A weekly podcast with BHIS and Friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.
Join us live on YouTube, Mondays at 4:30PM ET
Is this thing on? Where's my chicken tendies? Where's my triple dipper combo or whatever? I don't know what Chili's is, but people are into that thing. If you like Chili's, paste in the chat your favorite order from Chili's.
Corey Ham: I don't I there's not Chili's where I live, so I don't know what that is.
Alethe Denis: If anybody says it's their chips and salsa, I've got beef with them on that one.
Corey Ham: Why are they really, really bad at chips and salsa? That's fair.
Bronwen Aker: I can't even remember how many years it's been since I was to a Chili's.
Corey Ham: I've just discovered oh, no. But it says it's permanently closed. Yeah. They don't exist in my region. I would have to drive.
Corey Ham: Oh, no. It's also permanently closed. How far would I have to drive to get to a Chili's? Let's see.
Bronwen Aker: I know that the chain lives on in the video game
Corey Ham: What? Where is this going?
Bronwen Aker: The video game
Corey Ham: just It's definitely still a real thing. It's just not in the Pacific Northwest.
Alethe Denis: It's really Okay. Restaurant. Unfortunately, in California, they're everywhere.
Corey Ham: Okay. So I would have to drive or ride my bike because that's how I get places. Let's find out how far it would take me. It would be a three day bike ride, 767 miles, but it would probably be insanely beautiful because it would go through Eastern Oregon and then Northern California. It would be incredible.
Bronwen Aker: That sounds nice.
Corey Ham: I'm gonna do that. I'll see you guys in a month.
Alethe Denis: All for all for chili queso. Duotech today is a
Bronwen Aker: matter of quality, not quantity. Sorry. You know, if you ever do get down this way, Corey, let me know, we will make
Corey Ham: sure break up
Bronwen Aker: the smoker and have just yeah. I'll make homemade baked beans from scratch.
Corey Ham: We'll Oh my goodness.
Bronwen Aker: Do the whole schmear.
Corey Ham: Okay. That sounds way better than Chili's. The the trip plans have changed. Yeah. I'm definitely not going to Chili's anymore.
Corey Ham: But I think you live farther away than my nearest Chili's, unfortunately. Let's see.
Bronwen Aker: Stab. Yeah.
Corey Ham: That would add another 300 miles. It would be 1,059 miles.
Bronwen Aker: Well yeah. I mean That's lot. For me to drive from from my house to Sacramento is easily eight hours by car. Yikes. So
Corey Ham: And I only travel by bike, so that definitely extends the timeline quite significantly.
Alethe Denis: I I will say significantly in the middle. Yeah.
Corey Ham: Over the weekend, I rode my bike to the Pacific Ocean, and I talked to a guy there that was, he was riding from Canada to Mexico. And I was like, that's a that's a lot of riding. That was the whole conversation. I think he was kinda lonely. It's kinda like, riding from Canada to Mexico would take.
Corey Ham: He said he he budgeted a month. I was like, that's pretty good. That's pretty good pace.
Alethe Denis: That seems a little ambitious by my standards.
Corey Ham: Because, yeah, that's like 80 to a 100 miles a day, which is pretty I mean, that's a that's a commit.
Bronwen Aker: That is a definite commit. I mean, a gazillion years ago, I did walk Hadrian's Wall, which I was averaging but the first day was the longest. I was, like, 15 miles, but it was all flat. And then later on, the average was seven to 10 miles a day.
Corey Ham: That sounds amazing. I wanna go do this.
Bronwen Aker: It was it was awesome.
Corey Ham: The the wandering through fields feeling like you're in Lord of the Rings, I'm assuming?
Bronwen Aker: Yeah. You do a lot of that, and and it's kind of embarrassing. I I blistered my feet badly on that particular excursion, so I wound up having to do a little bit of cheating. There's a a bus line that runs along the well, you know, it I you should have seen. I had so many they call me
Corey Ham: Oh, blisters are blisters are one way trip. Once you blister up, you can't go back. It takes weeks to heal. Yeah.
Bronwen Aker: Well, actually, I was pretty good by the end of the week. But that that first day, oh my god. I got to I it's a it's a whole long story, but, the thing you wanna do is you wanna walk from west to east so that the wind is at your back. Even though Sycamore Gap no longer has a sycamore because a deranged teenager chopped down a multi 100 year tree, it's still very scenic. There are tons of Roman sites where they had garrisons and and various other things that are museums all along that way.
Bronwen Aker: And it's it's really if you wanna do just the walk, yes, tons and tons of sheep pastures. And it's about 80 something miles. So
Corey Ham: Alright. Well, I think we've stalled long enough. John Strand has abandoned us. We must continue without him.
Bronwen Aker: Hey. You know, he's jet setting. That jet lag is not to be messed with.
Corey Ham: That's true. Alright. You can roll the finger, Meagan. Let's do this.
Alethe Denis: Alright. Give me one second because there might be
Corey Ham: Have to download more RAM first. I get it. I've been there.
Bronwen Aker: Rolling in three two.
Corey Ham: Hello, and welcome to Black Hills Information Security's talking about news. It's Tuesday. I'm scared. I thought we only do this show on a Monday. But yesterday was Memorial Day in The US, which means we weren't here.
Corey Ham: And so now we're here with our skeleton crew of people who actually survived the weekend, apparently. I guess it took some people out. We've got me. We've got Alethe, and we've got Bronwen. How's it going?
Alethe Denis: Doing well. How about you?
Corey Ham: I'm alive. That's what I've been telling people. I feel like that's as that's that's as aggressive as I'm willing to go. You know? Like, I don't wanna get I am alive.
Corey Ham: It is true. That's you know, I don't wanna be I don't wanna be mean.
Bronwen Aker: If you're not alive, you look awfully good for a corpse. I'll say that much.
Corey Ham: Thank you. Yeah. That's the goal. That's my bar is like look better than a zombie. So that's always how I'm trying to live.
Corey Ham: Stories this week. We've got some good stuff. We had our routers patched by the FBI. That's nice. We also leaked our GovCloud keys.
Corey Ham: Oops. We also got our NGINX web servers exploited by Mythos. There's all kinds of fun stories. I think let's dip into the CISA GovCloud thing. I think that's probably I mean, it's kind of a quick hit, but basically, there was an article on Krebs on Security that essentially a contractor for CISA had posted their repository containing high privileged AWS GovCloud accounts and information about a large number of internal CISA systems.
Corey Ham: And that's bad. That is generally not recommended to publish your stuff on GitHub to the public. When you're typically company agency.
Bronwen Aker: Or form is rule, yep.
Corey Ham: So yeah, basically this is someone from GitGuardian that reported it. Honestly, my biggest question with this is why doesn't GitHub just automatically take this down? For non legacy repos, I know there's secret scanning on GitHub. I know there's, like, capabilities to do this. I'm really confused why I can still in 2026 create a repo that has sensitive exposed data in it.
Corey Ham: Like, I feel like it just shouldn't be that hard to lock that down. I don't know. Am I crazy? Why don't we have guardrails for this?
Bronwen Aker: Well, yes, you are crazy, but not about this.
Corey Ham: I don't get yeah. I don't know.
Alethe Denis: You would
Bronwen Aker: you would think it seems like they're policing all the wrong things.
Corey Ham: It's just a text file called important AWS tokens dot TXT. Like, why is that? I don't get why that is a thing. But, yeah, basically, spokesperson from CISA said the agency is aware of the report exposure and is continuing to investigate the situation. There is no indication that any sensitive data was compromised as a result of this incident.
Corey Ham: While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences. So basically, y'all are about to lose access to GitHub. I'm sorry. That sucks. I
Alethe Denis: think we're gonna see more managed GitHub repos and companies not allowing contractors to have their personal GitHub in the mix, which I think is what happened here. It says this contractor created theirs back in September 2018 and then just used it for the work they were doing.
Corey Ham: Yep. I will say I do think Git GitHub is kind of a nightmare when it comes to managing, like, accounts. It's like, hey. Who's a squeezy hacker 17? Is that should they have access to our GitHub?
Corey Ham: Like, because it uses your Git username, like for enterprise access. I mean, obviously you could force people to create their own Git accounts or GitHub accounts for their job. And that's probably the way to go, But it's not great. You'd think they would pull a Microsoft and have it be integrated with, you know, Entra ID or something. I don't know.
Corey Ham: Weird that it's just
Alethe Denis: I had this problem in the past with engineers that I hired that they want to keep the activity on their own personal GitHub so that they can keep that keep their little green boxes. Keep their streak,
Corey Ham: their shower curtain or their
Alethe Denis: this point, like you're basically asking people to separate their personal work from their professional work. And I think a lot of people are gonna have an issue with that. But security wise, I don't really see another option.
Corey Ham: Totally. It's kind of one of those areas of like, oh, our developers, they're not subject to security policies because they're developers and they're special. But that probably shouldn't be a thing.
Bronwen Aker: Special.
Corey Ham: Yeah. So let's move on. There was also an NGINX critical vulnerability with POC code published. This is CVE-2026-42945 with a CVSS of 9.2, not a 10. At least from our perspective and our customers, this wasn't that exploitable. It requires a certain configuration to be exploitable, and none of our customers matched those criteria.
Corey Ham: Also, was a DoS. So we were like, probably shouldn't mess around too hard with that one. But I guess, has anyone else, anyone, any listeners or any Alethe or anyone, have you seen this one, exploited this one? This one's pretty kind of a nothing burger to use my favorite term.
Alethe Denis: Yeah. I know nothing to contribute for me. I'm waiting for somebody in the chat to finish writing.
Bronwen Aker: But I'm still tripping over the CVE number. 42945.
Corey Ham: That's just from Mythos this week. Probably. Still. Yeah. It's basically I don't know.
Corey Ham: I it's I guess I'm not sure. It was a
Hayden Covington: part
Corey Ham: of F5's quarterly patch. So it actually got released and published as part of another vendors, which is kind of interesting. Like, F5 uses NGINX, so they published this bug. I don't necessarily know if it was AI generate, you know, if it this is actually discovered by AI. They didn't specify, like, the chain of custody on this vulnerability.
Corey Ham: But, basically, long story short, patch your NGINX. This is a broader theme right now in security, which is, like, John's joke from a couple weeks ago was that every CVSS score gets a plus one. So with that old math, this is actually a 10.2 CVSS. So over a 10, you should probably patch that immediately. But, yeah, with AIs running around and, you know, exploiting stuff, this unpatched software stuff gets pretty nasty pretty quick.
Bronwen Aker: Basically, if you're not doing it already, patch all the things, please.
Corey Ham: Yeah. Definitely. We didn't talk about this, or I don't know if it's in the list. But speaking while we're here, there was an article in BleepingComputer that said that they might be publishing Mythos. I don't know.
Bronwen Aker: I hadn't heard that. The last I heard, which was, what, last week, was that Mythos was never going to be accessible to the public, which makes no sense at all to me because it's only a matter of time before they wind up they, meaning the frontier model developers, develop something that's even better at finding and creating malware than Mythos is.
Corey Ham: Yeah. So this just got dropped into my feed by someone. And, like, basically, the reason this became an article is because some users noticed that when they went to select a model in Claude, it, it gave them the option for Mythos. Oh, were
Hayden Covington: you talking about Mythos?
Corey Ham: Well, we're trying to. Now you're here. So now we, we gotta go backwards.
Bronwen Aker: Yay. Welcome to the party, hates.
Corey Ham: Hayden, did you get access to videos?
Hayden Covington: Talking about? No. Did you get it? Dude. If I no.
Hayden Covington: I if only I would have expensed it right away. I'm sure it's $2,000 a month.
Corey Ham: Okay. Queries per week. Well, hold on. In the news article, the screenshot that the whoever, you know, sent to BleepingComputer is just a person who's just on a pro plan. So, like Yeah.
Corey Ham: I saw that. It's not clear on whether it's, I guess, does it say in the UI if you're on like pro or pro 20 x or whatever? Like, don't know, but probably not. But basically, this isn't a real thing, but some users did see that they were able to select Mythos in their UI.
Hayden Covington: Well, Anthropic is notoriously bad at accidentally leaking things ahead of time recently. Like, they leaked model names ahead of time recently. They've leaked things to the UI many times that aren't supposed to be in there yet. So, I mean, this could this I I would guess this is probably just a way to give those, like, Project Glasswing companies access to Mythos inside of Claude Desktop. I don't mean I don't think that this necessarily means that it's coming soon to to us normal people, but it could be.
Hayden Covington: Maybe maybe it could be. I I would hope so.
Bronwen Aker: Well, okay. I mean I found the article, article, I think. Let me go ahead
Corey Ham: and it in the Discord. Yeah. It's, I don't know.
Bronwen Aker: Yep. That's one.
Corey Ham: Basically, it's kind of a it's kind of a rumor. Like, it it's literally just, like, some users were able to select Mythos in the Claude UI. That's it.
Bronwen Aker: Well, they say that they're adding it to Claude Code.
Hayden Covington: That yeah. How are people using it before then? Or what Yeah. It it just connects to to your brain, and it's like, oh, don't worry. I'll find everything that you want.
Corey Ham: You what you do is you you install the Mythos launcher into your environment and then it just sprays it installs it. It's like an EDR. It installs a Mythos agent on every system in your environment. Wonderful. Don't
Hayden Covington: worry. You're now secure.
Corey Ham: You're now secure through Mythos. You just type the prompt to just recurring every minute. Don't hack me, please.
Bronwen Aker: Don't hack me, bro. Don't hack me.
Corey Ham: So next article. This one's kind of fun. I apparently, this has happened before. This is the first one I remember, but the FBI decided to patch patch in air quotes a thousands of routers throughout The US and other places. Basically, they they published this, you know, little write up on what they did and how they did it.
