🎓️ Vulnerable U | #175

Free Fable! Fortibleed updates, New Citrix and Oracle active attacks, and much more!

Read Time: 8 minutes

Howdy friends!

Finally back at home. Feels good to be writing this from my own office again. Just got back from SF the other night and had a great time talking AI and security at PlanetScale HQ. Have you been to SF recently? It is like a whole other world just by reading the billboards and bus stop ads. I swear there is a whole ecosystem of companies that only exist there.

I love the city but it sure is dystopian to see someone sleeping at a bus stop where the ad is saying “Never hire another human again!” for some AI sales rep thing.

But mission escape Texas heat for a few weeks was a success. Now it's time to sweat again. Speaking of sweat, Vegas summer camp plans are in full swing. Calendar is already filling up, and me and Low Level have something fun planned for you guys to come to. More details soon, eyes peeled if you’re headed to BlackHat/DEFCON.

ICYMI

🎧️ Something I heard: Michael Roytman and Ed Bellis are 2 data nerds who have thought about vulnerabilities and exploitation longer than most anybody.

🎤 Something I said: This event at PlanetScale was awesome. Really good live discussion worth watching.

🔖 Something I read: Mike Privette’s Quantum Security Is a One-Company Market

Vulnerable News

Well, finding security vulnerabilities is possible again! (Right? Mythos is the only thing that could do that, right?) After a few weeks of back-and-forth, Anthropic and the Commerce Department have kissed and made up over Fable 5 and Mythos 5. The models are back online for U.S. users and export controls have been lifted, after the Trump administration briefly panicked over an Amazon threat intel report claiming they'd jailbroken Fable's cybersecurity capabilities. The fix is new safety classifiers that Anthropic says will block the problematic behaviors 99.9% of the time, stress-tested by the federal Center for AI Standards and Innovation. Guardraily-er Guardrails!

Anthropic's own testing found that ChatGPT 5.5, Claude Opus 4.8, and several other existing models could do the same things that freaked everyone out about Fable in the first place. So the export controls were essentially targeting capabilities that are already widely available. Former Bush-era Commerce official Christopher Padilla summed it up pretty well, calling the administration's AI policy approach "chaotic and unpredictable" - which is a bit rich given they're simultaneously loosening export controls on advanced AI chips to China. Defensive security folks should also note that the new classifiers will likely make Fable 5 even more restrictive for routine security work than it already was. Aka not useful. (read more)

Adrian is the open-source runtime security harness for AI agents. Five minutes from install to a continuous, independent security system monitoring your agents. While other tools watch what your agent does, Adrian also watches what it thinks and plans, blocking misalignment, prompt injection and tool abuse before they happen.

Uses a technique theorised by OpenAI and Google DeepMind, and proven to catch 4x more malicious actions than activity monitoring alone. Built by Secure Agentics, a London-based AI security startup founded by former red teamers.

Self-hosted and free, forever. (Read more)

*Sponsored

Turns out FortiBleed wasn't just opportunistic data hoarding. SOCRadar has now tied the whole operation directly to the INC and Lynx ransomware groups, and the scale is way bigger than originally thought. 430,000 FortiGate firewalls targeted, ~19,000 devices with actual traffic sniffers deployed, around 20 operators with defined roles, and roughly 500 servers running the operation. The smoking gun was finding browser sessions on FortiBleed infrastructure actively accessing both ransomware negotiation panels.

The technical details are pretty gnarly too - they deployed a custom tool called "FortiGate Sniffer" to intercept VPN credentials directly from network traffic, left persistent backdoor accounts under the username "adminin," and may have exploited an undisclosed Nextcloud zero-day for lateral movement. If you're running FortiGate devices, hunting for that "adminin" account is a good place to start. (read more)

Another Scattered Spider member is facing the music - Peter Stokes, a 19-year-old dual U.S.-Estonian citizen, got extradited from Finland to Chicago this week. The centerpiece of the DOJ's case is a pretty textbook Scattered Spider playbook: call the IT help desk with Google Voice numbers, social engineer a password and MFA reset, compromise three accounts in under three hours, then drop an $8 million ransom demand on a luxury jewelry retailer. They also threw in ngrok for persistent access, which is becoming a bit of a calling card for this group.

The company didn't pay the ransom, but still ate roughly $2 million in disruption and remediation costs. Stokes was originally picked up by Finnish authorities back in April following an Interpol Red Notice. This is part of a broader crackdown on Scattered Spider, a group the DOJ estimates has hit over 100 networks and collected more than $100 million in ransom payments. The arrests are starting to stack up for them. (read more)

New macOS infostealer just dropped and this one's got some interesting tricks up its sleeve. PamStealer poses as Maccy, a legit clipboard manager, and uses a combo of AppleScript and JavaScript for Automation to drop its Rust payload. It validates stolen passwords locally through macOS's own PAM interface rather than phoning home with unverified creds - meaning it's making less noise than your typical commodity stealer. It also holds off on triggering the Full Disk Access prompt for up to 40 minutes after launch so nothing looks suspicious right out of the gate.

The social engineering piece is solid too - it tricks users into pressing Command-R which both executes the malicious code AND bypasses macOS's quarantine attribute that normally warns you about downloaded executables. Once it grabs your password, it throws up a fake "file is damaged" error so you just shrug and move on, none the wiser. Mac defenders should be watching for processes masquerading as Finder or Software Update, especially anything running under com[.]apple.finder.core or com[.]apple[.]security.daemon. The Jamf writeup is worth a read if you want the full technical breakdown. (read more)

The FBI just took down NetNut, a residential proxy service run by publicly-traded Israeli company Alarum Technologies. If that name doesn't ring a bell, you might know it better as the Popa botnet - a network of over 2 million compromised devices, mostly cheap TV streaming boxes and smart TVs, rented out to cybercriminals for ad fraud, account takeovers, and traffic scraping. Google's threat intel team noted 316 distinct threat actor clusters using NetNut exit nodes in a single week, including both cybercriminal and espionage groups.

NetNut had actually grown significantly after the FBI took down its biggest competitor IPIDEA earlier this year, so experts are hopeful this puts a real dent in the ecosystem. The practical takeaway here is worth repeating - those cheap no-name Android TV boxes flooding Amazon and AliExpress are essentially malware delivery devices. Spur found that 42% of LG webOS apps and over 25% of Samsung Tizen apps contain proxy SDKs that silently enroll your TV into these networks. Stick to name brands and verify your device supports Google's official Play Protect certification. (read more and krebs here)

Researchers found something genuinely concerning - while sifting through nearly 3,000 DeepSeek-attributed malware samples, they found one where the AI independently figured out that the browser's native showDirectoryPicker() API could be weaponized for ransomware. No exploit or installation required - just a permission prompt that, as ClickFix shows us, a ton of users would click. The attacker who prompted it probably had no idea this API even existed, which is nuts. DeepSeek connected the dots between a vague malicious goal and a real browser capability on its own.

The PoC in the research is a fake AI photo tool that asks you to select a folder, encrypts your images during the fake "processing" step, and calls it a day. Worth noting this works on Android Chrome (since v132 added full File System Access support), and your DCIM folder - years of photos, banking screenshots, recovery codes - is fair game. iOS Safari doesn't expose the same API so iPhone users are in the clear here. No active campaigns have been spotted yet, but the barrier to operationalizing this is low enough that it warrants attention. Treat browser folder-access prompts like any other permission request, and maybe don't point random websites at your main photo library. (read more)

New CVE to keep on your radar - CVE-2026-46817, a 9.8 severity hit on Oracle E-Business Suite's payments processing feature. Threat intel firm Defused caught six exploitation attempts on their honeypots over a two-hour window Saturday, all from a single IP, and this was happening before any public proof-of-concepts were even available. Shadowserver's scans show about 950 potentially vulnerable instances exposed to the internet, with more than half sitting in the US.

If this sounds familiar, it should - Clop ransomware had a field day with Oracle E-Business Suite last year, and ShinyHunters just got done tearing through PeopleSoft hitting over 100 organizations. The current activity looks more like someone testing their weaponization than an active campaign, but given the history here, patch your Oracle deployments before this gets interesting. (read more)

Huntress caught a massive password spray campaign hitting Microsoft 365 that's bypassing MFA through a legacy auth flow most people forgot exists. Attackers are using old breached credentials and validating them through Azure CLI's OAuth 2.0 ROPC flow—which completely skips interactive MFA prompts because it sends creds directly to the token endpoint. Dozens of orgs thought they had MFA enforced everywhere, but their Conditional Access Policies weren't scoped to cover this flow. Tens of millions of login attempts and dozens of confirmed compromises.

The fix is pretty straightforward but requires tightening up your CAP scope. You need to enforce MFA for all users, all cloud apps, and all client types. Microsoft has a setting specifically to block ROPC sign-ins (userStrongAuthClientAuthNRequired), and you should probably restrict Azure CLI access to admins only. Also worth noting: the attacks are coming primarily from an IPv6 range tied to LSHIY LLC (AS32167), so watch your sign-in logs for ROPC attempts and weird geo patterns. If you've been relying on "trusted location" exceptions or report-only policies, those are getting exploited too. (read more)
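
For the "watch your sign-in logs for ROPC attempts" part, here is an added example (mine, not from Huntress or Microsoft) that triages exported sign-in records. It assumes a JSON export using the Microsoft Graph sign-in field names `authenticationProtocol`, `ipAddress`, `userPrincipalName` and `status.errorCode`; the sample records and the spray threshold are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records using field names from Entra ID sign-in logs.
# Addresses are documentation ranges, not indicators from the Huntress report.
SAMPLE = json.loads("""[
 {"userPrincipalName":"alice@example.com","ipAddress":"2001:db8:a::10","authenticationProtocol":"ropc","status":{"errorCode":50126}},
 {"userPrincipalName":"bob@example.com","ipAddress":"2001:db8:a::10","authenticationProtocol":"ropc","status":{"errorCode":50126}},
 {"userPrincipalName":"carol@example.com","ipAddress":"2001:db8:a::10","authenticationProtocol":"ropc","status":{"errorCode":0}},
 {"userPrincipalName":"dave@example.com","ipAddress":"2001:db8:a::10","authenticationProtocol":"ropc","status":{"errorCode":50076}},
 {"userPrincipalName":"erin@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"ropc","status":{"errorCode":0}},
 {"userPrincipalName":"frank@example.com","ipAddress":"2001:db8:a::10","authenticationProtocol":"oAuth2","status":{"errorCode":50126}}
]""")

SUCCESS = 0
# Password was correct but policy stopped the sign-in: MFA required / blocked by CA.
VALID_BUT_BLOCKED = {50076, 53003}

def hunt_ropc(signins, min_users=3):
    """Triage ROPC sign-ins; min_users is an assumed spray threshold per source IP."""
    users_by_ip = defaultdict(set)
    signed_in, password_valid = [], []
    for s in signins:
        if str(s.get("authenticationProtocol", "")).lower() != "ropc":
            continue  # interactive and other flows are out of scope for this hunt
        user, ip = s["userPrincipalName"].lower(), s["ipAddress"]
        code = s.get("status", {}).get("errorCode")
        users_by_ip[ip].add(user)
        if code == SUCCESS:
            signed_in.append((user, ip))        # token issued with password only
        elif code in VALID_BUT_BLOCKED:
            password_valid.append((user, ip))   # rotate: the credential is known-good
    spray = {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}
    return {"spray_sources": spray, "signed_in": signed_in, "password_valid": password_valid}

if __name__ == "__main__":
    print(json.dumps(hunt_ropc(SAMPLE), indent=2))
```

The `password_valid` bucket matters as much as `signed_in`: a ROPC attempt that was stopped by MFA or Conditional Access still confirms the password to whoever sent it.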

New CitrixBleed-adjacent vuln just dropped for NetScaler, and threat actors were already hammering it within 24 hours of public disclosure - basically the moment watchTowr published their technical writeup and detection artifact generator. CVE-2026-8451 is an out-of-bounds read in NetScaler's XML parser that leaks memory contents back in the NSC_TASS cookie, no auth required. The catch is the appliance needs to be configured as SAML IDP, but that's not exactly a rare configuration in enterprise environments.

Lupovis caught at least two separate threat actors probing their sensors, one from Frankfurt infrastructure and another from Koapu Cloud HK, both using the same playbook - probe for the right endpoint, get a 200 OK, immediately drop the payload. If you're running NetScaler as SAML IDP, patch now, and if you can't patch, disable SAML IDP until you can. Either way, go check your /saml/login traffic and NSC_TASS cookie values for anything weird - if you're already hit, you'll want to know sooner rather than later. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay