sudo-rs vulnerabilities Two vulnerabilities were patched in sudo-rs, the version of sudo written in Rust, showing that while Rust does have an advantage when it comes to memory safety, there are plenty of other vulnerabilities to worry about https://ubuntu.com/security/notices/USN-7867-1 https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw?ref=itsfoss.com SANS Holiday Hack Challenge https://sans.org/HolidayHack

OWASP Top 10 2025 Release Candidate OWASP published a release candidate for the 2025 version of its Top 10 list https://owasp.org/Top10/2025/0x00_2025-Introduction/ Citrix/Cisco Exploitation Details Amazon detailed how Citrix and Cisco vulnerabilities were used by advanced actors to upload webshells https://aws.amazon.com/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/ Testing Quantum Readyness A website tests your services for post-quantum computing-resistant cryptographic algorithms https://qcready.com/

Microsoft Patch Tuesday for November 2025 https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+for+November+2025/32468/ Gladinet Triofox Vulnerability Triofox uses the host header in lieu of proper access control, allowing an attacker to access the page managing administrators by simply setting the host header to localhost. https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/ SAP November 2025 Patch Day SAP fixed a critical vulnerability, fixed default credentials in its SQL Anywhere Monitor https://onapsis.com/blog/sap-security-patch-day-november-2025/ Ivanti Endpoint Manager Updates https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2025-for-EPM-2024?language=en_US

Reasoning—the process of drawing conclusions from prior knowledge—is a hallmark of intelligence. Large language models, and more recently, large reasoning models have demonstrated impressive results on many reasoning-intensive benchmarks. Careful studies over the past few years have revealed that LLMs may exhibit some reasoning behavior, and larger models tend to do better on reasoning tasks. However, even the largest current models still struggle on various kinds of reasoning problems. In this talk, we will try to address the question: Are the observed reasoning limitations of LLMs fundamental in nature? Or will they be resolved by further increasing the size and data of these models, or by better techniques for training them? I will describe recent work to tackle this question from several different angles. The answer to this question will help us to better understand the risks posed by future LLMs as vast resources continue to be invested in their development. About the speaker: Abulhair Saparov is an Assistant Professor of Computer Science at Purdue University. His research focuses on applications of statistical machine learning to natural language processing, natural language understanding, and reasoning. His recent work closely examines the reasoning capacity of large language models, identifying fundamental limitations, and developing new methods and tools to address or workaround those limitations. He has also explored the use of symbolic and neurosymbolic methods to both understand and improve the reasoning capabilities of AI models. He is also broadly interested in other applications of statistical machine learning, such as to the natural sciences.

It isn t always defaults: Scans for 3CX Usernames Our honeypots detected scans for usernames that may be related to 3CX business phone systems https://isc.sans.edu/diary/It%20isn%27t%20always%20defaults%3A%20Scans%20for%203CX%20usernames/32464 Watchguard Default Password Controversy A CVE number was assigned to a default password commonly used in Watchguard products. This was a documented username and password that was recently removed in a firmware upgrade. https://github.com/cyberbyte000/CVE-2025-59396/blob/main/CVE-2025-59396.txt https://nvd.nist.gov/vuln/detail/CVE-2025-59396 JavaScript expr-eval Vulnerability The JavaScript expr-eval library was vulnerable to a code execution issue. https://www.kb.cert.org/vuls/id/263614

Honeypot Requests for Code Repository Attackers continue to scan websites for source code repositories. Keep your repositories outside your document root and proactively scan your own sites. https://isc.sans.edu/diary/Honeypot%3A%20Requests%20for%20%28Code%29%20Repositories/32460 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads Newly discovered malicious .NET packages attempt to deliver a time-delayed attack targeting ICS systems. https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-destructive-payloads Side Channel Leaks in Encrypted Traffic to LLMs Traffic to LLMs can be profiled to discover the nature of prompts sent by a user based on the amount and structure of the encrypted data. https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/

Binary Breadcrumbs: Correlating Malware Samples with Honeypot Logs Using PowerShell [Guest Diary] Windows, with PowerShell, has a great scripting platform to match common Linux/Unix command line utilities. https://isc.sans.edu/diary/Binary%20Breadcrumbs%3A%20Correlating%20Malware%20Samples%20with%20Honeypot%20Logs%20Using%20PowerShell%20%5BGuest%20Diary%5D/32454 RondoDox v2 Increases Exploits The RondoDox (or RondoWorm) added a substantial amount of new exploits to its repertoire. https://beelzebub.ai/blog/rondo-dox-v2/ Google Chrome Updates Google released an update for Google Chrome addressing five vulnerabilities. https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html Cisco Unified Contact Center Express Remote Code Execution Vulnerabilities Cisco patched two critical vulnerabilities in its Contact Center Express software. These vulnerabilities may lead to a full system compromise. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ

Updates to Domainname API Some updates to our domainname API will make it more flexible and make it easier and faster to get the complete dataset. https://isc.sans.edu/diary/Updates%20to%20Domainname%20API/32452 Microsoft Teams Impersonation and Spoofing Vulnerabilities Checkpoint released details about recently patched spoofing and impersonation vulnerabilities in Microsoft Teams https://research.checkpoint.com/2025/microsoft-teams-impersonation-and-spoofing-vulnerabilities-exposed/ NViso Report: VSHELL NViso published an amazingly detailed report describing the remote control implant VSHELL. The report includes details about the inner workings of the tool as well as detection ideas. https://www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool

Apple Patches Everything, Again Apple released a minor OS upgrade across its lineup, fixing a number of security vulnerabilities. https://isc.sans.edu/diary/Apple%20Patches%20Everything%2C%20Again/32448 Remote Access Tools Used to Compromise Trucking and Logistics Attackers infect trucking and logistics companies with regular remote management tools to inject malware into other companies or learn about high-value loads in order to steal them. https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics Google Android Patch Day Google released its usual monthly Android updates this week https://source.android.com/docs/security/bulletin/2025-11-01

XWiki SolrSearch Exploit Attempts CVE-2025-24893 We have detected a number of exploit attempts against XWiki taking advantage of a vulnerability that was added to the KEV list on Friday. https://isc.sans.edu/diary/XWiki%20SolrSearch%20Exploit%20Attempts%20%28CVE-2025-24893%29%20with%20link%20to%20Chicago%20Gangs%20Rappers/32444 AMD Zen 5 Random Number Generator Bug The RDSEED function for AMD s Zen 5 processors does return 0 more often than it should. https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html SleepyDuck malware invades Cursor through Open VSX Yet another Open VSX extension stealing crypto credentials https://secureannex.com/blog/sleepyduck-malware/

Scans for WSUS: Port 8530/8531 TCP, CVE-2025-59287 We did observe an increase in scans for TCP ports 8530 and 8531. These ports are associated with WSUS and the scans are likely looking for servers vulnerable to CVE-2025-59287 https://isc.sans.edu/diary/Scans%20for%20Port%208530%208531%20%28TCP%29.%20Likely%20related%20to%20WSUS%20Vulnerability%20CVE-2025-59287/32440 BADCANDY Webshell Implant Deployed via The Australian Signals Directorate warns that they still see Cisco IOS XE devices not patches for CVE-2023-20198. A threat actor is now using this vulnerability to deploy the BADCANDY implant for persistent access https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy Improvements to Open VSX Security In reference to the Glassworm incident, OpenVSX published a blog post outlining some of the security improvements they will make to prevent a repeat of this incident. https://blogs.eclipse.org/post/mika l-barbero/open-vsx-security-update-october-2025

X-Request-Purpose: Identifying "research" and bug bounty related scans? Our honeypots captured a few requests with bug bounty specific headers. These headers are meant to make it easier to identify requests related to bug bounty, and they are supposed to identify the researcher conducting the scans https://isc.sans.edu/diary/X-Request-Purpose%3A%20Identifying%20%22research%22%20and%20bug%20bounty%20related%20scans%3F/32436 Proton Breach Observatory Proton opened up its breach observatory. This website will collect information about breaches affecting companies that have not yet made the breach public. https://proton.me/blog/introducing-breach-observatory Microsoft Exchange Server Security Best Practices A new document published by a collaboration of national cyber security agencies summarizes steps that should be taken to harden Exchange Server. https://www.nsa.gov/Portals/75/documents/resources/cybersecurity-professionals/CSI_Microsoft_Exchange_Server_Security_Best_Practices.pdf?ver=9mpKKyUrwfpb9b9r4drVMg%3d%3d MOVEit Vulnerability Progress published an advisory for its file transfer program MOVEIt . This software has had heavily exploited vulnerabilities in the past. https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-10932-October-29-2025

How to Collect Memory-Only Filesystems on Linux Systems Getting forensically sound copies of memory-only file systems on Linux can be tricky, as tools like dd do not work. https://isc.sans.edu/diary/How%20to%20collect%20memory-only%20filesystems%20on%20Linux%20systems/32432 Microsoft Azure Front Door Outage Today, Microsoft s Azure Front Door service failed, leading to users not being able to authenticate to various Azure-related services. https://azure.status.microsoft/en-us/status Docker-Compose Vulnerability A vulnerability in docker-compose may be used to trick users into creating files outside the docker-compose directory https://github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q

Phishing with Invisible Characters in the Subject Line Phishing emails use invisible UTF-8 encoded characters to break up keywords used to detect phishing (or spam). This is aided by mail clients not rendering some characters that should be rendered. https://isc.sans.edu/diary/A%20phishing%20with%20invisible%20characters%20in%20the%20subject%20line/32428 Apache Tomcat PUT Directory Traversal Apache released an update to Tomcat fixing a directory traversal vulnerability in how the PUT method is used. Exploits could upload arbitrary files, leading to remote code execution. https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog BIND9 DNS Spoofing Vulnerability A PoC exploit is now available for the recently patched BIND9 spoofing vulnerability https://gist.github.com/N3mes1s/f76b4a606308937b0806a5256bc1f918

Send us a textIn this candid and cathartic episode, Ken and Mike unpack the chaos that is Q4 for security professionals. From budget burnouts to end-of-year pentesting sprints, they explore why the final months of the year feel like a perfect storm for stress. Tune in as they share hard-earned lessons, practical advice for maintaining your sanity, and some gentle reminders that not everything needs to ship before Christmas. Whether you're a tired vendor, an overwhelmed engineer, or just trying to make it to PTO, this episode is for you.

Bytes over DNS Didiear investigated which bytes may be transmitted as part of a hostname in DNS packets, depending on the client resolver and recursive resolver constraints https://isc.sans.edu/diary/Bytes%20over%20DNS/32420 Unifi Access Vulnerability Unifi fixed a critical vulnerability in it s Access product https://community.ui.com/releases/Security-Advisory-Bulletin-056-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191 OpenAI Atlas Omnibox Prompt Injection OpenAI s latest browser can be jailbroken by inserting prompts in URLs https://neuraltrust.ai/blog/openai-atlas-omnibox-prompt-injection

Bilingual Phishing for Cloud Credentials Guy observed identical phishing messages in French and English attempting to phish cloud credentials https://isc.sans.edu/diary/Phishing%20Cloud%20Account%20for%20Information/32416 Kaitai Struct WebIDE The binary file analysis tool Kaitai Struct is now available in a web only version https://isc.sans.edu/diary/Kaitai%20Struct%20WebIDE/32422 WSUS Emergency Update Microsoft released an emergency patch for WSUS to fix a currently exploited critical vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287 Network Security Devices Endanger Orgs with 90s-era Flaws Attackers increasingly use simple-to-exploit network security device vulnerabilities to compromise organizations. https://www.csoonline.com/article/4074945/network-security-devices-endanger-orgs-with-90s-era-flaws.html

Infostealer Targeting Android Devices This infostealer, written in Python, specifically targets Android phones. It takes advantage of Termux to gain access to data and exfiltrates it via Telegram. https://isc.sans.edu/diary/Infostealer%20Targeting%20Android%20Devices/32414 Attackers exploit recently patched Adobe Commerce Vulnerability CVE-2025-54236 Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active exploitation. E-Commerce security company SanSec has detected multiple exploit attempts. https://sansec.io/research/sessionreaper-exploitation Patch for BIND and unbound nameservers CVE-2025-40780 The Internet Systems Consortium (ISC.org), as well as the Unbound project, patched a flaw that may allow for DNS spoofing due to a weak random number generator. https://kb.isc.org/docs/cve-2025-40780 WSUS Exploit Released CVE-2025-59287 Hawktrace released a walk through showing how to exploit the recently patched WSUS vulnerability https://hawktrace.com/blog/CVE-2025-59287

Register for FREE Infosec Webcasts, Anti-casts & Summits – https://poweredbybhis.com00:00:00 - PreShow Banter™ — AWS Snow Day Party00:11:31 - Online Book Store Takes Down Half of the Internet - BHIS - Talkin' Bout [infosec] News 2025-10-2000:12:12 - Story # 1: F5 says hackers stole undisclosed BIG-IP flaws, source code00:35:11 - Story # 2: Newsom signs age verification law, siding with tech giants over Hollywood00:48:39 - Story # 3: Researchers find a startlingly cheap way to steal your secrets from space00:55:04 - Story # 4: Jeff Bezos Has a Plan to Curb AI's Carbon Footprint: Send Data Centers to Space01:02:22 - Story # 5: SolarWinds Security Chief reflects on the Russian hack that exposed US government agencies

webctrl.cgi/Blue Angel Software Suite Exploit Attempts. Maybe CVE-2025-34033 Variant? Our honeypots detected attacks that appear to exploit CVE-2025-34033 or a similar vulnerability in the Blue Angle Software Suite. https://isc.sans.edu/diary/webctrlcgiBlue+Angel+Software+Suite+Exploit+Attempts+Maybe+CVE202534033+Variant/32410 Oracle Critical Patch Update Oracle released its quarterly critical patch update. The update includes patches for 374 vulnerabilities across all of Oracle s products. There are nine more patches for Oracle s e-Business Suite. https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixEBS Rust TAR Library Vulnerability A vulnerability in the popular, but no longer maintained, async-tar vulnerability could lead to arbitrary code execution https://edera.dev/stories/tarmageddon

What time is it? Accuracy of pool.ntp.org. How accurate and reliable is pool.ntp.org? Turns out it is very good! https://isc.sans.edu/diary/What%20time%20is%20it%3F%20Accuracy%20of%20pool.ntp.org./32390 Xubuntu Compromise The Xubuntu website was compromised last weekend and served malware https://floss.social/@bluesabre/115401767635718361 Squid Proxy Vulnerability The Squid team fixed an information disclosure vulnerabilty that may leak authentication credentials. https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr Lanscope Endpoint Manager Vulnerablity https://jvn.jp/en/jp/JVN86318557/index.html

Using Syscall() for Obfuscation/Fileless Activity Fileless malware written in Python can uses syscall() to create file descriptors in memory, evading signatures. https://isc.sans.edu/diary/Using%20Syscall%28%29%20for%20Obfuscation%20Fileless%20Activity/32384 AWS Outages AWS has had issues most of the day on Monday, affecting numerous services. https://health.aws.amazon.com/health/status Time Server Hack China reports a compromise of its time standard servers. https://thehackernews.com/2025/10/mss-claims-nsa-used-42-cyber-tools-in.html

TikTok Videos Promoting Malware InstallationTikTok Videos Promoting Malware Installation Tiktok videos advertising ways to obtain software like Photoshop for free will instead trick users into downloading https://isc.sans.edu/diary/TikTok%20Videos%20Promoting%20Malware%20Installation/32380 Google Ads Advertise Malware Targeting MacOS Developers Hunt.io discovered Google ads that pretend to advertise tools like Homebrew and password managers to spread malware https://hunt.io/blog/macos-odyssey-amos-malware-campaign Satellite Transmissions are often unencrypted A large amount of satellite traffic is unencrypted and easily accessible to eavesdropping https://satcom.sysnet.ucsd.edu

New DShield Support Slack Workspace Due to an error on Salesforce s side, we had to create a new Slack Workspace for DShield support. https://isc.sans.edu/diary/New%20DShield%20Support%20Slack/32376 Attackers Exploiting Recently Patched Cisco SNMP Flaw (CVE-2025-20352) Trend Micro published details explaining how attackers took advantage of a recently patched Cisco SNMP Vulnerability https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte Framework BIOS Backdoor The mm command impleneted in Framework BIOS shells can be used to compromise a device pre-boot. https://eclypsium.com/blog/bombshell-the-signed-backdoor-hiding-in-plain-sight-on-framework-devices/ SANS.edu Research: Mark Stephens, Validating the Effectiveness of MITRE Engage and Active Defense https://www.sans.edu/cyber-research/validating-effectiveness-mitre-engage-active-defense/

Clipboard Image Stealer Xavier presents an infostealer in Python that steals images from the clipboard. https://isc.sans.edu/diary/Clipboard%20Pictures%20Exfiltration%20in%20Python%20Infostealer/32372 F5 Compromise F5 announced a wide-ranging compromise today. Source code and information about unpatched vulnerabilities were stolen. https://my.f5.com/manage/s/article/K000157005 https://my.f5.com/manage/s/article/K000156572 https://my.f5.com/manage/s/article/K000154696 Adobe Updates Adobe updated 12 different products yesterday. https://helpx.adobe.com/security.html SAP Patchday Among the critical vulnerabilities patched in SAP s products are two deserialization vulnerabilities with a CVSS score of 10.0 https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2025.html https://onapsis.com/blog/sap-security-patch-day-october-2025/

Microsoft Patch Tuesday Microsoft not only released new patches, but also the last patches for Windows 10, Office 2016, Office 2019, Exchange 2016 and Exchange 2019. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20October%202025/32368 Ivanti Advisory Ivanti released an advisory with some mitigation steps users can take until the recently made public vulnerablities are patched. https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025?language=en_US Fortinet Patches https://fortiguard.fortinet.com/psirt/FG-IR-25-010 https://fortiguard.fortinet.com/psirt/FG-IR-24-361

Scans for ESAFENET CDG V5 We do see some increase in scans for the Chinese secure document management system, ESAFENET. https://isc.sans.edu/diary/Heads%20Up%3A%20Scans%20for%20ESAFENET%20CDG%20V5%20/32364 Investigating targeted payroll pirate attacks affecting US universities Microsoft wrote about how payroll pirates redirect employee paychecks via phishing. https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/ Attacks against Edge via IE Mode Microsoft Edge offers an IE legacy mode to support websites created for Internet Explorer. The old JavaScript engine, which is part of this mode, has been abused in recent attacks, and Microsoft will make it more difficult to enable IE Mode to counter these attacks. https://microsoftedge.github.io/edgevr/posts/Changes-to-Internet-Explorer-Mode-in-Microsoft-Edge/