🎓️ Vulnerable U | #138
The F5 debacle is absolutely bananas, spying on unencrypted satellite comms, Cisco, Ivanti, and Fortinet also all having a bad week full of 0-days, CISA is gutted and facing pressure, and much more!
Read Time: 9 minutes

Howdy friends!
Not a great week for me personally. But one foot in front of the other! I have an extremely busy Q4 - expect a ton out of Vuln U. We’ve been building the team and planning a lot more output for you all.
Did you see the latest premium interview drop? Rachel Tobac is the goat. Those of you who have upgraded, I really appreciate it. A few of you have asked for some live webinars for premium with Q&A and I think that is a great idea, I’ll plan to launch when we hit some milestones. Let’s call the first 100 members, so tell your friends.
Let’s get to the news, a ton to talk about this week.
ICYMI
🖊️ Something I wrote: f5 breach is a big deal
🎧️ Something I heard: cisco situation keeps getting worse
🎤 Something I said: age verification needs to go away
🔖 Something I read: “An investigation into how I identified one of suspects tied to the $28M Bittensor hack from 2024 by identifying anime NFT wash trades linked to a former employee”
Vulnerable News
This is a wild story. So F5 found out they got hacked in August, but just announced this week. They got special permission from the DOJ to delay the announcement, contrary to normal SEC rules, due to a matter of national security. The attackers stole source code and customer data related to their BIGIP product line. This included unreleased vulnerabilities, so everyone is on edge, looking for downstream ripple impacts.
They haven’t come out and said how long, but reporting now shows the attacker was in the network for 12 months and links it to China. This is also in line with Google’s recent threat intel on BRICKSTORM - long-dwell-time, sneaky malware that hides on network appliances that usually can’t have EDR installed on them.
F5 has patched the vulnerabilities, and multiple government agencies are now sounding the alarm. This is wild given F5's massive footprint in enterprise networking - their tech handles traffic for a huge chunk of Fortune 500 companies and government agencies. If you're running F5 gear, you'll want to get those patches deployed ASAP.
GreyNoise is mostly seeing researchers ramping up scanning for BIG-IP, but did see a few anomalous spikes before the breach was public. (read more)
Remember the Optus breach? Millions of records stolen through an insecure API. Intruder’s team still finds the same mistakes in major U.S. companies.
That’s why they built Autoswagger: a free, open-source tool that hunts down unauthenticated APIs leaking sensitive data. Check out the real issues Intruder uncovered and grab the tool.
*Sponsored
Google's threat intel team just dropped some concerning news about North Korean hackers getting creative with blockchain. Also lol @ thegrugq - “Finally a use for blockchain!” - UNC5342 (the same crew behind those fake crypto job interviews) is now the first nation-state actor spotted using "EtherHiding" - basically storing malware payloads directly on Ethereum and BNB Smart Chain. Smart move from their perspective since you can't exactly take down a blockchain like you would a traditional C2 server. The attack chain is familiar though: fake recruiters lure crypto developers into "technical assessments," which drops JADESNOW malware that then pulls down INVISIBLEFERRET backdoors from blockchain transactions.
Once the malicious smart contract is deployed, it's basically permanent, and the attackers can update their payloads by just making new blockchain transactions. They're even using multiple chains and API services as failsafes. They're still relying on centralized API services to interact with the blockchains, so there are still chokepoints defenders can target. Chrome Enterprise users get some specific mitigation advice in the report, mainly around blocking dangerous download types and managing updates centrally so users know any "update Chrome" popup is definitely fake. (read more)
Trend Micro researchers just dropped details on "Operation Zero Disco," where attackers exploited a fresh Cisco SNMP vulnerability (CVE-2025-20352) to plant rootkits on network switches. The campaign hit Cisco 9400, 9300, and legacy 3750G series devices, with malware that set a universal password containing "disco" - apparently a nod to "Cisco." The threat actors are deploying Linux rootkits that hook into IOSd memory and disappear after reboots, making forensics a nightmare.
