Transcript
My name is Matt Radlach, I'm one of your hosts. I'm David Gibson, the other one of your hosts. It's awesome to have you guys here today for another episode. We've got a lot of fun stuff to talk about. We're going to jump through a lot of our usual segments today. So we'll start off by talking about some good news. We'll jump on into our newest segment, AIvey. We'll certainly leave you with a couple of vulnerable vulnerabilities before we jump on the highway to the danger zone and talk about all the latest happenings of threat actors and things that you might be concerned about. So for those of you that are here for the first time, we always like to start out the show by talking about some good news, as oftentimes in cybersecurity it's all doom and gloom. And we almost always have some good things to say. One, the Beast ransomware-as-a-service group, which has been active since early 2025, left their toolkit exposed on a cloud server that they were hosting in Germany. Now that exposure led to their entire toolset being leaked, including their backup deletion and disabling tools, and their reconnaissance, credential theft and exfiltration toolkits. All of it, tools commonly used by other ransomware gangs, was completely exposed to investigators. And I guess the lesson learned here is that even the bad guys can have a misconfig every once in a while. Yeah, but I'm sure, you know, they trust everybody. Yeah, right. And if you make it easy for an investigator, they don't even need a warrant to search a publicly exposed site, right? Very true. What's going on with the Department of Justice? Well, so we got some good news. They took down four big botnets. It was a partnership between the Department of Justice, Canada, Germany, and even private sector firms like AWS and many others. These were botnets for hire. A lot of them were used for DDoS. They came from a lot of Android TVs, apparently, that are part of proxy networks when you sell them.
They had 3 million devices and could throw 30 terabits a second, which is a huge amount of data. One researcher compared it to the combined populations of the UK, Germany, and Spain all simultaneously typing a website address and then hitting enter at the same second. So glad that's no longer out there. Yeah, for sure. You know, for those of you that tuned into our last episode, we covered this story about Leakbase and Operation Leak. Well, there's an update: Russian authorities have arrested the alleged head of Leakbase. For those of you who don't know, Leakbase is a site that hosted hundreds of thousands of stolen records and credentials that were available for sale. And the 33-year-old from Taganrog, Russia, was known online by the persona Chucky or SQL RIP. What's interesting about this to us is we don't often see Russia leading the charge for taking down cyber criminals. So I wonder if this is either A, a shift in their policy, or B, just someone they don't like. Or maybe both. Yeah, maybe a little bit of both. Now we'll jump into our newest segment, AIvey, that's surely going to leave you saying AIvey. Meta declared a severity one incident based on actions that were mistakenly taken by an AI agent. The agent made a post on an internal forum without human approval, and one employee ultimately acted on the agent's guidance and gave access to sensitive data to a team of Meta engineers. Now Meta says that no user data was mishandled or accessed maliciously, but did emphasize that the AI agent took an autonomous action in a production environment that it wasn't supposed to. I knew what I was supposed to do, but I didn't do it. I don't know. Where are we going with this? Yeah, I'm not sure.
Now, speaking of other things leaving you saying AIvey, a zero day in Claude's Chrome extension, which I have henceforth named Claude Chrome, allowed attackers to inject malicious AI prompts if they tricked a user into visiting a fraudulent webpage. No additional user interaction was required. The vulnerability, which was nicknamed Shadow Prompt, chained together two issues: one related to origin trust, allowing any wildcard character to be placed in front of claude.ai and its subdomains, and a cross-site scripting bug in the captcha hosted on claude.ai. What attackers could do is embed the vulnerable captcha in an iframe, which would allow the system to be exploited and run JavaScript, letting it take actions on behalf of the user with Claude, or continue the conversation with Claude that the user was having in their browser, without the user being aware. Very similar to the Reprompt vulnerability from Varonis Threat Labs that we talked about recently, just a different attack vector. Yeah, it's hard to sanitize that input, especially when you've got something in a web browser that's designed to look at all those places, right? Yeah, and load all the frames of the site no matter what happens. Totally. Now, speaking of things with Anthropic, what's going on with the blueprints and things behind it? You've talked about it pretty broadly this week. Yeah, so this is an AI story about human error, or, I don't know, it's a human error story about AI. But it has to do with the code for Claude, or the code for Claude Code, the Claude Code code, and it was leaked. And how that happened was that a version of the npm package for Claude, you know, you can install Claude by npm, contained a source map. Now, that's a mistake, human error. Source maps should not be included, because they essentially allow you to unpack and deobfuscate the JavaScript. This led to fairly easy access to 2,000 TypeScript files and more than half a million lines of code being leaked.
And the code itself is pretty interesting. Like, it revealed that Claude Code has a dream mode where it kind of, you know, marinates on stuff in the background. There's an undercover mode, where it can be like a stealth contributor to an open source repo. Really interesting stuff. But there are probably going to be a lot of consequences to this, you know, a lot of people looking for ways to exploit and fuzz it, and I think this is going to lead to the unfortunate discovery of some vulnerabilities and backdoors that's going to hurt before it gets better. Less so, I think, than someone copying it and making a better one. Yeah. Yeah, it's pretty crazy. And just beware, everybody, that attackers are seeding the source code. You know, the source code is still out there; once it's out there, you can't put the genie back in the bottle. But attackers are putting it up on sites and trojaning it. So, you know, if you're curious, don't. I would avoid downloading it from anywhere. But yeah, good comment. I wondered, you know, if there was some reason that they might do this intentionally. Somebody in the chat said that. It's hard to imagine that they would, but, you know, there's been some interesting stuff about that organization lately. I wonder whether it could be a very clever whistleblower. Speaking of things that can leave you exposed, though, let's talk about a few vulnerable vulnerabilities. Now, one that was the most interesting to me, David, you were pretty passionate about this when we were prepping the show. What's this zero click Telegram flaw? I know a lot of people use Telegram, especially for cryptic, or what they hope is cryptic, communication. Yeah, so this one is definitely interesting. If exploited, it would lead to a full system hijack in Android or Linux Telegram clients. The way it works is it uses malicious animated stickers.
So your phone gets, you know, a candy gram, and that's it, your system's taken over. Originally it was assigned a 9.8, you know, on a 10-point scale. So pretty severe, but Telegram argued that it's impossible to upload a malicious sticker because they have some stuff going on on the server side, and they scan all these stickers before they can get out there. So they lowered it to a 7.0. I think it's a little hard to be sure if the server side mitigations will really eliminate these vulnerabilities in the client code. We won't really know if you can be exploited until the full disclosure comes in July. Telegram denies that this is a vulnerability, so there's no patch. In the meantime, if you're worried about this, you can use one of the other clients on Android or Linux. And you can also, I think, turn off media auto-downloading, and, I guess, beware of candy gram stickers. And that was a preview of our newest segment, Pardon the Interruption, where unexpected things happen courtesy of our families. We'll have to make sure that we get an animation for that from our production team. Anyway, what's interesting about this is it seems like we're blind to whether or not something could be mitigated on the Telegram side. Yes, we have to trust that that client side vulnerability is mitigated upstream. Now what about NetScaler? We've talked about this guy, right? Probably a dozen times since we started hosting the show. Yes. The bottom line with this one is patch your NetScalers and patch them now. There's a critical vulnerability in both the ADC and Gateway components that has to do with insufficient input validation. Why this is so urgent right now is that security researchers, or security firms, are seeing active recon on these vulnerabilities on their honeypots. And I guess what they're seeing is that the attackers are checking for targets that have SAML IdP enabled.
So federated auth, which I guess is required to exploit the vulnerability there. So long story short, patch your NetScalers. Yes. And patch them now. Well, speaking of some dangerous things to cover before we break for today, HackerOne has been hacked. Yeah. So I wonder if someone got a bounty for that. HackerOne, of course, manages the bug bounty programs for a lot of well-known companies. And apparently they use a third party to administer employee benefits, which is called Navia. And Navia was compromised due to a BOLA, broken object level authorization, vulnerability in one of its API endpoints. And this vulnerability gave attackers access to read benefits data for not just HackerOne, but 2.7 million people across the client base. So it's much bigger. Obviously HackerOne is, you know, kind of notable in this instance. BOLA is actually the number one threat in the OWASP API Security Top 10. And so if you were potentially doing a bug bounty on Navia, it might be the first thing you scan for, which isn't ironic at all. Let's jump on into the next one. So this was interesting. Now I've got a quick quiz question for our producers. Has there been an episode in the last 12 months where we didn't mention ShinyHunters? I'm going to ask our producers to check that out because I don't think that's possible. As I was prepping the show this morning, I was thinking: whether they're adapting or morphing or recruiting new members, they are one of the largest criminal gangs out there that targets SaaS applications and government entities around the world. It's, you know, we talk about ShinyHunters all the time. Well, this time, the European Commission confirmed a data breach on europa.eu, purportedly by ShinyHunters. The attackers gained access to an AWS account and stole data from sites that were hosted across europa.eu.
ShinyHunters is claiming they have more than 350 gigs of data, including databases and employee-related information, and has even posted 90 gigs of said data on their leak website. So ShinyHunters has struck again. And for those that were asking in the chat, do we have a fix for the daughter interrupts vulnerability? No, we're just going to make a new segment for the show called Pardon the Interruption, which is bound to happen to any of us when we're hosting a podcast. And it also couldn't happen to a better person, with the dad joke. So if you have puns or dad jokes that would relate to the interruption, please throw them in the chat now. Oh, they're busting me up. So while they're busting you up, David, what's going on with this Trivy supply chain attack? Well, so Trivy, that's a vulnerability scanner. It's actually open source. It's by Aqua Security. It scans containers, right, code repos, file systems. So apparently in March, a threat group took over an Aqua service account, and they pushed malicious code from that account that harvests credentials in GitHub environments, right? And Cisco is just one of the victims, a high profile victim. They cloned over 300 repos out of there. So it's very damaging. The interesting thing about this attack is it leveraged GitHub Actions. GitHub Actions, if you don't know, is really useful: GitHub lets you create and call automations. And that's how a lot of orgs use Trivy. So they call a specific action in their CI/CD pipeline. You know, when they do a new version, right, they call it and run the scanner. Now, when you create a GitHub action, usually you tag it with a version number. And this is sort of supposed to be a security mechanism. It's like, if you've got an action and a version number, and you call it, you can be confident, like, yeah, I've already vetted this. It's the same as it's always been.
And so you don't have to worry about the integrity of that GitHub action, well, unless the attackers use a force push to update an existing version of a GitHub action. And that's what they did. They basically took what everybody thought was a known, trusted version of the GitHub action and changed it. And they did it in a way so that the vulnerability scan looked totally normal. It came back, did all the stuff it was supposed to do, and just in the background it was harvesting all those credentials. So pretty interesting and pretty clever. And I didn't have that one in my database; it's by far the best one that we've seen so far. Now, Axios, which is one of the most widely used JavaScript HTTP libraries, was compromised. What's going on here, David? Yeah, so Axios is a popular JavaScript library, and it's used to simplify web requests. It's actually present in 80% of cloud environments. So some North Korean attackers, it's been attributed to them pretty firmly, compromised the maintainer's npm account. And they used that account, it was actually an interesting sequence, to create a clean package called, like, plain-crypto-js, and left it out there for 18 hours or so. Attackers do that so that the package gains some credibility, right? Some mileage out there, so it's not like a brand new domain or something, you know. But then what they did is create two new versions of Axios, and in these new versions they added the new package as a dependency. And at the same time, they updated that dependency package so it also installed a RAT. And that RAT, you know, once it was installed, it cleaned itself up and made it look like they were never there. So very scary. This trojaned version was only live for about three hours, but Axios has about 100 million weekly downloads. So you can do the math.
That's a lot of people, and anybody that downloaded one of these compromised versions, we can put this in the chat, I guess it's 1.14.1 or 0.30.4, should rotate their credentials and scan for the IOCs. So careful with those dependencies. I think that's the moral of the story there. Yeah. Wow. Yeah, totally. And so, you know, I think the broader theme there is that both of these stories are really about hacking trust, right? In this case, it's a trusted dependency or a trusted GitHub action. How do we make sure we don't have this supply chain vulnerability? But yeah, with that, again, I just wanted to say thank you to you, our audience, and David, to you, our co-host. The show is made possible by you. Thank you guys so much for being here. Yeah, thanks, everybody. Great to see you.
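Added editorial example, not from the show and not from Trivy, Aqua, or any other project discussed above: the Trivy segment explains that a version tag on a GitHub Action is mutable, so a force push can silently change what `owner/repo@v1` resolves to. The usual mitigation is to reference the action by its full 40-character commit SHA, which cannot be rewritten without changing the hash. The script below scans a workflow file for `uses:` lines and reports the ones that point at a tag, branch, or floating container image instead of an immutable digest. The workflow text is constructed for this example, and every action name, version and SHA in it is a placeholder rather than a real reference.

```python
import re

# Constructed sample workflow. The repos, tags and the 40-hex SHA are
# placeholders invented for this example, not real action references.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0.20.0
      - uses: example-org/lint-action@main
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Matches a step's `uses:` key; the value runs up to the first whitespace,
# so a trailing "# vX.Y.Z" comment (the common convention next to a SHA) is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# A full git commit id: exactly 40 lowercase hex characters. Short SHAs are
# deliberately not accepted, because a 7-char prefix can be collided.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Statuses that mean "the reference can change underneath you".
MUTABLE_STATUSES = {"mutable", "docker-tag"}


def classify_uses(value):
    """Classify one `uses:` value by how its target is resolved.

    Returns one of:
      "local"          - path inside the calling repo, pinned by the repo's own commit
      "docker-digest"  - container image referenced by @sha256:... digest
      "docker-tag"     - container image referenced by a floating tag (or no tag)
      "sha"            - owner/repo[/path]@<40-hex commit>, immutable
      "mutable"        - owner/repo[/path]@<tag or branch>, or no ref at all
    """
    value = value.strip().strip("'\"")
    if value.startswith(("./", "../")):
        return "local"
    if value.startswith("docker://"):
        image = value[len("docker://"):]
        return "docker-digest" if "@sha256:" in image else "docker-tag"
    if "@" not in value:
        # No ref at all resolves to the action repo's default branch.
        return "mutable"
    _, ref = value.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text):
    """Return (line_number, uses_value, status) for every step whose target
    is not pinned to an immutable commit SHA or image digest."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        value = match.group(1)
        status = classify_uses(value)
        if status in MUTABLE_STATUSES:
            findings.append((line_no, value, status))
    return findings


if __name__ == "__main__":
    for line_no, value, status in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {value} ({status}) - pin to a full commit SHA or image digest")
```

Running it on the sample reports the `checkout@v4`, `scanner-action@0.20.0`, `lint-action@main` and `docker://alpine:3.19` steps and stays quiet on the SHA-pinned step and the local action. Pinning to a SHA only removes the "tag moved under me" problem; it does not vet the code at that commit, so the pinned SHA still has to be reviewed (and bumped deliberately) when a new version is adopted.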