Three Buddy Problem - Episode 46: We dig into a Coinbase breach headlined by bribes, rogue contractors and a $20 million ransom demand. Plus, (another!) batch of Ivanti and Microsoft zero-days being exploited in the wild, a new 'Intrusion Logging' feature coming to Android, Apple's iOS 18.5 patches, and the EU announcing its own vulnerability database and software vendor secure-coding pledge.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Coinbase on $20m ransom demand
• SEC filing on Coinbase breach
• Coinbase Rogue Contractors Bribed to Leak Customer Data
• Ivanti 0day exploit chain (CVE-2025-4427 and CVE-2025-4428)
• Watchtowr blog on new Ivanti 0days
• CISA Known Exploited Vulnerabilities (KEV)
• 'Advanced Protection' comes to Android 16
• Europe launches it own vulnerability database

Three Buddy Problem - Episode 45: (The buddies are trapped in timezone hell with cross-continent travel this week).

In the meantime, absorb this keynote presented by Juan Andres Guerrero-Saade (JAG-S) at CounterThreats 2023. It's a frank discussion on the role of cyber threat intelligence (CTI) during wartime and its importance in bridging information gaps between adversaries. Includes talk on the ethical challenges in CTI, questioning the impact of intelligence-sharing and how cyber operations affect real-world conflicts. He pointed to Ukraine and Israel as examples where CTI plays a critical, yet complicated, role. His message: cybersecurity pros need to be aware of the real-world consequences of their work and the ethical responsibility that comes with it.

Acknowledgment: Credit for the audio goes to CyberThreat 2023, SANS Institute, NCSC, and SentinelOne.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Keynote transcript
• The ethics and perils of APT research
• Recommended Talks
• The Lost APT Reports

Three Buddy Problem - Episode 44: We unpack news that US government officials are using an obscure app to archive Signal messages, OpenAI’s new “Aardvark” code-evaluation and reasoning model and leapfrog implications, NSC cyber lead Alexei Bulazel on normalizing US offensive operations, and JP Morgan Chase CISO’s warning to software vendors.

Plus, fresh SentinelOne threat-intel notes, France’s attribution of GRU activity and a head-scratching $330 million Bitcoin heist.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• US government using obscure app to archive Signal messages
• Reuters photo of Mike Waltz phone
• US revokes Romania visa waiver program
• OpenSSH bug found by OpenAI 'Aardvark'
• JP Morgan Chase CISO: An open letter to third-party suppliers
• JPMorgan Chase CISO Fires Warning Shot Ahead of RSA Conference
• SentinelOne LABS on DPRK threat actor targeting
• Alexei Bulazel comments at RSA conference
• Google report on 0day exploitation in 2024
• Apple notifies new victims of spyware attacks across the world
• France attributes cyberattacks to Russia's military intelligence
• RT-Solar on ViPNet backdoor from 2021
• Kaspersky: Sophisticated backdoor mimicking secure networking software updates
• $330m Bitcoin heist

Three Buddy Problem - Episode 43: Director of the Alperovitch Institute for Cybersecurity Studies Thomas Rid joins the show for a deep-dive into the philosophical and ethical considerations surrounding AI consciousness and anthropomorphism. We dig into the multifaceted implications of AI technology, particularly focusing on data privacy, national security, and the philosophical questions surrounding AI consciousness and rights.

Plus, TP-Link under US government investigation and the broader issues of consumer trust in hardware security, the need for regulation and inspectability of technology, and the struggles with patching network devices.

Cast: Thomas Rid, Juan Andres Guerrero-Saade and Ryan Naraine. Costin Raiu is away this week.

Links:

• Transcript (unedited, AI-generated)
• Anthropic: Exploring AI model welfare, consciousness
• David Chalmers: Taking AI Welfare Seriously
• Sam Altman: AI privacy safeguards can’t be established before ‘problems emerge’
• TP-Link router pricing and China ties under US gov probe
• Bloomberg: TP-Link’s US Future Hinges on Claimed Split From China
• Verizon DBIR 2015 (full report)
• Mandiant M-Trends 2025 Report
• FBI seeking tips about China's 'Salt Typhoon' hackers
• North Korean Cryptocurrency Thieves Caught Hijacking Zoom ‘Remote Control’ Feature
• Dan Geer on the realpolitik of cybersecurity
• LABScon 2025 CFP is open
• Ransom War by Max Smeets

Three Buddy Problem - Episode 42: We dig into news that China secretly fessed up to the Volt Typhoon hacks and followed up with claims that named NSA agents launched advanced cyberattacks against the Asian Winter Games. Plus, the MITRE CVE funding crisis, new Apple 0days in the wild includes PAC bypass exploit, Microsoft Patch Tuesday zero-days.

Plus, the effectiveness of Lockdown Mode, the rising costs of mobile exploits, Chris Krebs' exit from SentinelOne after a presidential executive order, and the value and effectiveness of security clearances.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• China names alleged NSA cyberattack agents
• WSJ: In Secret Meeting, China Acknowledged Role in U.S. Infrastructure Hacks
• Apple Quashes Two Zero-Days With iOS, MacOS Patches
• Apple bulletin - iOS 18.4.1 Security Vulnerabilities
• Android zero-days documented
• MITRE CVE Program Gets Last-Hour Funding Reprieve
• NIST Still Struggling to Clear Vulnerability Submissions Backlog in NVD
• EU issues US-bound staff with burner phones to avoid espionage
• Exploitation of CLFS zero-day leads to ransomware
• Google announces Sec-Gemini v1 cybersecurity model

Three Buddy Problem - Episode 41: Costin and Juanito join the show from Black Hat Asia in Singapore. We discuss Bunnie Huang's keynote on hardware supply chains and a classification system to establish a grounded perspective on trust in hardware, Ivanti's misdiagnosis of a critical VPN applicance flaw and Mandiant reporting on a Chinese APT exploiting Ivanti devices. Plus, breaking news on the sudden firing of NSA director and head of Cyber Command Tim Haugh.

We also discuss Microsoft touting AI's value in finding open-source bootloader bugs, Silent Push report on a RUssian APT impersonating the CIA, a backdoor in a popular Chinese robot dog, and Chinese dominance of the robotics market.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• National Security Agency chief ousted after far-right activist urged his removal
• Mandiant: China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability
• Ivanti security bulletin (CVE-2025-22457)
• Chinese APT exploits misdiagnosed RCE in Ivanti VPNs
• Another exploited 0day in Apple iOS
• Android version of Lockdown Mode coming
• Microsoft: Using AI to find open-source bootloader flaws
• Indiana University cybersecurity "safe" after FBI home searches
• Silent Push: Russians impersonate CIA to target Ukraine sympathizers
• Unitree Go1 robot dog backdoor documentation
• America is missing in the robotics race
• Automated AI Reverse Engineering with MCP for IDA and Ghidra
• Bunny Huang: Perspectives on trust in hardware supply chains

Three Buddy Problem - Episode 40: On the show this week, we look at the technical deficiencies and opsec concerns around the use of Signal for ultra-sensitive communications. Plus, some speculation on who's behind Kaspersky’s ‘Operation Forum Troll’ report, Chinese discussion on NSA/CIA mobile networks exploitation, and the return of ‘Lab Dookhtegan’ hack-and-leak exposures.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• The Atlantic: The Trump admin accidentally texted me its war plans
• The Atlantic: Here are the attack plans shared on Signal
• Signal statement on SignalGate
• Our experts separate Signal from noise in the Trump team group chat
• Operation ForumTroll exploits zero-days in Google Chrome
• PuzzleMaker attacks with Chrome zero-day exploit chain
• Ten most mysterious APT campaigns that remain unattributed
• Operation FishMedley linked to i-SOON
• Chinese gov agency on mobile attacks by US intel agencies
• LabDookhtegan Telegram channel
• Tornado Cash sanctions removed
• Intrusion Truth
• Lab Dookhtegan archives on CyberScoop

Three Buddy Problem - Episode 39: Luta Security CEO Katie Moussouris joins the buddies to parse news around a coordinated Chinese exposure of Taiwan APT actors, CitizenLab's report on Paragon spyware and WhatsApp exploits, an “official” Russian government exploit-buying operation shopping for Telegram exploits, the fragmentation of exploit markets and the future of CISA in the face of budget cuts and layoffs.

Cast: Katie Moussouris, Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• China's MSS discloses Taiwan APTs
• Antiy report Taiwan's "Green Spot" attack group
• Citizen Lab on Paragon’s Proliferating Spyware Operations
• Operation Zero wants Telegram 1-click RCE exploits
• Operation Zero 0day Vulnerability Platform
• GitHub Action supply chain attack
• Blast radius of GitHub Action supply chain attack
• Windows .lnk shortcut exploit abused as zero-day
• Sean Plankey nominated to lead CISA
• Trump admin halts funding for two cybersecurity efforts
• CISA publishes Jen Easterley's calendars
• CISA statement on 'red-team' layoff reports

Three Buddy Problem - Episode 38: On the show this week, we look at a hefty batch of Microsoft zero-days exploited in the wild, iOS 18.3.2 fixing an exploited WebKit bug, a mysterious Unpatched.ai being credited with Microsoft Access RCE flaws, and OpenAI lobbying for the US to ban China's DeepSeek.

Plus, discussion on a Binarly technical paper with new approach to finding UEFI bootkits, Mandiant flagging custom backdoors on Juniper routers, and MEV 'sandwich attacks' front-running cryptocurrency transactions.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Microsoft Flags Six Active Zero-Days, Patches 57 Flaws
• Unpatched.ai discoveries
• Apple Ships iOS 18.3.2 to Fix Already-Exploited WebKit Flaw
• Apple iOS 18.3.2 and iPadOS 18.3.2 documentation
• Citizen Lab: Predator in the wires
• FreeType Zero-Day Being Exploited in the Wild
• CVE-2020-15999: FreeType Heap Buffer Overflow
• Mandiant : Ghost in the Juniper router
• Jun OS out-of-cycle security bulletin (CVE-2025-21590)
• Juniper Malware Removal Tool
• Binarly: UEFI Bootkit Hunting -- In-Depth Search for Unique Code Behavior
• Crypto Trader Loses $215,000 in MEV Sandwich Attack on Uniswap
• The Secretive World Of MEV, Where Bots Front-Run Crypto Investors For Big Profits
• Reuters journalist Raphael Satter loses overseas citizenship
• Yanis Varoufakis: Trump’s tariff chaos explained
• Technofeudalism: What Killed Capitalism (Yanis Varoufakis)

Three Buddy Problem - Episode 37: This week, we revisit the public reporting on a US/Russia cyber stand down order, CISA declaring no change to its position on tracking Russian threats, and the high-level diplomatic optics at play.

Plus, a dissection of ‘The Lamberts’ APT and connections to US intelligence agencies, attribution around ‘Operation Triangulation’ and the lack of recent visibility into these actors. We also discuss a fresh batch of VMware zero-days, China’s i-Soon ‘hackers-for-hire’ indictments, the Pangu/i-Soon connection, and a new wave of Apple threat-intel warnings about mercenary spyware infections.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Kim Zetter: Did Trump admin order a stand-down on Russia?
• Unraveling the Lamberts Toolkit (Securelist)
• VB2019: King of the hill: nation-state counterintelligence for victim deconfliction
• VB2018: Draw me like one of your French APTs
• Symantec: Who is Longhorn?
• VMware: Three new zero-days exploited
• Broadcom patches 3 VMware zero-days exploited in the wild
• DOJ indictments: i-Soon hackers for hire and APT27
• Unmasking I-Soon
• Catalan court orders former NSO Group execs be indicted for spyware abuses
• Apple sending 'mercenary spyware' threat notifications
• How Social Engineering Sparked a Billion-Dollar Supply Chain Cryptocurrency Heist
• Safe{Wallet] post-mortem on ByBit $1.4B crypto heist