Vulnerable U | #101
DeepSeek Mania, Apple 0days, FBI seizing cybercrime domains, Google shares how threat actors are using their AI, and more!
Read Time: 8 minutes
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/964ab6f3-db3c-4e69-9174-3d0c99ee71d5/Newsletter_Header.png?t=1738028795)
Howdy friends!
Booked my RSA and BlackHat/Defcon travel this week. Heads up: if you want any sort of affordable hotel room, go get on it. It's kind of ridiculous that a Courtyard Marriott can charge over $700 a night, but that's RSA for ya.
I was talking to a lot of security researchers this week about DeepSeek and the crowd seems pretty split.
What do you think about DeepSeek?
We're 1/12th done with 2025 already so let's get to it:
ICYMI
Something I wrote: I keep thinking about this one - The Myth of Arrival - The whole "I'll be happy when..." thing is a trap.
Something I heard: start before you're ready - Couldn't agree more. There is a switch that flips in your head when you realize you don't need to ask permission to do things, or take direction from someone else.
Something I said: The TikTok ban isn't about cybersecurity, and that scares me more… New YouTube video about how I don't think the future of the Internet is looking too great.
Something I read: I've been re-reading "But What If We're Wrong" and I just love it. Makes you think about how the future people looking back on today are going to see it.
Vulnerable News
Well this was inevitable. China undercut the whole AI market claiming a new model produced using some new post-training techniques (and potentially ripping off the incumbent models) for only $5 million and a bucket of scraps from a hedge fund's GPU pile.
This led to a bit of a stock market …correction - and also the cybersecurity community losing their minds as everyone raced to install this Chinese app.
I made a YouTube video talking about whether or not it actually poses a massive risk.
All the attention also led to some security researchers finding some pretty glaring vulnerabilities. Imagine that, a rag-tag operation out of China didn't have a robust security team to keep up with the heat of a billion eyeballs on them this week. (read more)
CSPM, CNAPP, DSPM, or whatever acronym you're using to secure the cloud can be incredibly powerful tools. But the minute you connect it, you're inundated with hundreds, potentially thousands, of alerts per day.
Yay, we got visibility. Now comes the hard part: figuring out what to fix and the best way to remediate it. (free guide to better cloud remediation)
At Tamnoon, we help you get off the alert hamster wheel. No more chasing alerts, investigating each one manually, and remediating on someone else's schedule.
Let Tamnoon's combination of AI-powered technology and human CloudPros triage, prioritize, and remediate your cloud security alerts in record time. (read more)
*Sponsored
Apple drops a few of these a year, and when they do I pay attention. "Actively exploited zero-day" means upgrade ASAP. The vuln (CVE-2025-24085) was in their CoreMedia framework. It lets malicious apps elevate privileges through a use-after-free issue, and Apple says it's already been used in attacks against older iOS versions.
The fix is rolling out across pretty much everything Apple makes - iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3, and even visionOS 2.3. If you're running an iPhone XS or later, time to hit that update button. CoreMedia handles the media pipeline for AVFoundation, so this could be a fun one for researchers to dig into once more details emerge. (read more)
This is a great report by Google TAG and DeepMind. I'm going to make a YouTube video about this but wanted to include it in the newsletter also.
We get a view into how nation-state hackers are using their AI assistant Gemini. The TL;DR - Iranian APT groups are the most enthusiastic users, followed by China, while Russian groups have been surprisingly quiet. Most actors are using it for basic stuff like coding help, research, and content generation - nothing groundbreaking that changes the threat landscape.
The fun part is seeing how these groups try (and fail) to jailbreak Gemini. Instead of coming up with clever prompts, they're mostly copy-pasting public jailbreaks and hoping for the best. Google's safety controls seem to be holding up well against attempts to get malware code or phishing help. The report suggests AI isn't the game-changer some feared - it's more like a productivity tool that helps bad actors move faster, but isn't enabling any novel attack techniques yet. (read more)
Apache released patches for two nasty Solr bugs that should get your attention if you're running it. It shocked me how popular Solr is. The first one (CVE-2024-52012) is a zip-slip vulnerability on Windows systems - attackers can write files wherever they want through a poorly sanitized configset upload API. The second (CVE-2025-24814) lets attackers bypass trusted configsets and potentially load malicious code as a searchComponent.
