
Random in Security 202502


Random in Security is a summary of the cybersecurity news.

Interesting Reads

Backdooring Your Backdoors - Another $20 Domain, More Governments

watchTowr Labs reflects on recent government-led initiatives to mandate encryption backdoors—framing it within the broader history of lawful intercept gone wrong. Drawing parallels with past abuses (e.g., the NSA’s Juniper debacle), the article questions whether it’s technically or ethically possible to implement such access without introducing systemic risk. It also critiques vague language in current legislation that could criminalize responsible disclosure or even routine pen-testing. The blurry line between offensive tooling, civil rights, and national security is one we’ll be walking for years to come.

Bad Tenable plugin updates take down Nessus agents worldwide

A faulty plugin update from Tenable caused widespread failures in Nessus agents across Windows and Linux systems. The issue stemmed from malformed content in the plugin feed, which triggered segmentation faults and service crashes. Although a fix was rolled out within hours, the update left many organizations scrambling to restore functionality, especially in environments with automated scan pipelines.

Supply-chain attack analysis: Ultralytics

Attackers briefly hijacked the PyPI account of Ultralytics, the publisher of the popular YOLOv5 machine learning library. Malicious versions of the package were uploaded and distributed for several hours before PyPI intervened. The compromised release included credential-stealing code that activated on install. PyPI’s analysis revealed the attacker likely gained access via stolen credentials rather than a PyPI vulnerability.

Ruling in WhatsApp against NSO Group case

A U.S. federal judge ruled that NSO Group can be held legally accountable for its role in hacking over 1,400 WhatsApp users using its Pegasus spyware. The ruling rejects NSO’s claims to sovereign immunity, asserting that selling spyware to government clients does not shield private firms from liability. The case, brought by WhatsApp and Meta, is a rare instance of a surveillance vendor facing legal consequences for abuse of offensive cyber tools.

Uncovering GoPhish Deployments

This post details how researchers fingerprinted and tracked active deployments of Gophish, an open-source phishing framework. By analyzing TLS certificates, favicon hashes, and response headers, they identified over 6,000 Gophish instances globally—some used by red teams, others by actual attackers. Notably, many instances were left exposed or unconfigured, leaking logs or allowing unauthenticated access. Misconfigured Gophish servers also create potential data leaks from training exercises.

The Surprising Complexity of Finding Known Vulnerabilities

The article explores why it’s surprisingly difficult for scanners and SBOM tools to reliably detect known vulnerabilities in real-world software. The root causes include inconsistent version naming, incomplete metadata in vulnerability databases, and differences between upstream and downstream packaging. Case studies (like SQLite and zlib) show how CVEs may be missed—even when technically present—due to fuzzy matching or misaligned data.
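To make the version-naming problem concrete, here is an added example (not code from the article above) contrasting a string-equality matcher with one that first maps the downstream package name and strips Debian-style epoch, repack and revision markers; the advisory records, package names and versions are constructed placeholders, not real CVE data.

```python
"""Added example: why naive version matching misses known vulnerabilities.
All advisories and inventory entries below are constructed placeholders."""
import re

# Constructed advisories: (upstream name, first affected, first fixed).
# A real scanner would pull these from a vulnerability database.
ADVISORIES = [
    ("zlib", "1.2.0", "1.2.12"),      # placeholder, not a real record
    ("sqlite3", "3.0.0", "3.40.1"),   # placeholder, not a real record
]

# Constructed inventory as an SBOM or dpkg listing might report it: downstream
# names and version strings carry epochs, "+dfsg" repack suffixes and distro
# revisions that upstream advisories never use.
INVENTORY = [
    ("zlib1g", "1:1.2.11.dfsg-2ubuntu1.3"),
    ("libsqlite3-0", "3.31.1-4ubuntu0.5"),
]

# Downstream -> upstream name mapping the scanner must maintain (constructed).
NAME_MAP = {"zlib1g": "zlib", "libsqlite3-0": "sqlite3"}


def upstream_version(debian_version: str) -> str:
    """Recover the upstream version from a Debian-style version string by
    dropping the epoch ('1:'), the distro revision ('-2ubuntu1.3') and any
    repack marker ('.dfsg' / '+dfsg')."""
    v = debian_version.split(":", 1)[-1]
    v = v.rsplit("-", 1)[0] if "-" in v else v
    return re.split(r"[.+~]dfsg", v)[0]


def vtuple(v: str) -> tuple:
    """Numeric tuple for ordering; non-numeric components sort below zero."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def naive_matches(name: str, version: str) -> list:
    """String-equality scanner: exact name, lexicographic version range."""
    return [a for a in ADVISORIES if a[0] == name and a[1] <= version < a[2]]


def normalized_matches(name: str, version: str) -> list:
    """Map the downstream name, normalise the version, then compare numerically."""
    upstream = NAME_MAP.get(name, name)
    uv = vtuple(upstream_version(version))
    return [a for a in ADVISORIES
            if a[0] == upstream and vtuple(a[1]) <= uv < vtuple(a[2])]
```

The normalised matcher still over-reports when a distro revision such as `-2ubuntu1.3` carries a backported fix, which is the other half of the upstream/downstream mismatch the article describes.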

Databroker Files: New dataset reveals 40,000 apps behind location tracking

An investigation by netzpolitik.org uncovered a dataset from a U.S. data broker containing 380 million location data points from 137 countries, linked to approximately 40,000 different apps. The data includes precise location information tied to Mobile Advertising IDs, revealing extensive tracking practices across various app categories, including dating, weather, and gaming apps. Notably, apps like Wetter Online, Focus Online, and Kleinanzeigen were found to have alarmingly accurate location data. The findings lay bare how everyday apps act as surveillance tools and that users often remain unaware of the extent to which their movements are monitored and traded.

Fortinet Zero-Day Used to Exfiltrate Firewall Configs – Now Leaked

A massive trove of firewall configuration files exfiltrated from Fortinet FortiGate devices has surfaced publicly—likely stolen via CVE-2022-42475, a zero-day previously linked to Chinese APTs. The leak, dubbed Fortigate-Belsen, includes over 23,000 device configs from organizations worldwide, exposing internal network structures, VPN users, hashes, and policies. The attackers exploited a flaw in SSL-VPN components before Fortinet fully patched it in early 2023. A list of affected IPs contains 15,000 entries.

Story of a Pentester Recruitment 2025

Silent Signal offers a brutally honest (and dryly funny) take on the pentester recruitment scene in 2025. Through the metaphor of “mushroom farming”—keep them in the dark and feed them crap—they describe how job offers are often vague, exploitative, or hilariously misaligned with the realities of infosec work. It’s a short post but cuts right to the core of burnout, mismanagement, and HR misunderstandings in security hiring.

Chrome Web Store’s Shady Extension Problem

Ars Technica reports on the growing spam and scam problem in Google’s Chrome Web Store, where shady browser extensions flood search results with SEO tricks and deceptive names. Many of these extensions mimic legitimate tools while harvesting data, injecting ads, or redirecting traffic—yet often remain listed for weeks or months. Google’s automated moderation systems are struggling to keep up with the volume and tactics. Much like the issues on npm and PyPI, it reflects a broader ecosystem problem: the incentives to ship fast often outweigh the costs of abuse.

Malicious Extensions Circumvent Google’s Remote Code Ban

Security researcher Wladimir Palant shows how malicious Chrome extensions are evading Google’s ban on remote code execution. By abusing subtle loopholes—like injecting inline scripts into sandboxed iframes or loading obfuscated code from content delivery networks—extensions can effectively run arbitrary remote code without technically breaking the letter of Chrome Web Store policies. Palant names several extensions doing exactly this, all still live at time of writing.

Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel

Sam Curry and team uncover a series of vulnerabilities in Subaru’s connected vehicle infrastructure, affecting their MySubaru web and mobile platforms. Issues included insecure direct object references (IDORs), broken access control, and predictable VIN enumeration—allowing attackers to remotely locate, unlock, and start vehicles. Subaru responded responsibly and patched within weeks, but the findings echo earlier issues found in other car manufacturers’ APIs. Connected car security continues to lag behind, even as automakers double down on app-driven features.

CVSS is dead to us

Daniel Stenberg, creator of cURL, explains why he and the cURL project are stepping away from CVSS scores. His argument: CVSS often misrepresents real-world impact, encourages fear-driven narratives, and creates friction with vendors and users alike. He shares specific examples where scoring led to misunderstanding or pressure to overhype relatively low-risk bugs.

Tools