Corey Ham: But, essentially, these are mostly TP-Link routers, toilet paper link for, you know, to expand that acronym. Basically, they were being abused by Russia and probably for, you know, botnet type activities. The FBI went ahead and reset the devices for them. So it's they did actually in in their, like, press release, they basically said that they created a series of commands that it could send to compromised router designed to collect evidence regarding the GRU actors' activities. Mhmm.
Corey Ham: Sure. Just that.
Bronwen Aker: Mhmm.
Corey Ham: Two, reset DNS settings, aka remove the DNS resolvers and force the routers to obtain legitimate DNS resolvers. And then, I guess, three, somehow close the door behind them. So, basically, if your router went down last weekend, I have bad news for you. And there's a list of affected routers.
Hayden Covington: Weekend. Is that bad?
Corey Ham: These are really old routers. Like, most of them are specifically tagged as wireless N routers, which like holy crap that brings me back. Yeah. Yeah. That's a that's an old one.
Hayden Covington: Issue with TP-Links not too long ago either? Like a major issue with TP-Link?
Corey Ham: Most of the I mean, any router has major issues. That's just the way it is. But I don't know specifically any major issues with them recently.
Bronwen Aker: Well, this is not this
Bronwen Aker: is not the first time the FBI has has done stuff. In 2021, they patched, copied, and removed malicious web shells from vulnerable web servers in the Microsoft Exchange ProxyLogon. And they also what what they were involved in removing lingering web shells with the Hafnium Exchange response. So that was 2021.
Corey Ham: 2021, and then it's happened a handful of times since then.
Bronwen Aker: Yes. PlugX botnet disruption, SOHO router botnet disruption. That was, let's see, 2024 and 2023. So they're they're sticking their hands in all kinds of pies.
Corey Ham: I mean, I honestly like, of all the things that you could be sketched out by, this is the least sketchy to me. Like, just taking down botnet infrastructure, I'm here for it. That's super I'd be a little bit salty if my router just stopped working, but honestly, it would be, like, better than participating in a Russian botnet. But also you lose your plausible deniability for being a threat actor. Right?
Corey Ham: Like, before, if you had the Russian botnet running on your home router, just claim anything that you did that was illegal was definitely the Russians. Now you don't have that defense. It's too bad.
Hayden Covington: I mean, you could still claim that. You could just claim it. Just lie.
Corey Ham: Just be like, yeah. It's the Russians. Why don't you patch my router for me, please?
Hayden Covington: Yeah. Yeah. Pretty much. Exactly. Yeah.
Alethe Denis: Think it's cute that they say legitimate users can also reverse the changes by logging into the web management pages and restoring the desired settings. Like all the people that still have this router, none of them are quite
Corey Ham: Are not. Yeah. I do love the idea that someone's like, I really like the Russian DNS servers. I was getting a lot of great results back. I am going to log in, set the Russian DNS servers back so I can Google something and just immediately get malware on my computer.
Alethe Denis: I bet it's like credit card processing routers at, like, fast food chains all over the place.
Corey Ham: Oh, yeah.
Corey Ham: Or
Alethe Denis: something that just doesn't, you know, get residential type internet No
Corey Ham: one even knows they exist. You go to tell the customer that they have it.
Alethe Denis: I don't know.
Corey Ham: Yeah. You're like, hey, you have an exposed router. They're like, where? Even the ISP doesn't know where it is.
Alethe Denis: I don't know if you've ever supported orgs like that, but they'll just like order a new service and then that vendor will be like, this is who we use for Internet. And then you've got like six different routers and all kinds of stuff. And people are using Internet connections that they don't even know.
Corey Ham: Oh, yeah.
Alethe Denis: Where they're coming from.
Corey Ham: Yeah. I think the best one I've seen so far is one of our customers, one of their remote employees connected their laptop directly to their ONT, which is like the fiber terminal, which is basically a modem. And so the laptop pulled a public IP off the ONT, which is like, we found the exposed RDP on the internet. So like, it was just the weirdest thing ever. It's like, this Internet host with a public IP is just one of your work laptops.
Corey Ham: So that's a fun that was a fun scenario. But
Bronwen Aker: Hey. We have another addition
Bronwen Aker: to the party. Hey, Wade. Can't hear you.
Hayden Covington: Oh, but got him. It's the Russian botnet.
Wade Wells: I was
Bronwen Aker: wondering you have a little bit.
Corey Ham: His router his router got patched by the FBI. I get it.
Alethe Denis: That's why he's late too.
Corey Ham: So You got his mixer. Yeah. So Drupal is also oh, hey, Wade. Let's go.
Wade Wells: Yeah. Alright. I got a new camera. How do I look?
Bronwen Aker: You look marvelous, darling.
Corey Ham: That's some nice lighting you got there.
Wade Wells: The lighting is always a problem. Like
Hayden Covington: You look like a hacker, though.
Wade Wells: Do I?
Corey Ham: You got some depth of field. You got some depth of field there. Some bokeh or bokeh.
Wade Wells: Definitely. I got us I got myself one of those, like, fancy Sony DSLR cameras since my webcam broke. But, anyways
Hayden Covington: I just ordered one of those yesterday. We have to talk about this after the so we don't derail another podcast. No. We
Corey Ham: yeah. Speaking of Why
Bronwen Aker: should today be any different?
Corey Ham: Yeah. Speaking of Mythos, let me just keep this train on the tracks. Drupal has released an emergency core security update. I'm blaming Mythos for this completely with no sources to prove that. But, basically, they're publishing an urgent core security update for all supported versions.
Corey Ham: This was as of May 2026. Exploits for the vulnerability could emerge within hours or days after disclosure. I mean, this is kind of a new thing that, you know, as presumably threat actors are doing. Buying, you know, self hosted AI type stuff. And anytime there's a patch to any of the software, reverse engineering it and developing exploits immediately based on the changes made in the patch.
Corey Ham: We're looking at doing it. It's super fun and it's terrifying. Know, obviously, for tools like Windows are more important operating systems and stuff. It's even more impactful. But Drupal is, I think, a pretty common web framework for corporate environments, at least from my my perspective.
Bronwen Aker: Well, Corey, just one one thing when it comes to a a content management system, a CMS, one of the guiding principles you always want to maintain is do not hack the core. Now the problem is with Drupal, anytime you implement it, you have to hack the core. And it's I don't know if they corrected it, but back when I was still doing web development, that was still a thing. You had to hack the core. And that was
Corey Ham: does that even mean? I feel like I'm in a hacker's movie right now. What does hack the core mean? Is that real?
Bronwen Aker: There there are core files in the CMS that you basically do not want to mess with unless you're a Tony Stark plus level genius or you're really desperate to get something shoehorned in and you don't know a better way to do it. Those are, you know, the extreme cases.
Hayden Covington: I like those odds.
Corey Ham: So are you saying that CMSs are hardcore? Is that what you're saying? You.
Bronwen Aker: Two points. No. They're not. But when when you install WordPress or or some other framework or Drupal well, other than Drupal, you're supposed to maintain the integrity of those certain core files. But it's the same thing.
Bronwen Aker: You don't wanna go tweaking your DLLs in a way
Corey Ham: I tweak on DLLs every weekend when no
Bronwen Aker: one's working. But you're a hacker. You're not just a normal web developer, but the problem is with Drupal, you have to hack the core. So there are lots and lots of installations of Drupal that not only won't get patched, but if they do get patched, the poor people patching them have to reverse engineer what changes they made to core files and figure out how to apply those changes after they update the core.
Corey Ham: Alright, Bronwen. You get 10,000 bonus points for figuring out how to legitimately say hack the core and make us sound like we're in a hacker movie.
Wade Wells: Hack the core.
Corey Ham: So what's this? Has anyone seen this Azure vulnerability that they rejected, I guess? Has anyone had a chance to look at this? This is from May 16, so a little bit older, but
Bronwen Aker: Oh, you moved on to
Hayden Covington: another story. Got it.
Corey Ham: New story. Yeah. Basically, a security researcher named Justin O'Leary discovered a security flaw in March reported to Microsoft. MSRC rejected the report. And then basically, he went to CERT and CERT said, no.
Corey Ham: We're gonna assign a vulnerability for this. And then I guess they were like, hey. Never mind. You should probably close this. But basically, this is Azure backup vulnerability, where trusted access is granted and backup clusters have admin privileges for some reason.
Corey Ham: So yeah, I guess this is like Microsoft says this is a feature is the basically the summary of this.
Hayden Covington: Okay, I do remember reading about that one now.
Corey Ham: Is it basically Microsoft's official statement was, this is not a security vulnerability, but expected behavior. It requires pre existing admin privileges within the customer environment. So no product changes were necessary and no CVSS or CVE was issued. But also they fixed it.
Hayden Covington: Well, they
Wade Wells: Well, everything else says
Hayden Covington: that they they they they originally also told MITRE part of the problem was, like, it looks AI generated. So, like, they're like, yeah. We don't want your slop CVEs, but we will go fix the problem. Don't worry.
Corey Ham: So, yes, this is just, from my perspective, this is how you get things like BlueHammer and the BitLocker vulnerability. Like we're in a spot right now where I told a customer last week, could just get local admin on their laptop because of Microsoft. And that's just the way it is. And I think this is the bed that they made for themselves is by doing stuff like this. To basically be like, this isn't a real vulnerability.
Corey Ham: By the way, go fix that, like, right now, please. But, yeah, you don't get a CVE. We can't even give you a T shirt. But, yeah, sucks to suck. I I don't this is really lame.
Corey Ham: I feel bad for the researcher. Kevin, we'll send you a free t shirt. Where where do we where do we send it? Just tell us.
Wade Wells: Did we talk did you guys talk about the researcher who got banned from GitHub?
Corey Ham: No. Please tell us about the researcher who got banned from GitHub.
Wade Wells: Alright. So recently, a researcher who has been releasing Microsoft vulnerabilities got banned from GitHub. So GitHub has terminated the account of Nightmare Eclipse, an anonymous rogue security researcher known for dropping critical unpatched Windows vulnerabilities since
Corey Ham: Oh, yeah. We talked about this. Did we We talked about this. Oh, no.
Wade Wells: Did we? This guy this is just We This was this week. This was last week.
Corey Ham: Okay. We talked about the
Wade Wells: The vulns he released.
Corey Ham: The vulns they released. Okay. So But Did they reinstate it yet?
Wade Wells: Not that Or is it GitHub kicked him off.
Corey Ham: Yeah. Is it gone gone? This is basically, they blocked the yellow key exploit.
Wade Wells: Yep. Yeah. The his repo is gone. 404 error.
Hayden Covington: Well, it's on GitHub to GitLab now.
Wade Wells: He moved to GitLab. Yeah. Yeah.
Hayden Covington: Yeah. Okay.
Corey Ham: So, basically I mean, honestly, though
Hayden Covington: threatening Microsoft. What the it it says move to GitLab, and then they're now threatening to release unspecified documents telling Microsoft to mark this date July 14. That's crazy.
Corey Ham: Woah. I yeah. It's like
Hayden Covington: I mean, I gotta say your bones are shattered that day. Okay? I guess they didn't like losing all their git commit history and everything. Jeez.
Corey Ham: Is this is it actually live on on GitLab either? Or did it also go down there?
Hayden Covington: That's what this article says.
Corey Ham: This deadeclipse.blogspot doesn't seem to have any repos on it. I don't know. But either way, this is basically great case study in how you should not handle public relations with vulnerability researchers. Especially because Yeah. I mean, you're basically the other funny thing about Microsoft is they're part of the Glasswing Mythos, like, cool kids club.
Corey Ham: So, like Yeah. Maybe they're trying to just race to the bottom and fix all this stuff before researchers do. I don't know. I feel like they're gonna lose. We already have a BitLocker zero day or whatever you wanna call it, end day in the wild that's still working as long as you don't have a a PIN on your TPM or whatever.
Corey Ham: I don't know. This feels like a dangerous game for Microsoft to be playing right now.
Wade Wells: The GitLabs are four zero four. Yeah. I
Hayden Covington: found out.
Bronwen Aker:Since we're talking about GitHub, do we wanna talk about team PCP?
Corey Ham:Love PCP. I've got a gallon of it right here.
Bronwen Aker:Team PCP.
Corey Ham:Yeah. I didn't see that article. Let run through it.
Bronwen Aker:It's hold on a second. Let me share it on
Hayden Covington:So so with GitHub getting compromised?
Bronwen Aker:It's them basically, team PCP is actively poisoning open source code.
Hayden Covington:Oh, that one. Oh, yeah. They're still doing that. They've not gotten bored of it.
Bronwen Aker:I mean, it's I think it's been going on for a long time, and, it certainly seems like the type of thing that would be an obvious thing for a group of malicious hackers to do. But Wired seems to think that it's an unusual happenstance.
Corey Ham:I mean, I think it's unusual the level of access they've gotten to from GitHub or, like, within GitHub. Like, that's pretty sketchy. It it seems like they've actually compromised didn't they compromise, like, the internal some of the internal GitHub code as well, not just open source projects?
Bronwen Aker:Was it can't have a wire rule. Let me have a free article.
Hayden Covington:I I don't know if they ever talked about who actually breached GitHub. I think it was last week some GitHub did release that they had internal repositories sort of accessed in some way and stolen I heard it
Corey Ham:was team PCP. I mean, are some articles out there corroborating that. I don't know if
Hayden Covington:that's gonna shock me, man.
Corey Ham:I'll paste it I'll paste the article I found, it's on help net security, basically claiming that team PCP was the ones who get breached GitHub's internal code base through a poisoned Versus code extension. Oh. Yes. Which is just hilarious. That's right.
