Corey

Is this thing on? Where's my chicken tendies? Where's my triple dipper combo or whatever? I don't know what Chili's is, but people are into that thing. If you like chilies, paste in the chat. Your favorite order from Chili's. I don't. There's not Chili's where I live, so I don't know what that is.

Elise

If anybody says it's their chips and salsa, I've got beef with them on that one.

Corey

Why are they like really bad salsa? That's fair.

Bronwyn

I can't even remember how many years it's been since I was to a Chili's.

Corey

I've just discovered. Oh, no, but says it's permanently closed. Yeah, they don't exist in my region. I would have to drive. Oh, no, it's also permanently closed. How far would I have to drive to get to a Chili's?

Bronwyn

See, I know that the chain lives on in the video game.

Corey

Wait, what? Where's this going?

Bronwyn

The video game?

Corey

No, no, it's definitely still a real thing. It's just not in the Pacific Northwest.

Bronwyn

Okay.

Elise

Restaurant. Unfortunately, in California.

Corey

They're everywhere. Okay. So I would have to drive or ride my bike because that's how I get places foreign. Let's find out how far it would take me. It would be a three day bike ride. 767 miles. But it would probably be insanely beautiful because it would go through eastern Oregon and then Northern California. It would be incredible.

Bronwyn

That sounds nice.

Corey

I'm gonna do that. I'll see you guys in a month.

Bronwyn

Do attack. Today is a matter of quality, not quantity. Sorry. You know, if you ever do get down this way, Corey let me know and we will make.

Corey

Somebody can go to Chili the Smoker

Bronwyn

and have just, you know, I'll make homemade baked beans from scratch. Well.

Corey

Oh, my goodness.

Bronwyn

Do the whole schmear.

Corey

Okay. That sounds way better than Chili's. The trip plans have changed. I'm definitely not going to Chili's anymore. But I think you live farther away than my nearest Chili's, unfortunately. Let's see. Yeah, that would add another 300 miles. It would be 1059 miles.

Bronwyn

Well, yeah, I mean, that's a lot for me to drive from. From my house to Sacramento is easily eight hours by car.

Elise

Yikes.

Corey

So. And I only travel by bike. So that definitely extends the timeline quite significantly.

Bronwyn

I will say in the middle.

Corey

Yeah. Over the weekend I rode my bike to the Pacific Ocean and I talked to a guy there that was. He was riding from Canada to Mexico and I was like, that's a. That's a lot of writing. That was the whole conversation. I think he was kind of lonely. It's kind of like riding from Canada to Mexico would take. He said he budgeted a month. I was like, that's pretty good. That's pretty good pace.

Elise

That seemed a little ambitious by my standards.

Corey

Yeah, that's like 80 to 100 miles a day, which is pretty. I mean that's a. That's a commit.

Bronwyn

That is a definite commit. I mean, a gajillion years ago I did walk Hadrian's Wall, which I was averaging. But the first day was the longest. I was like 15 miles, but it was all flat. And then later on the average was seven to ten miles a day.

Corey

That sounds amazing. I want to go do this.

Bronwyn

It was, it was awesome.

Corey

Just wandering through fields feeling like you're in Lord of the Rings, I'm assuming.

Bronwyn

Yeah, you do a lot of that in and it's kind of embarrassing. I. I blistered my feet badly on that particular excursion, so I wound up having to do a little bit of cheating. There's a bus line that runs along the. Well, you know, you should have seen I had so many. They call.

Corey

Blisters are. Blisters are one way trip. Once you blister up, you can't go back. It takes weeks to heal.

Bronwyn

Yeah, well, actually I was pretty good by the end of the week, but that, that first day. Oh my God. I got to.

Corey

I.

Bronwyn

It's. It's a whole long story, but the thing you want to do is you want to walk from west to east so that the wind is at your back. Even though Sycamore Gap no longer has a sycamore because a deranged teenager chopped down a multi hundred year tree, it's still very scenic. There are tons of Roman sites where they had garrisons and. And various other things that are museums all along that way. And it's. It's really. If you want to do just the walk. Yes. Tons and tons of sheep pastures and it's about 80 something miles, so.

Corey

All right, well, I think we've stalled long enough. John Strand has abandoned us. We must continue without him.

Bronwyn

Hey, you know he's jet setting. That jet lag is not to be messed with.

Corey

That's true. All right, you can roll the finger, Megan. Let's do this.

Elise

All right, give me one second because

Corey

there might be have to download more ram first. I get it. I've been there.

Bronwyn

Rolling in three, two.

Corey

Hello and welcome to Black Hills Information securities Talking about news. It's Tuesday. I'm scared. I thought we only do this show on a Monday, but yesterday was Memorial Day in the US which means we weren't here. And so now we're here with our skeleton crew of people who actually survived the weekend, apparently. I guess it took some people out. We've got me, we've got ath and we've got Bronwin. How's it going?

Elise

Doing well. How about you?

Corey

I'm alive. That's what I've been telling people. I feel like that says that's. That's as aggressive as I'm willing to go, you know, like, I don't want to get. I am alive. It is true. And that's, you know, I don't want to be. I don't want to be mean.

Bronwyn

If you're not alive, you look awfully good for a corpse, I'll say that much.

Corey

Thank you. Yeah, that's the goal. That's my. That's my bar is like, look better than a zombie. So that's. That's always how I'm trying to live. Stories this week we've got some good stuff. We put. We have had our routers patched by the FBI. That's nice. We also leaked our govcloud keys. Oops. We also got our NGINX web servers exploited by Mythos. There's all kinds of fun stories. I think let's dip into the CISA govcloud thing. I think that's probably. I mean, it's kind of a quick hit, but basically there was an article on Craig's Krebs on security that essentially a contractor for CISA had posted their repository containing high privileged AWS GovCloud accounts and information about a large number of internal CISA systems. And that's bad. That is generally not recommended to publish your stuff on GitHub to the public.

Bronwyn

It's when you're a government agency or form is rule. Yep.

Corey

So, yeah, basically this is someone from Git Guardian that reported it. Honestly, like, my biggest question with this is like, why doesn't GitHub just automatically take this down? Like, how do they. How are we, like for non legacy repos? Like, I know there's Secret scanning on GitHub. I know there's like capabilities to do this. I'm really confused why I can still in 2026 create a repo that has sensitive exposed data in it. Like, I feel like it just shouldn't be that hard to lock that down. I don't know. Am I crazy? Why don't we have guardrails for this?

Bronwyn

Well, yes, you are crazy, but not about this.

Corey

I don't get. Yeah, you would.

Bronwyn

You would think. It seems like they're policing all the wrong things.

Corey

It's just a text file called important AWS tokens. Txt. Like why is that? I don't get why that is a thing, but yeah, basically. A spokesperson from CISA said the agency is aware of the report exposure and is continuing to investigate the situation. There is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences. So basically y' all are about to lose access to GitHub. I'm sorry, that sucks.

Elise

I think we're going to See more Managed GitHub repos and companies not allowing contractors to have their personal GitHub in the mix, which I think is what happened here. It says this contractor created theirs back in September of 2018 and then just used it for the work they were doing.

Corey

Yep. I will say I do think Git GitHub is kind of a nightmare when it comes to managing like accounts. It's like, hey, who's Squeezy Hacker17 is that. Should they have access to our GitHub like, because it uses your git username like for enterprise access. I mean, obviously you could force people to create their own git accounts or GitHub accounts for their job and that's probably the way to go, but it's not great. You'd think they would, you know, pull a Microsoft and have it be integrated with, you know, Entre ID or something. I don't know. It's weird that.

Elise

It's just I had this problem in the past with engineers that I hired that they want to keep the activity on their own personal GitHub so that they can keep that. Keep their little green boxes, keep their

Corey

streak, their shower curtain or their.

Elise

At this point, like you're basically asking people to separate their personal work from their professional work and I think a lot of people are gonna have an issue with that. But security wise, I don't really see another option.

Corey

Totally. It's kind of one of those areas of like, oh, our developers, they're not subject to, to security policies because they're developers and they're special, but that's probably shouldn't be a thing. Yeah. So let's move on. There was also an Nginx critical vulnerability with PoC code published this is CVE 2020642945 with a CVSS of 9.2, not a 10, at least from our perspective and our customers. This wasn't that exploitable. It requires a certain configuration to be exploit, and none of our customers matched those criteria. Also, it was a dos, so we were like, probably shouldn't mess around too hard with that one, but I guess. Has anyone else? Anyone. Any listeners or any elite or anyone. Have you seen this one? Exploited this one. This one's pretty kind of a nothing burger, to use my favorite term.

Elise

Yeah, no, nothing to contribute for me. I'm waiting for somebody in the chat

Bronwyn

to finish writing, but I'm still tripping over the CVE number 42, 945.

Corey

That's just from Mythos this week.

Bronwyn

Probably

Corey

still. Yeah, it's basically. I don't know, I. It's. I guess I'm not sure. It was part of F5's quarterly patch, so it actually got released and published as part of another vendors, which is kind of interesting. Like, F5 uses nginx, so they published this bug. I don't necessarily know if it was AI generated, you know, if this is actually discovered by AI. They didn't specify, like the chain of custody on this vulnerability, but basically, long story short, Patcher nginx. This is the broader theme right now in security, which is like John's joke from a couple of weeks ago was that every CVS score gets a plus one. So with that old math, this is actually a 10.2 CVSS. So over a 10. Uh, you probably patch that immediately. But yeah, with AIs running around and, you know, exploiting stuff, this unpatched software stuff gets pretty nasty pretty quick.

Bronwyn

Basically, if you're not doing it already, patch all the things, please.

Corey

Yeah, definitely. We didn't talk about this or I don't know if it's in the list, but speaking while we're here, there was an article in Bleeping Computer that said that they might be publishing Mythos. I don't know.

Bronwyn

I hadn't heard that. The last I heard, which was what? Last week, was that Mythos was never going to be accessible to the public, which makes no sense at all to me because it's only a matter of time before they wind up. They, meaning the frontier model developers develop something that's even better at finding and creating malware than Mythos is.

Corey

Yeah, so this just got dropped into my feed by someone and like, basically the reason this became an article is because some users noticed that when they Went to select a model in Claude. It. It gave them the option for Mythos.

Wade

Are you talking about Mythos?

Corey

Well, we're trying to. Now you're here, so now we. We got to go backwards.

Bronwyn

Yay.

Corey

Hayden, did you get access to Mythos?

Wade

Talking about. No, I wish. Dude, if I. No, I. If only I would have expensed it right away. I'm sure it's a thousand dollars a month.

Corey

Well, okay.

Wade

Three queries per week.

Corey

Well, hold on. In the news article, the screenshot that the. Whoever, you know, sent to bleeping computer is just a person who's just on a Pro plan. It's not clear on whether it's. I guess. Does it say in the UI if you're on, like, Pro or Pro 20X or whatever? Like, I don't know, but probably not. But basically, this isn't a real thing. But some users did see that they were able to select Mythos in their ui.

Wade

Well, Anthropic is notoriously bad at accidentally leaking things ahead of time recently. Like, they leaked model names ahead of time recently. They've leaked things to the UI many times that aren't supposed to be in there yet. So, I mean, this could. This. I. I would guess this is probably just a way to give those, like, project class wing companies access to Mythos inside of cloud desktop. I don't mean. I don't think that this necessarily means that it's coming soon to. To us normal people, but it could be. Maybe. Maybe it could be. I. I would hope so. Well, that'll be nice.

Bronwyn

I found the article, I think. Let me go.

Corey

Yeah, I pasted in the discord. Yeah, it's. I don't know.

Bronwyn

Yep.

Corey

That's basically. It's kind of a. It's kind of a rumor. Like, it's literally just like. Some users were able to select Mythos in the cloud ui. That's it.

Bronwyn

Well, they say that they're adding it to Claude code.

Corey

Yeah.

Wade

How are people using it before then?

Corey

Whatever. Yeah, it just connects to.

Wade

To your brain and it's like, don't worry. I'll find everything you want.

Corey

You. What you do is you. You install the Mythos launcher into your environment, and then it just sprays. It installs it. It's like an edr. It installs a Mythos agent on every system in your environment. Don't worry.

Wade

You're now secure.

Corey

You're now secure through Mythos. You just type. The prompt is just recurring every minute. Don't hack me. Please

Bronwyn

don't hack me, bro.

Corey

So next article this one's kind of fun. I apparently this has happened before. This is the first one I remember. But the FBI decided to patch patch in air quotes thousands of routers throughout the US and other places. Basically they, they published this, you know, little write up on what they did and how they did it. But essentially these are mostly TP link routers, toilet paper link for you know, to expand that acronym. Basically the were being abused by Russia and probably for you know, botnet type activities. The FBI went ahead and reset the devices for them. So it's. They did actually in, in their like press release they basically said that they created a series of commands that it could send to compromise router designed to collect evidence regarding the GRU actors activities. Sure. Just that to reset DNS settings, AKA remove the DNS resolvers and force the routers to obtain legitimate DNS resolvers and then I guess three somehow close the door behind them. So basically if your router went down last weekend, I have bad news for you and there's a lot of effect this weekend.

Wade

Is that bad?

Corey

These are really old routers. Like most of them are specifically tagged as wireless N routers which like holy crap, that brings me back. Yeah, that's a, that's an old issue

Wade

with TP links not too long ago either like a major issue with TP link.

Corey

Most of the, I mean any router has major issues. That's just the way it is. But I don't know specifically any major issues with them recently.

Bronwyn

This is not the first time the FBI has, has done stuff in 2021 they patched, copied and removed malicious web shells from vulnerable web servers in the Microsoft Exchange proxy logon. And they also they were involved in removing lingering web shells with the hafnium exchange response. So that was 2020.

Corey

So it started in 2021 and then it's happened a handful of times since then.

Bronwyn

Yes, Plug X botnet disruption, SOHO router botnet disruption. That was see 2020, 24 and 2023. So they're, this is pretty normal. They're. They're sticking their hands in all kinds of pies.

Corey

I mean I honestly like, of all the things that you could be sketched out by, this is the least sketchy to me. Like just taking down botnet infrastructure. I'm here for it. That's super. I'd be a little bit salty if my router just stopped working. But honestly it would be like better than participating in a Russian botnet. But also you lose your plausible deniability for being a threat actor. Right. Like before, if you had the Russian botnet running on your home router, just claim anything that you did that was illegal was definitely the Russians. Now you don't have that defense. It's too bad.

Wade

I mean, you could still claim that. You could just claim it. Just lie.

Corey

Just be like, it's the Russians. Why don't you patch my router for me, please?

Wade

Yeah, yeah, pretty much exactly.

Corey

Yeah.

Elise

I think it's cute that they say legitimate users can also reverse the changes by logging into the web management pages and restoring the desired settings. But, like, all the people that still have this router, none of them are going.

Corey

Are not. Yeah. I do love the idea that someone's like, I really like the Russian DNS servers. I was getting a lot of great results back. I'm going to log in, set the Russian DNS servers back so I can Google something, and just immediately get malware on my computer.

Elise

I bet it's like credit card processing routers at like, fast food chains all over the place.

Corey

Oh, yeah.

Elise

It just doesn't get residential type Internet traffic.

Corey

No one even knows they exist. You go to tell the customer that they have.

Elise

I don't know.

Corey

Yeah, you're like, hey, you have an exposed router. They're like, where? Even the ISP doesn't know where it is.

Elise

I don't know if you've ever supported orgs like that, but they'll just like, order a new service and then that vendor will be like, this is who we use for Internet. And then you've got like six different routers and all kinds of stuff. And people are using Internet connections that they don't even know.

Corey

Oh, yeah.

Elise

Where they're coming from.

Corey

Yeah. I think the best one I've seen so far is one of our customers, one of their remote employees connected their laptop directly to the ont, which is like the fiber terminal, which is basically a modem. And so the laptop pulled a public IP off the ont, which is like, we found the exposed RDP on the Internet. So, like, we just. The weirdest thing ever. It's like this Internet host with a public IP is just one of your work laptops. So that's a fun. That was a fun scenario.

Bronwyn

But hey, we got another addition to the party.

Wade

Hey, Wade.

Corey

Can't hear you. Oh, they got him.

Wade

It's the Russian botnet.

Bronwyn

He's double muted all bet.

Corey

His router. His router got patched by the FBI. I get it.

Elise

That's why he's late too.

Corey

So we got his mixer. Yeah. So Drupal is also. Oh, hey, wait.

Wade

Let's go.

Megan

All right, I got a new camera. How do I look? You look.

Corey

That's some nice lighting you got there.

Megan

The lighting is always a problem.

Wade

Like, you look like a hacker though.

Corey

Do I have some depth of field? You got some depth of field there some bokeh or. Bokeh, definitely.

Megan

I got us. I got myself one of those like fancy Sony DSLR cameras since my webcam broke.

Wade

But anyways, I just ordered one of those yesterday. We have to talk about this after so we don't derail another podcast.

Bronwyn

Yeah, speaking of, why should today be any different?

Corey

Speaking of Mythos, let me just keep this train on the tracks. Drupal has released an emergency core security update. I'm blaming Mythos for this completely, with no sources to prove that, but basically they're publishing an urgent core security update for all supported versions. This was as of May 2026. Exploits for the vulnerability could emerge within hours or days after disclosure. I mean, this is kind of a new thing that, you know, as presumably threat actors are doing, buying, you know, self hosted AI type stuff. And anytime there's a patch to any of this software, just reverse engineering it and developing exploits immediately based on the changes made in the patch, we're, you know, looking at doing it. It's super fun and it's terrifying. You know, obviously for tools like Windows are more important operating systems and stuff, it's even more impactful. But Drupal is, I think, a pretty common web framework for corporate environments, at least from my. My perspective.

Bronwyn

Well, Corey, just one, one thing. When it comes to a content management system, a cms, one of the guiding principles you always want to maintain is do not hack the core. Now the problem is with Drupal, anytime you implement it, you have to hack the core and it's. I don't know if they corrected it, but back when I was still doing web development, that was still a thing. You had to hack the core and that.

Corey

What does that even mean? I feel like I'm in a hackers movie right now. What does hack the core mean? Is that real?

Bronwyn

There. There are core files in the CMS that you basically do not want to mess with unless you're a Tony Stark plus level genius or you're really desperate to get something shoehorned in and you don't know a better way to do it. Those are, you know, the extreme cases.

Wade

I like those odds.

Corey

So are you saying that CMSs are hardcore? Is that what you're saying?

Bronwyn

Two points.

Corey

No, they're not.

Bronwyn

But when. When you install WordPress or some other frame or Drupal, well, other than Drupal, you're supposed to maintain the integrity of those certain core files. It's the same thing. You don't want to go tweaking your DLLs in a way.

Corey

Oh, I tweak on DLLs every weekend when no one's.

Bronwyn

Well, yeah, but you're a hacker. You're not just a normal web developer. But the problem is with Drupal, you have to hack the core. So there are lots and lots of installations of Drupal that not only won't get patched, but if they do get patched, the poor people patching them have to reverse engineer what changes they made to core files and figure out how to apply those changes after they update the core.

Corey

All right, Bronwyn, you get 10,000 bonus points for figuring out how to legitimately say, hack the core and make us sound like we're in a hacker movie.

Wade

Hack the core.

Corey

So what's this? Has anyone seen this Azure vulnerability that they rejected? I guess. Has anyone had a chance to look at this? This is from May 16, so a little bit older, but.

Bronwyn

Oh, you moved on to another story. Got it.

Corey

New story. Yeah, basically a security researcher named Justin o' Leary discovered a security flaw in March, reported to Microsoft, MSRC rejected the report. And then basically he went to CERT and CERT said, no, we're going to assign a vulnerability for this. And then I guess they were like, hey, never mind, you should probably close this. But basically this is a Azure backup vulnerability where trusted access is granted and backup clusters have admin privileges for some reason. So, yeah, I guess this is like Microsoft says, this is a feature is the. Basically the summary of this.

Wade

Okay, I do remember reading about that one.

Corey

Now, basically Microsoft's official statement was this is not a security vulnerability, but expected behavior. It requires pre existing admin privileges within the customer environment. So no product changes were necessary and no CVSS or CVE was issued. But also they fixed it. Well, they.

Wade

What I'm reading also says they originally also told mitre part of the problem is like, it looks AI generated. So like they're like, yeah, we don't want your slop. CBE is. But we will go fix the problem, don't worry.

Corey

So, yes, this is just from my perspective, this is how you get things like Blue hammer and the BitLocker vulnerability. Like, we're in a spot right now where I told a customer last week I could just get local admin on their laptop because of Microsoft. And that's just the way it is. And I think this is the bed that they made for themselves is by doing stuff like this to basically be like, this isn't a real vulnerability, by the way. Go fix that. Like, right now, please. But yeah, you don't get a cve. We can't even give you a T shirt. But yeah, sucks to suck. I don't. This is really lame. I feel bad for the researcher. Kevin, we'll send you a free T shirt. Where do we. Where do we send it? Just tell us.

Megan

Did you guys talk about the researcher who got banned from GitHub?

Corey

No. Please tell us about the researcher who got banned from GitHub.

Megan

All right, so recently a researcher who has been releasing Microsoft vulnerabilities got banned from GitHub. So GitHub has terminated the account of Nightmare Eclipse, an anonymous rogue security researcher known for dropping critical unpatched Windows vulnerabilities since.

Corey

Oh, yeah, we talked about this.

Megan

Did we?

Corey

We talked about this. Oh, no.

Megan

Did we? This guy. This is just. This was this week. We talked last week.

Corey

Okay. We talked about the.

Megan

The vulns he released.

Corey

The vulns they released. Okay, so did they reinstate it yet?

Megan

Not that GitHub kicked him off.

Corey

Yeah. Is it gone? Gone? This is basically. They blocked the yellow key exploit.

Megan

Yep. Yeah, the. His repo. It's gone. 404 error.

Wade

Well, he did get Lab. Now he moved to get Lab. Yeah, yeah, yeah.

Corey

Okay. So basically, I mean, honestly though, threatening Microsoft.

Wade

What the it says moved to GitLab and then they're now threatening to release unspecified documents telling Microsoft to mark this date July 14th. That's crazy. Whoa.

Corey

Yeah. I mean, I got to make sure

Wade

your bones are shattered that day. Okay. I guess they didn't like losing all their git commit history and everything. Jeez.

Corey

Is this. Is it actually live on. On GitLab either or did it also go down there?

Wade

That's what this article says.

Corey

This dead Eclipse blog spot doesn't seem to have any repos on it. I don't know. But either way, this is basically a great case study in how you should not handle public relations with vulnerability researchers, especially because.

Bronwyn

Yeah, yeah.

Corey

I mean, you're basically the other funny thing about Microsoft is they're part of the glass wing Mythos, like cool kids club. So like, maybe they're trying to just race to the bottom and fix all this stuff before researchers do. I don't know. I feel like they're going to lose. We already have a BitLocker zero day or whatever you want to call it. End day in the wild. That's still working as long as you don't have a pin on your TPM or whatever. I don't know. This feels like a dangerous game for Microsoft to be playing right now.

Megan

The GitLabs are 404.

Wade

Yeah.

Corey

Yeah.

Bronwyn

Since we're talking about GitHub, do we want to talk about Team PCP?

Corey

I love PCP. I've got a gallon of it right here.

Bronwyn

Team PCP.

Corey

Yeah. I didn't see that article. Let's run through it.

Bronwyn

It's. Hold on a second, let me share it.

Wade

On just the one with GitHub getting compromised.

Bronwyn

It's them basically. Team PCP is actively poisoning open source code.

Wade

Oh that one. Oh yeah. They're still doing that. They've not gotten bored of it.

Bronwyn

I mean it's. I think it's been going on for a long time and it certainly seems like the type of thing that would be an obvious thing for a group of malicious hackers do. But Wired seems to think that it's an unusual happenstance.

Corey

I mean, I think it's unusual the level of access they've gotten to from GitHub or like within GitHub. Like that's pretty sketchy. It seems like they've actually compromised. Didn't they compromise like the internal. Some of the internal GitHub code as well? Not just open source projects.

Bronwyn

Let me have a free article.

Wade

I. I don't know if they ever talked about who actually breached GitHub, but I think it was last week some GitHub did release that they had internal repositories sort of accessed in some way and stolen.

Corey

I heard it was Team pcp. I mean there are some articles out there corroborating that. I don't know if that's. I'll paste article I found it's on helpnet Security basically claiming that Team PCP was the ones who get breached GitHub's internal code base through a poisoned VS code extension. Oh, which is just hilarious. Oh, that's right.

Wade

Yeah.

Corey

How is that seriously? The, the entry vector for this? Like you work at GitHub and you're just installing random extensions on VS code. How is that possible? You don't, you don't have a license. Like, you don't have a license. I don't know. Whatever we need to talk about.

Wade

Just friendly reminder, if you're going to download an extension, you better be sure where it's coming from.

Megan

How, how often do you see logs for that situation.

Corey

Hayden

Wade

of like VS code extensions. Oh my gosh. We get so many logs of VS code it's crazy really.

Megan

I don't think I've ever been at a location that is logging VS code.

Corey

Well, we get.

Wade

We get alerts quite frequently from the SOC team as we work on rules because our, Our detections are all AS code. And so we're working with code detections which are technically hitting against the RAW detections because they have some of those same matching strings and ind. So every so often it'll be like, yep, guys, I'm doing all 14 of these terrible things. Just go ahead and allow this to happen. Please don't isolate me dangerously.

Corey

Skip permissions. It's fine.

Wade

Yeah, yeah, right?

Corey

I mean, that's what Seraph said in Discord, basically. Like, it probably was Claude or Copilot that installed the extension, not the actual user themselves. Apparently it was a pretty well known extension NX Console, which I don't know what that is. It better be good. What is it? What does it actually do? This better be related to Vim.

Megan

It's a plugin for Notepad plus plus.

Corey

Is it really?

Megan

No, I'm just.

Corey

What is it?

Megan

That's more of a callback to you. To you making me uninstall Notepad everywhere.

Wade

Oh, yeah.

Corey

Tragic. IT enhancers. Okay. NX Console enhances your editor's AI features by providing relevant context large language models. Powering VS code and Cursor automatically teach AI about your workspace infrastructure generators and feed it up to date NX docs.

Wade

So this is the Microsoft employee needed to like juice up Copilot inside of BS code.

Corey

It probably is part of like their internal kbs, I would assume. Right? Like, there's no way someone just decided. I don't know. Maybe they did. I don't know, man. I don't know. I mean, let this be a reminder to everyone who's listening to this. If you don't already have a allow list for your browser extensions and your VS code extensions, you should work on that. Although honestly, in this case, this is a supply chain thing. So even if you do have an allow list, this still could have hit you. And 2.2 million installs is a lot. That's kind of a lucky or unlucky timing thing.

Wade

But yeah, I've seen a lot of people just say at this point you need to fork all your dependencies and just pin them. Like, don't ever update anything.

Corey

Yeah, speaking of vulnerable routers, unifi or ubiquiti. Also patched three Max severity vulnerabilities, unauthorized changes to targeted systems and proper access control prompt command injection, network access and then command another command injection one. So basically the router bleeding is never going to stop bleeding. Like if you have a router.

Wade

My router updated this weekend probably.

Corey

I guess if you have a router you need to make sure it's either automatically updating or that you're manually updating it. Because this is going to be just such a common theme this year is just vulnerability after vulnerability.

Bronwyn

Task reminders to check to make sure that that stuff is updated at least once a month.

Wade

I just make it automatic. I would forget.

Corey

Automatic is the best.

Megan

But yeah, every morning at 2:00am my, my ubiquity goes down and comes back up.

Corey

Yeah.

Megan

Knocked me off video games several times because I forgot about it.

Corey

I will say though like 2am so yeah, also why are you gaming at 2am? Get it together. Wait.

Megan

Oh, I'm sorry. The only time my children are sleeping.

Corey

Dude, kids go to bed at like 6pm Dude. Don't lie.

Megan

Oh no, yeah, that's. And then you, then you have to recover after that. That's the word room is that one right behind me. So if I just clack blowing mechanical

Corey

keyboard, throwing frag grenades.

Megan

Yeah, he gets pissed off. He tells me.

Corey

He's like, dad, stop playing video games. I love that your kid would be telling you to stop playing video games. This would be the ultimate like reverse card uno moment.

Wade

Yeah.

Corey

But Yeah, I think Ron1's tip is good because like there are scenarios where repos will break. Like recently if you're a plex person there, they had to change some repo keys and so like their auto updates broke so you had to like manually update your repo or whatever. So like it's good to check. I agree with auto update being the absolute best, but it's also good to verify every month or so that like is it working? Do you have to switch your repos or you know, is everything good?

Bronwyn

And I actually do have it set on auto update, but you know, paranoia is a survival skill in this industry.

Corey

It's true. It's very true. All right, what else?

Bronwyn

Speaking of supply chain attacks, do we want to talk about Pizza Hut?

Megan

I was, I was trying to read that one.

Corey

Hit us with some pizza. Let's go to the buffet.

Megan

Yeah, it seems like people gamed the AI in order to cherry pick the deliveries that they want that provided the most tips so they would make more money which then caused wait times to go out the wazoo.

Corey

Okay, hold on. They're saying it caused a hundred million dollars in damages.

Megan

This dude owns 11 Pizza Huts.

Corey

11 pizza. That's like, dude, how many pizzas is that? That's got to be like a freaking.

Megan

He owns 111. 111 Pizza Huts.

Bronwyn

Jeez.

Corey

So, okay, so he's claiming almost a million dollars in damages per Pizza Hut.

Wade

Dude, it is like crazy.

Corey

So, wait.

Elise

Yeah, because if it's over 30 minutes, it's free. And he's saying that before this, it was 90 of everything was delivered on time, but after they implemented this, everything

Corey

went to heck Dragon Tail.

Elise

So he's giving away free pizzas, essentially.

Corey

Okay, so this is. This is a lawsuit between Pizza Hut, like the corporate entity and a large franchisee. Right. He's basically saying, you made me adopt this AI thing that I don't like, and then it cost me a lot of money, basically.

Elise

Oh, you know what it is? It's the drivers are waiting for additional deliveries. They're not just taking the first one that's ready.

Corey

Okay.

Elise

And so they're trying to do multiple.

Corey

It's like batching. They're trying to. Yeah, it's turning into Uber.

Megan

Isn't that in the old days with pizza pizzas, when you ordered pizza, they

Elise

would only deliver like multiple orders if they were on the same street or whatever. I mean, if you think back, I like saw a meme of this over the weekend, but if you think these people were navigating with paper maps, taking a phone call, making a pizza and getting it to your door within 30 minutes and they implemented this AI and it completely messed everything up. When we're like literally using GPS and like online ordering. I don't understand, but it must have just been holding drivers from leaving for, it said 15 minutes or more.

Wade

So that has to be some like inflated number where they're like, yeah, we've suffered this reputational damage.

Bronwyn

It's not fact.

Elise

This is.

Bronwyn

He alleges that Pizza Hut failed to adequately train operators on the system.

Corey

So basically the court have reputational damage.

Wade

Like, what is everybody's overall opinion of Pizza Hut? Like, are you. If you're going to get pizza, is that your first choice?

Elise

Definitely. No, not generally. Not currently. But I've heard that they are refurbishing the current Pizza Hut design to make it look more like the 90s family friendly. One Pizza Hut owner, so down for

Bronwyn

that, who was updating his. Who is retrofitting. Retrofitting his retro. His franchises himself. But I think that's a different guy.

Corey

Yeah, I mean, either way, there wouldn't be my first pick, but I do. I will. I wouldn't push back. If my friends. If it was like, let's get pizza. We're all drunk, that would be. I'd be like, fine. Like, it couldn't be sober pizza. It would never be sober pizza, but it could be drunk pizza.

Megan

If I got a free pizza because it came and didn't come in 30 minutes, I would order all of my pizzas from there, hoping that I get another free one. It's.

Corey

That's basically what they're claiming happened. Yeah. So the other thing is, it's called Dragon Tales, which, if you're a 90s kid, I mean, that should hit somewhere for you. Yeah, that's a thing. I mean, I think the courts will decide, and the verdict better be delivered in whether you can or cannot out Pizza the Hut. Basically.

Elise

Yeah. Essentially. True or false.

Corey

That's. That's funny, though. I mean, honestly, it is. It's a cautionary tale for, like, the companies forcing AI rollouts like this. People don't like AI being pushed down their throats. Like, whether it's the pizza delivery drivers, the franchise owners, the consumers. If you're going to do the AI thing, you got to do it right. You can't mess this up. You get one shot, and then you're screwed. Yeah.

Wade

And you got to deploy it to, like, a couple stores first, because people are going to figure out that system right away. Like, if somebody controls someone's livelihood, they're going to find the way to maximize that pretty quickly. So instead of doing, you know, 111 stores or whatever it was of just one dude, maybe do a phased rollout, maybe be a little careful with it, maybe keep an eye on it and see if all of a sudden all these orders are late. Like, it just seems like an operational mishap of, like, hey, we need better AI adoption, and we're not meeting this quarter's goal on AI adoption, so let's just send it.

Corey

So basically, the good, like, rule of thumb, if you're rolling out an AI system is a bunch of stoned pizza delivery people can figure out the gaps and exploit them. You didn't get a very good pen test.

Elise

Yeah, that and, like, I Think Customer Service 101 is that the customer always lies. I mean,

Bronwyn

They may be deaf, dumb, blind.

Elise

The customer always lies, but they're always right.

Corey

I love that being the first rule of retail.

Elise

What is for their own benefit. Like, everybody's going to put themselves first. And when you, as an employer Hire contractors. They don't see themselves as part of your team. They see themselves as a separate entity. So if they can take advantage of a system, they're going to.

Corey

Very true. If you're in Germany, I have bad news. There was a huge amount of data leaked from a German healthcare hospital, or I guess several hospitals. The article is in German, so I can't read it, but I'm just going to read the summary. And basically data was stolen from Unamed. I'm assuming is how you pronounce that, which handles billing for the hospitals, names, date of birth, address details, and also contains billing data which includes information about diagnoses and treatment plans. I don't know what the German, like HIPAA is. I'm assuming it has like a 17, 000 letter long consonant name. I'm curious. I'm assuming their regulations are stricter than ours, but I don't. I genuinely don't know what the repercussions of this is. But that. That is rough.

Megan

Yeah, the article under that one.

Corey

Yeah, we're going to skip that. What? I'm not. I'm not waiting through those logs, So. Okay, this one's interesting. Microsoft shut down an illegal code signing operation. Huh. Interesting. Why wasn't I running in an illegal code signing operation?

Megan

I thought that was you.

Corey

So basically this is a cybercrime service that sold code signing certificates to ransomware gangs which can help with bypassing controls and defenses. The. They're calling it Fox Tempest and which has been around since about a year ago and abuses their artifact signing code service. I'm wondering whether these are like, are they using Shell Corpse or are they actually just stealing the code signing certificates? It looks like they're using Shell Corpse because it says they use fake identities and impersonated real organizations. So they're basically just signing up for an account and being like, hey, what's up? It's Pizza Hut. I need a code signing certificate. Don't ask why. And then there's not enough KYC to actually validate that. I don't know. But either way it's an interesting.

Megan

I was just doing intel research around Certs, right. For. For my actual class that we'll talk about later, I guess. But Cert Ch has been down for like the past month. Oh, which means you don't know, like Cert Sh. Cert Sh.

Corey

Yeah.

Megan

Okay. Now it worked literally. So if you go to right now. But I've been trying to get to it for literally like the last month, trying to get to it and to. To build some Labs off of it and it just kept going down. If you don't know what cert Sh is, it's pretty much every public certificate transparency law in. In ever, right? So then you can go there and theoretically trace back one of these malicious certs back to Microsoft and their poor signing capabilities. But you could also look if they're using the same names or if they're using the same company names. You could then go look around for the same certs. But of course, like, I knew the moment I talked about this online it was gonna work and it did. Okay, there it goes. 502 Gateway. I got in once.

Corey

I think you're just rate limited, man.

Megan

I. I haven't been hitting it that much.

Corey

Like, it doesn't like you.

Megan

They have it on GitHub. I'm like, maybe I should just stand up my own.

