Breaking in with CrashFix, supply chain security, and CMMC phase 1 - David Zendzian, Anna Pham, Jacob Horne - ESW #449

In the security news this week: The XZ backdoor documentary Zero days - the clock isn't ticking Vulnerability Mis-Management Reversing traffic light controllers Reversing with Claude Don't curl to bash! Reading CVEs makes my head hurt Dumping browser secrets I open-sourced a new(ish) tool D-LINK exploits There is no password I control the building When old vulnerabilities become new Tile is for stalkers Hacking AI Iran War: What cybersecurity needs to know National cyber strategy Coruna I got phished and I want a refund Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-917

AI has created a dilemma for security teams. Attackers are using AI to develop exploits to newly disclosed vulnerabilities faster than security teams can patch them. Security teams have not fully leveraged the capabilities of AI to autonomously prevent these attacks. Without a radical change in approach, organizations will be exposed to an exponentially increasing attack surface. How long can your organization tolerate being exploitable? Myke Lyons, CISO at Cribl, joins Business Security Weekly to discuss why organizations need to embrace AI to understand the behavior of attacks to effectively prevent them. For decades, we've focused on the Indicators of Compromise (IoCs) and have played whack-a-mole to try and patch them. Instead, we should focus on the Tactics, Techniques, and Procedures (TTPs) and leverage LLMs to understand the behavior of the attack. Once we understand the behaviors, we can implement preventative controls to minimize exposure. And yes, AI can also help us automate patching, when we're ready to trust it. In the leadership and communications segment, Your Risk Tolerance Has Changed. Does Your Leadership Team Know That? , The New Leadership Structures that Unblock Innovation, How CISOs can build a resilient workforce, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-438

Precious Bodily Fluids, InstallFix, CISA, Claude, Overtime, Sim Swaps, Tube Stations, Aaran Leyland, and More on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-562

Medical devices are a special segment of the IoT world where availability and patient safety are paramount. Tamil Mathi explains why many devices need to fail open -- the opposite of what traditional appsec approaches might initially think -- and what makes threat modeling these devices interesting and unique. He also covers how to get started in this space, from where to learn hardware hacking basics to reviewing firmware and moving up the stack to the application layer. Segment Resources: https://www.defconbiohackingvillage.org https://medium.com/@tamilmathimaddytamilthurai/securing-the-future-of-iot-with-trusted-execution-environments-tees-a-secure-scalable-and-1376f94e755c Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-373

Interview with Anna Pham Breaking in with ClickFix: Anatomy of a modern endpoint attack Cybersecurity company Huntress just published a report on a new ClickFix variant they’ve discovered, which they’ve dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group. In short, the team observed the threat actors using KongTuke’s malicious browser extension to display a fake security warning, claiming the browser had “stopped abnormally” and prompting users to run a “scan” to remediate the threats. Upon “running the scan,” the user is presented with a fake “Security issues detected” alert and instructed to manually “fix” the issue by opening the Windows Run dialog, pasting from their clipboard, and pressing Enter. The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. From there, they execute the malicious command. Segment Resources: BLOG - Dissecting CrashFix: KongTuke's New Toy Interview with David Zendzian Continuous compliance and real security lifecycle management Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable. In this world of manifest based infrastructure and container based applications with (real) "devsecops", the dream of continuous upgrades of OS/Runtime/Stack/App and App Dependencies is very mature and there are solid examples of companies and federal entities managing this at scale without thousands of teams and people. Segment Resources: BLOG - Supply Chain Security: How accurate SBOMs can deliver proactive threat mitigation Interview with Jacob Horne CMMC Phase 1 Enforcement — What the November 10 Deadline Means for the Defense Supply Chain With the upcoming CMMC Phase 1 enforcement on November 10, cybersecurity teams across the defense and federal supply chain are facing new compliance requirements that directly affect contract eligibility and data-protection standards. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, can break down what this milestone means for enterprise security leaders, MSPs/MSSPs, and contractors preparing for audits. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-449

Iran vs Everyone: 2FA-Bypass Phish, APT41 Drive, iOS 0days, Josh Marpet, and More on the Security Weekly News Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-561

In the security news this week: Remembering "FX" Finding and analyzing Windows drivers Network monitoring with Gibson the backdoor in your PAM The edge is fraying - and attackers have the advantage Age verification for Linux? Banning AI TPMS tracking BLE tracking weird strings Airsnitch RESURGE in and on Ivanti Attackers using Claude Government iPhone hacking kits Cisco SD-WAN, Linux, and 2023 Leakbase leaks and Bro, upgrade your solar panel! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-916

With the introduction of Agentic AI, autonomous "everything" is all the rage. But we've been burned by automation in the past. Remember the days of Intrusion Prevention Systems and why we never put them into blocking mode? Automation may be the future of security and IT operations, but the path to autonomous "everything" must be earned. How do you build autonomous capabilities with confidence and trust? Tim Morris, Financial Services Strategist at Tanium, joins Business Security Weekly to discuss how teams can introduce autonomous capabilities in a crawl-walk-run progression that builds trust over time. Automation is not about laying off employees, it's about efficiency and speed. Tim will guide us on a journey to build automation we can trust that allow us to reduce repetitive work and minimize human error without creating fear of “machine mistakes.” This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them! In the leadership and communications segment, Boards don’t need cyber metrics — they need risk signals, Why Cybersecurity Is Now a Business Strategy, Not Just IT?, Where Senior Leaders Are Struggling with AI Adoption, According to Research, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-437

North Korea, DOJ, APT 28, Anthropic, OpenClaw, Supply Chain, Josh Marpet, and More on Security Weekly News Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-560

As more developers turn to LLMs to generate code, more appsec teams are turning to LLMs to conduct security code reviews. One of the biggest themes in all the discussion around LLMs, agents, and code is speed -- more code created faster. James Wickett shares why speed continues to pose a challenge to appsec teams and why that's often because teams haven't invested enough in foundational appsec principles. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-372