🎓️ Vulnerable U | #140
Hacked critical infrastructure across US and Canada, Russia living off the land against Ukraine, Major telecom backbone provider hacked, and much more!
Read Time: 5 minutes

Howdy friends!
My big news of the week is that I’m an uncle! My nephew was born happy and healthy and I’m very excited about it. I’m accepting all cool uncle tips and tricks. I’m incredibly proud of this even though I had absolutely nothing to do with it.
Is Q4 absolutely insane for anyone else? I feel like I haven’t inhaled in weeks. I also found out I have a muscle sprain and herniated disc, so I’m now of the age where I’m getting intimately familiar with lacrosse balls. Let’s get to it, lots to cover!
(Thanks to everyone who has signed up for premium. I appreciate it more than you know.)
ICYMI
🖊️ Something I wrote: F5 breach - everything we know so far
🎧️ Something I heard: The problem with self-help gurus
🎤 Something I said: These AI browsers are out of control
📣 Something I think you’ll dig: AI Agents in the SOC Benchmark Study
🔖 Something I read: Kim Zetter’s Wired article on the exec from the bug hunting company who was selling zero days to Russia
Vulnerable News
Whenever our industry leaks out into the mainstream I consider it a must watch/read. It is important for us to stay on top of how the general public is hearing about what we do every day. This topic especially so, as it is something that I’ve used as my answer when asked what keeps me up at night: nation-state hacks that are proven but that aren’t causing much damage/loss. They are so patient and lying in wait, for what? Freaks me out.
Former NSA chief Gen. Tim Haugh went on 60 Minutes and talked about how deep China's cyber tendrils go into US infrastructure. They're camping out in water treatment plants, power grids, and even tiny utilities like Littleton, Massachusetts (population 10,000). The FBI told that town's utility manager he was one of 200 similar targets, which raises the obvious question: for what?
Haugh's take is that this isn't about stealing secrets or economic advantage - it's pure warfare preparation. China is pre-positioning so it can flip switches and cause chaos when things get spicy. Haugh got canned by Trump after a far-right activist complained he was "disloyal," which seems like terrible timing given the scale of what we're dealing with. Dealing with what feels like preemptive cyber war preparation while our cyber defense leadership keeps getting shuffled around for political reasons is a shitty place to be. (read more)
At Persona, we’ve seen deepfake attacks surge 50x this year, and 85% of CISOs say they don’t have GenAI-ready response plans. It’s no longer about if your workforce will be targeted, but whether you’re ready when it happens.
Persona verifies employees, contractors, and vendors in seconds, automating identity checks to cut manual work and stop impersonation attacks before they spread. With Workforce IDV, you can integrate identity verification into your existing security stack and always know who’s really behind the login.
*Sponsored
Another day, another telecom backbone getting pwned by nation-state hackers. This time it's Ribbon Communications, which provides the underlying tech that keeps phone calls and data networks running for Verizon, BT, Deutsche Telekom, and even the US Department of Defense. They discovered the breach in September, but turns out the attackers may have been lurking in their systems since December 2024.
The hackers managed to access some customer files stored on a couple laptops outside the main network, though Ribbon says they haven't found evidence of any major data exfiltration yet. While they're not naming names, all signs point to China given their well-documented obsession with targeting telecom infrastructure. (read more)
I learned more about 764 when I was out at PAX West in a presentation about child exploitation in online games like Roblox. They are responsible for some of the worst shit you’ll ever hear about, like sextorting minors and getting them to self harm. I go into it a bunch in my worst performing YouTube video of all time, since nobody wants to hear about this shit.
A 19-year-old member of this nihilistic extremist group "764" is facing serious federal charges that could land him up to 69 years in prison. Tony Christopher Long allegedly ran a two-month crime spree including cyberstalking, extortion, sexual exploitation of minors, and animal abuse.

This is part of a broader crackdown on 764 - an offshoot of The Com, the same loose online community that Scattered Spider grew out of - which has been targeting vulnerable victims through a mix of financial, sexual, and violent crimes. The group seems to be attracting young members (typically 11-25 years old) who are driven by a mix of notoriety-seeking and a stated goal of causing societal collapse. This arrest follows the April takedown of two 764 leaders who were charged with directing CSAM distribution networks. (read more)
The Python Software Foundation just walked away from a $1.5 million NSF grant rather than agree to anti-DEI contract language. The grant was supposed to fund security improvements for Python and PyPI (the massive open-source code repository), but the contract required PSF to affirm they wouldn't run any DEI programs across their entire organization - not just the grant-funded work. Since PSF's literal mission includes supporting "a diverse and international community of Python programmers," that was a non-starter.
This would have been PSF's largest grant ever, and the security work they proposed sounds genuinely useful - automated tools to detect malicious packages before they hit PyPI, potentially protecting millions of users from supply chain attacks. The tech could have been adapted for other package managers too. But PSF decided the financial risk and ideological compromise weren't worth it, especially with a "claw back" provision that could have forced them to return already-spent money. Now we get to see how the administration's DEI crusade plays out against actual cybersecurity needs. (read more)
Invitation-based attacks tend to peak around the holidays, but this year we are already seeing an influx of malicious digital invitations hitting inboxes. The two most frequently impersonated brands in these attacks (at the moment) are Evite and Punchbowl. Payloads currently vary between credential phishing and malware distribution. (read more)
*Sponsored

Three new physical attacks are putting major holes in the trusted execution environments (TEEs) from Nvidia, AMD, and Intel. The latest, TEE.fail, takes about three minutes to pull off and needs only a small interposer sitting between a memory module and the motherboard (plus kernel access on the box) to bypass the protections.
For under $1,000 in hardware, that interposer defeats Nvidia Confidential Computing, AMD SEV-SNP, and Intel TDX/SGX. Tons of major services rely on these TEEs - blockchain platforms, cloud providers, AI services, even Signal's contact discovery. Many of those companies make bold claims about resistance to physical attacks, but the chipmakers explicitly exclude physical attackers from their threat models.
The root problem is that all three vendors use deterministic memory encryption: the same plaintext at the same address always produces the same ciphertext, and nothing on the chip notices when a stale block is written back, so an attacker who can see and drive the memory bus can record ciphertext and replay it later. The researchers demonstrated breaking everything from Ethereum block builders handling millions in transactions to blockchain networks that run on SGX. Cloud providers like AWS have better physical security, but users often don't even know where their servers are running. The fix isn't simple either - switching to probabilistic, authenticated encryption would crush performance when encrypting terabytes of server RAM. For now it's mostly Band-Aid solutions and hoping your infrastructure isn't sitting in someone's basement. (read more)
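To make the "deterministic encryption means replay" point concrete, here is a toy model I added for this issue. It is not the researchers' code and not AES-XTS: the per-block keystream is SHA-256 over (key, address, optional nonce), an assumption standing in for a tweakable block cipher, but it keeps the property that matters, which is that without a nonce the same plaintext at the same address always encrypts to the same bus bytes. The interposer is modelled as something that can copy and overwrite raw ciphertext for an address.

```python
"""Toy model: deterministic, unauthenticated memory encryption is replayable.

Added illustration, not the TEE.fail researchers' code and not AES-XTS. The
keystream is SHA-256(key || address [|| nonce]) as a stand-in for a tweakable
block cipher (an assumption); the interposer can copy and overwrite bus bytes.
"""
import hashlib
import hmac
import os

BLOCK = 16  # bytes per modelled memory block


def _pad(plaintext):
    assert len(plaintext) <= BLOCK, "toy model handles one block at a time"
    return plaintext.ljust(BLOCK, b"\0")


def _keystream(key, address, nonce=b""):
    return hashlib.sha256(key + address.to_bytes(8, "big") + nonce).digest()[:BLOCK]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class DeterministicRAM:
    """XTS-like: ciphertext depends only on (key, address, plaintext). No nonce, no tag."""

    def __init__(self, key):
        self.key = key
        self.cells = {}

    def write(self, address, plaintext):
        self.cells[address] = _xor(_pad(plaintext), _keystream(self.key, address))

    def read(self, address):
        return _xor(self.cells[address], _keystream(self.key, address)).rstrip(b"\0")

    # The interposer's view of the bus: raw ciphertext it can copy and overwrite.
    def bus_snapshot(self, address):
        return self.cells[address]

    def bus_inject(self, address, raw):
        self.cells[address] = raw


class AuthenticatedRAM:
    """Fresh nonce per write, MAC over (address, nonce, ciphertext), and the trusted
    side remembers the last nonce it wrote, so a replayed old triple is rejected."""

    def __init__(self, key):
        self.key = key
        self.cells = {}
        self.last_nonce = {}  # freshness state; would sit on-die, beyond the interposer

    def _tag(self, address, nonce, ct):
        return hmac.new(self.key, address.to_bytes(8, "big") + nonce + ct, "sha256").digest()

    def write(self, address, plaintext):
        nonce = os.urandom(12)
        ct = _xor(_pad(plaintext), _keystream(self.key, address, nonce))
        self.cells[address] = (nonce, ct, self._tag(address, nonce, ct))
        self.last_nonce[address] = nonce

    def read(self, address):
        nonce, ct, tag = self.cells[address]
        fresh = nonce == self.last_nonce.get(address)
        intact = hmac.compare_digest(tag, self._tag(address, nonce, ct))
        if not (fresh and intact):
            raise ValueError("stale or tampered block at %#x" % address)
        return _xor(ct, _keystream(self.key, address, nonce)).rstrip(b"\0")

    def bus_snapshot(self, address):
        return self.cells[address]

    def bus_inject(self, address, raw):
        self.cells[address] = raw


def replay(ram, address, old, new):
    """Interposer records the bus bytes for `old`, lets the victim write `new`,
    then puts the recording back. Returns what the victim reads afterwards."""
    ram.write(address, old)
    recorded = ram.bus_snapshot(address)
    ram.write(address, new)
    ram.bus_inject(address, recorded)
    return ram.read(address)


def ciphertext_repeats(ram, address, value):
    """Equality leak: writing the same value twice gives identical bus bytes, which
    is what lets an attacker build a dictionary of known plaintext/ciphertext pairs."""
    ram.write(address, value)
    first = ram.bus_snapshot(address)
    ram.write(address, value)
    return first == ram.bus_snapshot(address)


def demo(key=None):
    key = key or os.urandom(32)
    det, auth = DeterministicRAM(key), AuthenticatedRAM(key)
    rolled_back = replay(det, 0x1000, b"balance=100", b"balance=0")  # silent rollback
    try:
        replay(auth, 0x1000, b"balance=100", b"balance=0")
        caught = False
    except ValueError:
        caught = True
    return (rolled_back, caught,
            ciphertext_repeats(det, 0x2000, b"secret"),
            ciphertext_repeats(auth, 0x2000, b"secret"))
```

`demo()` returns `(b'balance=100', True, True, False)`: the deterministic model silently rolls the value back and leaks equality, the authenticated one rejects the replay and never repeats a ciphertext. The cost the article mentions is visible here too: every block now carries a nonce and a tag, and the trusted side has to keep freshness state per block, which is exactly what gets expensive across terabytes of RAM.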
Sandworm (or someone doing a great impression) hit Ukrainian targets this summer using an interesting "living off the land" approach - hijacking legitimate Windows admin tools instead of dropping custom malware. They compromised a business services company and a government agency by first planting webshells on public servers, including their signature "Localolive" shell.
Ukraine is seeing a 20% jump in attacks this year, with over 3,000 incidents in the first half of the year alone. Pretty clever tradecraft, even if it's coming from the bad guys. (read more)
A new Windows malware called Airstalk has been discovered that hijacks AirWatch's MDM API for C2 communications. This malware breakdown by Unit42 is awesome. The thing comes in both PowerShell and .NET flavors and abuses the AirWatch (now Workspace ONE) mobile device management API. Instead of standing up traditional C2 infrastructure, it uses the MDM's custom device attributes feature as a dead drop: the implant writes its output into attributes and reads tasking back out of them, so the traffic all looks like device check-ins to a legitimate management service.
The malware's main game is browser data theft (cookies, history, bookmarks, screenshots), but what makes this particularly nasty is the supply chain angle. They're hitting business process outsourcing companies as a way to get access to multiple client organizations at once. Smart move when you think about it - compromise one BPO and suddenly you've got a gateway into dozens of their customers' environments. (read more)
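Dead drops in a legitimate key/value API are hard to block but not hard to spot if you have the API audit trail. Below is a triage script I added for this issue, not Unit 42's tooling and not a Workspace ONE feature. The log shape is hypothetical (you would map your own MDM API audit or proxy logs into these fields), the records are constructed, and the thresholds are assumptions. The logic is generic: real attribute values are short, low-entropy inventory strings written rarely by the enrolled agent, while a dead drop is long, high-entropy, written often, and usually by something that is not the agent.

```python
"""Spotting a dead drop hidden in MDM custom device attributes.

Added example, not Unit 42's analysis tooling and not a Workspace ONE feature.
Log schema is hypothetical, records are constructed, thresholds are assumptions.
"""
import base64
import hashlib
import json
import math
from collections import defaultdict
from datetime import datetime

ALLOWED_AGENTS = ("AirWatchAgent/",)   # assumption: user-agent prefix of the real agent
MAX_LEN, MAX_ENTROPY = 128, 4.5        # chars, bits/char; plain inventory text sits around 3-4
BURST_N, BURST_SECS = 3, 120           # this many writes by one device within this window


def _blob(i):
    # Deterministic stand-in for a base64-encoded encrypted exfil/tasking chunk.
    raw = b"".join(hashlib.sha512(b"chunk-%d-%d" % (i, j)).digest() for j in range(4))
    return base64.b64encode(raw).decode()


LOG = [  # constructed sample records, not real telemetry
    json.dumps({"ts": "2025-10-28T10:00:00Z", "device": "LT-0412", "attr": "AssetTag",
                "value": "FIN-00421", "agent": "AirWatchAgent/24.1"}),
    json.dumps({"ts": "2025-10-28T10:00:05Z", "device": "LT-0412", "attr": "Department",
                "value": "Finance", "agent": "AirWatchAgent/24.1"}),
] + [
    json.dumps({"ts": "2025-10-28T10:0%d:30Z" % i, "device": "LT-0907", "attr": "wdsvc",
                "value": _blob(i), "agent": "PowerShell/5.1"})
    for i in range(4)
]


def entropy(s):
    """Shannon entropy in bits per character of a string."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in freq.values())


def triage(lines, max_len=MAX_LEN, max_entropy=MAX_ENTROPY,
           burst_n=BURST_N, burst_secs=BURST_SECS):
    """Return {device: [reasons]} for devices whose attribute writes look like a channel."""
    per_device = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_device[rec["device"]].append(rec)

    findings = {}
    for device, recs in per_device.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        for r in recs:
            value = r["value"]
            if len(value) > max_len and entropy(value) > max_entropy:
                reasons.add("high-entropy oversized value in %r" % r["attr"])
            if not r["agent"].startswith(ALLOWED_AGENTS):
                reasons.add("written by %s, not the MDM agent" % r["agent"])
        # sliding window over the sorted timestamps: any burst_n writes within burst_secs
        for i in range(len(recs) - burst_n + 1):
            if (recs[i + burst_n - 1]["ts"] - recs[i]["ts"]).total_seconds() <= burst_secs:
                reasons.add("%d writes within %ds" % (burst_n, burst_secs))
                break
        if reasons:
            findings[device] = sorted(reasons)
    return findings
```

Running `triage(LOG)` leaves the finance laptop alone and flags `LT-0907` on all three counts. The agent check is the cheapest and most brittle (an implant can spoof the user-agent), the entropy and size check is the one that survives spoofing, and the burst check is what catches a beaconing cadence even when the attacker keeps each value small.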

Chrome is finally making HTTPS the default in October 2026 with Chrome 154. While 95-99% of web traffic already uses HTTPS, those remaining HTTP connections are still an annoying target. The rollout will focus on public sites first, since private/local network sites (like 192.168.0.1) are trickier to secure with valid certificates.
Chrome will only warn users about new or infrequently visited HTTP sites rather than bombarding them with alerts. Their testing shows most users will see less than one warning per week. The team has also been reaching out to companies still using HTTP, many of whom just haven't prioritized the switch despite it being relatively straightforward. For those managing corporate networks, now's a good time to enable "Always Use Secure Connections" to identify any sites that'll need updating before the 2026 deadline. (read more)
F5 is giving us more details about that nation-state breach from August, and they're working hard to spin it as "not that bad." Their CEO claims most customers handled emergency BIG-IP updates quickly (one managed 814 devices in 6 hours), and those who had config data stolen aren't super worried about it.
While they lost some source code and details of 44 then-undisclosed vulnerabilities, third-party auditors haven't found any critical vulnerabilities yet. They're partnering with CrowdStrike to add EDR to BIG-IP (which is actually pretty interesting - first time we're seeing EDR on perimeter devices). (read more)
Mandiant dropped a comprehensive PAM playbook that's actually worth your time. They break it down into three pillars - Prevention (securing privileged access), Detection (monitoring for anomalies), and Response (containing and recovering from compromise). Their maturity model takes you from "Uninitiated" (spreadsheet tracking, shared creds, chaos) all the way to "Iterative Optimization" where you've got zero standing privilege, full automation, and everything's locked down tight. They're big on tiering (T0/T1/T2) and emphasize that PAM isn't just about domain admins anymore - it's service accounts, API keys, cloud roles, and all the dependencies that actually matter.
The detection section gets into the weeds on behavioral analytics and why traditional SIEM falls short for privileged account monitoring. They want you correlating PAM vault checkouts with session recordings, IdP events, and endpoint telemetry to build that full "who/what/when/where/why" picture. Unsurprisingly, they pitch Google SecOps pretty hard as the platform to tie it all together with automated response workflows. The response section covers tactical hardening during incidents and emphasizes coordinated enterprise password resets (EPR) when you suspect mass credential compromise. Solid framework overall, though it reads like they're positioning for a lot of Google Cloud sales calls. (read more)
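The correlation the playbook asks for is simple to state and annoying to build, so here is a small version I wrote for this issue: not Mandiant's code and not a Google SecOps rule. The three log sources and their JSON fields are hypothetical, the events are constructed, and the lease length and enrichment window are assumptions. The rule is the one the playbook implies: every privileged login must sit inside an active vault checkout for the same account, and anything else is an alert, enriched with who, where, and what ran on the endpoint right after.

```python
"""Correlate privileged logins with PAM vault checkouts and endpoint telemetry.

Added example, not Mandiant's playbook code or Google SecOps content. The log
sources, their fields, the events, and the time windows are all constructed
or assumed for illustration.
"""
import json
from datetime import datetime, timedelta

LEASE = timedelta(hours=4)         # assumption: how long a vault checkout stays valid
FOLLOW_UP = timedelta(minutes=10)  # assumption: enrichment window after a login

EVENTS = [  # constructed sample, not real telemetry
    '{"src":"vault","ts":"2025-10-30T09:00:00Z","event":"checkout","account":"svc-sql-admin","user":"alice","ticket":"CHG-4412"}',
    '{"src":"idp","ts":"2025-10-30T09:03:10Z","event":"login","account":"svc-sql-admin","user":"alice","ip":"10.0.5.21"}',
    '{"src":"endpoint","ts":"2025-10-30T09:04:02Z","event":"process","account":"svc-sql-admin","host":"db01","image":"sqlcmd.exe"}',
    '{"src":"vault","ts":"2025-10-30T15:00:00Z","event":"checkout","account":"t0-domain-admin","user":"bob","ticket":"CHG-4420"}',
    '{"src":"idp","ts":"2025-10-30T20:30:00Z","event":"login","account":"t0-domain-admin","user":"bob","ip":"10.0.5.30"}',
    '{"src":"idp","ts":"2025-10-30T22:41:55Z","event":"login","account":"svc-backup","user":"svc-backup","ip":"10.0.9.77"}',
    '{"src":"endpoint","ts":"2025-10-30T22:42:30Z","event":"process","account":"svc-backup","host":"fs02","image":"powershell.exe"}',
    '{"src":"endpoint","ts":"2025-10-30T22:43:10Z","event":"process","account":"svc-backup","host":"fs02","image":"vssadmin.exe"}',
]


def parse(lines):
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(lines, lease=LEASE, follow_up=FOLLOW_UP):
    """One alert per privileged login that is not covered by an active checkout."""
    events = parse(lines)
    checkouts = [e for e in events if e["src"] == "vault" and e["event"] == "checkout"]
    processes = [e for e in events if e["src"] == "endpoint" and e["event"] == "process"]
    alerts = []
    for login in events:
        if login["src"] != "idp" or login["event"] != "login":
            continue
        prior = [c for c in checkouts
                 if c["account"] == login["account"] and c["ts"] <= login["ts"]]
        if prior and login["ts"] - max(c["ts"] for c in prior) <= lease:
            continue  # inside an active lease: expected privileged use
        alerts.append({
            "rule": "CHECKOUT_EXPIRED" if prior else "NO_CHECKOUT",
            "account": login["account"],
            "who": login["user"],
            "where": login["ip"],
            "when": login["ts"].isoformat(),
            # a service account logging in as itself, rather than via a named human
            # who checked it out, is the "PAM isn't just domain admins" case
            "direct_service_account_use": login["user"] == login["account"],
            "followed_by": [p["image"] for p in processes
                            if p["account"] == login["account"]
                            and login["ts"] <= p["ts"] <= login["ts"] + follow_up],
        })
    return alerts
```

On the sample, alice's morning session is matched and silent, bob's evening login lands 5.5 hours after his checkout and fires `CHECKOUT_EXPIRED`, and the backup service account logging in as itself late at night with no checkout at all fires `NO_CHECKOUT` with `powershell.exe` and `vssadmin.exe` attached, which is the kind of "who/what/when/where" an analyst can act on without pivoting through three consoles.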

Meet Herodotus, the new Android banking trojan that's trying to be sneaky about its automation. This malware, created by someone going by "K1R0," has a trick - instead of just dumping stolen credentials into form fields all at once (which screams "I'm a bot!"), it actually types each character individually with random pauses between keystrokes. 0.3 to 3 seconds between each letter, mimicking how humans actually type.
ThreatFabric spotted active campaigns hitting Italy and Brazil, with the malware disguising itself as legitimate banking security apps. The usual playbook is in effect - SMS distribution, fake overlays on real banking apps, SMS interception for 2FA codes, and accessibility service abuse. What's concerning is that K1R0 is apparently planning to sell this as a service on underground forums, and it's still actively being developed. Banks relying on basic behavioral detection like typing speed might need to step up their game, because this one's putting in the effort to blend in. (read more)
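The "step up their game" part is worth showing, so here is an added example of mine, not ThreatFabric's or any bank's detection code. Both traces are constructed: `HUMAN` is a plausible inter-keystroke trace for a short password, and `HERODOTUS_LIKE` is pacing made to look like a uniform 0.3-3.0 second delay between characters, as the write-up describes. The thresholds are assumptions. The point is that a speed check sees nothing wrong with either trace, while a check on the shape of the distribution separates them.

```python
"""Why a typing-speed check does not catch Herodotus-style keystroke pacing.

Added example, not ThreatFabric's or any bank's code. Both traces are
constructed (seconds between keystrokes); thresholds are assumptions.
"""
import statistics

HUMAN = [0.12, 0.09, 0.21, 0.08, 0.35, 0.11, 0.10, 0.48,
         0.13, 0.09, 0.17, 0.22, 0.07, 0.30, 0.11, 0.10]
HERODOTUS_LIKE = [0.41, 2.73, 1.15, 1.98, 0.62, 2.41, 1.52, 0.87,
                  2.96, 1.33, 0.35, 2.15, 1.77, 0.98, 2.58, 1.09]


def naive_speed_check(intervals, superhuman=0.05):
    """Legacy rule: a bot is anything that types faster than a human could."""
    return statistics.mean(intervals) < superhuman


def flatness(intervals, bins=3):
    """Chi-square statistic of the intervals against a flat histogram over their
    own range. Human pacing is right-skewed (many fast keys, a few long pauses),
    so it scores high; uniformly random delays score low."""
    lo, hi = min(intervals), max(intervals)
    width = (hi - lo) / bins or 1.0  # all-equal intervals collapse into one bin
    counts = [0] * bins
    for x in intervals:
        counts[min(int((x - lo) / width), bins - 1)] += 1
    expected = len(intervals) / bins
    return sum((c - expected) ** 2 / expected for c in counts)


def cadence_check(intervals, floor=0.25, critical=5.99):
    """Bot if every gap clears a floor no human holds for a whole password AND the
    gaps are spread flat. 5.99 is the chi-square 0.05 cutoff at 2 degrees of freedom."""
    return min(intervals) >= floor and flatness(intervals) < critical


def describe(intervals):
    mean = statistics.mean(intervals)
    return {
        "mean_s": round(mean, 3),
        "cv": round(statistics.pstdev(intervals) / mean, 3),
        "min_s": min(intervals),
        "flatness": round(flatness(intervals), 2),
        "naive_flags_bot": naive_speed_check(intervals),
        "cadence_flags_bot": cadence_check(intervals),
    }
```

`naive_speed_check` is false for both traces, which is exactly the gap the malware is built for. `cadence_check` is false for the human trace (several gaps under 100 ms, chi-square around 9) and true for the Herodotus-like one (nothing under 300 ms, chi-square under 1). A fixed-delay bot would slip past the flatness test, so in practice you would stack this with digraph timing, touch pressure and accessibility-service signals rather than rely on any single feature.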
Government contractor Conduent just dropped some bad news - they got breached back in January and over 10 million people's data got got. The hackers were actually hanging out in their network from October all the way through January. Conduent handles critical government services across multiple states - Medicaid, food assistance, and child support payments.
The breach notification is finally rolling out now, almost a year later, with Texas getting hit the hardest at over 400,000 affected people. SafePay ransomware gang claimed credit for this one back in February, saying they made off with 8.5TB of data. The company's spent about $2 million cleaning up the mess so far, and while they say the stolen data hasn't surfaced on the dark web yet, that's cold comfort for folks whose SSNs and medical info are floating around somewhere. Hate to learn details about a breach affecting the most vulnerable populations who rely on these government services. (read more)
Hacktivists managed to breach multiple Canadian critical infrastructure systems and actually messed with industrial controls.
They've had three incidents recently where attackers managed to tamper with water pressure systems, trigger false alarms at an oil and gas company by manipulating tank gauges, and even mess with temperature controls at a grain drying facility. These weren't sophisticated nation-state attacks - just opportunistic hacktivists looking to cause chaos and grab headlines. (read more)
Miscellaneous mattjay