
December 12, 2025 26 mins

This week gave us the gift of some more React Server Components vulnerabilities, and further exploitation of the previously disclosed bugs by a variety of threat groups. There was also a long list of vulnerabilities disclosed by Microsoft, Adobe, and others, which we discuss in the context of how difficult vulnerability management is right now. Finally, we discuss CISA's warning about continued Russian targeting of US critical infrastructure.

GreyNoise report: https://info.greynoise.io/hubfs/At-The-Edge/Weekly-Intelligence-Brief-120825.pdf?_ga=2.212724369.466870115.1765553789-1325891860.1765553788


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:11):
Hello and welcome to the Decipher podcast, Lindsey. It's never a dull moment in the security industry. Like, we had our first named vulnerability in a while last week, and this week it's not another named vulnerability, but some other bugs that came out of that React vulnerability disclosure, which sometimes happens.

(00:33):
Actually it happens quite a lot, especially with critical bugs. People start poking around at the patch or other areas around where that bug was and all of a sudden find other vulnerabilities, which is essentially what happened in this case. Yeah, yeah. I was not super surprised when you sent me that link earlier about, yes, that React, there's a couple new React flaws.

(00:56):
I think that it was like a high severity denial of service vulnerability. And then the other one was source code exposure. I think so. And like you said, basically this is just kind of what happens if there's a really massive kind of critical flaw,

(01:17):
you know, people start to poke and prod and researchers will try to, you know, exploit the patches or whatnot. And that will ultimately lead to them finding other vulnerabilities in these products. So that seems to be the case with this specific one. Yeah, I think as you said, these weren't exactly the most critical things in the world.

(01:39):
A denial of service, which I think every software product on earth probably has like 3 or 4 DoS bugs just sitting there that if you looked hard enough you could probably find. The source code exposure is a weird one. You don't typically see that listed as a CVE and I'm not totally sure how somebody would have found that.

(02:04):
They don't really go into that, but that used to be the biggest fear on Earth, especially in the early, not early, but you know, like 20 years ago, the idea that like the Windows source code, if that ever got out there, the world would end, or, you know, the source code for Chrome or something like that. And those have leaked over the

(02:26):
years and nothing, we're all still here. Like essentially, source code is not the magic key that everybody, you know, sort of feared it might be, right? Yeah, it says like the security advisory for it lists it as a medium severity bug, 5.3 on the CVSS scale.

(02:47):
It says a malicious HTTP request sent to a vulnerable server function may unsafely return the source code of any server function, and then exploitation requires the existence of a server function. It's basically, it's pretty... It's not something that seems as serious as... No.

(03:08):
Anything else like the DoS bug, but then obviously not the initial React bug that kind of kicked all of this off? Yeah. I mean, we're going to talk about this in a larger context in terms of just the proliferation, the continued proliferation of vulnerabilities and how difficult it is for organizations to manage this stuff. But this week we also saw

(03:31):
continued and I would say expanded exploitation of those initial React Server Components bugs. GreyNoise, Shadowserver, you guys at Huntress, I saw so many different analyses of the exploit activity, the PoCs that were out there. There's much more sharpened and sophisticated PoCs out there, I

(03:55):
would say, now than, you know, even just a week ago when we last recorded, because as we said last week, some of those were sort of red herrings or just didn't work very well, which happens all the time. But now it seems like there's much more sophisticated PoCs out there available for everybody, and lots of people are taking advantage.

(04:16):
Yeah, it is funny, like in the first few days after, you know, this flaw was disclosed, we, like, I feel like we initially just saw, you know, kind of a smattering of PoCs, but then also just a couple of, like, crypto miners and those types of things, and now... It seems like it's... Yeah, it's classic. But now it seems like it's

(04:39):
definitely escalated. We're seeing new types of, excuse me, you know, malware droppers, new types of kind of cross-platform, you know, threats. So I think that, you know, it will be interesting to see kind of the longer tail of this, the exploitation of this flaw. And I know, you know, I don't

(05:01):
know if you saw this, but GreyNoise came out with this really interesting analysis report that looked at all the different attack sessions and the countries where exploitation's been observed and all of this. We can probably drop this in the show notes, but it shows attack volume over time and it's a really great breakdown of kind of the bits and pieces that have

(05:26):
gone into this exploitation. So there's a lot more of an understanding now of, like, how this is being exploited. I think I would be curious to talk to people and get a better understanding of how defense teams feel that they're being able to handle this. And like, have they been able to, you know, effectively roll out the patches and find where these

(05:47):
components are in their environments and everything else? Because like you said, this has also been a really crazy week in terms of disclosed vulnerabilities in general. So. Yeah. Yeah. I mean, I have not read that GreyNoise report, but they do some of the best stuff around on that kind of thing. And one thing I did notice is that both the geographic

(06:12):
breakdown and the types of hosts that were trying to exploit this were not exactly what I might have expected. I think we said last year that, last year, last week, good God, time is a flat circle. We said last week that what we were seeing at the time were mostly APT groups from, you

(06:36):
know, China, that that's what you would expect, right? Because they have the resources to quickly build exploits and find vulnerable hosts and get down to business. And that's still happening. But there's also plenty of other groups trying to exploit this bug from all over the world. And some of them, some of the activity is coming from

(06:57):
previously compromised hosts, you know, which is typical too. But some of it is just, like, infrastructure used by these APT groups all the time, just like, here's our go-to, you know, server infrastructure. We're coming at you because we know that you guys have all these vulnerable apps, so try and stop us. Right.

(07:17):
Yeah, it is interesting to see how that's kind of spread out. And this, the report has a geographic distribution as well. And I think this is for, I'd assume for victims. But surprisingly it looks like Poland is right now at the top, which is very odd. And then Czech Republic, Brazil,

(07:37):
Netherlands, and then the US. So it's kind of, there's some really cool data there to try to figure out, you know, what the escalation of attacks has looked like and everything else. That's so odd. I wonder what you... I remember there was a supply chain attack a few years ago and it was

(08:03):
like an accounting or a tax software that was used by everybody. I think, I want to say it was in Romania. I cannot remember the name of the software. It was like four or five years ago now, but essentially everybody in that country used this tax prep software and that got compromised and the downstream effects were terrible for that one, but nobody else.

(08:25):
It didn't exist anywhere else. So I wonder if there's some app that's used really widely in Poland that has the vulnerable React framework in it that is just getting hit all the time. Because almost always in a widespread bug like this, it's the US, the UK, you know, maybe Brazil, like big, big countries

(08:48):
that have a lot of computers that get hit. You don't typically see, you know, Poland at the top of the victim list. Yeah, that is interesting. I'd have to double check that this is geographic distribution of victims versus, like, other parts and pieces of the attack. But, and I think also like

(09:12):
visibility in terms of, but you know, it's interesting when you see analysis like that, like every vendor, every company is going to have a different level of visibility given what their, you know, customer base is. Exactly right. Yeah. But it is interesting to be able to kind of look at all the different aspects of kind of how this is playing out right now,

(09:34):
so. Yeah, it could also be a hosting provider or some large platform in that country. That's, you know, the sort of underlying issue there, but. Yeah, but I also wanted to, just, like, in terms of people who are dealing with this right now,

(09:56):
I wanted to read some of these, like, news headlines off for context of, like, where we're at this week. Fortinet patches critical authentication bypass vulnerabilities. Ivanti EPM update patches critical RCE flaw. Microsoft fixes 57 flaws, including three zero-days, and Adobe patches 140 flaws.

(10:18):
And that's not even all of them. The Adobe ones, Adobe and Oracle, you can't just read those things out of context, because you look at them and Oracle does them quarterly, not monthly. So you look at the Oracle patch updates, there are always hundreds of vulnerabilities and

(10:43):
a lot of them are critical because Oracle has tons of products, same way Adobe does, that are used all over the place, right? Like everybody has some Adobe product on their computer whether they use it or not. And 145 or what are you, whatever you said, is just, it's wild. Imagine if we were talking about,

(11:04):
this is the larger context, how an organization, even one that has a good vulnerability management and patching program and a well-funded security team, how do they deal with this on... I mean, we've talked to a lot of people that this is their job, but dealing with this on a monthly basis, even though you

(11:24):
know the timing of it, OK, the second Tuesday of every month we're going to get our teeth kicked in. We got to be ready. Let's plan this and that and downtime and all that kind of stuff. Trying to fix 145 Adobe bugs. I mean, obviously you're just updating software packages, but on, you know, thousands or tens of thousands of endpoints and possibly servers and trying to

(11:48):
figure out how people can still do their jobs while you're fixing this along with the Windows bugs. I mean, three zero-days, that would have been like the biggest headline 10 years ago. You know, Windows. Now it's just like, hey, it's Tuesday, it's December. Good luck. Like, go get them, Tiger. I know, and it's just, what's wild to me is that

(12:11):
they're, you know, we're dealing with that on top of this already, like, insane vulnerability that teams are already kind of trying to wrap their heads around and deal with there. So it's like just feeling overwhelmed, I think, by everything. But like, even without React, like, how are people, like, what, you know, there's always

(12:35):
the discussion about how do you best prioritize vulnerability management and things like that. And there's so many different factors in it. And you know, we have, you know, the ability to look at, you know, the CVSS score. But then also there's, like, is it actually being exploited? How easy is it to exploit? Like, is it in a product that is,

(12:57):
you know, potentially impacts other things, and all these different questions. And I think it's not just, you know, a black and white issue. No, not at all. Everything requires some kind of context and prioritization, because even some of these bugs, even if they are exploited, a lot of times it doesn't matter to a given organization if the

(13:20):
attacker can't get anywhere with that or there's no sensitive data exposed after exploitation, if it just causes a crash or a DoS or something like that. Those are ones that you, you know, can be farther down the list. But I would just, like, me personally, if I had one of those jobs, I would be like, my brain would just never stop

(13:44):
spinning trying to figure out, you know, it's like, how do you even ever take a deep breath and, like, go away for the weekend or something? Or just, you know, go to the movies without feeling like your server farm might fall over while you're, you know, out of touch. It seems like, and it honestly is just kind of a

(14:08):
vicious cycle that you never really can get out of. Yeah, no, I agree. I think it's every month. The fact that there's, like, this, the cadence of this too, I think is tough, because this is all falling on everyone's lap, like, over the course of, like, a couple days. And I understand, you know, why

(14:29):
that has to happen. But yeah, it makes it pretty tough, I would say. And it's also, you know, two weeks before Christmas, in the middle of the holiday season. Yeah, yeah. Everybody kind of trying to wind down and plan for, you know, time away from the office and all those sorts of things. And when more fires are being

(14:53):
piled on top of existing ones every week, I would just, you know, it would be really hard to enjoy a little family time with all this in the back of your head. I know, yeah, it's tough. I also saw it too. I don't know if you saw this, but the list of top most dangerous security weaknesses was just released by MITRE.

(15:16):
That was, oh, interesting too. Yeah, just, I know they release it every year and it's always funny to me because, you know, a lot of these, you know, once again, cross-site scripting, like, no surprise there, but it's always interesting. Like, I'm curious, you know,

(15:36):
how they pull that list together in terms of measuring the level of danger, 'cause there's so many factors I think that go into that and everything is so... That's a good question. Yeah. And it says they scored each weakness based on its severity and frequency after analyzing CVE records for flaws that

(15:59):
were reported over the past year or so. And so it's just really hard though, because, you know, if you have even just, like, a React2Shell type of situation, like, that is going to have much more of a widespread kind of downstream impact than a different type of

(16:21):
flaw under a different categorization that might be on here. So anyways, that must be a really tedious and tough process to kind of work through and understand kind of how these weaknesses work. Right. Yeah, I assume that they look at publicly disclosed CVEs over the course of the year, sort of group them by, you know, the CVSS score along with maybe some

(16:46):
public exploitation activity, things like that, and put it into a soup and, you know, ask ChatGPT what's the most dangerous? Like, give me a list of the worst things in this group. Actually, I assume they do not do that with AI, but actually I hope not.

(17:08):
Yeah, but it says too, they brought in the CVEs in the KEV, the Known Exploited Vulnerabilities catalog, too. So, like, they're factoring in, you know, if these are being exploited as well. And, you know, it's like I said, cross-site scripting, SQL injection, like, just these

(17:30):
things that are not, you know, it's really a surprise to anyone. Path traversal, but then they, missing authorization, and it looks like missing authentication, like, also ranked upwards after a few years. So I don't know, I think, like, with all the conversations people have been having over the past year or two around, like, you know, secure by design, like,

(17:53):
trying to figure out, like, how can we actually take this list that comes out every year and, like, make it actionable. Like, I think I would like to still kind of better understand that. Those, you know, Secure by Design and SDLC and all those software security initiatives

(18:15):
are great and I love them and, you know, people should pay attention to those. But when you look at the reality of most modern apps, they're literally built on a foundation of a pile of open source code that maybe hasn't been reviewed by a human in six years, if it ever was.

(18:36):
There might be some libraries in there that have critical bugs that nobody ever updated. You know, and this is no knock on open source maintainers. Most of them are doing this for free, as you know, as side projects, and that's the foundation of most of the modern Internet and even

(18:58):
enterprise apps. You know, there's just hundreds and hundreds and hundreds of open source projects and libraries in every enterprise app. And there's no real way to, you know, shore that up. It's the XKCD meme of, like, the giant unwieldy building that has all the apps and then there's one little stick holding

(19:21):
it up. That's like OSS libraries. Yeah, yeah, I know. I think it's, like, the fact that it's just how it's, it's a systemic thing, you know, and it's just how, like, I don't understand how that can really be changed, unfortunately. There's no way to unwind it. Yeah. And honestly, like, it could

(19:42):
potentially introduce new, other types of risks if that was unwound. Absolutely. Yeah. It reminds me a little bit of, I mean, on a different scale, but what we were talking about last week with, like, the telecom infrastructure, you know, a lot of it is so old and, you know, purpose-built, and there's no real way to upgrade some of

(20:03):
those things without breaking the entire network. It's sort of that. But software, like, you can't, there's no way to change the way that apps are built at this point. It's just, you know, we're too far down the road. Yeah, I know. Well, that kind of is a segue, I guess, into one other news item

(20:26):
too, in terms of when you look at operational technology and that's... Always. Fun to talk about. Always. Good. Always good. Yeah. The only... Yeah. The other thing I saw that was interesting this week was, you know, CISA came out with a new advisory basically warning of Russian hacktivists that were

(20:50):
conducting attacks against US critical infrastructure, which is absolutely not new at all. But it also came out in tandem with the Justice Department charging a Ukrainian national who had conducted some cyber attacks on various critical infrastructure organizations worldwide.

(21:12):
Basically, it was, part of it was linked to Russian state-sponsored hacking operations that were targeting, you know, all these kind of critical infrastructure orgs like water utilities and, like, food processing facilities, government networks, things that we've really seen bubble up in the past couple years over a variety of different

(21:36):
incidents. But it just kind of brings up the same conversation around, you know, operational technology security and the risks and potential impact that these types of attacks could have downstream. So. Yeah, it's always those kind of

(21:56):
things. It's easy for me and you to look at those and be like, yeah, we know this is what they, like, hackers gonna hack type thing, like, this is what they do. But for a lot of people, and especially, you know, the government, like, as administrations change and personnel changes and people have different jobs and different responsibilities, like, there is sort of a recurring

(22:20):
cycle of people becoming aware of this activity. And how, I don't, sophisticated is not the right word, but how maybe persistent and pervasive it is and how much of it goes on every single day all the time. And the amount that we uncover privately or expose publicly is

(22:44):
really small, a really small percentage of the total activity. You know, it's the thing of, like, the duck swimming on the surface and then all the legs, like, underneath, like, paddling furiously. It's just like we're only seeing a little bit of what's going on here. Right, which is definitely scary. Oh, it's terrifying.

(23:04):
Yeah. I mean, yeah. And that kind of leads into the last thing I wanted to mention, which is a podcast that we published this week that I recorded a couple weeks ago with a woman named Aaron Whitmore, who works for a company called Cypher now and does sort of executive risk and strategic intelligence type stuff, which sounds really cool. And but her background, she was

(23:29):
a CIA operations officer. She worked in the Office of the Director of National Intelligence on cybersecurity for a while. She supported the Defense Intelligence Agency and the NGA as a civilian in the private sector. She has this really fascinating back story and sort of group of experiences, and it was one

(23:55):
of the most fascinating conversations I've had in a long time, on or off a podcast. And she talked a lot about that, you know, sort of in broad terms, as you might expect being a former CIA officer, but about how there are threats going on all the time that most people have no concept of and don't

(24:16):
need to know about. And you just, you know, the things that you hear about are the tiny, tiny percentage of what the government thinks you should know about, which, I mean, maybe that's good or bad, I don't know. But the entire conversation was just amazing. It's really, it's longer than most of the podcasts we do. It's like an hour and a half. And I thought about splitting it

(24:39):
up, but I couldn't really find, like, a good point to stop it. So I was like, the hell with it. Here's an hour and a half of this fascinating woman talking and me asking, like, four questions. Which is, it was great. It was like the easiest kind of podcasting. That's great. Yeah, no, definitely everyone should go listen to that one, because I feel like they just, like, it's a really good

(25:00):
conversation given, you know, all the different things that are happening today. So yeah. It is. It's also heartening because she talks a lot about how her family has this military background and sort of a history of service, whether it's in the military or other parts, and how she felt this kind of pull to go do that

(25:24):
in one way or another. And not just, you know, go make money somewhere. And, you know, which is something that you don't hear about all that much anymore. You know, it was just kind of like, oh, there are people out there that are thinking about other people and not just themselves. That's nice. Yeah. It's good to know for

(25:46):
the holidays, yeah. Heartwarming story. Yeah. We don't get enough of those, especially in this business. I know, yeah. All right, well, it's good to see you as always, and I'm sure we'll have plenty to talk about next week. I think we're going to hopefully get the Home Alone podcast done next week, so we'll have something for you guys to listen

(26:06):
and watch, listen to and watch, while you're avoiding your family over the holidays. Yeah. All right, have a good weekend. Talk to you soon.