Three Buddy Problem - Episode 29: Another day, another Ivanti zero-day being exploited in the wild. Plus, China's strange response to Volt Typhoon attribution, Japan blames China for hacks, a Samsung 0-click vulnerability found by Project Zero, Kim Zetter's reporting on drone sightings and a nuclear scare. Plus, hijacking abandoned .gov backdoors and Ukrainian hacktivists wiping a major Russian ISP.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Ivanti Connect Secure zero-day advisory
• Mandiant report on new Ivanti zero-day
• China Daily responds to Volt Typhoon attribution
• Japan warns about Chinese 'MirrorFace' attacks
• Who is MirrorFace?
• Natalie Silvanovich on new Samsung 0-click
• Kim Zetter: Anatomy of a Nuclear Scare
• Backdooring .gov backdoors via $20 domains
• APT32 poisoning GitHub, targeting Chinese security pros
• Ukraine wipes Russian ISP
• Russian internet provider confirms network ‘destroyed’ by Ukrainian hackers
• Mullvad: Quantum-resistant tunnels on desktop VPN
• Fundraiser for Marc Rogers
• CNN: Amit Yoran has died at 54

Three Buddy Problem - Episode 28: In this episode, we explore the ongoing challenges of threat actor naming in cybersecurity and the confusion caused by a lack of standardization, methodological inconsistencies and skewed, marketing-driven incentives.

Plus, the US Treasury/BeyondTrust hack, the surge in 0day discoveries, a new variant of the Xdr33 CIA Hive malware, and exclusive new information on the Cyberhaven Chrome extension security incident.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• BeyondTrust statement on hack investigation
• U.S. Treasury says it was hacked by China-backed actors
• Another Palo Alto 0day exploited in the wild
• US telcos say they've evicted Salt Typhoon Chinese hackers
• Google: What is BeyondCorp?
• Introducing the MISP Threat Actor Naming Standard
• MISP: Recommendations on Naming Threat Actors
• New variant of the CIA HIVE attack kit
• Xdr33 Variant Of CIA's HIVE Attack Kit Emerges
• Savvy Seahorse connection to Cyberhaven incident
• US sanctions China's Integrity Technology over Flax Typhoon hacks
• Operation Aurora
• APT1 Exposing One of China’s Cyber Espionage Units

Three Buddy Problem - Episode 27: We discuss the discovery of a Palo Alto network firewall attack and a stealthy network ed ge device backdoor (LITTLELAMB.WOOLTEA), the Cyberhaven hack and the shady world of browser extensions, and a look back at the top research projects that caught our attention in 2025.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• LITTLELAMB.WOOLTEA: Stealthy Network Edge Device Backdoor
• Palo Alto: Operation Lunar Peek
• Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
• “A Digital Prison”: Surveillance and the suppression of civil society in Serbia
• Cyberhaven breach reported. Employee phished and pushed malicious chrome extension
• GRU 29155 doing cyber operations
• How a Group of Israel-Linked Hackers Has Pushed the Limits of Cyberwar
• Sophos Used Custom Implants to Surveil Chinese Hackers Targeting Firewall Zero-Days
• Operation MiddleFloor: Unmasking the Disinformation Campaign Targeting Moldova's National Elections
• NSPX30: A sophisticated AitM-enabled implant evolving since 2005
• backdoor in upstream xz/liblzma leading to ssh server compromise
• PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem
• The Tech Coup - How to Save Democracy from Silicon Valley

Three Buddy Problem - Episode 26: We dive deep into the shadowy world of surveillance and cyber operations, unpacking Amnesty International's explosive report on NoviSpy, a previously unknown Android implant used against Serbian activists, and the links to Israeli forensics software vendor Cellebrite.

Plus, thoughts on the US government’s controversial guidance on VPNs, Chinese reports on US intel agency hacking, TP-Link sanctions chatter, Mossad's dramatic exploding beeper operation and the ethical, legal, and security implications of escalating cyber-deterrence. Also, a mysterious BeyondTrust 0-day!

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Surveillance and the suppression of civil society in Serbia
• CISA: VPN and mobile device security guidance
• Costin Raiu: Staying safe from Pegasus, Chrysaor and other APT mobile malware (2024 update)
• Bitsight: The Aftermath of the Kaspersky Ban
• US Probes China-Founded Router Maker TP-Link
• Rob Joyce: Move away from TP-Link
• China report on US intelligence corporate hacking
• Foreign hackers need to face real consequences
• Israel's Mossad spent years orchestrating Hezbollah pager plot
• BeyondTrust 0day
• Sophos Firewall CVSS 9.8 bulletin

Three Buddy Problem - Episode 25: An update on Romania’s cancelled election, the implications of TikTok on democratic processes, and the broader issues around surveillance capitalism and micro-targeting.

Plus, news on Turla piggybacking on cybercriminal malware to hit Ukraine, the return of Careto and the absence of IOCs, Claroty report on an Iran-linked cyberweapon targeting critical infrastructure, ethical considerations in cyberwarfare, and the implications of quantum computing on security and cryptocurrencies.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Turla using tools of other groups to attack Ukraine (Microsoft)
• EpicTurla.com: The lost reports
• Microsoft Recall screenshots credit cards and SSNs
• Stephan Casas: macOS applications quietly capturing screenshots
• CVE-2024-49138 - MS 0day exploited in the wild
• Sanctions hit Chinese company behind Sophos 0day attack
• SentinelLabs: Operation Digital Eye
• Careto APT’s recent attacks discovered
• Claroty: Inside a New OT/IoT cyberweapon
• Predatory Sparrow: cyber sabotage with a conscience?
• Willow, Google's state-of-the-art quantum chip
• What sucks in security? Research findings from 50+ security leaders

Three Buddy Problem - Episode 24: In this episode, we did into Lumen/Microsoft’s revelations on Russia's Turla APT stealing from a Pakistani APT, and issues around fourth-party espionage and problems with threat actor attribution. We also discuss Citizen Lab’s findings on Monokle-like spyware implanted by Russian authorities, the slow pace of Salt Typhoon disinfection, the Solana web3.js supply chain attack affecting crypto projects, and the Romanian election crisis over Russian interference via TikTok.

Cast: Juan Andres Guerrero-Saade, Costin Raiuand Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Russian APT Turla Caught Stealing From Pakistani APT
• Snowblind: The Invisible Hand of Secret Blizzard
• Microsoft: Secret Blizzard compromising Storm-0156 infrastructure for espionage | Microsoft Security Blog
• EpicTurla.com
• Device Confiscated by Russian Authorities Returned with Monokle-Type Spyware
• Lookout Security research paper on Monokle spyware
• Parubets: How a programmer foiled his own FSB recruitment
• CISA/FBI guidance to repel Salt Typhoon
• US officials say they still have not expelled Chinese telco hackers
• Solana backdoored in supply chain hack
• Romania's top court annuls first round of presidential vote won by far-right candidate

Three Buddy Problem - Episode 23: Volexity founder Steven Adair joins the show to explore the significance of memory analysis and the technical challenges associated with memory dumping and forensics. We dig into Volexity’s “nearest neighbor” Wi-Fi hack discovery, gaps in EDR detection and telemetry, and some real-talk on the Volt Typhoon intrusions.

We also cover news on a Firefox zero-day exploited on the Tor browser, the professionalization of ransomware, ESET's discovery of a Linux bootkit (we have a scoop on the origins of this!), Binarly research on connections to LogoFAIL, and major visibility gaps in the firmware ecosystem.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Honorary buddy: Steven Adair (Volexity)

Links:

• Transcript (unedited, AI-generated)
• Steven Adair on LinkedIn
• The Nearest Neighbor Wi-Fi Attack
• Detecting Compromise of Palo Alto Networks GlobalProtect Devices
• Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days
• Volexity Warns of 'Active Exploitation' of Zimbra Zero-Day
• RomCom exploits Firefox and Windows zero days in the wild
• Bootkitty: Analyzing the first UEFI bootkit for Linux
• Binarly: LogoFAIL Exploited to Deploy Bootkitty
• T-Mobile statement on Salt Typhooon
• LABScon24 Replay -- Cristina Cifuentes

Episode sponsors:

In this reboot of the Security Conversations interview series, Foundation Capital partner Sid Trivedi weighs in on major changes to the RSA Innovation Sandbox, the mandatory $5M uncapped SAFE investment for all 10 finalists, and red-flag concerns around discounts and pro-rata rights.

Also discussed: controversial pay-for-play dynamics involving CISOs and venture capital firms, ethical implications of CISOs taking advisory positions in startups, and the challenges of investing in seed-stage startups amidst a trend towards platformization.

Links:

• RSA’s Innovation Sandbox: Cybersecurity Startups Must Accept $5 Million Investment
• RSA Innovation Sandbox: $50 Million Annual Investment Program for Top 10 Finalists
• RSA Conference - How do SAFEs work?
• This VC Built A Cybersecurity Unicorn Machine. Then Came A Conflict Of Interest Mess.
• The Gili Ra’anan model: CISOs and VCs controversy
• Sid Trivedi bio
• Foundation Capital

Three Buddy Problem - Episode 22: We discuss Volexity’s presentation on Russian APT operators hacking Wi-Fi networks in “nearest neighbor attacks,” the Chinese surveillance state and its impact on global security, the NSA's strange call for better data sharing on Salt Typhoon intrusions, and the failures of regulatory bodies to address cybersecurity risks.

We also cover two new Apple zero-days being exploited in the wild, the US Government’s demand that Google sell the Chrome browser, and the value of data in the context of AI.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript - (unedited, AI-generated)
• Russian APT WiFI Nearest Neighbor Attack
• Russian Spies Jumped From One Network to Another Via Wi-Fi
• Advisory: New exploited Apple zero-days
• NSA Director Wants Industry to Disclose Details of Telecom Hacks
• Microsoft's "Free" Plan to Upgrade Government Cybersecurity Was Designed to Box Out Competitors and Drive Profits
• Microsoft accuses Google of 'Shadow Campaigns'
• DOJ calls for breakup of Google and sale of Chrome
• DPRK IT Workers -- A Network of Active Front Companies and Their Links to China
• Be careful when coding with ChatGPT
• GSM-Symbolic: Understanding the Limitations of Mathematical Reasoning in Large Language Models
• PIVOTcon 2025

Three Buddy Problem - Episode 21: We dig into an incredible government report on Iranian hacking group Emennet Pasargad and tradecraft during the Israel/Hamas war, why Predatory Sparrow could have been aimed at deterrence in cyber, and the FBI/CISA public confirmation of the mysterious Salt Typhoon hacks.

Plus, discussion on hina’s cyber capabilities, the narrative around “pre-positioning” for a Taiwan conflict, the blending of cyber and kinetic operations, and the long tail of Chinese researchers reporting Microsoft Windows vulnerabilities. The future of CISA is a recurring theme throughout this episode with some speculation about what happens to the agency under the Trump administration.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript (unedited, AI-generated)
• CISA/Israel gov report on Iranian hacking operations
• Check Point: A deep-dive of Iran's WezRat malware
• Trend Micro report on Earth Estries
• FBI/CISA on China hacking US telcos
• US accuses China of vast cyberespionage against telecoms
• Volt Typhoon hackers hit SingTel in Singapore
• New Palo Alto firewall 0day attack
• CVE-2024-43450 - China reports Windows DNS Spoofing vuln