Given Solr's massive footprint (we're talking Netflix, Instagram, eBay level deployments here), this is one to patch ASAP. The good news is there are some decent mitigations if you can't upgrade right away - like using rule-based auth to lock down the configset upload API for the first bug, or enabling authentication/switching to SolrCloud for the second. But really, just upgrade to 9.8.0 if you can. (read more)
A new backdoor called TorNet was spotted in phishing campaigns targeting Poland and Germany and has been active since mid-last year. After the initial phish drops PureCrypter malware, it actually downloads the Tor expert bundle and routes all C2 traffic through the Tor network. Pretty clever way to stay under the radar.
The attackers' delivery is fun too - they're spoofing financial institutions and manufacturing companies, sending fake money transfer confirmations to hook victims. Both PureCrypter and TorNet come loaded with anti-VM and sandbox evasion tricks, and they even do this neat DHCP release/renew dance to dodge cloud-based antimalware. Cisco Talos thinks it's probably a financially motivated crew based on their targeting, but you know how attribution goes. (read more)
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/4e82d5fa-9a90-4dfb-802f-74c2d3c46d19/Screenshot_2025-01-30_at_5.32.43_PM.png?t=1738280028)
Europol and the FBI just took down two massive cybercrime forums - Cracked and Nulled. Platforms with over 10 million users that were slinging everything from stolen data to malware, complete with fancy AI tools for automating attacks. The raid netted two arrests, 17 servers, and a bunch of cash/crypto (€300k). They also knocked out some connected services including a payment processor called Sellix and a sketchy hosting service called StarkRDP.
Wild to me how coordinated these takedowns are getting - eight countries worked together on this one. The forums were apparently pulling in over €1 million in criminal profits, and just like every VC-backed SaaS company, they were offering AI-powered tools for vulnerability scanning and phishing. Seems like the cybercrime-as-a-service market keeps getting more sophisticated, even as law enforcement gets better at taking down these platforms. (read more)
I've covered the hell out of this massive Change Healthcare breach from last year. Well, UnitedHealth just dropped an update - they're now saying 190 million people were affected, up from the previous estimate of 100 million. That's more than half the US population. The breach exposed everything from health insurance info and medical records to Social Security numbers and financial data. (read more)
Well this is terrifying - CISA just caught Contec, a Chinese medical device maker, shipping patient monitors with a sketchy backdoor built right into the firmware. These CMS8000 devices are quietly trying to phone home to an IP at a Chinese university, attempting to download and execute files while also sending over patient data including names, DOB, and doctor info. When CISA called them out, Contec's "fix" was to just disable the network adapter... which their own backdoor code immediately re-enables.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/a614db20-71fe-41a0-aee2-c4b53b511ab1/Screenshot_2025-01-30_at_6.25.00_PM.png?t=1738283126)
The technical details are wild - the backdoor mounts a remote NFS share and can overwrite files anywhere on the system, all while keeping its activities off the logs. CISA's pretty convinced this isn't some janky update mechanism gone wrong, given there's no integrity checking or version tracking. They're telling healthcare orgs to yank these devices off the network ASAP since there's no real patch available. Between this and that pregnancy monitor from another Chinese manufacturer doing the same thing, it's not looking great. (read more)
Cybercriminals are getting craftier with their hosting game. This report details how Chinese crime groups (particularly one called "Funnull") are laundering their sketchy infrastructure through legit U.S. cloud providers like AWS and Azure. They're using these services to host everything from pig butchering scams to gambling sites, making their malicious traffic harder to block since you can't just wholesale blacklist major cloud providers.
Funnull managed to snag the domain polyfill[.]io (previously a legit open source library) and used it for a supply chain attack. Amazon and Microsoft are playing whack-a-mole trying to shut these operations down, but the criminals just keep spinning up new accounts. There's a proposed Commerce Department rule that might help by requiring cloud providers to better verify foreign customers, but we'll see if that actually goes anywhere. (read more)
The New York Blood Center is dealing with a ransomware attack that couldn't have come at a worse time. They were already in the middle of a "blood emergency" with critically low reserves when their systems got hit on January 26th. The timing is brutal - they supply over a million blood products annually to 400+ hospitals across 15 states, and they're now having to turn away donors during a shortage.
Microsoft recently released some stats showing how these healthcare attacks literally kill people - hospitals hit by ransomware see cardiac arrest survival rates drop from 40% to 4.5%, and stroke incidents spike by 113%. No ransomware group has claimed credit yet, but this has echoes of last year's Synnovis attack in London that crippled hospital blood supplies. They're working on recovery but no timeline yet on when systems will be back up. (read more)
Miscellaneous mattjay
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/083531d9-f8ea-4bd5-a518-b9d469c4b49d/leakszuck_1_.jpg?t=1738286544)
let me get my sad violin
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay