Three Buddy Problem - Episode 59: Apple drops another emergency iOS patch and we unpack what that “may have been exploited” language really means: zero-click chains, why notifications help but forensics don’t, and the uncomfortable truth that Lockdown Mode is increasingly the default for high-risk users. We connect the dots from ImageIO bugs to geopolitics, discuss who’s likely using these exploits, why Apple’s guidance stops short, and the practical playbook (ADP on, reboot often, reduce attack surface) that actually works.

Plus, we debate Microsoft throttling MAPP access for Chinese vendors, the idea of “letters of marque” for cyber (outsourced offense: smart deterrent or Pandora’s box?), and dissect two case studies that blur APT and crimeware: PipeMagic’s CLFS zero-day and Russia-linked “Static Tundra” riding seven-year-old Cisco bugs.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Apple bulletin: iOS 18.6.2
• Apple discloses actively exploited zero-day affecting iOS, iPadOS and macOS
• UK drops demand for backdoor into Apple encryption
• Tulsi Gabbard on UK dropping Apple backdoor mandate
• Microsoft Curbs Early Notifications for Chinese Firms on Security Flaws
• Kaspersky report on PipeMagic
• Microsoft: Dissecting PipeMagic Backdoor Framework
• Cisco Talos on Static Tundra
• FBI advisory on end-of-life network devices
• SIM-Swapper, Scattered Spider Hacker Gets 10 Years
• Qubic Claims Majority Control of Monero Hashrate, Raising 51% Attack Fears
• State of Statecraft Call for Papers
• LABScon 2025 Speaker Roster
• Offensive AI Con
• Three Buddy Problem: LIVE in Canada

Three Buddy Problem - Episode 58: The buddies react to the Brandon Dixon episode, digging into what it’s really like to scale products inside a tech giant, navigate politics, and bring features to millions of machines. Plus, an exploration of the AI cybersecurity gold rush, the promise and hype, and the gamble for startups versus the slow-moving advantage of incumbents.

We revisit the Chinese "cyber militia" discussion and the looming AI “dot-com bubble,” the value of owning infrastructure, Nvidia and export controls, China’s manufacturing edge, and the geopolitics of supply chains.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Live from Black Hat: Brandon Dixon
• PSIRT | FortiGuard Labs
• SonicWall Firewalls – SSLVPN Recent Threat Activity
• Cisco CVSS 1.0 RCE
• Margin Research: Cyber Militias Redux
• Russia Is Suspected to Be Behind Breach of Federal Court Filing System
• Russian hackers seized control of Norwegian dam
• Poland foiled cyberattack on big city's water supply
• EU Parliament pressing for agreement on chat scanning bill
• LABScon 2025

Three Buddy Problem - Episode 57: Brandon Dixon (PassiveTotal/RiskIQ, Microsoft) leads a deep-dive into the collision of AI and cybersecurity. We tackle Google’s “Big Sleep” project, XBOW’s HackerOne automation hype, the long-running tension between big tech ownership of critical security tools and the community’s need for open access.

Plus, the future of SOC automation to AI-assisted pen testing, how agentic AI could transform the cyber talent bottlenecks and operational inefficiencies, geopolitical debates over backdoors in GPUs and the strategic implications of China’s AI model development.

Cast: Brandon Dixon, Juan Andres Guerrero-Saade, and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Brandon Dixon | LinkedIn
• Google 'Big Sleep' AI Issue Tracker
• XBOW - The road to Top 1: How XBOW did it
• Does “XBOW AI Hacker” Deserve the Hype?
• XBOW - Taking the Top Hacker in the US to New Heights: XBOW Raises $75M Series B
• NVIDIA: No Backdoors. No Kill Switches. No Spyware
• Nvidia reiterates its chips have no backdoors, urges US against location verification
• Google: Our Big Sleep agent makes a big leap
• Microsoft announces acquisition of RiskIQ
• RiskIQ attack surface management
• Brandon Dixon (SecurityConversations podcast)
• Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

Three Buddy Problem - Episode 56: China-focused researcher Dakota Cary joins the buddies to dig into China’s sprawling cyber ecosystem, from the HAFNIUM indictments and MSS tasking pipelines to the murky world of APT contractors and the ransomware hustle. We break down China’s “entrepreneurial” model of intelligence collection, why public visibility into these threat actors is so hard to get right, and how companies like Microsoft get caught in the geopolitical crossfire.