The attack chain is impressively complex, involving VLAN hopping, ARP spoofing, and firewall bypasses to move laterally through networks. The rootkit comes with a UDP controller that can toggle logging, bypass authentication, hide configuration changes, and make it look like configs were never modified. They also target older systems without EDR solutions and use the compromised switches as stepping stones to protected network zones. Sound familiar? Read the BRICKSTORM brief above. If you're running Cisco gear, this one's worth checking - there's no universal detection tool yet, so Cisco TAC might be your best bet for a proper investigation. (read more)
Microsoft just shut down a ransomware operation by revoking over 200 certificates that Vanilla Tempest was using to sign fake Teams installers. The group set up convincing fake domains like teams-install[.]top and teams-download[.]buzz, complete with lookalike download sites that served up malicious MSTeamsSetup.exe files. Once victims ran these, they got hit with the Oyster backdoor instead of legitimate Teams software.
What made this campaign sneaky was how they leveraged legitimate code signing from SSL.com, DigiCert, and GlobalSign to make their malware look trustworthy. Vanilla Tempest (also known as VICE SPIDER) has been pushing Rhysida ransomware since at least 2021, typically going after education, healthcare, and manufacturing sectors. The whole thing started with malvertising campaigns and SEO poisoning - nothing crazy new, but effective when people are just trying to download Teams for work. (read more)
Stop DPRK job scammers and deepfake applicants at the front door.
1Kosmos binds workforce access to a verified, live human - document checks + liveness biometrics + passwordless auth - so the person you onboard is the person who logs in, every time.
See how it works → 1Kosmos
*Sponsored
October's Patch Tuesday just dropped with a massive haul - 183 vulnerabilities across Microsoft's ecosystem, including two Windows zero-days that are already being exploited in the wild. The nastier of the two is CVE-2025-24990, hitting a legacy Agere modem driver that ships with literally every version of Windows ever made, regardless of whether you actually have that hardware. Microsoft's planning to just rip the driver out entirely rather than patch it, which tells you everything about how antiquated this code is.
The second zero-day (CVE-2025-59230) targets Windows RasMan, and this marks the first time that component's been hit as an in-the-wild zero-day, though Microsoft's patched over 20 flaws in it since 2022. Both can give attackers local privilege escalation to administrator. There's also a third exploited zero-day involving an IGEL OS Secure Boot bypass, but that requires physical access so it's more of an "evil maid" scenario for traveling employees. CISA's already added all three to their must-patch list with a November 4th deadline for federal agencies. (read more)
What a freaking time for edge devices. F5, Cisco, Fortinet and Ivanti are all having a time, the latter two dropping a pile of security fixes in this patch cycle. Fortinet pushed out 29 advisories covering over 30 vulnerabilities across their product lineup, with several nasty high-severity issues in the mix. The highlights include privilege escalation flaws in FortiOS and FortiDLP, an authentication bypass in FortiPAM that's vulnerable to brute force attacks, and a particularly gnarly Apache Tika issue that could let attackers read sensitive data or mess with internal resources.
Ivanti's not sitting this one out either - they patched up some high-severity code execution bugs in Endpoint Manager Mobile and a couple of issues in Neurons for MDM, including an MFA bypass that's never a good look. Neither company has seen evidence of active exploitation yet, but let's be real - both Fortinet and Ivanti products are magnets for threat actors. If you're running any of this gear, probably want to get those patches rolled out sooner rather than later. (read more)
Photo: Rep. Eric Swalwell (Kevin Dietsch/Getty Images)
Rep. Eric Swalwell is demanding answers from CISA about what he calls workforce decimation under the Trump administration. According to his letter, around 760 people have been cut from the agency since January, and now there are reports that remaining cybersecurity staff are being forcibly transferred to work on deportation efforts instead of, you know, actual cybersecurity.

Swalwell's particularly annoyed that CISA also terminated its $27 million agreement with the Multi-State Information Sharing and Analysis Center, cutting off critical third-party support for state and local governments. He's asking for detailed breakdowns of exactly how many people have been cut, transferred, or forced out by October 24th. Of course, CISA couldn't comment because of the government shutdown, which is just chef's kiss perfect timing. Nothing says "national cybersecurity is a priority" quite like gutting your cyber agency during active threat campaigns. (read more)
Here's a wild new Android attack that even has its own name and branding! That's how you know it's cool. Researchers found a way to steal sensitive data from apps by literally grabbing it pixel by pixel, calling it "Pixnapping." The attack abuses Android's intents system and some GPU quirks to reconstruct everything from 2FA codes to Signal messages, even when apps have screen security enabled. The malicious app needs zero permissions to pull this off.
The attack is painfully slow at 0.6-2.1 pixels per second, but researchers optimized it enough to snag 2FA codes in under 30 seconds. Google tried patching this in September, but the researchers immediately bypassed the fix and are now waiting for a proper solution in December's update. While it affects pretty much every modern Android device (Pixels, Galaxy phones, you name it), Google says there's no evidence of real-world exploitation yet. (read more)
Turns out all you need is $600 worth of consumer satellite gear and a clear view of the sky to become your own personal NSA. Researchers from the University of Maryland and UC San Diego spent seven months passively scanning 39 satellites, and holy hell did they find some stuff. Plaintext T-Mobile SMS messages, voice calls, military ship communications that revealed vessel names, and a whole bunch of other sensitive data just floating around unencrypted in space.
It’s wild how many organizations are treating satellites like they're just another internal network link - no IPSec, no proper encryption, nothing. Over a single nine-hour session, they grabbed phone numbers and metadata for over 2,700 people. They reached out to everyone they caught leaking data (T-Mobile, AT&T, the military, Mexican government) but declined any bug bounties with NDAs attached. The researchers basically proved that what we thought required nation-state resources can actually be done by anyone with a few hundred bucks and some skills. (read more)

Oracle just had a messy weekend cleaning up two zero-days that were being actively exploited. The latest fix addresses CVE-2025-61884, which ShinyHunters leaked a working exploit for on Telegram. Oracle's being characteristically tight-lipped about the whole thing - they won't even acknowledge that the vulnerability was actively exploited or that there's a public PoC floating around. Transparency!
Here's where it gets confusing: there are actually two separate Oracle EBS vulnerabilities in play. CVE-2025-61882 was the one Clop ransomware used for their extortion campaign, while CVE-2025-61884 is the ShinyHunters leak. Oracle somehow managed to mix up the indicators of compromise in their advisories, listing the ShinyHunters exploit as evidence for the wrong CVE. If you're running Oracle E-Business Suite, just patch everything immediately - the technical details are public now. (read more)

Holy bitcoin seizure, Batman. The DOJ just grabbed $15 billion worth of crypto from Chen Zhi, a Chinese guy running what they're calling one of the largest pig butchering operations in history out of Cambodia. This dude's Prince Group was operating 10 scam compounds with trafficked workers running cryptocurrency investment scams, complete with 1,250 mobile phones controlling 76,000 social media accounts.
The whole setup is pretty dystopian - hundreds of people trafficked and forced to work these romance scams under threat of violence, all to milk victims out of crypto with fake investment promises. Zhi's still on the run and looking at 40 years if they catch him, while Treasury hit his entire network with sanctions. (read more)
Miscellaneous mattjay
Startup Idea: A safe way for CEO's to request staff members to acquire gift-cards...
— haroon meer (@haroonmeer)
7:51 AM • Oct 16, 2025
Legend has it gym memberships are particularly hard to cancel here because nobody knows how to exit
— Kelly Vaughn (@kvlly)
5:43 PM • Oct 11, 2025
The plan? At dusk, 50 people went to San Francisco's longest dead-end street and all ordered a Waymo at the same time.
The world's first: WAYMO DDOS
— Riley Walz (@rtwlz)
6:39 PM • Oct 12, 2025
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay