This week, we are joined by Kyla Cardona and Aurora Johnson from SpyCloud discussing their research "China’s Surveillance State Is Selling Citizen Data as a Side Hustle." Chinese technology companies, under CCP mandate, collect vast amounts of data on citizens, creating opportunities for corrupt insiders to steal and resell this information on dark markets. These stolen datasets, aggregated into "Social Work Libraries" (SGKs), mirror lower-tech versions of CCP internal security databases.

Kyla and Aurora discuss how Chinese cybercriminals use these SGKs and their implications compared to Western, European, and Russian cybercrime ecosystems. With expertise in Chinese OSINT and cybersecurity policy, both researchers bring deep insights into the geopolitical and technical dynamics of China's digital landscape.

The research can be found here:

Learn more about your ad choices. Visit megaphone.fm/adchoices

Karlo Zanki, Reverse Engineer at ReversingLabs, discussing their work on "Malicious PyPI crypto pay package aiocpa implants infostealer code." ReversingLabs' machine learning-based threat hunting system identified a malicious PyPI package, aiocpa, designed to exfiltrate cryptocurrency wallet information.

Unlike typical attacks involving typosquatting, the attackers published a seemingly legitimate crypto client tool to build trust before introducing malicious updates. ReversingLabs used its Spectra Assure platform to detect behavioral anomalies and worked with PyPI to remove the package, highlighting the growing need for advanced supply chain security tools to counter increasingly sophisticated threats.

The research can be found here:

• Malicious PyPI crypto pay package aiocpa implants infostealer code

Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Asheer Malhotra and Vitor Ventura from Cisco Talos, and they are discussing "Operation Celestial Force employs mobile and desktop malware to target Indian entities." Cisco Talos revealed Operation Celestial Force, an espionage campaign by the Pakistani threat group "Cosmic Leopard," targeting Indian defense, government, and technology sectors.

Active for at least six years, the operation has recently increased its use of mobile malware and commercial spyware for surveillance.

The research can be found here:

• Operation Celestial Force employs mobile and desktop malware to target Indian entities

Learn more about your ad choices. Visit megaphone.fm/adchoices

Adam Khan, VP of Security Operations at Barracuda, joins to discuss his team's work on "The evolving use of QR codes in phishing attacks." Cybercriminals are evolving phishing tactics by embedding QR codes, or “quishing,” into PDF documents attached to emails, tricking recipients into scanning them to access malicious websites that steal credentials.

Barracuda researchers found over half a million such emails from June to September 2024, with most impersonating brands like Microsoft, DocuSign, and Adobe to exploit urgency and trust. To counter these attacks, businesses should deploy multilayered email security, use AI-powered detection tools, educate employees on QR code risks, and enable multifactor authentication to safeguard accounts.

The research can be found here:

• Threat Spotlight: The evolving use of QR codes in phishing attacks

Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Andrew Morris, Founder and CTO of GreyNoise, to discuss their work on "GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI." GreyNoise discovered two critical zero-day vulnerabilities in IoT-connected live streaming cameras, used in sensitive environments like healthcare and industrial operations, by leveraging its AI-powered detection system, Sift.

The vulnerabilities, CVE-2024-8956 (insufficient authentication) and CVE-2024-8957 (OS command injection), could allow attackers to take full control of affected devices, manipulate video feeds, or integrate them into botnets for broader attacks. This breakthrough underscores the transformative role of AI in identifying threats that traditional systems might miss, highlighting the urgent need for robust cybersecurity measures in the expanding IoT landscape.

The research can be found here:

• GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI

Learn more about your ad choices. Visit megaphone.fm/adchoices

Shawn Kanady, Global Director of Trustwave SpiderLabs, to discuss their work on "Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader." Trustwave SpiderLabs has uncovered Pronsis Loader, a new malware variant using the rare programming language JPHP and stealthy installation tactics to evade detection.

The malware is capable of delivering high-risk payloads like Lumma Stealer and Latrodectus, posing a significant threat. Researchers highlight its unique capabilities and infrastructure, offering insights for bolstering cybersecurity defenses.

The research can be found here:

• Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader

Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore episode:

Noah Pack, a SANS Internet Storm Center Intern, sits down to discuss research on "What happens when you accidentally leak your AWS API keys?" This research is a guest diary from Noah and shares a project he worked on after seeing an online video of someone who created a python script that emailed colleges asking for free swag to be shipped to him.

The research states "In this article, I will share some research, resources, and real-world data related to leaked AWS API keys." In this research, Noah shares what he learned while implementing his experiment.

The research can be found here:

• What happens when you accidentally leak your AWS API keys? [Guest Diary]

Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Ami Luttwak, Co-Founder and CTO from Wiz, sharing their work on "Wiz Research Finds Critical NVIDIA AI Vulnerability Affecting Containers Using NVIDIA GPUs, Including Over 35 percent of Cloud Environments." A critical vulnerability in the NVIDIA Container Toolkit, widely used for GPU access in AI workloads, could allow attackers to escape containers and gain full access to host environments, jeopardizing sensitive data.

Wiz estimates that at least 33% of cloud environments are affected and urges immediate updates to NVIDIA's patched version. This discovery highlights the broader issue of young, under-secured codebases in AI tools, emphasizing the need for stronger security measures and collaboration.

The research can be found here:

• Wiz Research Finds Critical NVIDIA AI Vulnerability Affecting Containers Using NVIDIA GPUs, Including Over 35% of Cloud Environments

Learn more about your ad choices. Visit megaphone.fm/adchoices

This week we are joined by, Blake Darché, Head of Cloudforce One at Cloudflare, to discuss their work on "Unraveling SloppyLemming’s Operations Across South Asia." Cloudforce One's investigation into the advanced threat actor "SloppyLemming" reveals an extensive espionage campaign targeting South and East Asia, with a focus on Pakistan's government, defense, telecommunications, and energy sectors.

Leveraging multiple cloud service providers, SloppyLemming employs tactics like credential harvesting, malware delivery, and command-and-control (C2) operations, often relying on open-source adversary emulation tools like Cobalt Strike. Despite its activities, the actor's poor operational security (OPSEC) has allowed investigators to gain valuable insights into its infrastructure and tooling.

The research can be found here:

• Unraveling SloppyLemming’s operations across South Asia

Learn more about your ad choices. Visit megaphone.fm/adchoices

Enjoy this special encore episode, where we are joined by Jon Williams from Bishop Fox, as he is sharing their research on "It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable." SonicWall published advisories for CVE-2022-22274 and CVE-2023-0656 a year apart after finding that NGFW series 6 and 7 devices are affected by two unauthenticated denial-of-service vulnerabilities.

The research states "Our research found that the two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern." They also found that when they scanned SonicWall firewalls with management interfaces exposed to the internet, they found that 76% are vulnerable to one or both issues.

The research can be found here:

• It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable

Learn more about your ad choices. Visit megaphone.fm/adchoices