Plus: a deep dive on suspected MAPP leaks and Sharepoint zero-days, Singapore targeted by extremely sophisticated China-nexus hacking group, soft censorship in corporate threat-intel, and whether the U.S. should rethink how it fills its intelligence gaps.

Cast: Dakota Cary, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Dakota Cary on LinkedIn
• China’s Covert Capabilities -- Silk Spun From Hafnium
• HAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China’s Cyber Ecosystem
• Microsoft Probing Whether Chinese Hackers Found Flaw Via MAPP
• Cybersecurity Law of the People’s Republic of China
• Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats
• Fire Ant: Hypervisor-Level Espionage Targeting VMware ESXi & vCenter
• Singapore actively dealing with ongoing China cyberattack
• Iranians Targeted With Spyware in Lead-Up to War With Israel — all inside Iran and working either in the country’s technology sector or for the government.
• LABScon 2025
• Apple in China (book)

Three Buddy Problem - Episode 55: A SharePoint zero-day exploit chain from Pwn2Own Berlin becomes a full-blown security crisis with Chinese nation-state actors exploiting vulnerabilities that Microsoft struggled to patch properly, leading to trivial bypasses and a cascade of new CVEs. The timeline is messy, the patches are faulty, and ransomware groups are lining up to join the party.

We also revisit the ProPublica bombshell about Microsoft's "digital escorts" and U.S. government data exposure to Chinese adversaries and the company's "oops, we will stop" response. Plus, trusting Google's Big Sleep AI claims and a cautionary tale about AI agents gone rogue that wiped out a production database.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Three Buddy Problem LIVE at Black Hat
• TBP at Countermeasures 2025
• CODE WHITE GmbH ToolShell exploit
• Microsoft guidance for SharePoint vulnerability CVE-2025-53770
• Kaspersky on ToolShell: A story of five Sharepoint vulns
• Ryan's EkoParty keynote on Microsoft culture
• Microsoft Disrupting active exploitation of on-prem SharePoint flaws
• SentinelLabs on Sharepoint zero-day in-the-wild
• ESET on ToolShell: An all-you-can-eat buffet for threat actors
• Microsoft Stops Using China-Based Engineers for DoD Computer Systems
• AI coding platform goes rogue during code freeze and deletes entire company database
• Jason Lemkin: Replit goes rogue
• John Hultquist on Big Dream AI
• LABScon 2025

Three Buddy Problem - Episode 54: Europol busted pro‑Russian hacktivist crew NoName 057(16), the Brits announce sanctions on Russia’s GRU cyber units, Wagner‑linked “war influencers” streamed atrocities from Africa, and fresh tech worries ranged from a $500 RF flaw that can hijack U.S. train brakes.

Plus, ProPublica on Microsoft’s China‑based “digital escorts,” Google’s headline‑grabbing AI‑found SQLite zero‑day, and OpenAI’s new task‑running agents. Meanwhile, Ukraine’s hackers wiped a Russian drone maker, ransomware crippled a major vodka producer, and another Chrome zero‑day quietly underscored how routine critical exploits have become.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Europol targets NoName057(16) pro-Russian cybercrime network
• Europe's most wanted list
• UK sanctions Russian spies linked to Mariupol strikes
• Profile: GRU cyber and hybrid threat operations
• Lindsay Freeman: War Crimes for Fun and Profit
• Lindsay Freeman bio
• CISA: End-of-Train and Head-of-Train Remote Linking Protocol
• Background of train vulnerability (CVE-2025-1727)
• ProPublica on Microsoft “Digital Escorts”
• Google’s Big Sleep AI bug-finding claims
• EchoLeak (CVE-2025-32711)
• Russian vodka producer reports disruptions after ransomware attack
• Ukrainian Hackers Cripple IT Infrastructure of Russian Drone Manufacturer
• Another exploited Google Chrome zero-day
• Three Buddy Problem LIVE at Black Hat
• Ringzer0 COUNTERMEASURE

Three Buddy Problem - Episode 53: We dig into news of the first-ever arrest of a Chinese intelligence-linked hacker in Italy, unpack the mystery behind HAFNIUM and how they somehow got their hands on the same Microsoft Exchange zero-days that researcher Orange Tsai discovered - was it coincidence, inside access, or something more sinister?

Plus, China's massive cyber capabilities pipeline, ‘theCom’ teenagers arrested in the UK after ransomware binge, and spyware attacks against Russian organizations.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• US Gov: Prolific Chinese state-sponsored contract hacker arrested
• Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
• Microsoft Exchange Server Attack Timeline
• YouTube: Orange Tsai on ProxyLogon
• Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace
• The Growing Role of Cyber Militias in China’s Network Warfare Force Structure
• NCA arrest four for attacks on M&S, Co-op and Harrods
• Four arrested by UK police over ransomware attacks on M&S, Co-op and Harrods
• Cyberattack deals blow to Russian firmware used to repurpose civilian drones for Ukraine war
• Cyberattack deals blow to Russian firmware used to repurpose civilian drones for Ukraine war
• Batavia spyware targeting Russian organizations
• Chainalysis: First-ever crypto seizure in Greece
• Ringzer0 COUNTERMEASURE — Three Buddy Problem discount code for training: CM25-3BUDDY
• LABScon 2025

Three Buddy Problem - Episode 52: Fresh intelligence reports out of Europe and China: France’s ANSSI documents a string of Ivanti VPN zero-days ('Houken'), and Quanxin frames a stealth Microsoft Exchange-zero-day chain linked to a North American 'Night Eagle' threat actor. We dissect the technical bread-crumbs, questions the attribution math, and connects Houken to SentinelOne’s “Purple Haze” research.

Plus, the FBI’s claim that China’s “Salt Typhoon” has been “contained,” Iran’s Nobitex crypto-exchange breach (Predatory Sparrow torches $90 million and leaks the source code), Iranian cyber capabilities and sanctions avoidance.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Houken: Seeking a path by living on the edge with zero-days
• China-nexus APTs recon on top-tier targets
• French cybersecurity agency confirms government affected by Ivanti hacks
• Top FBI cyber official: Salt Typhoon ‘largely contained’
• Operation Blockbuster (Novetta)
• Israel-Iran cyberwar: Predatory Sparrow, vanishing crypto, bank hacks
• Inside the Nobitex Breach: What the Leaked Source Code Reveals About Iran’s Crypto Infrastructure
• cisagov/thorium

Three Buddy Problem - Episode 51: Former Immunity/Trail of Bits researcher Hamid Kashfi joins the buddies for a fast-moving tour of cyber activities in the Israel-Iran war. The crew unpacks who 'Predatory Sparrow' is, why Sepah Bank and the Nobitex crypto exchange were hit, and what a $90 million cryptocurrency burn really means. Plus, radar-blinding cyberattacks that paved the way for Israel’s air raid, the human cost of sudden ATM outages and unpaid salaries, and the puzzling “Code Breakers” data leak that preceded it all.

Hamid shares on-the-ground context, the buddies debate whether cyber operations can sway a shooting war, and everyone tries to gauge Iran’s true offensive muscle under sanctions.

Cast: Hamid Kashfi, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Pro-Israel hackers take credit for cyberattack on Iran's Bank Sepah
• Predatory Sparrow Burns $90 Million on Iranian Crypto Exchange in Cyber Shadow War
• Codebreakers and Predatory Sparrow
• Iranian Exchange Nobitex: The $90M Exploit
• Iranian newspaper: Defense system was hacked
• Iranian state TV shows footage of Israeli drone
• Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
• Israeli Officials Warn Iran Is Hijacking Security Cameras to Spy
• LABScon - Security Research in Real Time
• Three Buddy Problem LIVE
• Hamid Kashfi: The curious case of Predatory Sparrow
• Glasshouse episode with Hamid Kashfi

Three Buddy Problem - Episode 50: This week, we dissect cyber flashpoints in the Iran-Israel war, revisit the “magnet of threats” server in Iran that attracted APTs from multiple nation-states, and react to Israel's Mossad sneaking explosive drone swarms deep into Iran to support airstrikes.

Plus, Stealth Falcon’s new WebDAV zero-day, SentinelOne’s brush with Chinese APTs, Citizen Lab’s forensic takedown of Paragon’s iPhone spyware, and the sneaky Meta/Yandex trick that links Android web browsing to app IDs.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Israel-Iran war breaks out
• 'The magnet of threats'
• Mossad set up drone swarm base in Iran
• Stealth Falcon's Exploit of Microsoft Zero Day
• CVE-2025-33053 - WebDAV remote code execution
• CISA, Microsoft warn of Windows zero-day
• China-nexus Threat actors target SentinelOne
• Chinese Espionage Crews Circle SentinelOne
• Citizen Lab: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab
• Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
• Dreadnode Offensive AI Conference
• LABScon Call for Papers