Transcript
I'm one of your hosts. My name is Matt Radulak, and I'm joined by my esteemed colleague and co-host, David Gibson. Hey, good to see you, Matt. How are you? We'll go through our usual segments today. We'll start out with some good news. We'll jump on to our newest segment, AIvey, that'll surely leave you saying AIvey. We'll talk about some vulnerable vulnerabilities, jump on the highway to the danger zone. And then as always, if you throw questions into the chat or the Q&A, David and I will try to get to them at the end of the show. For those of you that are here for the first time, we always like to start out State of Cybercrime by talking about some good news. As often in time, there is always a doom and gloom outlook to cybersecurity and the eventual demise to our robot overlords. But there is a lot of good things happening in cyber as well, and we always like to cover it at the start of the show. First and foremost, though, we got to talk about some of the international coalitions. Can't have an episode of State of Cybercrime where we don't talk about multiple countries' law enforcement working together. And in Operation Power Off, an international coalition of law enforcement across more than 20 countries, namely like Australia, Austria, Belgium, Brazil, Lithuania, Portugal, Sweden, Thailand, UK, US, and more, aimed to disrupt distributed denial-of-service-for-hire services, was successful in seizing 53 domains and making four arrests, impacting nearly 75,000 cybercriminals. What law enforcement was able to do was access backend databases containing information on more than 3 million users. Now this crackdown does help stop low-skill, large-scale attacks, and is certainly another win for the good guys. Yay, good guys. And what's going on here, David, a little bit of criminal versus criminal? Spy versus spy, as they might say? Yes, this is ransomware with a side of beef.
It's two threat actors, actually, so this involved multiple threat actors, but Zero APT is a new threat actor, or was a new threat actor, trying to make a name for itself. Apparently this is a thing, right? You have to have some cred. And the way it was going about trying to make a name for itself is by going after other ransomware groups like Everest, Ransom House, and Crybit. Well, they actually managed to hack Crybit, and they released a sample of data, and they threatened to release more, but they disclosed that they had two admins, a few affiliates, some victims, like 20 at the time, and they had the ransomware demands out there. Well, Crybit hacked back, and they leaked the full Zero APT operational dataset very quickly, like the next day, and included all the logs, the source code, the system files. They also revealed that the 190 plus victims that Zero APT had initially bragged about were totally fabricated, and that no data was ever exfiltrated for many of these victims, and they'd been unable to recover as a result of this. So apparently their infrastructure was running on an Analytics parent OS and an Android phone, and all the download links they had that they sent out were false. But anyway, quite a story there when ransomware actors are going up against each other. Yeah, I was going to say, I guess fake it until you make it applies in cybercrime as well. I guess so. The relaunch of the Crime Network, which is a platform for buying and selling illegal services, substances, and stolen data, was shut down by German authorities, leaving its more than 100,000 users scrambling to find new places to spend nearly the 4 million euros that was traced and seized through the network. And while this reboot was unsuccessful, I'm wondering if maybe they should turn it off and on three more times before they can get the Cybercrime Network to go mainstream again. Could be. Could be. Now in our newest segment, AIvey, we're surely going to leave you saying AIvey.
And AIvey is right. A startup, PocketOS, lost its production databases and its backups in less than 10 seconds after Cursor, powered by Anthropic, took autonomous action. The agent, while attempting to fix a credential issue, used an extremely over-permissive API token to delete a storage volume, wiping all the data. Seconds later, it confessed to its wrongdoing and ran another destructive command. Now what this highlights for me is that if you're not looking at your agents and limiting not just what they can say, but their agency and what they can do, you could very easily wind up in the same boat, shaking your head and sitting there and saying AIvey. Very easily. As you work more and more with different agentic coding, it's easy to see how this stuff can happen. It moves very quickly. And there are mistakes. Speaking of mistakes, what's going on with the breaches in Mexican government? This was one of the largest breaches ever. Hundreds of millions of government and citizen records. The breach apparently lasted over two and a half months or so. The attackers used both Claude Code and ChatGPT, OpenAI 4.1. Millions of records of a lot of different types here. Tax records, vehicle registry records, license plates, names, taxpayer IDs, births, deaths, marriages, property owner records. There's just a trove of sensitive information that the attackers got. Going through the logs, I guess OpenAI and Anthropic, the attackers apparently used more than 1,000 prompts that they were able to see that were different requests that led to 5,000 or so commands, actually more than 5,000 commands that were executed during the hack. So 75% of the hacking activity was generated and executed by the models. It took the hackers about 40 minutes apparently to jailbreak the guardrails. What they did was they pasted a 1,000 line hacking cheat sheet and asked Claude to save it to a file. That apparently bypassed some of the guardrails in place there.
ChatGPT was used definitely to make sense of the stolen documents and according to one source to kind of pick up where Claude stopped working to do lateral movement. What is interesting to me is first of all, all of this activity was logged, but also it was hard to kind of detect the activity because the attackers spread the prompts out over multiple sessions and multiple services. So this is going to be an interesting game to try to catch and prevent this sort of thing in the future. Yeah, and I also wonder too, you know, is this like smurfing but at the prompt and response level like, you know, breaking up the transactions for hiding from oversight is the son of the same concept? Yes. A very important question. There was no UFO evidence in the release data to my knowledge. Yeah, as you say, I haven't gotten to comb through it yet on that one, but probably something we'll have to maybe think about for a new segment, we'll tell our producers UFO or not. So Mythos is really grabbing a lot of attention. So much so, we're actually going to be hosting a full blown webinar to talk about Mythos and its impact called the Data First Forum. So I'm going to ask our producers to drop a link to the Data First Forum in the chat. We're only going to tease the topic here today. Mythos, it's really generated a lot of buzz online. Questions being asked like, can it replace traditional vuln scanning and security testing? Or is it kind of just a myth? Mythos is an AI model that was designed to find and test and exploit software vulnerabilities. And access to the pilot has been pretty limited under this project called Project Glasswing. A lot of critics are concerned about its misuse, but also its overall viability. You know, so I'd be curious to see what people say in the chat. Is Mythos overhyped? Or are people really using it to find and fix software vulnerabilities? And so I wonder if in time, you know, Mythos is going to leave us saying AI-yay or AIvey?
Yeah, this has been a really interesting, I think, discussion over the last few, I guess, when did it start? Like, you know, like about probably a month ago or so, maybe more. But a lot of folks have tested other different models, and large or small. And many of them seem to approach or, you know, are in parity with Mythos in terms of vulnerability detection. And a lot of it seems to depend on the scaffolding, right? And the toolage, more so than the size of the model, which I thought it was Mythos. But maybe folks are in the chat are saying Mythos. I'm not really sure. Yeah, Mythos, or Meethos, Meethos. I always think of Mithril, but... Yeah, and you know, Mythos, I mean, I guess it could be a tomato-tomato thing as well. Yeah. Yeah, maybe, I don't know if our producers have time to put a poll together, but maybe we could put a poll together and ask everyone how they would pronounce, is it Meethos, Meethos, Meethos, I mean, you know, could even be Mythos. Let's not get into the semantics here today. Yeah, some people seem to be educated and know it's Greek. And so I guess this is a solved problem. Yeah, we'll ask Claude how to pronounce it. Yeah, that's right. And we could get an autonomous answer from, you know, how do you pronounce yourself? The other thing I'll say is I actually had a chance to chat with some of the product team at Varonis, as obviously, you know, we work very close with, you know, Anthropic and other companies like AWS and Microsoft. And there's definitely, what their feedback was, it's definitely a step forward, but not a gigantic leap in the sense that this isn't like a transformative technology yet. Just to share some feedback from people that write software and have to find and eliminate vulnerabilities on a day-to-day basis. I think it's safe to say it was transformative marketing. Yeah, and yeah, good marketing for sure. 
Now, speaking of vulnerabilities, let's jump onto our next segment, Vulnerable Vulnerabilities, and talk about a few things that are going on. First and foremost, what's going on in Copilot Studio, David? But so Copilot Studio, Indirect Prompt Injection Vulnerability. So Indirect Prompt Injection Vulnerability is a little bit different than a direct one where you're typing in the prompt injection instructions. The indirect is reading the prompt injection instructions from other content. And in this case, it was a SharePoint form. So by putting malicious instructions in a SharePoint form, you could have an agent behind it query, actually conduct instructions. And the instructions in this exploit were to query and exfiltrate data via an Outlook address. By the way, all this reminds me still of SQL injection, but it's a lot more kind of crazy and a lot less deterministic. But the interesting thing is you've got untrusted input. And the vulnerability in Copilot Studio is that they joined this untrusted input and kind of concatenated it with the agent's system instructions. And so this specific vulnerability has been patched. This kind of, and I don't know whether vulnerability is the right word for it. It's like this sort of execution path where you can put instructions in a SharePoint form and have that be executed by an agent as instructions. Another, and the reason I say that is, you know, because there are probably other paths that we'll uncover that will exploit the same potentially an architectural problem. And I say that because the safety mechanisms flagged the behavior as suspicious on the output. But it really needs to be flagged, I think, on the inputs and the actions. It's on the output side, it's really hard to execute control because the instructions look legitimate at that point. The model's already been fooled. 
So it, and the other, another interesting thing about this is it was assigned a CVE, which for prompt injection has been, hasn't been the norm, but it could be a sign of things to come. But just, we've said this a couple of times now, enforce the input trust boundaries by default if you can, and have runtime guardrails and action guardrails that intercept the tool calls before they execute stuff. We can put the CVE in the chat as well. I think we had some issues with the, oh there we go, thanks Frank. All right, I think the poll actually crashed Matt's machine, is this just in? So I'll keep going here. Actually, I can't keep going without sharing my slides, I guess. So I think I'll dance, or how about I sing everybody a song while I figure out how to share the slides, how would that be? All right, let me see if I can now share. What song would you like me to sing? Okay, here we go. All right, so we've got a zero-click vulnerability that was discovered in Outlook. We can paste that in, it's 2026-403-61. This would allow remote code execution when you are sending an email without interaction, so this is pretty scary. It apparently is a flaw in Outlook rendering and that preview engine, and this can be triggered when the email is just read or previewed. So this is a patch that people should do immediately because Microsoft claims that the exploits are high. So the next vulnerability is two Linux, actually three vulnerabilities that add up to two attacks in Linux. These are local privilege escalation, so it's not remote. You have to be on the box, essentially, you have to have a shell in or be on the console. But it's interesting, there are two of these that we'll be talking about, two versions of CopyFail and one is DirtyFrag. And they were responsibly disclosed, but DirtyFrag was leaked before patches were available to it. So CopyFail is definitely being exploited in the wild, and DirtyFrag may be as well.
Now, CopyFail is a logic bug, it lets a user write into the page cache of any readable file, like su, right, or sudo, and that it bypasses things like Tripwire and other integrity checks without changing the physical disk, because it writes into cache, it doesn't change the physical disk. And so this bug here allows you to essentially write into things like su and sudo, it gets you root. DirtyFrag does the same thing, but it is a little bit more advanced because some of the mitigation steps that were in place for CopyFail don't work with DirtyFrag. So Linux distributions have started releasing patches, I think Frank just put in the CVEs, so definitely patch as soon as a version becomes available. One thing to note is that it hasn't been proven to be effective in escaping a container yet. So, you know, standard Linux hosts are the ones that they would be most worried about. Matt, welcome back. I was going to say, did you cover zero-click? Wow, thank you so much. You know, I think because I was mispronouncing one way or the other, that mythical thing earlier, the AI zonked me right off of the webinar. It can't be a coincidence. I'm like, I got a little hair standing up on the back of my neck, David. So anyway, team. That's right, you missed a song. You missed a song. I did Freebird for everybody. Okay, okay, great. So, but what, okay, the real question is, did I miss any dad jokes? Oh, well, yeah, I'll let the audience chime in. I don't even remember them anymore. Okay, because if I did that, I'll have to go back and rewatch the recording. Now, a critical vulnerability was found in GitHub, CVE-2026-3854, which allows for authenticated users to execute commands on GitHub's backend via specifically crafted Git pushes. The flaw stems from a lack of input sanitization in Git push options and allows attackers to inject commands and execute arbitrary code on both GitHub.com and GitHub Enterprise Server.