Corey Ham:Yeah. How is that seriously the the entry vector for this? Like, you work at GitHub and you're just installing random extensions on Versus code. How is that possible? Yeah.
Corey Ham:You don't you don't have a license? Like, you don't have a license? I I I don't know. Whatever.
Hayden Covington:We need to talk about Just friendly reminder, if you're gonna download an extension, you better be sure where it's coming from.
Wade Wells:How how often do you see logs for that situation, Hayden?
Hayden Covington:Of, like, Versus Code extensions? Oh my gosh. We get so many logs of Versus Code. It's crazy.
Wade Wells:Really? I I don't think I've ever been at a location that is logging Versus Code.
Hayden Covington:Well, we get we get alerts quite frequently from the SOC team as we work on rules because our our detections are all as code, and so we're working with code detections, which are technically hitting against the raw detections because they have some of those same matching strings and indicators. So every so often, it'll be like, yep, guys. I'm doing all 14 of these terrible things. Just go ahead and allow this to happen. Please don't isolate me.
Corey Ham:Dangerously skip permissions. It's fine.
Hayden Covington:Yeah. Yeah. Right?
Corey Ham:I mean, that's what Seraph said in Discord, basically. Like, it probably was Claude or Copilot that installed the extension, not the actual user themselves.
Hayden Covington:Oh, no.
Corey Ham:Apparently, it was a pretty well known extension, Nx Console, which I don't know what that is. It better be good. What is it? What does it actually do? This better be related to Vim.
Wade Wells:It's a it's it's a plug in for Notepad plus plus.
Corey Ham:Is it really?
Wade Wells:No. I'm just What is it? That's more a callback to you to you making me uninstall Notepad plus plus everywhere.
Hayden Covington:Oh, yeah.
Corey Ham:Tragic. It enhancers okay. Nx Console enhances your editor's AI features by providing relevant context to large language models powering VS Code and Cursor. Automatic CTA by your workspace infrastructure generators and feed it up to date Nx docs.
Hayden Covington:So this is probably the Microsoft employee needed to, like, juice up Copilot inside of VS Code.
Corey Ham:It probably is part of, like, their internal KBs, I would assume. Right? Like, there's no way someone just decided I don't know. Maybe they I
Hayden Covington:don't know, man. I don't know.
Corey Ham:I mean, let this be a reminder to everyone who's listening to this. If you don't already have an allow list for your browser extensions and your VS Code extensions, you should work on that. Although honestly, in this case, this is a supply chain thing. So even if you do have an allow list, this still could have hit you. And 2,200,000 installs is a lot.
Corey Ham:That's kind of a lucky or unlucky timing thing.
Hayden Covington:Yeah. I've seen a lot of people just say at this point, you need to fork all your dependencies and just pin them. Don't ever update anything.
Corey Ham:Yeah. Speaking of vulnerable routers, UniFi or Ubiquiti also patched three max severity vulnerabilities, unauthorized changes to targeted systems and improper access control, prompt command injection, network access, and then command another command injection one. So basically the router bleeding is never gonna stop bleeding. Like, if you have a router
Hayden Covington:Is that my router updated this weekend? Probably. I guess.
Corey Ham:If you have a router, you need to make sure it's either automatically updating or that you're manually updating it because it this is gonna be just such a common theme this year is just See, I said Vulnerability after vulnerability.
Bronwen Aker:Task reminders to to check to make sure that that stuff is updated at least once a month. Is this just I just
Hayden Covington:make it automatic. I would forget.
Corey Ham:Yeah. Yeah. Was gonna say automatic is the best. But yeah.
Wade Wells:Every morning at 2AM, my my Ubiquiti goes down and comes back up.
Corey Ham:Yeah.
Wade Wells:Me off video games several times because I forgot about it.
Corey Ham:I will say, though. I I will say so.
Hayden Covington:2AM. So
Corey Ham:Yeah. Also, why are you gaming at 2AM? Get it together. Wait.
Wade Wells:Oh, I'm sorry. The only time my children are sleeping.
Corey Ham:Dude, kids go to bed at, like, 6PM, dude. Don't lie. Oh, no.
Bronwen Aker:No. That yeah. That's then
Wade Wells:you then you have to recover after that. That's the
Hayden Covington:The worst worst in your room is that
Wade Wells:one right behind me. So if I click clack on the mechanical keyboard Throwing
Corey Ham:frag grenades.
Wade Wells:Yeah. He gets pissed off.
Corey Ham:He tells me. He's like, dad,
Wade Wells:stop playing video games. No. I
Corey Ham:love that your kid would be telling you to stop playing video games. This would be the ultimate, like, reverse card Uno moment.
Hayden Covington:Yeah.
Corey Ham:But, yeah, I think Bronwen's tip is good because, like, there are scenarios where repos will break. Recently, if you're a Plex person, they had to change some repo keys. And so their auto updates broke. So you had to manually update your repo or whatever. So, like, it's good to check.
Corey Ham:I agree with auto update being the absolute best, but it's also good to verify every month or so that, like, is it working? Do you have to switch your repos, or, you know, is everything good?
Bronwen Aker:And I actually do have it set on auto update, but, you know, paranoia is a survival skill in this industry.
Corey Ham:It's true. It's very true. Any chance What else?
Bronwen Aker:Speaking of supply chain attacks, we wanna talk about Pizza Hut. I was I was trying to
Corey Ham:read that one. Hit us with some pizza. Let's go to the buffet.
Hayden Covington:It seems
Wade Wells:like people gamed the AI in order to cherry pick the deliveries that they want that provided the most tips so they would make more money, which then caused wait times to go out the wazoo. Okay. Hold on. They're saying
Corey Ham:it caused a $100,000,000 in damages.
Wade Wells:This dude owns eleven Pizza Hut. So now that's
Corey Ham:that's Eleven pizza? That's like, dude, how many pizzas is that? That's gotta be, like, a freaking
Wade Wells:guy was rocked. He owns a hundred and eleven. A hundred and eleven Pizza Hut. Jeez.
Corey Ham:So he's claiming almost a million dollars in damages per Pizza Hut?
Hayden Covington:Dude, it is like, can't out pizza
Wade Wells:the hut.
Hayden Covington:So wait. Yeah.
Alethe Denis:Because if it's over thirty minutes, it's free. And he's saying that before this, it was 90% of everything was delivered on time. But after they implemented this, everything went to heck.
Corey Ham:Dragon Tail.
Alethe Denis:So he's giving away free pizzas, essentially.
Corey Ham:Okay. So this is this is a lawsuit between Pizza Hut, like the corporate entity, and a large franchisee. Right? He's basically saying, you made me adopt this AI thing that I don't like, and then it cost me a lot of money, basically.
Hayden Covington:Seems fair.
Alethe Denis:You know what it is? It's the drivers are waiting for additional deliveries. They're not just taking the first one that's ready.
Corey Ham:Okay.
Alethe Denis:And so they're trying to do multiple.
Corey Ham:It's like batching. They're trying
Wade Wells:to
Corey Ham:Yeah, it's starting in
Hayden Covington:an Uber.
Corey Ham:Isn't it also called drag in the old
Bronwen Aker:days with pizza pizzas when you ordered pizza?
Alethe Denis:They would only deliver like multiple orders if they were on the same street or whatever. I mean, if you think back, I like saw a meme of this over the weekend. But if you think that these people were navigating with paper maps, taking a phone call, making a pizza and getting it to your door within thirty minutes, and they implemented this AI and it completely messed everything up when we're like literally missing GPS and like online ordering. I don't understand. But it must have just been, holding drivers from leaving for it said fifteen minutes or more.
Alethe Denis:So
Hayden Covington:That has to be some, like, inflated number where they're like, yeah.
Corey Ham:We we've suffered this reputational damage
Alethe Denis:and stuff. Not fact. This is what they're claiming.
Bronwen Aker:No. It's not. Alleges that Pizza Hut failed adequately train operators on the system.
Corey Ham:So, basically, the courts will
Hayden Covington:decide have reputational damage? Like, what is everybody's overall opinion of Pizza Hut? Like, are you if you're going to get pizza, is that your first choice? Definitely. Me?
Alethe Denis:No. Not generally. Not currently. But I've heard that they are refurbishing the current Pizza Hut design to make it look more like the nineties family friendly
Bronwen Aker:selling heard that on YouTube.
Alethe Denis:One Pizza Hut owner so down for that.
Bronwen Aker:Who was updating his who was retrofitting retro pundit and fitting Yeah.
Corey Ham:His Retro his franchises
Bronwen Aker:himself. But I think that's a different guy.
Corey Ham:Yeah. Okay. I mean, either way, there wouldn't be my first pick, but I do I will I I wouldn't push back. If my friends if it was, like, let's get pizza, we're all drunk, that would be I'd be
Wade Wells:like, fine. Like, it
Corey Ham:would Honestly couldn't be sober pizza. It would never be sober pizza, but it could be drunk pizza.
Wade Wells:If I got a free pizza because it came and didn't come in thirty minutes, I would order all of my pizzas from there hoping that I get another free one. It's
Corey Ham:That's basically what they're claiming happened. Yeah. So the other thing is it's called Dragon Tails, which if you're a nineties kid, I mean, that should hit somewhere for you. Yeah. That's a thing.
Corey Ham:I mean, I think the courts will decide and the verdict better be delivered in whether you can or cannot out pizza the hut, basically.
Alethe Denis:Yeah, essentially. True or false.
Corey Ham:That's funny I mean, honestly, it's a cautionary tale for, like, the companies forcing AI rollouts like this. People don't like AI beings pushed down their throats. Like, whether it's the pizza delivery drivers, the franchise owners, the consumers. If you're gonna do the AI thing, you gotta do it right. You can't mess this up.
Corey Ham:You get one shot, and then you're screwed.
Hayden Covington:Yeah. And you gotta deploy it to, like, a couple stores first because people are gonna figure out that system right away. Like, if somebody if it controls someone's livelihood, they're gonna find the way to maximize that pretty quickly. So instead of doing, you know, a 111 stores or whatever it was of just one dude, maybe do a phased rollout. Maybe be a little careful with it.
Hayden Covington:Maybe keep an eye on it and see if all of a sudden all these orders are late. Like, it just seems like an operational mishap of, hey. We need better AI adoption, and we're not meeting this quarter's goal on AI adoption, so let's just send it.
Corey Ham:So, basically, the good, like, rule of thumb if you're rolling out an AI system is that a bunch of stoned pizza delivery people can figure out the gaps and exploit them. You didn't get a very good pen test.
Wade Wells:That Pretty
Alethe Denis:and like, I think Customer Service 101 is that the customer always lies. I mean,
Wade Wells:the customer always lies.
Bronwen Aker:Well, that
Wade Wells:is why
Bronwen Aker:it's pretty The customer is always right. They may be deaf, dumb, blind, or
Alethe Denis:long tethered. The customer always lies.
Bronwen Aker:But they're always right.
Corey Ham:I love that being the first rule of what
Alethe Denis:is for their own benefit. Like everybody's going to put themselves first. When you as an employer hire contractors, they don't see themselves as part of your team. They see themselves as a separate entity. So if they can take advantage of a system, they're going to.
Corey Ham:Very true. If you're in Germany, I have bad news. There was a huge amount of data leaked from a German healthcare hospital or I guess several hospitals. The article is in German, so I can't read it, but I'm just gonna read the summary. And basically data was stolen from UniMed.
Corey Ham:I'm assuming is how you pronounce that, which handles billing for the hospitals, names, date of birth, address details, and also contains billing data, which includes information about diagnoses and treatment plans. I don't know what the German like HIPAA is. I'm assuming it has like a 17,000 letter long consonant name. I'm curious. I'm assuming their regulations are stricter than ours, but I don't I genuinely don't know what the repercussions of this is, but that that is rough.
Wade Wells:See the article under that one?
Corey Ham:Yeah. We're gonna skip that.
Wade Wells:What?
Corey Ham:I'm not I'm not I'm not wading through those logs. So okay. This one's interesting. Microsoft shut down an illegal code signing operation. Interesting.
Corey Ham:Why wasn't I running in an illegal code signing operation?
Wade Wells:I thought that was you.
Corey Ham:So basically, this is a cybercrime service that sold code signing certificates to ransomware gangs, which can help with bypassing controls and defenses. The they're calling it Fox Tempest, and which has been around since about a year ago and abuses their artifact signing code service. I'm wondering whether these are, like, are they using shell corps or are they actually just stealing the code signing certificates? It looks like they're using shell corps because it says they use fake identities and impersonated real organizations. So they're basically just signing up for an account and being like, hey, what's up?
Corey Ham:It's Pizza Hut. I need a code signing certificate. Don't ask why. And then there's not enough KYC to actually validate that. I don't know.
Corey Ham:Either But way, it's an interesting one.
Wade Wells:I was just doing Intel research around certs, right, for for my actual class that we'll talk about later, I guess. But crt.sh has been down for like the past month. The last month trying to get to it and to to build some labs off of it, and it just kept going down. If you don't know what crt.sh is, it's pretty much every public
Corey Ham:certificate transparency log.
Wade Wells:In in ever. Right? So then you can go there and theoretically trace back one of these malicious certs back to Microsoft and their poor signing capabilities. But you could also look if they're using the same names or if they're using the same company names. You could then go look around for the same certs.
Wade Wells:But, of course, like, I knew the moment I talked about this online, it was gonna work, and it did. Okay. There it goes. 502 gateway. I got in once.
Corey Ham:I think you're just rate limited, man.
Wade Wells:I I'm haven't been hitting it that much. Like
Corey Ham:It doesn't like you.
