Three Buddy Problem - Episode 55: A SharePoint zero-day exploit chain from Pwn2Own Berlin becomes a full-blown security crisis with Chinese nation-state actors exploiting vulnerabilities that Microsoft struggled to patch properly, leading to trivial bypasses and a cascade of new CVEs. The timeline is messy, the patches are faulty, and ransomware groups are lining up to join the party.

We also revisit the ProPublica bombshell about Microsoft's "digital escorts" and U.S. government data exposure to Chinese adversaries and the company's "oops, we will stop" response. Plus, trusting Google's Big Sleep AI claims and a cautionary tale about AI agents gone rogue that wiped out a production database.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Three Buddy Problem LIVE at Black Hat
• TBP at Countermeasures 2025
• CODE WHITE GmbH ToolShell exploit
• Microsoft guidance for SharePoint vulnerability CVE-2025-53770
• Kaspersky on ToolShell: A story of five Sharepoint vulns
• Ryan's EkoParty keynote on Microsoft culture
• Microsoft Disrupting active exploitation of on-prem SharePoint flaws
• SentinelLabs on Sharepoint zero-day in-the-wild
• ESET on ToolShell: An all-you-can-eat buffet for threat actors
• Microsoft Stops Using China-Based Engineers for DoD Computer Systems
• AI coding platform goes rogue during code freeze and deletes entire company database
• Jason Lemkin: Replit goes rogue
• John Hultquist on Big Dream AI
• LABScon 2025

Three Buddy Problem - Episode 54: Europol busted pro‑Russian hacktivist crew NoName 057(16), the Brits announce sanctions on Russia’s GRU cyber units, Wagner‑linked “war influencers” streamed atrocities from Africa, and fresh tech worries ranged from a $500 RF flaw that can hijack U.S. train brakes.

Plus, ProPublica on Microsoft’s China‑based “digital escorts,” Google’s headline‑grabbing AI‑found SQLite zero‑day, and OpenAI’s new task‑running agents. Meanwhile, Ukraine’s hackers wiped a Russian drone maker, ransomware crippled a major vodka producer, and another Chrome zero‑day quietly underscored how routine critical exploits have become.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Europol targets NoName057(16) pro-Russian cybercrime network
• Europe's most wanted list
• UK sanctions Russian spies linked to Mariupol strikes
• Profile: GRU cyber and hybrid threat operations
• Lindsay Freeman: War Crimes for Fun and Profit
• Lindsay Freeman bio
• CISA: End-of-Train and Head-of-Train Remote Linking Protocol
• Background of train vulnerability (CVE-2025-1727)
• ProPublica on Microsoft “Digital Escorts”
• Google’s Big Sleep AI bug-finding claims
• EchoLeak (CVE-2025-32711)
• Russian vodka producer reports disruptions after ransomware attack
• Ukrainian Hackers Cripple IT Infrastructure of Russian Drone Manufacturer
• Another exploited Google Chrome zero-day
• Three Buddy Problem LIVE at Black Hat
• Ringzer0 COUNTERMEASURE

Three Buddy Problem - Episode 53: We dig into news of the first-ever arrest of a Chinese intelligence-linked hacker in Italy, unpack the mystery behind HAFNIUM and how they somehow got their hands on the same Microsoft Exchange zero-days that researcher Orange Tsai discovered - was it coincidence, inside access, or something more sinister?

Plus, China's massive cyber capabilities pipeline, ‘theCom’ teenagers arrested in the UK after ransomware binge, and spyware attacks against Russian organizations.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• US Gov: Prolific Chinese state-sponsored contract hacker arrested
• Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
• Microsoft Exchange Server Attack Timeline
• YouTube: Orange Tsai on ProxyLogon
• Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace
• The Growing Role of Cyber Militias in China’s Network Warfare Force Structure
• NCA arrest four for attacks on M&S, Co-op and Harrods
• Four arrested by UK police over ransomware attacks on M&S, Co-op and Harrods
• Cyberattack deals blow to Russian firmware used to repurpose civilian drones for Ukraine war
• Cyberattack deals blow to Russian firmware used to repurpose civilian drones for Ukraine war
• Batavia spyware targeting Russian organizations
• Chainalysis: First-ever crypto seizure in Greece
• Ringzer0 COUNTERMEASURE — Three Buddy Problem discount code for training: CM25-3BUDDY
• LABScon 2025

Three Buddy Problem - Episode 52: Fresh intelligence reports out of Europe and China: France’s ANSSI documents a string of Ivanti VPN zero-days ('Houken'), and Quanxin frames a stealth Microsoft Exchange-zero-day chain linked to a North American 'Night Eagle' threat actor. We dissect the technical bread-crumbs, questions the attribution math, and connects Houken to SentinelOne’s “Purple Haze” research.

Plus, the FBI’s claim that China’s “Salt Typhoon” has been “contained,” Iran’s Nobitex crypto-exchange breach (Predatory Sparrow torches $90 million and leaks the source code), Iranian cyber capabilities and sanctions avoidance.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Houken: Seeking a path by living on the edge with zero-days
• China-nexus APTs recon on top-tier targets
• French cybersecurity agency confirms government affected by Ivanti hacks
• Top FBI cyber official: Salt Typhoon ‘largely contained’
• Operation Blockbuster (Novetta)
• Israel-Iran cyberwar: Predatory Sparrow, vanishing crypto, bank hacks
• Inside the Nobitex Breach: What the Leaked Source Code Reveals About Iran’s Crypto Infrastructure
• cisagov/thorium

Three Buddy Problem - Episode 51: Former Immunity/Trail of Bits researcher Hamid Kashfi joins the buddies for a fast-moving tour of cyber activities in the Israel-Iran war. The crew unpacks who 'Predatory Sparrow' is, why Sepah Bank and the Nobitex crypto exchange were hit, and what a $90 million cryptocurrency burn really means. Plus, radar-blinding cyberattacks that paved the way for Israel’s air raid, the human cost of sudden ATM outages and unpaid salaries, and the puzzling “Code Breakers” data leak that preceded it all.

Hamid shares on-the-ground context, the buddies debate whether cyber operations can sway a shooting war, and everyone tries to gauge Iran’s true offensive muscle under sanctions.

Cast: Hamid Kashfi, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Pro-Israel hackers take credit for cyberattack on Iran's Bank Sepah
• Predatory Sparrow Burns $90 Million on Iranian Crypto Exchange in Cyber Shadow War
• Codebreakers and Predatory Sparrow
• Iranian Exchange Nobitex: The $90M Exploit
• Iranian newspaper: Defense system was hacked
• Iranian state TV shows footage of Israeli drone
• Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
• Israeli Officials Warn Iran Is Hijacking Security Cameras to Spy
• LABScon - Security Research in Real Time
• Three Buddy Problem LIVE
• Hamid Kashfi: The curious case of Predatory Sparrow
• Glasshouse episode with Hamid Kashfi

Three Buddy Problem - Episode 50: This week, we dissect cyber flashpoints in the Iran-Israel war, revisit the “magnet of threats” server in Iran that attracted APTs from multiple nation-states, and react to Israel's Mossad sneaking explosive drone swarms deep into Iran to support airstrikes.

Plus, Stealth Falcon’s new WebDAV zero-day, SentinelOne’s brush with Chinese APTs, Citizen Lab’s forensic takedown of Paragon’s iPhone spyware, and the sneaky Meta/Yandex trick that links Android web browsing to app IDs.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Israel-Iran war breaks out
• 'The magnet of threats'
• Mossad set up drone swarm base in Iran
• Stealth Falcon's Exploit of Microsoft Zero Day
• CVE-2025-33053 - WebDAV remote code execution
• CISA, Microsoft warn of Windows zero-day
• China-nexus Threat actors target SentinelOne
• Chinese Espionage Crews Circle SentinelOne
• Citizen Lab: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab
• Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
• Dreadnode Offensive AI Conference
• LABScon Call for Papers

Three Buddy Problem - Episode 49: Cybersecurity veteran Mikko Hypponen joins the show to discuss the fast-changing life and times on NATO’s newest frontline, how Ukraine’s long-range “Spiderweb” drone swarms punched holes in Russian air bases, the cyber connections to the escalating drone warfare, and the coming wave of autonomous “killer robots”.

Plus, news on Ukraine’s hack of bomber-maker Tupolev, the industry’s never-ending APT naming mess, iVerify’s newly disclosed iMessage zero-click bug, fresh Qualcomm GPU exploits still unpatched on Android devices, and Cellebrite’s purchase of Corellium.

Cast: Ryan Naraine, Costin Raiu and Mikko Hypponen

Links:

• Transcript (unedited, AI-generated)
• Mikko Hyppönen pivots from infosec to drones inspired by war
• Mikko Hypponen Leaves Anti-Malware Industry to Fight Against Drones
• Anti-drone system | Sensofusion
• Ukraine's military intelligence claims cyberattack on Russian strategic bomber maker
• How Microsoft names threat actors
• CrowdStrike and Microsoft Unite to Deconflict Cyber Threat Attribution
• Qualcomm GPU driver 0days (exploitation detected)
• Chrome 0day exploited in the wild
• iVerify documents 'Nickname' iMessage exploitation
• Cellebrite to acquire mobile testing firm Corellium
• Hacker Chris Wade reveals the story of his presidential pardon, US government collaboration

Three Buddy Problem - Episode 48: We unpack a Dutch intelligence agencies report on ‘Laundry Bear’ and Microsoft’s parallel ‘Void Blizzard’ write-up, finding major gaps and bemoaning the absence of IOCs. Plus, discussion on why threat-intel naming is so messy, how initial-access brokers are powering even nation-state break-ins, and whether customers (or vendors) are to blame for the confusion.

Plus, thoughts on an academic paper on the vanishing art of Western companies exposing Western (friendly) APT operations, debate whether stealth or self-censorship is to blame, and the long-tail effects on cyber paleontology.

We also dig into Sean Heelan’s proof that OpenAI’s new reasoning model can spot a Linux kernel 0-day and the implications for humans in the bug-hunting chain.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Dutch intelligence agency outs 'Laundry Bear' Russian APT
• Russian gov hackers buying passwords from cybercriminals
• Microsoft: Russian actor Void Blizzard targets critical sectors for espionage
• Censys data on AyySSHush ASUS router botnet
• Czech Republic statement on Chinese hack
• Czech gov condemns Chinese hack on critical infrastructure
• NATO floats cybersecurity included in new spending target
• Mark your Google Calendar: APT41 innovative tactics
• The rise of responsible behavior: Western commercial reports on Western cyber threat actors
• How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
• ASUS Botnet Tracker
• CISA: Logging Made Easy (LME)

Three Buddy Problem - Episode 47: We unpack a multi-agency report on Russia’s APT28/Fancy Bear hacking and spying on Ukraine war supply lines, CISA’s sloppy YARA rules riddled with false positives, the ethics of full-disclosure after Akamai dropped Windows Server “BadSuccessor” exploit details, and Sekoia’s discovery of thousands of hijacked edge devices repurposed as honeypots.

The back half veers into Microsoft’s resurrected Windows Recall, Signal’s new screenshot-blocking countermeasure, Japan’s fresh legal mandate for pre-emptive cyber strikes, and why appliance vendors like Ivanti keep landing in the headlines.

Along the way you get hot takes on techno-feudalism, Johnny Ive’s rumored AI gadget, and a lively debate over whether publishing exploit code ever helps defenders.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Russian hackers hitting logistics companies supplying Ukraine
• CISA says Russian hackers targeting Ukraine war supply lines
• ViciousTrap: Turning edge devices into honeypots
• BadSuccessor: Abusing dMSA to escalate privileges in Active Directory
• Signal adds anti-screenshot to thwart Windows Recall
• Controversial Windows Recall gets security makeover
• Microsoft's International Criminal Court blockade
• Japan enacts active cyberdefense law
• UAE recruiting US personnel Displaced by DOGE

Three Buddy Problem - Episode 46: We dig into a Coinbase breach headlined by bribes, rogue contractors and a $20 million ransom demand. Plus, (another!) batch of Ivanti and Microsoft zero-days being exploited in the wild, a new 'Intrusion Logging' feature coming to Android, Apple's iOS 18.5 patches, and the EU announcing its own vulnerability database and software vendor secure-coding pledge.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Coinbase on $20m ransom demand
• SEC filing on Coinbase breach
• Coinbase Rogue Contractors Bribed to Leak Customer Data
• Ivanti 0day exploit chain (CVE-2025-4427 and CVE-2025-4428)
• Watchtowr blog on new Ivanti 0days
• CISA Known Exploited Vulnerabilities (KEV)
• 'Advanced Protection' comes to Android 16
• Europe launches it own vulnerability database