The issue was quickly patched by GitHub, and GitHub is claiming that there were no successful exploits. Still something to be aware of and make sure that you're patched for. Yeah, Wiz actually noted that 88% of instances are still vulnerable to this. So, and I think you can just exploit it with a push, right? So, it's definitely, definitely get on that. In our final segment, the danger zone, we'll talk about a couple of breaches and attacks that everyone should be concerned about, including, and I saw someone in the chat asking this, our headline story about Shiny Hunters and Canvas. Yeah, so since last time, Team PCP has been pretty busy. Last time we talked about how they compromised Trivy, which is the security scanner from Aqua. That breach, by the way, is likely to have hit over 1,000 SaaS environments. So, they've gone on to compromise LiteLLM, Telnyx, PyPI, Checkmarx, KICS. They do the breach and others like Shiny Hunters monetize it. For example, the European Commission's AWS infrastructure was breached with a compromised version of Trivy. And then Shiny Hunters published the stolen data. And this included PII, keys, config snapshots, admin URLs. Now, by the way, they claim to have stolen some of the EU data themselves. So, it's a little unclear whether there was a real handoff there. But they have been so successful that one of the members of Team PCP may have defected. And we'll get to that in a second. But before that, we've got a new campaign by Team PCP that's named Mini Shai-Hulud. Now, we've been talking about Shai-Hulud. I was going to say, this is like your favorite topic, any Dune reference at all. Any Dune reference, any sci-fi reference really is okay. Yeah, or Linux vulnerability is also fair game for you, correct. Definitely. But this one, I guess this campaign by Team PCP has been pretty crazy. 400 malicious versions across 172 packages.
And the way this happened is they're using GitHub Actions to place malicious code inside a trusted release pipeline, and then use that to steal publishing credentials, and then use that to infect more packages and keep going over and over and over again. So, this is really a worm supply chain attack. I'm not sure what the end is, but I don't like where it's going. And, you know, I don't like where the attack's going. Where our stories are going is to something called PCP Jack. And this is a new malware that exploits, the way it gets in is, pardon me, it exploits exposures and vulnerabilities in cloud web apps. And once it's in, it removes very surgically all the Team PCP processes. And then it steals credentials, keys, establishes persistence, spreads like a worm. It actually, one of the interesting things about it, it downloads Parquet files from Common Crawl. And that allows them to identify new targets without doing noisy scanning. Now, because the attack or the removal of all the Team PCP stuff was so surgical, there's a lot of speculation that the author of PCP Jack may have been a previous Team PCP member. And so this is another example of attackers maybe working against each other. No honor among thieves, I guess. So what's the latest with Shiny Hunters, Matt? Well, I mean, can we have an episode of State of Cybercrime and not talk about Shiny Hunters? We have finally phased out Cisco vulnerabilities, Cisco Umbrella vulnerabilities. But now, you know, Shiny Hunters is, I don't even know if three-peat is the right one. It's just covered in pretty much every episode. So what's interesting about the resurgence or the current surge of Shiny Hunters that I'm excited to share, at least my hypothesis, is around timing. They seem to have really nailed when to attack a company. Now, when we think about the leaks from Mithrisa or Versal, Medtronic, we have, you know, Zara and Carnival and 7-Eleven. We have ADT, we have Vimeo.