Wade Wells:They have it on GitHub. I'm like, maybe I should just stand up my own. Like
Corey Ham:I will say there are a lot of other sources for certificate transparency data, and crt.sh is just one. And you should have an official if you if you rely on this kind of data, you should have a paid API that gives you access to the certificate transparency data. Hey. Most of the big ones have it, like, you know, your SecurityTrails or Censys or Shodan or those. But yeah.
Corey Ham:Anyway, that's a fun little cybercrime operation disrupted. There's no chicken news.
Bronwen Aker:I'm sorry. Story. It's not a
Corey Ham:cyber security
Bronwen Aker:chicken story. I But it is a chicken story.
Hayden Covington:Okay. I also have a normal article whenever Hey. That's with the chicken. Chickens. Rubber chicken.
Hayden Covington:Go.
Bronwen Aker:So a a chicken escaped a poultry factory and is now living the life of Riley. It's been rescued. This per person on Reddit is in East Williamsburg and said that a chicken escaped a local poultry factory and is now just enjoying its nice and easy life living in the bathtub.
Wade Wells:For those listeners and that are listening to us and not with a visual podcast, we're looking at a chicken on the side of the street hiding behind some containers. It definitely doesn't look like a normal chicken. It is black, which do someone who is more chicken informed than me. Like, what that is not a typical American chicken. And why is it in the bathroom in pink light?
Alethe Denis:Have you never gone to, like,
Wade Wells:a Kelly's barracks? Alethe has it. Come on. Come on. What kind
Corey Ham:of chicken is place? Worried about this person's bathroom? Bathroom? Like, what is the lighting in their bathroom?
Alethe Denis:That's scary. I don't think we should
Corey Ham:be I showing feel
Hayden Covington:mood lighting.
Wade Wells:What? It's okay.
Corey Ham:So Alethe Alethe already nailed the first rule of retail, which is that the customer's always lying. I think that the first rule of Reddit
Bronwen Aker:Not lying.
Corey Ham:I think the first rule of Reddit is the same rule that the poet the OP is always lying.
Wade Wells:Always lying. You never go look at their let's go look at their history. Okay. Their posts are open.
Hayden Covington:You probably don't wanna do that.
Wade Wells:There's It didn't didn't give me an SFW flag, so that's how we know it's okay. This is
Hayden Covington:more Reddit coded than me, I guess.
Bronwen Aker:I don't Like I said, it's not cybersecurity related, but it is a chicken story, and the chicken is free.
Corey Ham:Alright. I mean, there's let yeah. Let's let's let's move on, but I think you could spend fifteen seconds debunking this. It also appears to be a rooster. Why there would be a rooster?
Corey Ham:Anyway Let's move on.
Hayden Covington:So my story, I put it in the Zoom chat. It's just a bleeping computer article. It's the first article I could find on this. And this this is half story, half, like, wild tinfoil hat hypothesis. Right?
Hayden Covington:So it started for us about Friday in the Black Hills SOC as we started getting a ridiculous amount of alerts for customers for all sorts of, like, terrible things. And so this is, like, several spanning different customers, and we're like, oh, that's not good. But we quickly figured out this is just their Nessus scanners. Why all of a sudden are they, like, firing off the hook? Come to find out, there's some Nessus plug in for the exploit POC for mini plasma.
Hayden Covington:So that's what the article is on. Is it's a privilege escalation zero day. Supposedly, it's just a re like, resurrection of an older vulnerability from 2020. But from from what I've gathered, Nessus has started scanning with us as part of their standard scans as as one does. But I found a thread specifically from CrowdStrike where one of their sort of, I guess, internal people posted a support article about this saying that, evidently, Nessus decided to start running this POC code, like, exploit code live on on machines to test if it's vulnerable.
Hayden Covington:And so I guess all of our customer fleets started running this code sending our alerts into a spiral. So we had a few customers that were talking to us and asking, what is going on here? We're trying to explain this to them. We had one that said their EDR was, like, driving them nuts that it triggered, I don't know, I think I think they said, like, somewhere around 20,000 alerts from this EDR
Corey Ham:from these scans.
Hayden Covington:I think I I got a call at, like, 4AM on Sunday from one of our guys asking, like, what are we supposed to do about this? Because it's just messing scanners, and it's
Corey Ham:just blowing everything up. You're just sitting there watching 20,000 alerts roll and be like, that should be normal, baby.
Wade Wells:Right. That's normal. In a SOC, that is totally normal. Like, everything breaking and 50,000 alerts coming in, like, I don't know how many times that's happened to me.
Hayden Covington:It shouldn't be normal, but it is. But this this time, it was like oh, man. It was it was immensely frustrating. And and we, like, we held off the rush after a little bit because we have, like, intelligent risk scoring on our rules. So after a while, they started to recognize that, like, this is not actually real malicious activity.
Hayden Covington:This is a simulated malicious activity. So it eventually slowed down a bit, but there was a good while there where we're all like, like, what is going on until we found out, like, ah, this very exciting plug in here is causing a lot of problems. So if your EDR is firing up the hook, you might wanna look into your Nessus scans.
Corey Ham:Yeah. I mean, that's crazy. Has it how long has it been since there was an exploitable vulnerability like this? Like, since we had EDR? Like, I I'm confused.
Corey Ham:Wouldn't this happen anytime there's a local privesc or something in Windows? Like or is it just that this specifically hits on some signature?
Hayden Covington:What changed or what happened that was different.
Corey Ham:It also could be that CrowdStrike beat them to the punch. You know what I mean? Like, they developed an alert for this before the scanner plug in was developed.
Hayden Covington:It also wasn't just CrowdStrike.
Wade Wells:Was, like, two or
Hayden Covington:different EDRs.
Wade Wells:Then it's not a scan.
Hayden Covington:They're actually running the what it was.
Wade Wells:That's why.
Hayden Covington:Right. So we had it was CrowdStrike, SentinelOne, and Defender, like, all were really angry. At least those three were were ticked off about that mess. And so those all three were firing up the hook like crazy. Interesting.
Hayden Covington:So that was that was interesting. I I still am very curious. So, Wade, you said it's because they were just running effectively the raw code. They weren't That's that's what it's saying. Yeah.
Corey Ham:Was, but it's TL;DR.
Wade Wells:Yeah. The Tenable Nessus decided that actually running an exploit POC of mini plasma against its hosts is the best way to test if it's vulnerable. So
Hayden Covington:And it's like when they started spamming JNDI, like, Log4Shell strings against everything.
Wade Wells:Like, one of the one of the top tunes you do right off the bat, though, right, is you say Is Nessus. Everything the Nessus user does. So that's, like, number one. And then, it does crazy stuff.
Corey Ham:Are you saying we have to tune the EDR? Is that similar to changing my router settings?
Wade Wells:Right. Very similar. You you don't just any any. You deny that.
Corey Ham:I always end my firewall rules with an allow all just in case someone wants to get to something.
Hayden Covington:Well, it's just like with EDRs. Like, if you have the insert vendor name here, then it's the perfect one, and you'll never get hacked. And so we will take bids for which vendor name we actually insert in there and post. So we'll start that bidding. Just go ahead, email.
Hayden Covington:Corey, what's your email again for Blackhills?
Corey Ham:It's Hayden@BlackhillsInfosec.com.
Hayden Covington:Hot. Damn. He got me.
Wade Wells:Jay Strand? Is that what it was? No. Jay Strand. Strand dance.
Corey Ham:It does sound cool enough to have a first name email.
Wade Wells:No. No. Well, the Jay Strand, it's a it's a it's a canary email, people who aren't sure.
Corey Ham:It's our marketing email, J Strand.
Hayden Covington:We had someone send a really nasty email, a vendor that we had contacted to do some work. They we didn't respond to them quick enough, so they just found John's email and emailed him directly. So I got into and and basically told him, like, hey. Your team is not responding to this fast enough. Here's everything our product does.
Hayden Covington:So I went and domain blocked that entire company, and John thought that was hilarious. Just they're just they're just totally, like, blacklisted now in our
Wade Wells:Is that a very aggressive EDR company that we all know about?
Hayden Covington:No. It was a it was a different company. I'll tell you afterwards.
Corey Ham:I think I know which one you're talking about, Wade. Is it the one that always offers you a Yeti mug? I'm like, dude, I have a Yeti mug. I'm not
Wade Wells:I got so many Yetis. Like, you gotta get me something really good now to
Corey Ham:I'm not gonna click the phish
Wade Wells:for Yeti whale
Bronwen Aker:on my
Corey Ham:sand mugs. Okay. Now if you start phishing me offering a DGX Spark, I'm gonna click that shit in a heartbeat. I'm I'm not clicking for a Yeti.
Wade Wells:I got an Oculus Quest once.
Corey Ham:You actually got it, or you got this?
Wade Wells:Yeah. It's behind me. There's a Proofpoint Oculus Quest behind me right now if anybody wants it. It's it's cool.
Corey Ham:But you sold your soul for an Oculus Quest. Alright. This week in security. Yeah. Dude, I sold
Hayden Covington:myself for my soul for a Chipotle bowl, man. I think
Wade Wells:this was, like, 2020. I think it was, like, 2020 that I got that. Yeah. Like, I was stuck inside. Come on.
Wade Wells:It's a VR headset. Like, I was like, you know what? I just gotta listen to a sales pitch.
Hayden Covington:Like, see
Bronwen Aker:In 2020, come on. We were still in full COVID lockdown. Of course.
Hayden Covington:They had the blood saver though. Yeah. But I'm
Wade Wells:gonna tell you right now. Star Wars flight games with a headset was amazing, and I thoroughly puked.
Hayden Covington:Oh, dude.
Wade Wells:Like, I I I was like, I can fly a tie an x wing. No problem. No. Dude, it was not a half
Corey Ham:ass puke. It was a thorough puke.
Bronwen Aker:This poster
Wade Wells:this poster right here is because I threw a grenade in Half-Life: Alyx and
Hayden Covington:punched hole in your door?
Wade Wells:Punched the wall. Like
Hayden Covington:Oh, that that game's terrifying in VR. Been bigger room.
Wade Wells:I didn't have anywhere to play. You know?
Hayden Covington:Where's this Phasmophobia in VR? I don't know if you've played that game, but it's like a ghost type game. I'm good.
Wade Wells:I'm good.
Hayden Covington:It's horrifying. It was not a good experience. I did one round of that in VR. I was like, nope. I'm done.
Hayden Covington:I'm I'm good without this.
Bronwen Aker:I I'm not a fan of horror video games, and if it has zombies, I am out. So I can't imagine doing that in VR.
Corey Ham:Alright. So based on yeah. Now that it's almost the end of the show, so let's have everyone plug your stuff. Who wants to go Wade, do wanna go first? You're on
Wade Wells:the screen. I'll go first. I'm here. So I am giving a threat intelligence class in one month. It's my Threat Intel 101 class, it's now two days.
Wade Wells:It has a lot more. I think there's 13 labs in it now. And we talk about everything about getting into intel, the roles that you'll have, dark web stuff now. I have some an OSINT class. Surprisingly, the OSINT class was really hard for me to write just because I wasn't sure how to scope it.
Wade Wells:Right? Like, if you're doing CTI, you you're not gonna be really looking at people. But, anyways, it's it's fun. Come check it out. I'll be on Simply Cyber talking about it later this week too.
Corey Ham:Sweet. Alethe, you got some stuff?
Alethe Denis:Yep. I have one thing coming up quick. This Friday, May 29, starting at 12PM Eastern. So 9AM Pacific, if I'm doing the math correctly. That workshop is four hours.
Alethe Denis:It's on social engineering and creating pressure proof pretext for primarily physical engagements, but can go outside of that as well. So that is pay what you can or $25 and open enrollment ends soon.
Hayden Covington:Awesome. And then Wade's class is also part of the threat hunting summit, which is gonna be, June 17, and then there will be classes that follow it. There's gonna be lots of very cool talks, lots of trainings that follow it, a lot of very interesting talks like how AI agents solve threat hunting's biggest problems. We experiment a lot with how when you augment human based, you know, threat hunting with with AI to scope these things out for you, make them a bit easier just to find sources. The keynote specifically is Jason Haddix looks like.
Hayden Covington:So that one will be be one to be around for. And then there's a pretty sick panel with a bunch of sort of IR legends. You got our our own Patterson and Troy on there as well, so that'll be a pretty awesome one too. Just had to
Corey Ham:do it. I love
Hayden Covington:a good deal. Landmines, insurance, and incident response.
Corey Ham:Wow. Landmines. Sign me up. Yeah. Alrighty.
Corey Ham:Well, I think that's everything. Any final article that you're around on Thursday. Oh, yeah. Bronwen, you have a webcast. Right?
Bronwen Aker:Why do I feel like the redheaded stepchild today? No. Yeah. Thursday, I'm doing The Paranoid Prompter. It's gonna be talking about using AI, specifically targeting use cases and examples for cybersecurity.
Bronwen Aker:And we're we're gonna touch on a lot of different things. So talking about some of the liability issues, going into some practical use cases, and lots of ways to stack your prompts and build a library that will help you go further, farther, faster.
Corey Ham:Paranoid Prompter is so good. That's such a fun like, I love that. That's amazing.
Wade Wells:With alliteration.
Corey Ham:Yeah. That's awesome.
Alethe Denis:Alright. That's my favorite.
Corey Ham:Else has anything to plug. Right? I don't have
Hayden Covington:anything your we gotta start plugging your Strava, Corey.
Corey Ham:You guys if you've if you've ever seen a private you've ever seen a private Strava that no one else can access unless you're someone I personally know in real life, you should definitely follow me on Strava. Alright. That's all I have to plug. Yeah. Have a good week, everyone.
Corey Ham:Short See you next Monday. Bye bye.
Bronwen Aker:Kill it with fire, Meagan.
Wade Wells:So hot in this room.
Corey Ham:Dying. Wade held it in camera.