1
00:00:00,000 --> 00:00:02,319
Cipherceval:
So here's a fun question for
you.

2
00:00:02,319 --> 00:00:03,759
Cipherceval:
What do you call a security

3
00:00:03,759 --> 00:00:05,200
Cipherceval:
appliance that's supposed to

4
00:00:05,200 --> 00:00:06,639
Cipherceval:
protect your entire firewall

5
00:00:06,639 --> 00:00:08,880
Cipherceval:
infrastructure, but can be taken

6
00:00:08,880 --> 00:00:10,439
Cipherceval:
over by an unauthenticated

7
00:00:10,439 --> 00:00:12,919
Cipherceval:
attacker with a single HTTP

8
00:00:12,919 --> 00:00:14,080
Cipherceval:
request?

9
00:00:14,080 --> 00:00:15,400
Cipherceval:
Because this week, Cisco

10
00:00:15,400 --> 00:00:18,539
Cipherceval:
disclosed not one, but two CVSS

11
00:00:18,539 --> 00:00:20,800
Cipherceval:
ten point zero vulnerabilities

12
00:00:20,800 --> 00:00:22,440
Cipherceval:
in their Secure Firewall

13
00:00:22,440 --> 00:00:24,079
Cipherceval:
management center.

14
00:00:24,079 --> 00:00:26,239
Cipherceval:
And when that thing that manages

15
00:00:26,239 --> 00:00:27,559
Cipherceval:
all of your firewalls is the

16
00:00:27,559 --> 00:00:29,199
Cipherceval:
thing that's vulnerable, I don't

17
00:00:29,199 --> 00:00:29,879
Cipherceval:
know.

18
00:00:29,879 --> 00:00:33,039
Cipherceval:
Red alerts start going off in my
head, but that's just a start.

19
00:00:33,039 --> 00:00:36,100
Cipherceval:
We've also got a nation state
group mass producing AI

20
00:00:36,100 --> 00:00:40,060
Cipherceval:
generated malware so fast, the
researchers are calling it a

21
00:00:40,060 --> 00:00:42,600
Cipherceval:
distributed denial of detection.

22
00:00:42,600 --> 00:00:45,520
Cipherceval:
Google just dropped the largest
Android security update in

23
00:00:45,520 --> 00:00:48,719
Cipherceval:
almost eight years: one hundred
and twenty nine vulnerabilities,

24
00:00:48,719 --> 00:00:53,600
Cipherceval:
including a zero day that CISA
has already flagged.

25
00:00:53,600 --> 00:00:57,520
Cipherceval:
Chinese state linked hackers are
burrowing into South American

26
00:00:57,520 --> 00:01:00,359
Cipherceval:
telecom infrastructure with
three brand new malware

27
00:01:00,359 --> 00:01:03,840
Cipherceval:
families, and LexisNexis, a
company that called itself one

28
00:01:03,840 --> 00:01:06,760
Cipherceval:
of the largest protectors of
private data in the world.

29
00:01:06,760 --> 00:01:07,959
Cipherceval:
Uh, well, they got breached

30
00:01:07,959 --> 00:01:09,579
Cipherceval:
because their password was

31
00:01:09,579 --> 00:01:11,920
Cipherceval:
Lexis1234.

32
00:01:11,920 --> 00:01:14,120
Cipherceval:
Yeah, we got a lot to talk
about.

33
00:01:21,647 --> 00:01:25,608
Cipherceval:
But hey, welcome back to Exploit
brokers by Forgebound Research.

34
00:01:25,608 --> 00:01:31,487
Cipherceval:
I'm your host, Cipherceval, this
is HN episode sixty five.

35
00:01:31,487 --> 00:01:34,207
Cipherceval:
As always, I'm sharing
information and awareness here.

36
00:01:34,207 --> 00:01:35,447
Cipherceval:
Talk to your own security team

37
00:01:35,447 --> 00:01:36,768
Cipherceval:
for anything specific to your

38
00:01:36,768 --> 00:01:37,647
Cipherceval:
environment.

39
00:01:37,647 --> 00:01:40,328
Cipherceval:
If this is your first time here,
consider subscribing.

40
00:01:40,328 --> 00:01:43,727
Cipherceval:
I know that a lot of my audience
who watches isn't subscribed.

41
00:01:43,727 --> 00:01:44,447
Cipherceval:
Do me a favor guys.

42
00:01:44,447 --> 00:01:45,647
Cipherceval:
If you're on YouTube.

43
00:01:45,647 --> 00:01:47,287
Cipherceval:
Now, if you're listening on a

44
00:01:47,287 --> 00:01:48,567
Cipherceval:
podcast platform, leave a

45
00:01:48,567 --> 00:01:49,048
Cipherceval:
review.

46
00:01:49,048 --> 00:01:51,608
Cipherceval:
It genuinely helps other people
find the show.

47
00:01:51,608 --> 00:01:54,968
Cipherceval:
And again, if you're watching on
YouTube, please also smash that

48
00:01:54,968 --> 00:01:57,847
Cipherceval:
like button and hit the bell
icon because we've got five

49
00:01:57,847 --> 00:02:00,447
Cipherceval:
stories today and every single
one of them matters.

50
00:02:00,447 --> 00:02:01,768
Cipherceval:
Let's get into it.

51
00:02:01,567 --> 00:02:02,328
Cipherceval:
All right.

52
00:02:02,328 --> 00:02:05,188
Cipherceval:
We're starting with something
that should be on every network

53
00:02:05,188 --> 00:02:06,768
Cipherceval:
team's radar right now.

54
00:02:06,768 --> 00:02:10,328
Cipherceval:
On March fourth, Cisco published
a security advisory bundle

55
00:02:10,328 --> 00:02:12,568
Cipherceval:
covering forty eight
vulnerabilities in their

56
00:02:12,568 --> 00:02:14,228
Cipherceval:
firewall product line.

57
00:02:14,228 --> 00:02:16,987
Cipherceval:
But two of them are still
sitting at the very top of the

58
00:02:16,987 --> 00:02:20,228
Cipherceval:
severity scale, and they're the
ones we need to talk about.

59
00:02:20,228 --> 00:02:27,108
Cipherceval:
The first one is CVE-2026-20079,

60
00:02:27,108 --> 00:02:28,427
Cipherceval:
and it's an authentication

61
00:02:28,427 --> 00:02:29,348
Cipherceval:
bypass.

62
00:02:29,348 --> 00:02:31,228
Cipherceval:
To give some context, the Cisco

63
00:02:31,228 --> 00:02:32,627
Cipherceval:
Secure Firewall Management

64
00:02:32,627 --> 00:02:35,147
Cipherceval:
Center, or FMC, is the

65
00:02:35,147 --> 00:02:36,987
Cipherceval:
centralized control plane that

66
00:02:36,987 --> 00:02:38,467
Cipherceval:
manages your entire fleet of

67
00:02:38,467 --> 00:02:39,668
Cipherceval:
Cisco firewalls.

68
00:02:39,668 --> 00:02:41,427
Cipherceval:
Think of it as the brain.

69
00:02:41,427 --> 00:02:44,987
Cipherceval:
It pushes policies, monitors
traffic, controls your firewall

70
00:02:44,987 --> 00:02:47,348
Cipherceval:
Threat Defense devices.

71
00:02:47,348 --> 00:02:49,828
Cipherceval:
Everything runs through the FMC.

72
00:02:49,828 --> 00:02:52,427
Cipherceval:
This vulnerability exists
because of an improperly

73
00:02:52,427 --> 00:02:55,668
Cipherceval:
initialized system process that
gets created at boot time.

74
00:02:55,668 --> 00:02:58,627
Cipherceval:
An attacker, and this is a scary
part.

75
00:02:58,627 --> 00:03:02,747
Cipherceval:
An unauthenticated attacker, no
credentials needed, can send

76
00:03:02,747 --> 00:03:07,268
Cipherceval:
specially crafted HTTP requests
to the FMC web interface and

77
00:03:07,268 --> 00:03:09,508
Cipherceval:
bypass authentication entirely.

78
00:03:09,508 --> 00:03:10,788
Cipherceval:
From there, they can execute

79
00:03:10,788 --> 00:03:12,388
Cipherceval:
scripts and commands with root

80
00:03:12,388 --> 00:03:14,288
Cipherceval:
level access to the underlying

81
00:03:14,288 --> 00:03:15,668
Cipherceval:
operating system.

82
00:03:15,467 --> 00:03:18,467
Cipherceval:
That's the golden goose of
hacking right there.

83
00:03:18,467 --> 00:03:21,948
Cipherceval:
Unauthenticated remote root
access to the device that

84
00:03:21,948 --> 00:03:24,147
Cipherceval:
manages all of your firewalls.

85
00:03:24,147 --> 00:03:24,668
Cipherceval:
Now,

86
00:03:24,467 --> 00:03:31,707
Cipherceval:
the second one is
CVE-2026-20131, and it's a

87
00:03:31,707 --> 00:03:33,228
Cipherceval:
completely separate issue.

88
00:03:33,228 --> 00:03:36,068
Cipherceval:
This one is a remote code
execution vulnerability caused

89
00:03:36,068 --> 00:03:40,487
Cipherceval:
by an insecure deserialization
of Java byte streams in the

90
00:03:40,487 --> 00:03:42,707
Cipherceval:
FMC's web management interface.

91
00:03:42,707 --> 00:03:44,307
Cipherceval:
An attacker sends a crafted

92
00:03:44,307 --> 00:03:46,388
Cipherceval:
serialized Java object and the

93
00:03:46,388 --> 00:03:48,268
Cipherceval:
system processes it without

94
00:03:48,268 --> 00:03:49,668
Cipherceval:
proper validation.

95
00:03:49,668 --> 00:03:51,108
Cipherceval:
That gives them arbitrary code

96
00:03:51,108 --> 00:03:52,747
Cipherceval:
execution, again with root

97
00:03:52,747 --> 00:03:53,707
Cipherceval:
privileges.

98
00:03:53,707 --> 00:03:59,427
Cipherceval:
Now, both of these carry a CVSS
score of 10.0 out of 10.

99
00:03:59,427 --> 00:04:01,147
Cipherceval:
Both are rated with a scope of

100
00:04:01,147 --> 00:04:04,108
Cipherceval:
"Changed", which in CVSS terms

101
00:04:04,108 --> 00:04:06,367
Cipherceval:
means that exploiting the FMC

102
00:04:06,367 --> 00:04:07,987
Cipherceval:
can compromise other components

103
00:04:07,987 --> 00:04:09,828
Cipherceval:
under its management, meaning

104
00:04:09,828 --> 00:04:11,508
Cipherceval:
your actual firewall devices in

105
00:04:11,508 --> 00:04:12,388
Cipherceval:
this case.

106
00:04:12,388 --> 00:04:15,068
Cipherceval:
And here's the kicker: no
workarounds. Patch only.

107
00:04:15,068 --> 00:04:17,067
Cipherceval:
Cisco has released fixed

108
00:04:17,067 --> 00:04:18,747
Cipherceval:
versions, and that's the only

109
00:04:18,747 --> 00:04:19,908
Cipherceval:
path forward.

110
00:04:19,908 --> 00:04:22,247
Cipherceval:
Now I want to connect this to

111
00:04:22,247 --> 00:04:23,427
Cipherceval:
something we talked about last

112
00:04:23,427 --> 00:04:24,148
Cipherceval:
episode.

113
00:04:24,148 --> 00:04:27,247
Cipherceval:
We covered the Cisco SD-WAN

114
00:04:27,247 --> 00:04:32,747
Cipherceval:
vulnerability, CVE-2026-20127,

115
00:04:32,747 --> 00:04:34,387
Cipherceval:
where the Five Eyes intelligence

116
00:04:34,387 --> 00:04:36,288
Cipherceval:
agencies revealed that an APT - 

117
00:04:36,288 --> 00:04:38,348
Cipherceval:
A.P.T. - had been exploiting it

118
00:04:38,348 --> 00:04:42,267
Cipherceval:
since 2023 for years, quietly on

119
00:04:42,267 --> 00:04:43,387
Cipherceval:
network infrastructure that

120
00:04:43,387 --> 00:04:44,887
Cipherceval:
doesn't have traditional EDR

121
00:04:44,887 --> 00:04:45,947
Cipherceval:
coverage.

122
00:04:45,947 --> 00:04:48,588
Cipherceval:
And that's the pattern worth
paying attention to.

123
00:04:48,588 --> 00:04:51,827
Cipherceval:
Cisco found these new FMC
vulnerabilities internally

124
00:04:51,827 --> 00:04:53,588
Cipherceval:
during security testing.

125
00:04:53,588 --> 00:04:58,148
Cipherceval:
They say there's no evidence of
in the wild exploitation yet.

126
00:04:58,148 --> 00:05:02,048
Cipherceval:
But as The Stack pointed out, we
happen to know that Cisco zero

127
00:05:02,048 --> 00:05:05,827
Cipherceval:
days get quietly exploited for
years before anyone notices.

128
00:05:05,827 --> 00:05:12,987
Cipherceval:
The researcher behind
CVE-2026-20079, Brandon Sakai,

129
00:05:12,788 --> 00:05:17,588
Cipherceval:
was also behind a similar FMC
flaw discovered last August.

130
00:05:17,588 --> 00:05:19,228
Cipherceval:
These appliances are living on

131
00:05:19,228 --> 00:05:20,987
Cipherceval:
the edge, literally and

132
00:05:20,987 --> 00:05:21,908
Cipherceval:
figuratively.

133
00:05:21,908 --> 00:05:26,228
Cipherceval:
If your organization is running
Cisco Secure FMC on premises,

134
00:05:26,228 --> 00:05:27,747
Cipherceval:
this is the kind of thing worth

135
00:05:27,747 --> 00:05:29,187
Cipherceval:
escalating today, not next

136
00:05:29,187 --> 00:05:29,627
Cipherceval:
sprint.

137
00:05:29,627 --> 00:05:30,827
Cipherceval:
Update your stuff.

138
00:05:30,827 --> 00:05:33,708
Cipherceval:
A patch does you no good if it's
not installed.

139
00:05:33,507 --> 00:05:34,267
Cipherceval:
All right.

140
00:05:34,267 --> 00:05:37,108
Cipherceval:
Staying on the nation state
theme for a moment, because this

141
00:05:37,108 --> 00:05:41,307
Cipherceval:
next story is honestly, it's one
of the stranger things that I've

142
00:05:41,307 --> 00:05:42,788
Cipherceval:
covered on this show.

143
00:05:42,788 --> 00:05:46,767
Cipherceval:
Bitdefender published research
on March 5th documenting a

144
00:05:46,767 --> 00:05:49,548
Cipherceval:
campaign by APT36.

145
00:05:49,548 --> 00:05:53,168
Cipherceval:
That's the Pakistan linked
group, also known as Transparent

146
00:05:53,168 --> 00:05:57,307
Cipherceval:
Tribe, and they've basically
turned AI coding tools into a

147
00:05:57,307 --> 00:05:58,827
Cipherceval:
malware assembly line.

148
00:05:58,827 --> 00:06:00,267
Cipherceval:
Bitdefender is calling the

149
00:06:00,267 --> 00:06:02,267
Cipherceval:
output "vibeware" and the

150
00:06:02,267 --> 00:06:03,548
Cipherceval:
strategy behind it is

151
00:06:03,548 --> 00:06:06,427
Cipherceval:
"Distributed Denial of
Detection."

152
00:06:06,427 --> 00:06:06,627
Cipherceval:
Let

153
00:06:06,627 --> 00:06:08,908
Cipherceval:
me break that down to give
context. Vibe

154
00:06:08,908 --> 00:06:12,507
Cipherceval:
coding is that trend where
people use large language models
like

155
00:06:12,507 --> 00:06:16,468
Cipherceval:
Claude, and they use that to write
code by describing what they

156
00:06:16,468 --> 00:06:19,088
Cipherceval:
want in natural language.
Basically

157
00:06:19,088 --> 00:06:24,028
Cipherceval:
vibing with an AI to produce
software, APT36 has taken

158
00:06:24,028 --> 00:06:27,668
Cipherceval:
that concept and applied it to
malware and at scale. What

159
00:06:27,668 --> 00:06:29,307
Cipherceval:
they're doing is using AI tools

160
00:06:29,307 --> 00:06:30,788
Cipherceval:
to rapidly generate malware

161
00:06:30,788 --> 00:06:32,588
Cipherceval:
variants across multiple
programming

162
00:06:32,588 --> 00:06:34,307
Cipherceval:
languages, not just Python

163
00:06:34,307 --> 00:06:36,588
Cipherceval:
or C. We're talking niche
languages

164
00:06:36,588 --> 00:06:38,848
Cipherceval:
like Nim, Zig, and Crystal

165
00:06:38,848 --> 00:06:41,548
Cipherceval:
alongside Rust, Go and .NET.

166
00:06:41,548 --> 00:06:41,747
Cipherceval:
And

167
00:06:41,747 --> 00:06:44,048
Cipherceval:
the reason they're doing this is
clever. Most

168
00:06:44,048 --> 00:06:48,067
Cipherceval:
EDR products and antivirus
engines have weaker behavioral
models

169
00:06:48,067 --> 00:06:51,968
Cipherceval:
and signature coverages for less
common runtimes. By

170
00:06:51,968 --> 00:06:53,487
Cipherceval:
porting the same malicious logic

171
00:06:53,487 --> 00:06:55,427
Cipherceval:
across multiple languages,
they're

172
00:06:55,427 --> 00:06:56,548
Cipherceval:
essentially resetting the

173
00:06:56,548 --> 00:06:58,827
Cipherceval:
detection baseline every time.

174
00:06:58,827 --> 00:06:59,108
Cipherceval:
Now,

175
00:06:59,108 --> 00:07:02,307
Cipherceval:
here's the part that makes it
genuinely weird. The

176
00:07:02,307 --> 00:07:03,908
Cipherceval:
malware is bad. Like

177
00:07:03,908 --> 00:07:06,187
Cipherceval:
objectively bad. Bitdefender

178
00:07:06,187 --> 00:07:09,867
Cipherceval:
found samples where a credential
stealer had a placeholder

179
00:07:09,867 --> 00:07:12,848
Cipherceval:
instead of an actual command and
control server address,

180
00:07:12,848 --> 00:07:16,307
Cipherceval:
meaning it could never
exfiltrate any data. Another

181
00:07:16,307 --> 00:07:18,947
Cipherceval:
tool had a status reporting
function that reset its

182
00:07:18,947 --> 00:07:23,507
Cipherceval:
own timestamp every time it ran,
so the infected host always
appeared

183
00:07:23,507 --> 00:07:26,867
Cipherceval:
online, regardless of its actual
state. These

184
00:07:26,867 --> 00:07:31,708
Cipherceval:
kind of bugs are pretty common
when you're doing things that

185
00:07:31,708 --> 00:07:34,627
Cipherceval:
are syntactically correct but
logically unfinished. That

186
00:07:34,627 --> 00:07:36,627
Cipherceval:
is AI output. But

187
00:07:36,627 --> 00:07:38,187
Cipherceval:
here's the thing, and this is

188
00:07:38,187 --> 00:07:39,947
Cipherceval:
what Bitdefender is warning
about.

189
00:07:39,947 --> 00:07:40,108
Cipherceval:
The

190
00:07:40,108 --> 00:07:44,427
Cipherceval:
strategy isn't about quality,
it's about volume. APT36

191
00:07:44,427 --> 00:07:47,468
Cipherceval:
is producing new malware
variants daily. They're

192
00:07:47,468 --> 00:07:48,747
Cipherceval:
flooding target environments

193
00:07:48,747 --> 00:07:50,367
Cipherceval:
with disposable polyglot

194
00:07:50,367 --> 00:07:51,468
Cipherceval:
binaries. And

195
00:07:51,468 --> 00:07:54,767
Cipherceval:
the idea is that even if ninety
percent of them get caught,

196
00:07:54,767 --> 00:07:58,987
Cipherceval:
the remaining ten percent only
need to work once. Distributed

197
00:07:58,987 --> 00:08:03,148
Cipherceval:
denial of detection overwhelm
the defenders not with
sophistication,

198
00:08:03,148 --> 00:08:05,307
Cipherceval:
but with noise. And

199
00:08:05,307 --> 00:08:06,588
Cipherceval:
some of it does work.

200
00:08:06,627 --> 00:08:08,548
Cipherceval:
Bitdefender identified a tool

201
00:08:08,548 --> 00:08:10,708
Cipherceval:
called LuminousCookies that

202
00:08:10,708 --> 00:08:12,588
Cipherceval:
successfully bypassed App-Bound

203
00:08:12,588 --> 00:08:14,387
Cipherceval:
Encryption to steal browser

204
00:08:14,387 --> 00:08:15,788
Cipherceval:
stored credentials from Chrome

205
00:08:15,788 --> 00:08:16,827
Cipherceval:
and Edge.

206
00:08:16,827 --> 00:08:18,348
Cipherceval:
It does this by injecting itself

207
00:08:18,348 --> 00:08:19,908
Cipherceval:
into the browser's own process

208
00:08:19,908 --> 00:08:21,387
Cipherceval:
memory, pretending to be a

209
00:08:21,387 --> 00:08:23,028
Cipherceval:
legitimate component to get the

210
00:08:23,028 --> 00:08:24,267
Cipherceval:
decryption keys.

211
00:08:24,267 --> 00:08:25,668
Cipherceval:
That's not trivial.

212
00:08:25,668 --> 00:08:27,187
Cipherceval:
The targets here are Indian

213
00:08:27,187 --> 00:08:28,267
Cipherceval:
government networks and

214
00:08:28,267 --> 00:08:29,987
Cipherceval:
diplomatic missions, and the

215
00:08:29,987 --> 00:08:32,028
Cipherceval:
campaign uses trusted cloud

216
00:08:32,028 --> 00:08:33,187
Cipherceval:
platforms for command and

217
00:08:33,187 --> 00:08:33,707
Cipherceval:
control.

218
00:08:33,707 --> 00:08:35,307
Cipherceval:
Google Sheets, Slack,

219
00:08:35,307 --> 00:08:37,427
Cipherceval:
Discord, Supabase.

220
00:08:37,427 --> 00:08:40,107
Cipherceval:
What the security community
calls living off trusted

221
00:08:40,107 --> 00:08:44,707
Cipherceval:
services, or LOTS. That C2
traffic blends right in with

222
00:08:44,707 --> 00:08:46,628
Cipherceval:
legitimate API requests.

223
00:08:46,707 --> 00:08:49,467
Cipherceval:
Now, if you've been following
the show, you know we've been

224
00:08:49,467 --> 00:08:53,707
Cipherceval:
tracking this AI-in-offense
trend across multiple episodes.

225
00:08:53,707 --> 00:08:55,427
Cipherceval:
HN63 covered the FortiGate

226
00:08:55,427 --> 00:08:56,947
Cipherceval:
campaign using AI for attack

227
00:08:56,947 --> 00:08:57,908
Cipherceval:
planning.

228
00:08:57,908 --> 00:09:02,148
Cipherceval:
HN64 covered multiple instances
of AI enhanced attacks and

229
00:09:02,148 --> 00:09:03,707
Cipherceval:
malware using AI.

230
00:09:03,707 --> 00:09:07,227
Cipherceval:
And now we're seeing APT36 take
it to the production line.

231
00:09:07,227 --> 00:09:10,508
Cipherceval:
The pattern is clear: AI isn't
making attackers smarter per se,

232
00:09:10,508 --> 00:09:13,628
Cipherceval:
it's making them faster and
harder to keep up with.

233
00:09:13,427 --> 00:09:16,908
Cipherceval:
So let's shift gears into
something that affects basically

234
00:09:16,908 --> 00:09:18,508
Cipherceval:
everyone watching this.

235
00:09:18,508 --> 00:09:20,187
Cipherceval:
On March third, Google released

236
00:09:20,187 --> 00:09:22,467
Cipherceval:
its March 2026 Android security

237
00:09:22,467 --> 00:09:24,587
Cipherceval:
bulletin, and this one is a

238
00:09:24,587 --> 00:09:25,288
Cipherceval:
monster.

239
00:09:25,288 --> 00:09:28,748
Cipherceval:
129 vulnerabilities patched in a
single month.

240
00:09:28,748 --> 00:09:30,067
Cipherceval:
This is the highest number since

241
00:09:30,067 --> 00:09:32,187
Cipherceval:
April 2018, almost eight years

242
00:09:32,187 --> 00:09:32,548
Cipherceval:
ago.

243
00:09:32,548 --> 00:09:34,268
Cipherceval:
That's not normal.

244
00:09:34,268 --> 00:09:36,048
Cipherceval:
The headline vulnerability is

245
00:09:36,048 --> 00:09:41,827
Cipherceval:
CVE-2026-21385, a memory

246
00:09:41,827 --> 00:09:43,028
Cipherceval:
corruption flaw in an open

247
00:09:43,028 --> 00:09:44,427
Cipherceval:
source Qualcomm display driver

248
00:09:44,427 --> 00:09:45,467
Cipherceval:
component.

249
00:09:45,268 --> 00:09:47,508
Cipherceval:
It's caused by an integer
overflow.

250
00:09:47,508 --> 00:09:49,347
Cipherceval:
When adding user supplied data

251
00:09:49,347 --> 00:09:50,508
Cipherceval:
without checking available

252
00:09:50,508 --> 00:09:51,508
Cipherceval:
buffer space.

253
00:09:51,508 --> 00:09:56,947
Cipherceval:
And here's what matters: it
affects 234 Qualcomm chipsets.

254
00:09:56,947 --> 00:09:58,107
Cipherceval:
That's not a typo.

255
00:09:58,107 --> 00:10:01,628
Cipherceval:
234 different system on chip

256
00:10:01,628 --> 00:10:03,528
Cipherceval:
models from budget devices to

257
00:10:03,528 --> 00:10:04,628
Cipherceval:
flagships.

258
00:10:04,628 --> 00:10:07,388
Cipherceval:
Google's Threat Analysis Group
discovered this vulnerability

259
00:10:07,388 --> 00:10:11,187
Cipherceval:
and reported it to Qualcomm on
December 18th, 2025.

260
00:10:11,187 --> 00:10:14,148
Cipherceval:
Qualcomm notified device
manufacturers on February 2nd,

261
00:10:14,148 --> 00:10:18,268
Cipherceval:
2026, and Google's bulletin says
there are indications that

262
00:10:18,268 --> 00:10:25,947
Cipherceval:
CVE-2026-21385 may be under
limited targeted exploitation.

263
00:10:25,947 --> 00:10:27,788
Cipherceval:
That language, "limited targeted

264
00:10:27,788 --> 00:10:29,467
Cipherceval:
exploitation", is the phrase that

265
00:10:29,467 --> 00:10:30,748
Cipherceval:
shows up when we're talking

266
00:10:30,748 --> 00:10:32,807
Cipherceval:
about commercial spyware

267
00:10:32,807 --> 00:10:34,148
Cipherceval:
vendors, the kind of companies

268
00:10:34,148 --> 00:10:35,447
Cipherceval:
that sell surveillance tools to

269
00:10:35,447 --> 00:10:36,827
Cipherceval:
governments and those

270
00:10:36,827 --> 00:10:38,107
Cipherceval:
governments use them against

271
00:10:38,107 --> 00:10:39,368
Cipherceval:
journalists, activists,

272
00:10:39,368 --> 00:10:40,668
Cipherceval:
political opponents.

273
00:10:40,508 --> 00:10:44,707
Cipherceval:
We've seen this pattern before
with NSO Group's Pegasus,
Intellexa's

274
00:10:44,707 --> 00:10:46,587
Cipherceval:
Predator and others. When

275
00:10:46,587 --> 00:10:51,668
Cipherceval:
Google's TAG, the Threat
Analysis Group, discovers a
flaw,

276
00:10:51,668 --> 00:10:54,827
Cipherceval:
it's already been exploited in a
targeted fashion. It's

277
00:10:54,827 --> 00:10:57,347
Cipherceval:
almost always that ecosystem.

278
00:10:57,148 --> 00:11:00,427
Cipherceval:
CISA added this to its Known
Exploited Vulnerabilities

279
00:11:00,427 --> 00:11:04,028
Cipherceval:
catalog on March third, giving
federal agencies a deadline of

280
00:11:04,028 --> 00:11:05,827
Cipherceval:
March twenty fourth to patch.

281
00:11:05,827 --> 00:11:08,628
Cipherceval:
Qualcomm declined to say when
the earliest known exploitation

282
00:11:08,628 --> 00:11:11,827
Cipherceval:
occurred or how many people were
affected, which tells you

283
00:11:11,827 --> 00:11:14,988
Cipherceval:
something about the sensitivity
here beyond the zero day.

284
00:11:14,988 --> 00:11:16,788
Cipherceval:
The March update also patches a

285
00:11:16,788 --> 00:11:18,207
Cipherceval:
critical system component

286
00:11:18,207 --> 00:11:19,107
Cipherceval:
vulnerability.

287
00:11:19,107 --> 00:11:27,868
Cipherceval:
CVE-2026-0006 scored at a
whopping 9.8.

288
00:11:27,868 --> 00:11:30,788
Cipherceval:
That allows remote code
execution without any privileges

289
00:11:30,788 --> 00:11:32,187
Cipherceval:
or user interaction.

290
00:11:32,187 --> 00:11:33,947
Cipherceval:
Let me say that again: remote

291
00:11:33,947 --> 00:11:36,028
Cipherceval:
code execution, no privileges

292
00:11:36,028 --> 00:11:36,707
Cipherceval:
required.

293
00:11:36,707 --> 00:11:38,347
Cipherceval:
No user interaction.

294
00:11:38,347 --> 00:11:40,947
Cipherceval:
That's as bad as it gets for
a mobile operating system.

295
00:11:40,947 --> 00:11:42,408
Cipherceval:
That's as bad as it gets for any

296
00:11:42,408 --> 00:11:43,827
Cipherceval:
kind of operating system or

297
00:11:43,827 --> 00:11:44,628
Cipherceval:
software.

298
00:11:44,628 --> 00:11:47,748
Cipherceval:
Now the update is split across
two patch levels.

299
00:11:47,748 --> 00:11:51,467
Cipherceval:
2026-03-01 covers 63

300
00:11:51,467 --> 00:11:53,107
Cipherceval:
vulnerabilities in the

301
00:11:53,107 --> 00:11:54,628
Cipherceval:
Framework, System and Google

302
00:11:54,628 --> 00:11:55,827
Cipherceval:
Play components.

303
00:11:55,827 --> 00:12:00,908
Cipherceval:
2026-03-05 adds another 66,

304
00:12:00,908 --> 00:12:02,687
Cipherceval:
hitting the kernel, Qualcomm,

305
00:12:02,687 --> 00:12:04,427
Cipherceval:
ARM, and other hardware level

306
00:12:04,427 --> 00:12:05,548
Cipherceval:
components.

307
00:12:05,548 --> 00:12:07,388
Cipherceval:
And here's the Android
ecosystem's

308
00:12:07,388 --> 00:12:10,347
Cipherceval:
perennial problem: Google
releases the patches, but device

309
00:12:10,347 --> 00:12:13,427
Cipherceval:
manufacturers control when you
actually get them.

310
00:12:13,427 --> 00:12:15,748
Cipherceval:
If you're on a Pixel, you're
probably patched.

311
00:12:15,748 --> 00:12:19,587
Cipherceval:
If you're on anything else, it
might be weeks or months.

312
00:12:19,587 --> 00:12:22,508
Cipherceval:
If you're running an Android
device with a Qualcomm chipset,

313
00:12:22,508 --> 00:12:25,508
Cipherceval:
which is the vast majority of
Android phones out there.

314
00:12:25,508 --> 00:12:28,028
Cipherceval:
It's worth checking your patch
level, update your stuff,

315
00:12:28,028 --> 00:12:31,988
Cipherceval:
especially on your mobile, where
the fragmentation problem means

316
00:12:31,988 --> 00:12:34,307
Cipherceval:
you can't always assume it's
been done for you.

317
00:12:34,107 --> 00:12:34,668
Cipherceval:
All right.

318
00:12:34,668 --> 00:12:35,427
Cipherceval:
Moving on.

319
00:12:35,427 --> 00:12:37,067
Cipherceval:
This next story ties into a

320
00:12:37,067 --> 00:12:38,107
Cipherceval:
theme that we've been covering

321
00:12:38,107 --> 00:12:39,868
Cipherceval:
for months now the relentless

322
00:12:39,868 --> 00:12:41,508
Cipherceval:
targeting of telecommunications

323
00:12:41,508 --> 00:12:42,988
Cipherceval:
infrastructure by state

324
00:12:42,988 --> 00:12:44,307
Cipherceval:
sponsored actors.

325
00:12:44,307 --> 00:12:48,268
Cipherceval:
On March six, Cisco Talos
published research on a threat

326
00:12:48,268 --> 00:12:53,347
Cipherceval:
cluster they're calling
UAT-9244, and the picture they

327
00:12:53,347 --> 00:12:55,148
Cipherceval:
paint is deeply concerning.

328
00:12:55,148 --> 00:12:58,687
Cipherceval:
To give some context, UAT-9244

329
00:12:58,687 --> 00:13:00,508
Cipherceval:
is a China linked Advanced

330
00:13:00,508 --> 00:13:02,028
Cipherceval:
Persistent Threat group, an APT

331
00:13:02,028 --> 00:13:03,687
Cipherceval:
group that has been targeting

332
00:13:03,687 --> 00:13:05,107
Cipherceval:
telecom providers in South

333
00:13:05,107 --> 00:13:06,807
Cipherceval:
America since at least twenty

334
00:13:06,807 --> 00:13:07,908
Cipherceval:
twenty four.

335
00:13:07,908 --> 00:13:11,467
Cipherceval:
Talos assesses with high
confidence that this cluster is

336
00:13:11,467 --> 00:13:14,768
Cipherceval:
closely associated with
FamousSparrow and Tropic

337
00:13:14,768 --> 00:13:19,268
Cipherceval:
Trooper, both well documented
China-nexus APT, or

338
00:13:19,268 --> 00:13:21,788
Cipherceval:
advanced persistent threat
groups with histories of

339
00:13:21,788 --> 00:13:24,908
Cipherceval:
targeting government, telecom
and critical infrastructure.

340
00:13:24,908 --> 00:13:28,388
Cipherceval:
Now the obvious question is this
Salt Typhoon?

341
00:13:28,427 --> 00:13:29,748
Cipherceval:
For those of you who haven't

342
00:13:29,748 --> 00:13:31,768
Cipherceval:
followed the Salt Typhoon saga,

343
00:13:31,768 --> 00:13:32,908
Cipherceval:
that's the Chinese state

344
00:13:32,908 --> 00:13:34,347
Cipherceval:
sponsored group responsible for

345
00:13:34,347 --> 00:13:36,207
Cipherceval:
breaching at least nine US

346
00:13:36,207 --> 00:13:38,227
Cipherceval:
telecom companies, compromising

347
00:13:38,227 --> 00:13:39,628
Cipherceval:
wiretap systems, and more

348
00:13:39,628 --> 00:13:41,388
Cipherceval:
recently, being linked to over

349
00:13:41,388 --> 00:13:42,868
Cipherceval:
two hundred companies across

350
00:13:42,868 --> 00:13:43,947
Cipherceval:
eighty countries.

351
00:13:43,947 --> 00:13:46,908
Cipherceval:
Salt Typhoon has been the
dominant telecom threat story

352
00:13:46,908 --> 00:13:48,187
Cipherceval:
for over a year.

353
00:13:48,187 --> 00:13:52,187
Cipherceval:
Now, Talos explicitly addresses
this, and their answer is

354
00:13:52,187 --> 00:13:58,668
Cipherceval:
careful: while UAT-9244 and Salt
Typhoon share the same target

355
00:13:58,668 --> 00:14:01,788
Cipherceval:
profile, they could not
establish a solid connection

356
00:14:01,788 --> 00:14:03,268
Cipherceval:
between the two clusters.

357
00:14:03,347 --> 00:14:05,668
Cipherceval:
That's responsible attribution,

358
00:14:05,668 --> 00:14:07,168
Cipherceval:
acknowledging the overlap while

359
00:14:07,168 --> 00:14:08,807
Cipherceval:
being honest about the limits of

360
00:14:08,807 --> 00:14:09,788
Cipherceval:
their evidence.

361
00:14:09,788 --> 00:14:10,788
Cipherceval:
What makes this campaign

362
00:14:10,788 --> 00:14:12,467
Cipherceval:
interesting, technically, is the

363
00:14:12,467 --> 00:14:16,288
Cipherceval:
tool set. UAT-9244 is using three

364
00:14:16,288 --> 00:14:18,268
Cipherceval:
previously undocumented malware

365
00:14:18,268 --> 00:14:19,868
Cipherceval:
families that cover the full

366
00:14:19,868 --> 00:14:21,307
Cipherceval:
spectrum of an enterprise

367
00:14:21,307 --> 00:14:22,148
Cipherceval:
environment.

368
00:14:22,148 --> 00:14:25,707
Cipherceval:
First, TernDoor, a Windows
backdoor.

369
00:14:25,707 --> 00:14:30,288
Cipherceval:
It's a variant of CrowDoor,
which itself is a variant of

370
00:14:30,288 --> 00:14:33,148
Cipherceval:
SparrowDoor from FamousSparrow.

371
00:14:33,148 --> 00:14:34,827
Cipherceval:
That lineage is clear.

372
00:14:34,827 --> 00:14:36,827
Cipherceval:
It uses DLL side loading through

373
00:14:36,827 --> 00:14:38,707
Cipherceval:
a legitimate executable, loading

374
00:14:38,707 --> 00:14:40,587
Cipherceval:
a malicious DLL that decrypts

375
00:14:40,587 --> 00:14:41,988
Cipherceval:
and executes the final payload

376
00:14:41,988 --> 00:14:42,988
Cipherceval:
in memory.

377
00:14:42,988 --> 00:14:43,868
Cipherceval:
Classic.

378
00:14:43,868 --> 00:14:47,067
Cipherceval:
Now it's been refined over
multiple iterations, though.

379
00:14:47,067 --> 00:14:50,908
Cipherceval:
Next, or second, we see
PeerTime, a Linux backdoor
that

380
00:14:50,908 --> 00:14:54,707
Cipherceval:
communicates using a BitTorrent
based peer to peer protocol.

381
00:14:54,707 --> 00:14:59,148
Cipherceval:
This is significant because peer
to peer C2 makes it much harder

382
00:14:59,148 --> 00:15:01,107
Cipherceval:
for defenders to block or track.

383
00:15:01,107 --> 00:15:04,807
Cipherceval:
It's compiled for multiple
architectures, including ARM,
AARCH,

384
00:15:04,807 --> 00:15:08,427
Cipherceval:
PowerPC and MIPS, which tells
you it's designed to run on

385
00:15:08,427 --> 00:15:12,107
Cipherceval:
embedded systems and network
appliances, routers, switches,
edge

386
00:15:12,107 --> 00:15:16,148
Cipherceval:
devices, things that don't have
EDR agents. Next

387
00:15:16,148 --> 00:15:20,868
Cipherceval:
or third - BruteEntry - a Golang-based
brute force scanner that

388
00:15:20,868 --> 00:15:24,388
Cipherceval:
turns compromised Linux systems
and edge devices into what's

389
00:15:24,388 --> 00:15:28,307
Cipherceval:
called operational relay boxes
or ORBs. These

390
00:15:28,307 --> 00:15:30,067
Cipherceval:
scan and brute force Tomcat,

391
00:15:30,067 --> 00:15:32,268
Cipherceval:
Postgres, and SSH servers

392
00:15:32,268 --> 00:15:34,028
Cipherceval:
expanding the attack surface

393
00:15:34,028 --> 00:15:35,467
Cipherceval:
from within the target's own

394
00:15:35,467 --> 00:15:36,908
Cipherceval:
network. Basically,

395
00:15:36,908 --> 00:15:37,908
Cipherceval:
they're turning compromised

396
00:15:37,908 --> 00:15:39,048
Cipherceval:
infrastructure into a

397
00:15:39,048 --> 00:15:40,788
Cipherceval:
launching pad for further
attacks.

398
00:15:40,788 --> 00:15:41,148
Cipherceval:
They're

399
00:15:41,148 --> 00:15:44,107
Cipherceval:
pivoting laterally and
sometimes vertically. If

400
00:15:44,107 --> 00:15:45,827
Cipherceval:
they can get more access through

401
00:15:45,827 --> 00:15:47,508
Cipherceval:
some of those lateral attacks.

402
00:15:47,508 --> 00:15:47,827
Cipherceval:
Now,

403
00:15:47,827 --> 00:15:49,307
Cipherceval:
the combination of all three

404
00:15:49,307 --> 00:15:50,908
Cipherceval:
Windows endpoints, Linux servers

405
00:15:50,908 --> 00:15:53,028
Cipherceval:
and edge devices all
simultaneously

406
00:15:53,028 --> 00:15:54,307
Cipherceval:
compromised is what

407
00:15:54,307 --> 00:15:55,827
Cipherceval:
makes this particularly
dangerous

408
00:15:55,827 --> 00:15:57,388
Cipherceval:
for telecom environments.

409
00:15:57,307 --> 00:16:00,307
Cipherceval:
These companies run massive
mixed networks.

410
00:16:00,307 --> 00:16:02,107
Cipherceval:
If an attacker has footholds on

411
00:16:02,107 --> 00:16:03,508
Cipherceval:
every layer, detection and

412
00:16:03,508 --> 00:16:04,587
Cipherceval:
containment becomes

413
00:16:04,587 --> 00:16:06,028
Cipherceval:
exponentially harder.

414
00:16:06,028 --> 00:16:08,788
Cipherceval:
And this is the broader pattern
that we keep seeing.

415
00:16:08,788 --> 00:16:10,408
Cipherceval:
Telecom companies are prime

416
00:16:10,408 --> 00:16:11,528
Cipherceval:
targets because of what they

417
00:16:11,528 --> 00:16:13,388
Cipherceval:
carry: call records, metadata,

418
00:16:13,388 --> 00:16:14,788
Cipherceval:
and in some cases, the

419
00:16:14,788 --> 00:16:16,628
Cipherceval:
infrastructure used for lawful

420
00:16:16,628 --> 00:16:18,548
Cipherceval:
intercept, specifically

421
00:16:18,548 --> 00:16:19,548
Cipherceval:
wiretaps.

422
00:16:19,548 --> 00:16:21,028
Cipherceval:
Whoever controls the telecom

423
00:16:21,028 --> 00:16:23,028
Cipherceval:
backbone can potentially surveil

424
00:16:23,028 --> 00:16:24,347
Cipherceval:
an entire country's

425
00:16:24,347 --> 00:16:25,748
Cipherceval:
communications.

426
00:16:25,548 --> 00:16:26,587
Cipherceval:
All right.

427
00:16:26,587 --> 00:16:27,587
Cipherceval:
The last story.

428
00:16:27,587 --> 00:16:30,028
Cipherceval:
Let's close the story out with a
story that.

429
00:16:30,028 --> 00:16:32,508
Cipherceval:
Well, honestly, this one made me
shake my head.

430
00:16:32,508 --> 00:16:35,107
Cipherceval:
Not because of the
sophistication of the attack.

431
00:16:35,107 --> 00:16:36,467
Cipherceval:
Quite the opposite.

432
00:16:36,467 --> 00:16:38,748
Cipherceval:
So on March third, a threat

433
00:16:38,748 --> 00:16:40,227
Cipherceval:
actor operating under the name

434
00:16:40,227 --> 00:16:42,227
Cipherceval:
FulcrumSec publicly claimed

435
00:16:42,227 --> 00:16:43,668
Cipherceval:
responsibility for breaching

436
00:16:43,668 --> 00:16:45,107
Cipherceval:
LexisNexis Legal and

437
00:16:45,107 --> 00:16:46,107
Cipherceval:
Professional.

438
00:16:46,107 --> 00:16:47,587
Cipherceval:
That's the legal data and

439
00:16:47,587 --> 00:16:49,807
Cipherceval:
analytics division of RELX

440
00:16:49,807 --> 00:16:51,107
Cipherceval:
Group, one of the largest

441
00:16:51,107 --> 00:16:52,587
Cipherceval:
information companies in the

442
00:16:52,587 --> 00:16:53,268
Cipherceval:
world.

443
00:16:53,268 --> 00:16:57,107
Cipherceval:
LexisNexis provides research
tools, legal databases, and risk

444
00:16:57,107 --> 00:17:00,427
Cipherceval:
management solutions used by law
firms, government agencies and

445
00:17:00,427 --> 00:17:03,548
Cipherceval:
corporations across one hundred
and fifty countries.

446
00:17:03,548 --> 00:17:07,127
Cipherceval:
According to FulcrumSec's
disclosure, initial access was

447
00:17:07,127 --> 00:17:11,127
Cipherceval:
gained on February 24th by
exploiting a React2Shell

448
00:17:11,127 --> 00:17:14,387
Cipherceval:
vulnerability in an unpatched
React front-end application.

449
00:17:14,387 --> 00:17:17,468
Cipherceval:
React2Shell, for those who are
unfamiliar, is a known

450
00:17:17,468 --> 00:17:20,667
Cipherceval:
vulnerability class in React
applications that can allow

451
00:17:20,667 --> 00:17:23,307
Cipherceval:
server side code execution
through the front end.

452
00:17:23,307 --> 00:17:24,268
Cipherceval:
The attacker says this

453
00:17:24,268 --> 00:17:25,548
Cipherceval:
vulnerability has been sitting

454
00:17:25,548 --> 00:17:27,468
Cipherceval:
there unpatched for months

455
00:17:27,468 --> 00:17:29,107
Cipherceval:
despite known exploits being

456
00:17:29,107 --> 00:17:30,827
Cipherceval:
publicly available.

457
00:17:30,827 --> 00:17:33,667
Cipherceval:
But here's where it gets
painful.

458
00:17:33,667 --> 00:17:35,228
Cipherceval:
Once inside, the attacker found

459
00:17:35,228 --> 00:17:36,948
Cipherceval:
that the compromised ECS task

460
00:17:36,948 --> 00:17:37,788
Cipherceval:
container's role.

461
00:17:37,788 --> 00:17:39,428
Cipherceval:
That's an Amazon Elastic

462
00:17:39,428 --> 00:17:41,468
Cipherceval:
Container Service role that had

463
00:17:41,468 --> 00:17:43,087
Cipherceval:
been granted read access to

464
00:17:43,087 --> 00:17:44,627
Cipherceval:
essentially everything.

465
00:17:44,627 --> 00:17:46,048
Cipherceval:
The production Redshift data

466
00:17:46,048 --> 00:17:49,327
Cipherceval:
warehouse, 17 VPC databases, AWS

467
00:17:49,327 --> 00:17:51,468
Cipherceval:
Secrets Manager and the

468
00:17:51,468 --> 00:17:52,887
Cipherceval:
company's Qualtrics survey

469
00:17:52,887 --> 00:17:53,788
Cipherceval:
platform.

470
00:17:53,788 --> 00:17:57,147
Cipherceval:
A single task role with keys to
the kingdom. That is super level,

471
00:17:57,147 --> 00:17:59,548
Cipherceval:
super root level access.

472
00:17:59,548 --> 00:18:02,847
Cipherceval:
And that's kind of one of the
principles that is usually

473
00:18:02,847 --> 00:18:04,667
Cipherceval:
supposed to be practiced.

474
00:18:04,667 --> 00:18:07,288
Cipherceval:
The least privilege idea.

475
00:18:07,288 --> 00:18:09,107
Cipherceval:
The RDS master password?

476
00:18:09,107 --> 00:18:10,028
Cipherceval:
Oh man.

477
00:18:10,028 --> 00:18:13,387
Cipherceval:
Lexis1234. I'm going to say that
again.

478
00:18:13,387 --> 00:18:15,307
Cipherceval:
The master password for a

479
00:18:15,307 --> 00:18:16,827
Cipherceval:
database at one of the world's

480
00:18:16,827 --> 00:18:19,147
Cipherceval:
largest legal data companies was

481
00:18:19,147 --> 00:18:21,107
Cipherceval:
Lexis1234.

482
00:18:21,107 --> 00:18:23,387
Cipherceval:
Security by obscurity does not
work.

483
00:18:23,387 --> 00:18:26,107
Cipherceval:
They might as well have not put
a password at all, and neither

484
00:18:26,107 --> 00:18:28,948
Cipherceval:
does security by "I'll change
the password later."

485
00:18:28,948 --> 00:18:30,508
Cipherceval:
That doesn't work either.

486
00:18:30,508 --> 00:18:32,188
Cipherceval:
The exfiltrated data reportedly

487
00:18:32,188 --> 00:18:35,307
Cipherceval:
includes 3.9 million database

488
00:18:35,307 --> 00:18:37,268
Cipherceval:
records across five hundred and

489
00:18:37,268 --> 00:18:39,907
Cipherceval:
thirty six Redshift tables and

490
00:18:39,907 --> 00:18:41,887
Cipherceval:
four hundred and thirty plus VPC

491
00:18:41,887 --> 00:18:43,188
Cipherceval:
database tables.

492
00:18:43,188 --> 00:18:44,887
Cipherceval:
Around four hundred thousand

493
00:18:44,887 --> 00:18:46,867
Cipherceval:
cloud user profiles with names,

494
00:18:46,867 --> 00:18:48,188
Cipherceval:
emails, phone numbers, and job

495
00:18:48,188 --> 00:18:48,988
Cipherceval:
functions.

496
00:18:48,988 --> 00:18:50,548
Cipherceval:
Twenty one thousand enterprise

497
00:18:50,548 --> 00:18:52,228
Cipherceval:
customer accounts, law firms,

498
00:18:52,228 --> 00:18:53,268
Cipherceval:
universities, government

499
00:18:53,268 --> 00:18:55,928
Cipherceval:
agencies, fifty three plaintext

500
00:18:55,928 --> 00:18:58,508
Cipherceval:
AWS Secrets Manager entries and

501
00:18:58,508 --> 00:18:59,867
Cipherceval:
one hundred and eighteen user

502
00:18:59,867 --> 00:19:01,587
Cipherceval:
accounts with .gov email

503
00:19:01,587 --> 00:19:03,627
Cipherceval:
addresses belonging to federal

504
00:19:03,627 --> 00:19:05,548
Cipherceval:
judges, Department of Justice

505
00:19:05,548 --> 00:19:08,907
Cipherceval:
attorneys, SEC staff and federal

506
00:19:08,907 --> 00:19:10,508
Cipherceval:
court clerks.

507
00:19:10,508 --> 00:19:15,147
Cipherceval:
LexisNexis is used in a lot of
places now.

508
00:19:15,147 --> 00:19:16,708
Cipherceval:
LexisNexis has confirmed the

509
00:19:16,708 --> 00:19:18,468
Cipherceval:
breach, but is characterizing

510
00:19:18,468 --> 00:19:23,748
Cipherceval:
the data as "mostly legacy
deprecated data from prior to
2020."

511
00:19:23,748 --> 00:19:25,807
Cipherceval:
They say no Social Security

512
00:19:25,807 --> 00:19:27,607
Cipherceval:
numbers, active passwords or

513
00:19:27,607 --> 00:19:28,788
Cipherceval:
financial information was

514
00:19:28,788 --> 00:19:29,708
Cipherceval:
compromised.

515
00:19:29,708 --> 00:19:31,708
Cipherceval:
And look, maybe that's accurate.

516
00:19:32,708 --> 00:19:36,587
Cipherceval:
But as FulcrumSec pointed out
in their rather editorial

517
00:19:36,587 --> 00:19:41,167
Cipherceval:
disclosure, which definition of
"customer data" excludes 400,000

518
00:19:41,167 --> 00:19:44,147
Cipherceval:
named individuals with email
addresses and phone numbers?

519
00:19:44,147 --> 00:19:46,827
Cipherceval:
I'm pretty sure the definition
includes that.

520
00:19:46,827 --> 00:19:50,708
Cipherceval:
Now, this is also not the first
breach for LexisNexis.

521
00:19:50,708 --> 00:19:52,428
Cipherceval:
Last year, a separate incident

522
00:19:52,428 --> 00:19:53,708
Cipherceval:
through a compromised GitHub

523
00:19:53,708 --> 00:19:55,887
Cipherceval:
account exposed personal data

524
00:19:55,887 --> 00:19:57,647
Cipherceval:
belonging to over three hundred

525
00:19:57,647 --> 00:19:58,847
Cipherceval:
and sixty four thousand

526
00:19:58,847 --> 00:20:00,708
Cipherceval:
individuals, including Social

527
00:20:00,708 --> 00:20:01,907
Cipherceval:
Security numbers.

528
00:20:01,907 --> 00:20:06,008
Cipherceval:
Two breaches in two years for a
company that positions itself as

529
00:20:06,008 --> 00:20:09,667
Cipherceval:
one of the largest protectors of
private data in the world.

530
00:20:09,667 --> 00:20:11,268
Cipherceval:
The cover up is always worse

531
00:20:11,268 --> 00:20:12,307
Cipherceval:
than the crime, but in this

532
00:20:12,307 --> 00:20:14,347
Cipherceval:
case, the crime itself is pretty

533
00:20:14,347 --> 00:20:14,948
Cipherceval:
rough.

534
00:20:14,748 --> 00:20:17,147
Cipherceval:
All right, let's bring it home.

535
00:20:17,147 --> 00:20:20,387
Cipherceval:
Five stories this week and the
through line connecting all of

536
00:20:20,387 --> 00:20:22,508
Cipherceval:
them is infrastructure trust.

537
00:20:22,508 --> 00:20:25,748
Cipherceval:
We trust our firewall management
consoles, our mobile operating

538
00:20:25,748 --> 00:20:29,587
Cipherceval:
systems, our telecom backbones,
our legal data providers.

539
00:20:29,587 --> 00:20:31,228
Cipherceval:
And this week, every single one

540
00:20:31,228 --> 00:20:32,667
Cipherceval:
of those trust boundaries got

541
00:20:32,667 --> 00:20:33,548
Cipherceval:
tested.

542
00:20:33,548 --> 00:20:34,827
Cipherceval:
Here are the five things to be

543
00:20:34,827 --> 00:20:35,988
Cipherceval:
aware of coming out of the

544
00:20:35,988 --> 00:20:36,948
Cipherceval:
episode.