Corey

Like, I will say there are a lot of other sources for certificate transparency data, and Cert Sh has just one. And you should have an official. If you. If you rely on this kind of data, you should have a paid API that gives you access to the certificate transparency data. Most of the big ones have it like, you know, your security trails or census or Shodan or those. But yeah, anyway, that's a fun little cyber crime. Operation disrupted. There's no chicken news. I have a chicken story.

Bronwyn

It's not a chicken chicken story, but it is a chicken story.

Corey

Okay.

Wade

I also have a normal article.

Corey

Whenever hit us with a chicken. Chickens, rubber chicken go.

Bronwyn

So a. A chicken escaped a poultry factory and is now living the life of Riley. It's been rescued. This person on Reddit is in East Williamsburg and said that a chicken escaped a local poultry factory and is now just enjoying its nice and easy life living in the bathtub.

Megan

For those listeners and that are listening to us not with a visual podcast, we're looking at a chicken on the side of the street hiding behind some containers. It definitely doesn't look like a normal chicken. It is black. Which do someone who is more chicken informed than me, like, what? That is not a typical American chicken. And then why is it in the bathroom in pink light?

Corey

Have you never.

Megan

Come on, come on.

Corey

Should we be worried about this person's bathroom? Like, what is the lighting in their bathroom? That's scary.

Wade

I don't think we should just mood lighting.

Corey

Okay, so Elite already nailed the first rule of retail, which is that the customer is always lying. I think that the first rule of Reddit. I think the first rule of Reddit is the same rule that the post the op is always lying.

Megan

Always lying. You never go look at their. Let's go look at their history. Okay, Their posts are open.

Wade

You probably don't want to do that.

Megan

Didn't give me an NSFW flag. So that's how we know it's okay.

Wade

This is more Reddit coded than me, I guess.

Bronwyn

You know, like I said, it's not cyber security related, but it is a chicken story and the chicken is free.

Megan

All right.

Corey

I mean there's, yeah, let's, let's, let's move on, but I think you could spend 15 seconds debunking this. It also appears to be a rooster. Why there would be a rooster? Anyway, let's move on.

Wade

So my story, I put it in the Zoom chat, it's just a bleeping computer article, is the first article I could find on this, this. And this is half story, half like wild tinfoil hat hypothesis. Right? So it started for us about Friday in the Black Hills sock because we started getting a ridiculous amount of alerts for customers for all sorts of like terrible things. And so this is like several spanning different customers. And we're like, oh, that's not good. But we quickly figured out this is just their NESSUS scanners. Why all of a sudden are they like firing off the hook? Come to find out, there's some Nessus plugin for the exploit POC for mini plasma. So that's what the article is on is it's a privilege escalation zero day. Supposedly it's just a re. Like resurrection of an older vulnerability from 2020. But from, from what I've gathered, NESSUS has started scanning with us as part of their standard scans as. As one does. But I found a thread specifically from CrowdStrike where one of their sort of, I guess internal people posted a support article about this saying that evidently NESSUS decided to start running this POC code, like exploit code live on, on machines to test if it's vulnerable. And so I guess all of our customer fleets started running this code, sending our alerts into a spiral. So we had a few customers that were talking to us and asking what is going on here? We're trying to explain this to them. We had one that said their EDR was like driving them nuts, that it triggered, I don't know, I think, I think they said like somewhere around 20,000 alerts from this EDR from the scans. I think I got a call at like 4am on Sunday from one of our guys asking like, what are we supposed to do about this? Because it's Just scanners and it's just blowing everything up.

Corey

You're just sitting there watching 20,000 alerts roll in. Be like that. That should be normal maybe, right?

Megan

Normal in a sock. That is totally normal. Like, Everything breaking and 50,000 alerts coming in. Like, I don't know how many times that's happened to me.

Wade

It shouldn't be normal, but it is. But this time it was like, oh, man, it was. It was immensely frustrating and we like, we held off the rush after a little bit because we have like intelligent risk scoring on our rules to. After a while they started to recognize that like, this is not actually real malicious activity. This is a simulated malicious activity. So it eventually slowed down a bit, but there was a good while there where we're all like, like, what is going on? Until we found out, like, ah, this very exciting plugin here is causing a lot of problems. So if your EDR is firing off the hook, you might want to look into your Nessa skins.

Bronwyn

Yeah.

Corey

I mean, that's crazy. How long has it been since there was an exploitable vulnerability like this? Like, since we had edr? Like, I'm confused. Wouldn't this happen anytime there's a local privesque or something in Windows? Like, or is it just that this specifically hits on some signature?

Wade

I still don't know if we know. Like, the CrowdStrike article I found on it. It's. It's through like a Reddit thread and they posted the article on the internal CrowdStrike, like, support portal. So I don't have access to any of their details. But that was my first question. I just did in the Zoom. Yeah. But I was like, dude, how. How is this one, the one that's causing it? Because we have. Everybody's got nessus, right? Everybody's running Nessus and it runs a

Corey

ton of local type things.

Wade

Yeah. And we've never seen it this bad. So I don't know exactly what changed or what happened that was different.

Corey

It also could be that CrowdStrike beat them to the punch, you know what I mean? Like, they developed an alert for this before the scanner plugin was developed.

Wade

It also wasn't just CrowdStrike because they're actually running three different EDRs, then it's

Megan

not a single crowd.

Wade

And I think that's what it was, that's why. Right. So we had, I think it was Crowdstake, Sentinel 1 and Defender. Like, all were really angry. At least those three were ticked off about that. And so those all three were firing off the hook like crazy. Interesting. So that was, that was interesting. I. I still am very curious. So, Wade, you said it's because they were just running effectively the raw code. They weren't.

Megan

That's. That's what it's saying.

Corey

Yeah, it was, yeah.

Megan

The tenable Nessus decided that actually running an exploit POC of mini plasma against its hosts is the best way to test if it's vulnerable.

Wade

So it's like when they started spamming jndi, like log four shell strings against everything.

Megan

Like one of the, one of the top tunes you do right off the bat though, right? As you say, negate everything the Nessus user does. So that's like number one. And then it does crazy stuff.

Corey

Are you saying you have to tune the edr? Is that similar to changing my router settings? Right?

Megan

It's very similar. You know, you don't just any. Any you deny.

Corey

I always end my firewall rules with an allow all just in case someone wants to get to something.

Wade

Well, it's just like with EDRs, like if you have the insert vendor name here, then it's the perfect one and you'll never get hacked. And so we will take bids for which vendor name we actually insert in there and post. So we'll start that bidding. Just go ahead. Email. Corey, what's your email again?

Corey

For Black Hills, it's haydenlackhillsinfosec.com oh, damn.

Wade

He got me J. Strand.

Corey

Is that what it was? No, J. Strand's not cool enough to have a first name email.

Megan

No, no. Well, the J Strand, it's a, it's a, it's a canary email. People who aren't sure it's our marketing email.

Wade

Jstrand, we had someone send a really nasty email. A vendor that we had contacted to do some work. They. We didn't respond to them quick enough, so they just found John's email and emailed him directly. So I got into and basically told him, like, hey, your team is not responding to this fast enough. Here's everything our product does. So I went and domain blocks that entire company and John thought that was hilarious. Just, they're just, they're just totally like blacklisted now.

Megan

Is that a very aggressive EDR company that we all know about?

Wade

No, it was, it was a different company. I'll tell you afterwards.

Corey

I think I know which one you're talking about, Wade. Is it the one that always offers you a yeti mug? I'm like, dude, I have a yeti mug. I'm not.

Megan

I got so many yetis. Like, you gotta give me Something really good.

Corey

Now, I'm not gonna click the fish, okay? Now, if you start fishing, me offering a DJX Spark, I'm gonna click that in a heartbeat. I'm not looking for a yeti.

Megan

I got an Oculus Quest.

Corey

Once you actually got it or you got.

Megan

Yeah, it's behind me. There's a proof point Oculus Quest behind me right now if anybody wants it.

Wade

That's kind of sick.

Corey

But you sold your soul for an Oculus Quest. All right, this week in security.

Wade

Yeah, dude, I sold myself. I sold for a Chipotle bowl, man.

Megan

I think this is like 20. I think it was like 2020 that I got that. Yeah, Like, I was stuck inside. Come on. It's a VR headset. Like, I was like, you know what? I just gotta listen to a sales pitch.

Corey

Like, in 2020.

Bronwyn

Come on. We were still in full COVID lockdown.

Wade

Of course they had the Blood Saber's fire, though.

Megan

But I'm gonna tell you right now, Star wars flank games with a headset was amazing. And I thoroughly puked like, I was like, I can fly an X wing, no problem.

Corey

No, it was not a half ass puke. It was a thorough puke.

Megan

This poster. This poster right here is because I threw a grenade in Half Life, Alex,

Corey

and put a hole in your door.

Megan

Punch the wall.

Wade

Oh, that. That game's terrifying in VR.

Megan

I need a bigger room. I didn't have anywhere to play.

Wade

You know, where's this phasmophobia in VR? I don't know if you've played that game, but it's like a ghost hunting game.

Megan

I'm good.

Wade

It's horrifying. It was not a good experience. I did one round of that in VR. I was like, nope, I'm done. I'm. I'm good without this.

Bronwyn

I. I'm not a fan of horror video games. And if it has zombies, I am out. So I can't imagine doing that in VR.

Corey

All right, so based on. Yeah, now that it's almost the end of the show, so let's have everyone plug your stuff. Who wants to go first? Wade, you want to go first? You're on the screen.

Megan

I'll go first. I'm here. So I am giving a threat intelligence class in one month. It's my Thronetel 101 class. It's now two days. It has a lot more. I think there's 13 labs in it now. And we talk about everything, about getting into intel, the roles that you'll have. Dark Web stuff. Now I have some. An OSINT class. Surprisingly, the OSINT class was really hard for me to write just because I wasn't sure how to scope it. Right. Like if you're doing cti, you're not going to be really looking at people. But anyways, it's. It's fun. Come check it out. I'll be on Simply Cyber talking about it later this week too.

Corey

Sweet. Elise, you got some stuff?

Elise

Yep. I have one thing coming up quick. This Friday, May 29, starting at 12pm Eastern, so 9am Pacific. If I'm doing the math correctly, that workshop is four hours. It's on social engineering and creating pressure proof pretexts for primarily physical engagements, but can go outside of that as well. So that is pay what you can or 25 bucks and open enrollment ends soon.

Corey

Awesome.

Wade

And then Wade's class is also part of the Threat Hunting Summit, which is going to be June 17, and then there will be classes that follow it. There's going to be lots of very cool talks, lots of trainings that follow it, a lot of very interesting talks, like how AI agents solve threat hunting's biggest problems. We experiment a lot with how can you augment human based threat hunting with AI to scope these things out for you, make them a bit easier just to find sources. The keynote specifically is Jason Haddock's Looks like. So that one will be one to be around for. And then there's a pretty sick panel with a bunch of sort of IR legends. You got our own Patterson and Troy on there as well, so that'll be a pretty awesome one too. Just how to deal with legal landmines, insurance and incident response.

Corey

Wow, landmines. Sign me up.

Wade

Yeah.

Corey

All righty. Well, I think that's everything. Any final articles if you're around on Thursday? Oh yeah. Bronwyn, you have a webcast, right?

Bronwyn

Why do I feel like a redheaded stepchild today? No. Yeah, Thursday I'm doing the Paranoid Prompter. It's going to be talking about using AI, specifically targeting use cases and examples for cybersecurity. And we're going to touch on a lot of different things. So talking about some of the liability issues, going into some practical use cases, and lots of ways to stack your prompts and build a library that will help you go further, farther, faster.

Corey

Paranoid Prompter is so good. That's such a fun. Like, I love that. That's amazing alliteration. Yeah, that's awesome. All right, no one else has anything to plug, right? I don't have any.

Wade

We got to start plugging your Strava Corey you guys.

Corey

If you've. If you've ever seen a private. You've ever seen a private Strava that no one else can access. Unless you're someone I personally know in real life, you should definitely follow me on Strava.

Megan

All right.

Corey

That's all I have to plug. Yeah. Have a good week, everyone. Short week. See you next Monday. Bye.

Megan

Bye.

Bronwyn

With fire.

Megan

Megan. So hot in this room.

Corey

Oh, it's dying. Wait. Held it because of the new camera.