These are all deadlines that were given to the companies of, we're going to post the data online or encrypt your systems if you don't pay us by these particular times. And they are, you know, for lack of a better word, hot and heavy right now. They're attacking a lot of different organizations. They're carrying out a lot of attacks. And it seems as though their operation is growing based off the use of initial access brokers that we saw earlier. Dangerous stuff. And that brings us to Canvas. Yeah. What do you make of this? So, I mean, one, and I'm curious because we got about 500 or so people live today. Anyone in the chat have a family member or a friend that was taking an exam that got to see the ransom note on the screen? I know I caught it shortly thereafter as it went pretty viral on social media. We got a couple thumbs up and a couple people coming in in the chat. You know, I took place at an interview with NPR over the weekend. And the reporter that covers this space said that Canvas is used by about 50% of higher education and a large percentage of K-12 schooling for taking tests, curriculums, and lesson plans. So, the amount of data that they host is quite significant when you think about things like, you know, papers and dissertations. But the timing of this attack is what is so novel to me. Or I kind of had that aha moment where the attackers chose to target a learning management system and exam system during finals. So, talk about an incentive to pay. How can you finish the semester or get your final grade from an accredited institution? If your tests got interrupted, what if the integrity of the tests themselves got compromised and the tests or the answer keys got posted online? I mean, it could set back the higher education system significantly. So, it's no wonder that there was a lot of speculation around paying. 
You know, the ransomware threat appears as though Canvas has reached some agreement with Shiny Hunters because, you know, at least that's what we've seen so far. Yeah. One of the many sayings in baseball is, it's not who you play, it's when you play them. And this reminded me of that because what happened if this attack had happened in July? Right? Do you think that, you know, the stakes would have been as high? I mean, it still would have been bad, I'm sure, but everybody's graduated by then, right? You've got time to take some new tests there, right? You know, I hope everybody has kind of asked themselves, you know, what is the worst time? What would be the worst time for our organization to be attacked? And because that's probably, that's got to be the way the attackers are thinking on this, right? And you also have to think a lot about catching token abuse because that's like Shiny Hunters MO is like compromising a user, you know, either from their browser or their endpoint or from some type of device. Taking tokens they have for SaaS applications, abusing the blast radius to access and exfiltrate information. It isn't always a sophisticated zero day or getting a domain admin credential that makes Shiny Hunters initial landing and expansion successful. It really is, as someone has put it in the chat, a nightmare of an attacker group to deal with as they really do specialize in, you know, exploiting the blast radius of using the available information from the initial user that they compromise to tell, you know, before asking for, you know, an extortion payment or a ransom payment. And in the case of Canvas, obviously, they also took control of a lot of computer systems in their exam network and other parts of their infrastructure. Yeah, in Canvas, I didn't know this, you know, 275 million users and 9,000 schools. Apparently, the breach vector had to do with the free version, which had some lower authentication hurdles for teachers to join. 
And then some issues with the some kind of shared tenants may not be the right word, but it was hard, I think, to differentiate between real authenticated users and some of the free tier users. Yeah, the free tier teachers specifically was one that they were worried about. Yeah, so it, it's a, you know, it's, it's, it's a sad thing, right? It's a double whammy, right? Because you've got, you know, they reached a deal with the attackers. The hackers have claimed to return the data and provide proof of shred logs. They claim that customer information, you know, would not be further extorted. Right. So, you know, but can a company really confirm that the data wasn't leaked? I think a lot, too, about like, okay, maybe of, let's say there's 100 pieces of data. It's obviously much more than that. Maybe one is really, really valuable. And that's going to get sold to someone else and say, and shining us because we didn't leak that. You must have leaked that through another channel or another attacker got hold of it. So it's really difficult to predict what's going to what's going to come of this, though. It does appear as though finals are going to finish and people can take their exams. So the semester is going to be able to finish off. Well, thanks so much, everybody, for tuning in for another episode of State of Cybercrime. And we look forward to seeing you next time. Thanks, everybody.