545
00:20:36,948 --> 00:20:38,667
Cipherceval:
Number one, network security

546
00:20:38,667 --> 00:20:40,407
Cipherceval:
appliances are high value

547
00:20:40,407 --> 00:20:41,387
Cipherceval:
targets.

548
00:20:41,387 --> 00:20:44,067
Cipherceval:
The Cisco FMC vulnerabilities

549
00:20:44,067 --> 00:20:45,528
Cipherceval:
follow the same pattern as the

550
00:20:45,528 --> 00:20:47,827
Cipherceval:
SD-WAN disclosure from the

551
00:20:47,827 --> 00:20:48,988
Cipherceval:
previous episode.

552
00:20:48,988 --> 00:20:51,627
Cipherceval:
If the management plane of your
security infrastructure is

553
00:20:51,627 --> 00:20:55,188
Cipherceval:
compromised, well, everything
downstream is at risk.

554
00:20:55,188 --> 00:20:56,667
Cipherceval:
Keeping management interfaces

555
00:20:56,667 --> 00:20:58,107
Cipherceval:
off untrusted networks and

556
00:20:58,107 --> 00:20:59,228
Cipherceval:
patching immediately.

557
00:20:59,228 --> 00:21:00,827
Cipherceval:
That's the baseline.

558
00:21:00,827 --> 00:21:03,587
Cipherceval:
Next number two, AI is changing

559
00:21:03,587 --> 00:21:05,147
Cipherceval:
the economics of malware, not

560
00:21:05,147 --> 00:21:06,647
Cipherceval:
the sophistication.

561
00:21:06,448 --> 00:21:09,528
Cipherceval:
APT36's Vibeware campaign shows

562
00:21:09,528 --> 00:21:10,907
Cipherceval:
that the real threat from AI

563
00:21:10,907 --> 00:21:12,127
Cipherceval:
assisted malware isn't

564
00:21:12,127 --> 00:21:12,928
Cipherceval:
brilliance.

565
00:21:12,928 --> 00:21:14,288
Cipherceval:
It's volume.

566
00:21:14,288 --> 00:21:15,708
Cipherceval:
Detection teams may need to

567
00:21:15,708 --> 00:21:17,127
Cipherceval:
rethink their approach to handle

568
00:21:17,127 --> 00:21:19,268
Cipherceval:
floods of low quality, polyglot

569
00:21:19,268 --> 00:21:21,488
Cipherceval:
variants, rather than a few high

570
00:21:21,488 --> 00:21:22,807
Cipherceval:
quality implants.

571
00:21:23,367 --> 00:21:25,488
Cipherceval:
Then, number three, mobile

572
00:21:25,488 --> 00:21:27,508
Cipherceval:
patching remains the ecosystem's

573
00:21:27,508 --> 00:21:28,807
Cipherceval:
Achilles' heel.

574
00:21:28,807 --> 00:21:29,887
Cipherceval:
One hundred and twenty nine

575
00:21:29,887 --> 00:21:31,567
Cipherceval:
vulnerabilities in one Android

576
00:21:31,567 --> 00:21:33,208
Cipherceval:
update, including an actively

577
00:21:33,208 --> 00:21:35,627
Cipherceval:
exploited Qualcomm zero day

578
00:21:35,627 --> 00:21:37,107
Cipherceval:
across two hundred and thirty

579
00:21:37,107 --> 00:21:38,208
Cipherceval:
four chipsets.

580
00:21:38,208 --> 00:21:41,968
Cipherceval:
Google can release patches, but
manufacturers and carriers

581
00:21:41,968 --> 00:21:43,448
Cipherceval:
control the timeline.

582
00:21:43,448 --> 00:21:46,167
Cipherceval:
Check your patch level and keep
devices updated.

583
00:21:46,167 --> 00:21:49,607
Cipherceval:
It's the simplest thing that
makes the biggest difference.

584
00:21:49,607 --> 00:21:53,567
Cipherceval:
Then, number four, telecom
targeting is not slowing down.

585
00:21:53,567 --> 00:21:58,647
Cipherceval:
UAT-9244 demonstrates that
China-aligned actors continue

586
00:21:58,647 --> 00:22:02,048
Cipherceval:
investing in multi-platform
telecom compromise toolkits.

587
00:22:02,048 --> 00:22:05,528
Cipherceval:
Windows, Linux and edge devices
simultaneously.

588
00:22:05,528 --> 00:22:10,928
Cipherceval:
Peer to peer (P2P) command and
control and ORB-based expansion

589
00:22:10,928 --> 00:22:13,748
Cipherceval:
make these intrusions
exceptionally difficult to

590
00:22:13,748 --> 00:22:16,087
Cipherceval:
detect and to contain.

591
00:22:16,567 --> 00:22:20,288
Cipherceval:
Lastly, number five, cloud
security basics still matter

592
00:22:20,288 --> 00:22:21,607
Cipherceval:
more than anything.

593
00:22:21,607 --> 00:22:23,528
Cipherceval:
The LexisNexis breach wasn't

594
00:22:23,528 --> 00:22:25,188
Cipherceval:
caused by a zero day or an

595
00:22:25,188 --> 00:22:26,327
Cipherceval:
advanced attack.

596
00:22:26,327 --> 00:22:31,288
Cipherceval:
It was an unpatched application,
an overly permissive IAM role,

597
00:22:31,288 --> 00:22:33,008
Cipherceval:
and a weak password.

598
00:22:33,008 --> 00:22:35,887
Cipherceval:
The fundamentals, least
privilege, patch management,

599
00:22:35,887 --> 00:22:39,367
Cipherceval:
credential hygiene, remain the
most impactful things any

600
00:22:39,367 --> 00:22:40,688
Cipherceval:
organization can do.

601
00:22:40,688 --> 00:22:44,367
Cipherceval:
And that's gonna do it for HN65.

602
00:22:44,367 --> 00:22:47,468
Cipherceval:
As always, I'm sharing
information and awareness here,

603
00:22:47,468 --> 00:22:50,567
Cipherceval:
not specifically telling you
what to do in your environment.

604
00:22:50,567 --> 00:22:53,928
Cipherceval:
Talk to your security team for
your specific situation.

605
00:22:53,928 --> 00:22:55,327
Cipherceval:
However, if you found this

606
00:22:55,327 --> 00:22:56,968
Cipherceval:
episode useful, please share it

607
00:22:56,968 --> 00:22:58,048
Cipherceval:
with someone who needs to hear

608
00:22:58,048 --> 00:22:58,367
Cipherceval:
it.

609
00:22:58,367 --> 00:23:00,768
Cipherceval:
A colleague, a friend, your IT
team.

610
00:23:00,768 --> 00:23:02,367
Cipherceval:
The more people who are aware of

611
00:23:02,367 --> 00:23:03,567
Cipherceval:
what's happening out there, the

612
00:23:03,567 --> 00:23:04,688
Cipherceval:
harder it becomes for bad

613
00:23:04,688 --> 00:23:05,528
Cipherceval:
actors.

614
00:23:05,528 --> 00:23:07,448
Cipherceval:
And that's really what this show
is about.

615
00:23:07,448 --> 00:23:09,087
Cipherceval:
We're all in this together.

616
00:23:09,048 --> 00:23:10,567
Cipherceval:
If you're not already

617
00:23:10,567 --> 00:23:12,288
Cipherceval:
subscribed, hit that subscribe

618
00:23:12,288 --> 00:23:13,907
Cipherceval:
button on YouTube or follow us

619
00:23:13,907 --> 00:23:15,567
Cipherceval:
on your podcast platform of

620
00:23:15,567 --> 00:23:16,367
Cipherceval:
choice.

621
00:23:16,367 --> 00:23:17,887
Cipherceval:
Leave a review if you can.

622
00:23:17,887 --> 00:23:19,407
Cipherceval:
It genuinely helps.

623
00:23:19,407 --> 00:23:22,728
Cipherceval:
Stay vigilant, stay curious, and
update your stuff.

624
00:23:22,728 --> 00:23:24,567
Cipherceval:
I'll catch you in the next one.
