[tl;dr sec] #270 – APT Attack Simulation, AWS Phishing, 7 Security Flywheels

Hey there,

I hope you’ve been doing well!

🏀 This is a story, all about how…


Recently some friends and I saw a Fresh Prince of Bel Air drag parody. 😂 (as you do)

I realized right as it was starting that one of my friends was international and had never seen the original show. Fortunately, they still enjoyed it.

Some parts I liked:

  • The show opened with the same intro video that the cast had recreated shot for shot.

  • The butler had next level sass.

  • Carlton’s dance, spontaneous songs, and slow motion fights 😂 

I like to see musical, parody, or drag versions of things that surprise me. Productions that make you think, “Who would think to make this, and why?”

Other examples I’ve seen include musical parodies of The Exorcist and The Fast and The Furious (the entire franchise in one production).

This strategy has never failed to either entertain or at least be memorable. Feel free to give it a try. 👍️ 

Sponsor

📣 Simplify Your Email Security—Even After a Breach


Managing email security feels like a never-ending battle—phishing, account takeovers, and data leaks keep cybersecurity teams on high alert. But what if your defenses didn’t just block threats, but also protected accounts even after they’re compromised? That’s where Material Security comes in. Material Security integrates with your Google Workspace or O365 to detect risks, prevent data exposure, and keep your organization safe—without adding extra headaches. Join companies like Lyft, Databricks, and Carta by automating and simplifying your email security. 

👉 See the Material difference 👈

Material has some pretty cool features- detecting an attacker’s lateral movement and data exfiltration, finding inbox backdoors, getting visibility into PII in Google Drive, and more. You can see an interview and demo I did with Material here.

AppSec


The road to zero trust is paved with good intentions
The written version of a NorthSec 2022 talk by Eric Chiang and Maya Kaczorowski on the challenges of implementing zero trust architectures, how zero trust is ultimately about Users, Devices, and Access, and a 4-level maturity model (Inventory → Management → “Zero Trust” → The Long Tail). The long tail that makes it effectively impossible for a normal organization to completely adopt zero trust: SaaS applications, truly risk-based access, device state, and all the random devices on your network.

how to gain code execution on millions of people and hundreds of popular apps
Eva describes how they discovered a critical vulnerability in ToDesktop, an Electron app bundler service used by major applications like ClickUp, Cursor, Linear, and Notion Calendar. How: they poked around ToDesktop’s deployment pipeline by creating an application with a postinstall in package.json with a reverse shell payload. Inside the container, they found the code building the application and hardcoded secrets, including the Firebase admin key, which would have allowed them to update any app, enabling them to push malicious updates to millions of users.

💡 Shout-out to the Cursor team for paying $50K for a vulnerability not even directly in their software 👏 

Turning the Security Flywheel
Google Cloud CISO Phil Venables applies Jim Collins’ flywheel concept to amplifying the effects of our security programs, walking through seven potential security flywheels. Key insight on flywheels: each step needs to propel the next. (I’m only calling out 2 in detail for brevity’s sake.)

  1. Raise the Baseline by Reducing Control Costs: Design controls, implement on prioritized systems, reduce the cost of controls, capture/recycle cost savings, and industrialize/embed controls.

  2. Threat Intelligence

  3. From Inventories to Digital Twins: Scan reality / build inventory, set policy, capture value, use discoveries and linkages to create capabilities and rule sets in managed configurations (controls-as-code, policy-as-code, etc.)

  4. Detection and Response / Red Teaming

  5. Adjacent Benefits Risk Assessment Cycle

  6. Continuous Control Monitoring

  7. Federated Security Teams – Pull not Push

Sponsor

📣 Interested in a tailored threat briefing for you and your team? 


Identity attacks are the most common and impactful threats organizations face today. 

To help you to stay ahead of attackers, Push Security is offering exclusive threat briefing sessions tailored for your team.

Push’s threat researchers are known for their SaaS Attacks Matrix on GitHub, and have featured on respected security podcasts like Risky Business and Hacked.

These sessions are specifically designed for security teams concerned about the surge in infostealers, mass credential attacks, Adversary-in-the-Middle phishing, and cookie-based session hijacking techniques.

Book your free slot now!

👉 Request a threat briefing 👈

Push does some great security research- I’ve included their SaaS Attacks Matrix and several posts on identity and SaaS attacks I hadn’t considered before 😅 I’d expect this briefing to be solidly technical and practical 🤘 

Cloud Security


AWS CloudFormation Phishing Attack: A Growing Threat
Victor Grenu describes a type of phishing attack that leverages AWS CloudFormation StackSets to compromise AWS accounts. The attack uses a fake AWS Support email with a “Launch Stack” button to trick victims into deploying a malicious CloudFormation template, creating an IAM role with admin privileges that can be assumed by the attacker’s AWS account. The post also contains some tips on responding to the threat, proactive defense measures, and detection strategies. See also Victor’s AWS Security Survival Kit, for some bare minimum AWS security alerting and configuration.
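
To make the pattern above concrete, here is an added example (not from Victor's post or this newsletter) that reviews a CloudFormation template before anyone clicks "Launch Stack": it flags IAM roles that grant admin privileges and can be assumed from an account you don't own. It assumes a JSON template; the function names and the sample account IDs are made up for illustration.

```python
import json
import re

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def _as_list(v):  # IAM fields may hold one value or a list
    return [] if v is None else v if isinstance(v, list) else [v]

def external_principals(trust_policy, own_accounts):
    """AWS principals allowed to assume the role that are outside own_accounts."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in aws:
            m = re.search(r"\d{12}", p) if isinstance(p, str) else None
            acct = m.group(0) if m else str(p)  # "*" and intrinsics stay visible
            if acct not in own_accounts:
                found.add(acct)
    return found

def grants_admin(props):
    """AdministratorAccess managed policy, or an inline Allow of * on *."""
    inline = (s for pol in _as_list(props.get("Policies"))
              for s in _as_list(pol.get("PolicyDocument", {}).get("Statement")))
    return ADMIN_ARN in _as_list(props.get("ManagedPolicyArns")) or any(
        s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action"))
        and "*" in _as_list(s.get("Resource")) for s in inline)

def risky_roles(template_text, own_accounts):
    """(logical ID, external principals) for admin roles assumable from outside."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        props = res.get("Properties", {})
        ext = external_principals(props.get("AssumeRolePolicyDocument", {}), own_accounts)
        if res.get("Type") == "AWS::IAM::Role" and ext and grants_admin(props):
            findings.append((name, sorted(ext)))
    return findings

def _role(principal, managed):  # builds a constructed sample role resource
    trust = {"Statement": [{"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}
    return {"Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": trust, "ManagedPolicyArns": managed}}

# Constructed sample template; the account IDs are placeholders, not real accounts.
SAMPLE = json.dumps({"Resources": {
    "SupportRole": _role({"AWS": "arn:aws:iam::111122223333:root"}, [ADMIN_ARN]),
    "AppRole": _role({"Service": "lambda.amazonaws.com"}, [ADMIN_ARN])}})
```

Calling `risky_roles(SAMPLE, {"444455556666"})` flags only `SupportRole`; principals written as CloudFormation intrinsics (`Ref`, `Fn::Sub`) can't be resolved offline, so they are reported as-is for manual review.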

Get Phished by a Public AWS Systems Manager Automation Document
Gabriel Koo demonstrates a phishing technique using a malicious AWS Systems Manager (SSM) Automation document shared publicly by an attacker. The attack exploits user trust in AWS Console links, tricking victims into executing a document that appears legitimate (e.g., named “AWSBedrock-SetupNovaPremier”) but could perform malicious actions like creating unauthorized IAM users, exfiltrating sensitive data, etc.

Are Your Twilio Serverless Functions Public? How to Find Out and Lock Them Down
Relay Hawk’s Justin Massey and Charlie Smith describe how Twilio’s serverless toolkit can inadvertently expose sensitive data by creating public assets and functions by default. They’ve released a twilio-security-scanner tool that flags public serverless functions and assets and unencrypted HTTP webhooks in phone numbers and messaging services. TIL you add ‘private’ or ‘protected’ to a Twilio asset or function file name to make it non public 🤷 (e.g. numbers.private.csv)

I Want You to Hack AWS: Cloud Penetration Testing for Traditional Hackers
Datadog’s Nick Frichette shares some of the things he wishes he’d known when he started pentesting AWS environments, including the AWS shared responsibility model, fundamentals of Identity and Access Management (IAM), important classes of misconfigurations, and important tradecraft for avoiding detection.

Congrats to Nick for recently making it to #1 on the AWS Vulnerability Disclosure Program Leaderboard!

Nick also did a breakdown on the ByBit/Safe{Wallet} breach, calling out a number of DPRK tradecraft blunders. Thankfully, Nick is paid well enough not to turn black hat (or is too good to be caught) 🙏 

Supply Chain


t0sche/cvss-bt
A project by Stephen Shaffer to enhance NVD CVSS scores by integrating temporal and threat metrics, specifically the exploit code maturity/exploitability (E) metric, using data from sources like CISA KEV, VulnCheck KEV, EPSS, Metasploit, Nuclei, ExploitDB, and PoC-in-GitHub. H/T my bud Chris Hughes for sharing.

Quantifying the Probability of Flaws in Open Source
Blog overview of an RSA 2024 talk by Veracode’s Chris Eng and Cyentia’s Jay Jacobs, sharing results from 11.4 million SCA scans, 12.2 million SCA findings, GitHub metadata, and OpenSSF scorecards from its weekly scan of the 1M most critical OSS projects.

  • When reviewing libraries actually being used in (mostly) Enterprise-grade applications, only about half of them had an OpenSSF score. 96% of the libraries scored by OpenSSF are not seen in Veracode’s dataset.

  • They point out some ways in which OpenSSF scores are limited by tooling: for example, scoring may miss certain packaging workflows, and it only recognizes 3 SAST tools.

  • They threw all the OpenSSF factors, Veracode data set, and GitHub metadata into a model using an elastic net to determine the variables that are strong contributors to having open source vulnerabilities.

  • “79% of the time, developers never update third-party libraries once introducing them to a codebase.” 😅 

  • Note: Don’t use the OpenSSF’s BigQuery public dataset of their weekly scorecard results. Use the Scorecard API instead, which has much more complete data.

💡 Note to Future Clint: Play with elastic nets when you want to weigh the importance of a bunch of variables.

Blue Team


DarkWebInformer/FBI_Watchdog
By Dark Web Informer: An OSINT tool that monitors domain seizures and DNS record changes in real time, alerting users to law enforcement takedowns (e.g. ns1.fbi.seized.gov and ns2.fbi.seized.gov) and other DNS modifications.

seized.fyi
By matdoesdev and friends: An attempt at archiving every website seizure banner image or page created by government agencies. The database is updated partially automatically by periodically downloading CZDS and checking for domains with certain nameservers, and by scraping for news articles that mention website seizures.

S3N4T0R-0X0/APT-Attack-Simulation
By Abdulrehman Ali: A compilation of APT simulations (Russia, China, Iran, North Korea) that target many vital sectors, both private and governmental, including written tools, C2 servers, backdoors, exploitation techniques, stagers, bootloaders, and many other tools that attackers might have used in actual attacks.

Update: Stopping Cybercriminals from Abusing Cobalt Strike
Fortra, in collaboration with Microsoft’s Digital Crimes Unit and Health-ISAC, describes their two-year effort to combat unauthorized use of Cobalt Strike and compromised Microsoft software for ransomware attacks. Their efforts have reduced unauthorized Cobalt Strike copies by 80%, seized over 200 malicious domains, and the average dwell time—the period between initial detection and takedown—has been reduced to less than one week in the United States and less than two weeks worldwide.

💡 It’s nice to see a company taking ownership for the impact their product can have, and taking real steps to stop bad actors from abusing it.

Red Team


boku7/StringReaper
By Bobby Cooke: A CobaltStrike BOF designed to carve strings out of remote process memory. This tool allows operators to carve ASCII and UTF-16 strings from targeted processes, making it effective for retrieving JWT tokens, credentials, and other sensitive data directly from memory.

hardenedlinux/userland-exec
Userland exec replaces the existing process image within the current address space with a new one. It mimics the behavior of the system call execve, but the process structures describing the process image remain unchanged (the process name reported by system utilities will retain the old process name). This can be used to achieve stealth after gaining arbitrary code execution as well as to execute binaries stored in noexec partitions.

Abusing VS Code’s Bootstrapping Functionality To Quietly Load Malicious Extensions
Cas van Cooten explores how attackers can abuse VS Code’s bootstrapping and portable installation features to silently install malicious extensions, bypassing normal security prompts (like “Do you trust this extension/developer?”). By creating ./data and ./bootstrap/extensions folders in a VS Code installation, extensions can be loaded without user interaction.

Cas lists several potential detection methods, but given that normal extensions may call out to the Internet, spawn shells as child processes, etc., looking for anomalous or malicious extension behavior seems tricky.

AI + Security


Russian propaganda is reportedly influencing AI chatbot results
Instead of SEO poisoning, LLM-created slop can influence the models trained on it. A Moscow-based network called Pravda has flooded search results and web crawlers with pro-Russian falsehoods, publishing 3.6 million misleading articles in 2024 alone. NewsGuard’s analysis, which probed 10 leading chatbots, found that the chatbots collectively repeated false Russian disinformation narratives, like that the U.S. operates secret bioweapons labs in Ukraine, 33% of the time.

osgil-defense/TARS
By Mehmet Yilmaz, Ben Zimmerman, and Kanan Aliyev: A prototype for trying to automate penetration testing using AI agents. Integrated tools: Nettacker, RustScan, ZAP, nmap.

BountySecurity/BountyPrompt
By Bounty Security: An open source Burp Suite extension that leverages Burp AI/Groq AI. Save preconfigured AI prompts, and automatically pass the prompt + selected HTTP requests and responses to Burp AI for security testing insights.

Shadow Repeater: AI-enhanced manual testing
Portswigger’s Gareth Heyes describes a new Burp Suite feature, Shadow Repeater, that monitors your Repeater requests and identifies which parameters you’re changing, extracts the payloads you’ve placed in these parameters, and sends them to an AI model which generates variants. It then attacks the target with these payload variations and uses response diffing to identify whether any of them triggered a new interesting code path, which can uncover unexpected behaviors, such as unconventional XSS vectors, successful path traversal attempts, and even novel vulnerabilities like email splitting attacks.

💡 Basically: “Hm it looks like you’re testing this parameter, let me auto-generate some variants and test those for you. Based on the response, this one looks sketchy.” Neat example of getting extra security coverage in the background with no extra manual work.

Finding leaked passwords with AI: How we built Copilot secret scanning
GitHub’s Ashwin Mohan and Courtney Claessens describe the development of Copilot secret scanning, which uses AI to detect generic passwords in codebases. The team used mirror testing to validate improvements, achieving up to 94% reduction in false positives across some organizations. More details on the web version.

The post discusses:

  • Challenges like handling unconventional file types.

  • Improving precision and recall through various prompting techniques, such as MetaReflection, a novel offline reinforcement learning technique that allows experiential learnings from past trials to come up with a hybrid Chain of Thought (CoT) and few-shot prompt that improves precision with a small penalty in recall.

  • Model selection, settling on GPT-3.5-Turbo with GPT-4 confirmation.

  • And scaling for public preview by optimizing resource usage and implementing a workload-aware request management system.

Misc


✉️ Wrapping Up


Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler
