SANS NewsBites

Cyberattack on DeepSeek; Six-Week Ransomware Outage at ENGlobal; UK's NCSC Assesses "Unforgivable" Vulnerabilities

January 31, 2025  |  Volume XXVII - Issue #8

Top of the News


2025-01-28

DeepSeek R1 Release, Cyberattack, and Jailbreak

On January 20, 2025, Chinese tech startup DeepSeek released a new open-source AI model to the public, available for use in apps, on a web page, via cloud API, and locally. The new R1 model represents a jump in functionality at an ostensibly lower cost and higher energy efficiency relative to comparably capable models such as OpenAI's o1, specifically involving "reasoning" to consider approaches when problem-solving, and "test-time scaling," described by RAND researcher Lennart Heim as "thinking out loud," which the model then uses for further training without additional data sources. DeepSeek's privacy policy notes that the company collects and will use many types of data to train new models, such as text, audio, prompts, feedback, and chat history shared with the chatbot; user account information and personal details; data about users' devices, operating systems, crash reports, keystroke patterns, cookies, and IP addresses; and advertising data such as mobile IDs and cookie identifiers for profiling users' activity outside the AI model. Unless users are operating a local walled version, DeepSeek sends collected data to servers in the PRC. On Monday, January 27, the company announced that new signups on the web chatbot interface would be limited due to "large-scale malicious attacks." Commentary from experts suggests that the company's notice is characteristic of a DDoS attack, but this has not been confirmed by DeepSeek. The same day, researchers from Kela published a blog post describing their red team's success "jailbreak[ing] the model across a wide range of scenarios, enabling it to generate malicious outputs, such as ransomware development, fabrication of sensitive content, and detailed instructions for creating toxins and explosive devices." Techniques such as telling the chatbot to act like an "evil confidant," or even "a persona that has no restrictions," will jailbreak DeepSeek R1, but no longer work on ChatGPT. R1 also complied with a request for personal information about OpenAI employees, providing erroneous information but demonstrating no guardrails around this type of request.

Editor's Note

As the newest industry member in the LLM space, one can expect it to be poked and prodded by researchers, competitors, and criminals alike. What's important is for organizations to have an AI Acceptable Use Policy and training in place before using the AI models. Else, they may find that company sensitive data has been collected on servers throughout the world.

Curtis Dukes

I was about to suggest "use with extreme caution." However, on second thought I cannot think of a safe way to use this product. In any case, keep in mind that you are responsible for everything that you ask any computer to do and for all the properties and uses of the results.

William Hugh Murray

DeepSeek is massively undercutting OpenAI on pricing, due to it operating on standard CPUs efficiently, as its API costs just $0.55 per million input tokens and $2.19 per million output tokens, compared to $15 and $60 for OpenAI's API. One problem is that DeepSeek servers, which also house user device and connection information, usage patterns and payment details, fall under China's 2017 National Intelligence law, which mandates Chinese companies assist state security agencies upon request, providing a potential data conduit for the PRC. DoD and other agencies are already blocking access to the service because of this. Secondarily, if you're looking to research the service, DeepSeek appears to have certain responses tuned to avoid any direct criticism of China or the Communist Party.

Lee Neely

This model is interesting because, by definition, it must be developed with very constrained systems. At the same time, in the US, we keep adding more and more GPUs, so the constraints didn't necessarily have to be accounted for. The model is open source so that anyone can read through the algorithm and all that. Am I worried about this? This could be a bit of posturing from other governments to 'prove' they have the right chops. I think universally, everyone benefits. Now, to address the security concerns. Every company in the PRC has to abide by all the laws of their system, including the ones that ByteDance has. It's not surprising that information is collected. We can move that entire conversation into geopolitical in a different forum, so that's not exciting. DDoS? It's hard to say it's plausible; it could also be plausible that the entire internet is trying to sign up. If you remember, ChatGPT, when first launched, also appeared to be DDoSed. It's hard to say because the transparency with systems in that country is less than - well - transparent. Finally, the attackers' research. It appears this hosted Chatbot lacks many of the guardrails that other more mature chatbots have. It's not surprising to see all of the workarounds working. It will be interesting to see if it has to abide by any censorship guidelines and if those are now in place. How about we give this story 6 months to bake, return to it, and take the temperature then? For those just getting here, if you wonder about my stance on all this, I have some Bored Apes you may be interested in for 25 million dollars. I'm just kidding; this technology has some material use. RIP my inbox.

Moses Frost

2025-01-28

ENGlobal Suffered Six-Week Outage from Ransomware

ENGlobal, a Texas-based "single source company providing Engineering, Procurement, Fabrication, Construction Management, Modular Process Systems, [and] Integration & Automation for EPFCm projects," holding major contracts with US federal agencies and private companies, has submitted an amendment (Form 8-K/A) to its previous report filed with the US Securities and Exchange Commission (SEC), disclosing additional details about a ransomware attack that took place in November 2024. The attack reduced ENGlobal's access to its operational applications, including financial and operating reporting systems, for about six weeks, and gave the threat actor access to a system containing "sensitive personal information," though the report specifies neither the scope of the breach nor whose information was accessed. ENGlobal "intends" to notify any possibly affected parties, and does not believe the incident had or will have a material impact on the company.

Editor's Note

If I were the CEO of a company that had certain systems go down for 6 weeks without causing a material impact, I'd look at turning those systems off permanently to gain positive material cost savings.

John Pescatore

This is an interesting story, as many people think we don't make much in the US anymore. We will build more factories in the US if we start to re-shore factories. There will be many geopolitical reasons, one of which may be population density. If you are in Info Security, consider looking at the security of these factory floor operations as a niche, because the number of factories has increased in the last few years and will continue. This is also a geopolitical story, so bear in mind that this will also apply to countries like Vietnam, countries in Africa, Mexico, Central America, and India.

Moses Frost

A study from Illumio Research finds that ransomware remediation is now taking an average of 132 hours (17 working days), requiring 17.5 people, and that 58% of organizations had to shut down operations after an attack, which is up from 45% in 2021. It further found that costs from reputation and brand damage exceed those from legal and regulatory actions. Lastly, failure to prioritize investments to boost resilience is impacting the ability to identify and contain attacks. Revisit your ransomware response/recovery plans with an eye to these findings: https://www.globenewswire.com/news-release/2025/01/28/3016416/0/en/Illumio-Research-Reveals-58-of-Companies-Hit-With-Ransomware-Have-Been-Forced-to-Halt-Operations.html

Lee Neely

The slow drip of information on a cyber incident only helps the adversary. Nearly 90 days later, parties that lost their sensitive personal information are still waiting to be notified by the company. It really doesn't appear that SEC cyber rule changes have made any difference, other than informing the federal government.

Curtis Dukes

Another instance in which the compromise of PII, though an obvious problem, is dwarfed by the loss of mission-critical applications and capabilities.

William Hugh Murray

2025-01-30

UK Cybersecurity Agency Seeks to Eradicate 'Unforgivable' Vulnerabilities

The term 'unforgivable vulnerabilities' was coined by Steve Christey in a 2007 MITRE paper; they are described as 'beacons of a systematic disregard for secure development practices. They simply should not appear in software that has been designed, developed, and tested with security in mind.' In a research paper published earlier this week, the UK's National Cyber Security Centre (NCSC) 'proposes a method that allows security researchers to assess if a vulnerability is 'forgivable' or 'unforgivable'. The method outlined in the paper effectively quantifies how easily the mitigations required to manage the vulnerability could be applied.' The NCSC identified 11 top-level mitigations that include, but are not limited to, input validation, output encoding, reducing the attack surface, sandboxing, and separation of privilege, assigning each an 'ease of implementation' score. The mitigations were identified as means to address 'the root cause of vulnerabilities (opposed to the details provided in the individual vulnerability advisory), using the CWE Top 25 Most Dangerous Software Releases for 2023.'

Editor's Note

I've always summarized papers like this with one line: "If companies buy crappy software, vendors will write even crappier software." This paper puts it more eloquently: 'Put simply, if the majority of customers prioritise price and features over 'security', then vendors will concentrate on reducing time to market at the expense of designing products that improve the security and resilience of our digital world.' In Roman times 'caveat emptor' (buyer beware) put all the onus on the buyer to make sure the ox being bought was not diseased, and in 1603, Britain put that in their contract law. But in 1979, the UK came out with the Sale of Goods Act (updated in 2015) that gave buyers redress for 'perishable' goods that were already perished when sold - kinda like much software today! Here's an idea: if we have broad political support in the US to ban TikTok over security concerns, how about banning the many, many applications with 'unforgivable' vulnerabilities that cyber criminals are exploiting every day?

John Pescatore

Unforgivable vulnerabilities are those which represent a disregard for secure development practices, of which the paper identifies thirteen, initially identified by Mitre in 2007. The 11 mitigations are intended to manage the occurrence of these vulnerabilities. In addition to unforgivable, two other categories of vulnerabilities are identified: forgivable, where the implementation is expensive, unknown, subtle, or mitigation is too expensive; and non-exploitable, where there is no code path to exploit it, it has been mitigated, or it is unlikely chaining vulnerabilities will result in exploitation. In 2017 it was found that software source code in systems doubles every 3.5 years due to user demands for added functionality as well as increased processing capacity to handle the increased functionality, which results in a similar increase in the number of defects, highlighting the need to implement those mitigations sooner rather than later in the software lifecycle.

Lee Neely

Steve Lipner suggests that most attacks exploit incomplete input validation. Most remote code execution attacks exploit this. Input validation is harder than it looks, at least in part because the developer cannot know all about the environment in which his program may run. Better to maintain separation between data and procedure, as in IBM iSeries and iOS, such that procedures cannot be modified, and data, input or otherwise, cannot be executed. Fred Cohen reminds us that "in a world of application-only (non-programmable) devices we could enjoy most, though not all, of the value of the modern computer." The problem is that there is a market preference for late programmability. That is why Windows is so popular and Android exists.

William Hugh Murray

I've always loved this idea of 'Unforgivable' vulnerabilities. If you read through the NCSC document, there are so many common sense ones. For example, Data Input Validation bugs, like some of the stories in this NewsBites newsletter, potentially are cheap to implement and correctable mistakes that we should classify as 'unforgivable.' This is not to pass judgment on everyone, but to say that some bugs are easier to fix than others. Secure Architecture (Secure by Design?) is a really hard one to solve. One example is the notion of Shift Left. 'Write secure code.' Or, 'Just let the system make sure you write secret code.' We have been chasing this idea for almost 2 decades now. The number of CVEs does not correlate with fixing this problem. As such, that one is rated as hard. Overall, the methodology appears sound, although there may be some ambiguity in the scoring, but don't let perfect be the enemy of good or something like that.

Moses Frost

What a cute naming scheme. The reality though, is that secure software development practices have been around for decades. Two excellent sources are: SAFECode.org and the NIST Secure Software Development Framework (SSDF). Instead of classifying whether the vulnerability is forgivable or not, implement the security best practices. That will go further in moving the industry towards secure by design.

Curtis Dukes

The Rest of the Week's News


2025-01-29

Zyxel Flaw (not the one we mentioned on Tuesday) is Being Actively Exploited

Researchers at GreyNoise have detected active exploitation of a critical zero-day command injection vulnerability in Zyxel CPE devices. The issue (CVE-2024-40891) was first reported in July 2024 by VulnCheck. GreyNoise researcher Glenn Thorpe writes that "attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration." Data gathered by Censys indicated that there are more than 1,500 vulnerable devices detectable online. There is no patch currently available, and the CVE does not yet have an NVD entry.

Editor's Note

This exploit has been added to existing Mirai botnet variants; yeah, those are still operating. CVE-2024-40891 is similar to CVE-2024-40890 except that the former is Telnet-based while the latter is HTTP-based. Both attacks are unauthenticated and leverage service accounts such as supervisor or zyuser to gain privileged access. While there is no patch, you can limit access to management interfaces, as well as blocking Telnet. Additionally, block and hunt for activity from the IP addresses listed in the GreyNoise blog.

Lee Neely
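
The hunt described in the note above (Telnet reachable on CPE devices, the supervisor/zyuser service accounts used from outside the management network, and sources on a published indicator list), as an added example that is not code from the newsletter, GreyNoise or Zyxel. The log line format is constructed for illustration and is not the real Zyxel or firewall syslog format; the watchlist holds placeholder addresses standing in for the published indicators; and the 10.0.0.0/8 management range is an assumption.

```python
"""Hunt for Telnet exposure and built-in service-account use on CPE devices.

Added example, not code from the newsletter, GreyNoise or Zyxel. The log
line format is constructed for illustration (it is NOT the real Zyxel or
firewall syslog format), and the watchlist holds placeholder addresses
standing in for the indicators published in the GreyNoise blog post.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Placeholder watchlist (RFC 5737 documentation addresses); replace with the
# published indicators before running against real logs.
WATCHLIST = {"192.0.2.10", "198.51.100.77"}

# Built-in service accounts named in the editor's note.
SERVICE_ACCOUNTS = {"supervisor", "zyuser"}

# Assumption: management access is only expected from this internal range.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed format: "<ts> <event> src=<ip> dst=<ip> dport=<n> [user=<name>] [result=<r>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: user=(?P<user>\S+))?(?: result=(?P<result>\S+))?$"
)

# Constructed sample: a legitimate admin session from the management range, an
# attacker session from a watchlisted address, a blocked probe, and one
# malformed line that the parser must skip.
SAMPLE_LOGS = [
    "2025-01-29T10:00:01Z conn_allowed src=10.20.1.5 dst=203.0.113.1 dport=23 user=admin result=ok",
    "2025-01-29T10:00:07Z conn_allowed src=198.51.100.77 dst=203.0.113.1 dport=23",
    "2025-01-29T10:00:09Z login src=198.51.100.77 dst=203.0.113.1 dport=23 user=supervisor result=ok",
    "2025-01-29T10:01:00Z conn_blocked src=192.0.2.10 dst=203.0.113.1 dport=23",
    "2025-01-29T10:02:00Z login src=10.20.1.9 dst=203.0.113.1 dport=443 user=zyuser result=ok",
    "garbage line",
]


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    reason: str


def is_management_source(src: str) -> bool:
    """True if the source address falls inside an expected management network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MGMT_NETS)


def analyze(lines):
    """Return one Finding per triggered rule; a single line may trigger several."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the expected format; skipped, not an error
        f = m.groupdict()
        src, dport, event, user = f["src"], int(f["dport"]), f["event"], f["user"]
        external = not is_management_source(src)
        if src in WATCHLIST:
            findings.append(Finding(f["ts"], src, "source on watchlist"))
        if dport == 23 and event != "conn_blocked" and external:
            # Telnet reached the device from outside the management range: the
            # exposure the note says to remove by blocking Telnet.
            findings.append(Finding(f["ts"], src, "telnet reachable from non-management source"))
        if user in SERVICE_ACCOUNTS and external:
            findings.append(Finding(f["ts"], src, f"service account {user} used from non-management source"))
    return findings


def summarize(findings) -> dict:
    """Count findings by reason, for a quick triage view."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    results = analyze(SAMPLE_LOGS)
    for finding in results:
        print(f"{finding.ts} {finding.src}: {finding.reason}")
    print(summarize(results))
```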

Last story was impactful, from my recollection, because of the physical requirements to console. This time, we must talk about telnet. In 2025. I'm just going to be honest: why not just use Gopher and turn on r-commands and telnet? I'm just saying this because I feel like keeping Telnet enabled now is the equivalent of just giving up on things. Unauthenticated privilege escalation on telnet on an Internet-connected device that, well, frankly, you cannot do much about because if you have one, it's in front of the firewall. I would say patch, but there is no patch at the time of this writing. They probably have a decent stack, to be honest, but this is not good. And for reference, all of the enterprise security vendors that keep telnet in their code for <reasons>, you are in the same boat here. Remove telnet. Even Windows supports SSH; let that sink in.

Moses Frost

2025-01-29

VMware AVI Load Balancer Vulnerability

Broadcom has published a security advisory describing a high-severity unauthenticated blind SQL Injection vulnerability in VMware AVI Load Balancer. The vulnerability could be exploited to access the database and cause additional problems. Patches are available to address the flaw; Broadcom does not offer workarounds for the issue.

Editor's Note

The AVI Load Balancer provides multi-cloud load balancing, WAF, analytics and container services. CVE-2025-22217, the AVI Load Balancer blind SQL Injection flaw, has a CVSS score of 8.6, and affects versions 30.1.1, 30.1.2, 30.2.1 and 30.2.2. Note you need to update 30.1.1 to 30.1.2 before you can apply the 30.1.2 patch. 30.2.1 & 30.2.2 each have patches. Versions 22.x and 21.x are not vulnerable, albeit version 21.x doesn't appear to be getting updates. This is a good time to look at moving to version 30.2.2p2 or higher.

Lee Neely

2025-01-30

International Law Enforcement Effort Disrupts Cybercrime Forums

An international law enforcement effort led by authorities in Germany has taken down domains associated with cybercrime forums, including Cracked and Nulled. People attempting to visit the targeted domains will be greeted by a banner declaring that they were seized as part of Operation Talent, which involved law enforcement from Australia, France, Greece, Italy, Romania, Spain, and the United States, as well as Europol. The three-day operation resulted in two arrests, seven property searches, the seizure of 17 servers and more than 50 electronic devices, and the seizure of roughly EUR 300,000 (US $312,000) in cash and virtual currency.

Editor's Note

For such a popular set of forums, only seizing 300K euros may be the most interesting part of the story. Either it's all hidden away, and we haven't found it all, or they just didn't have the money and lost their street cred. I'm betting there may be more somewhere else. Oh, and, yeah, I bet another forum will pop up somewhere else. Did anyone find it funny it was called Operation Talent? That has fueled some speculation as well.

Moses Frost

Dismantling cybercrime hubs continues to be a major focus for law enforcement, with this takedown identifying a total of eight people as directly involved with the service, two of whom were apprehended. Beyond the domains/servers seized, a financial processor, Selix, and a hosting service, StarkRDP, both operated by the same suspects, were also taken down. Services provided included AI-based tools and scripts to help discover flaws and optimize attacks, which included far more personalized and convincing phishing messages.

Lee Neely

Congratulations to law enforcement. The reality though, is that the criminals will simply reorganize and rebuild the infrastructure as cybercrime is still an incredibly lucrative business.

Curtis Dukes

2025-01-29

Smiths Group Discloses Cybersecurity Incident

Smiths Group, a major UK engineering firm, has disclosed a breach of its systems in a filing with the London Stock Exchange. The firm supports industries including "petrochemical, mining, pulp & paper, water treatment, semiconductor testing, heating elements, automotive, and rail transportation," as well as oil, gas, and energy, aerospace and defense, and travel security screening and defense scanners. The filing and the company's subsequent statements provide little detail beyond "unauthorized activity" and ongoing recovery and investigation; The Record notes that "the engineering and manufacturing sector is a popular target for cybercriminals, as well as nation-state hackers, because of the economic importance of the companies involved and the often sensitive nature of the work."

Editor's Note

The Smiths Detection arm builds security screening technology used in airports and other points of entry, adding another factor to their being an attractive target. Even so, there is not a lot of transparency here, other than to note they are working with cybersecurity experts to recover systems and determine any wider impact, as well as taking all measures needed to comply with regulatory requirements. Even so, peer organizations can review their current cyber hygiene, ensuring they are leveraging segmentation, keeping products isolated, not exposing management interfaces to the Internet, and using MFA wherever it is technically possible.

Lee Neely

Talk about lack of information in an initial report. No discussion on when the attack was discovered, what systems were affected, potential loss of data: nothing other than detecting unauthorized access. The LSE could learn a thing or two from the SEC Form 8-K.

Curtis Dukes

2025-01-29

Maryland Health Group Recovering from Ransomware

Maryland's Frederick Health medical group "proactively took [its] systems offline" following detection of a ransomware attack, as stated in an advisory released January 27, 2025 and updated the following day. All medical offices and laboratories are still operating except for the Frederick Health Village Laboratory, and while "most appointments are continuing as scheduled," patients may still experience delays, and can work with the office team to take care of rescheduling. While third-party experts investigate and restore the systems, the medical group is operating "using established back-up processes and other downtime procedures." Frederick Health employs almost 4,000 people and serves a growing county with a population of nearly 300,000.

Editor's Note

Not much new to say here, but I just have to once again say that companies who are still allowing privileged access via reusable passwords are like restaurants storing perishable food in plastic buckets.

John Pescatore

Their outage notification has been updated adding the Mt. Airy Laboratory as being temporarily closed. They also provide guidance on things to bring with you to facilitate manual check-in for your appointments, and are letting patients know that prescriptions will be provided on paper rather than electronically filed with their pharmacy. Note their patient portal is also unavailable.

Lee Neely

2025-01-30

South Africa's Government Weather Service Website is Offline Due to Cyberattack

The South African Weather Service (SAWS), South Africa's government-operated weather service, has been disrupted by a cyberattack. SAWS is a critical service for the country's transportation and agricultural sectors as well as for other countries in the region. The organization's Information and Communication Technology (ICT) systems have been down since the evening of Sunday, January 26. Because its website is down, SAWS has been forced to turn to social media platforms to share critical information.

Editor's Note

This attack, the second in two days (the attack on January 25th failed), has taken out both the SAWS web site and their email system. They were able to pivot and provide weather updates through social media (Facebook, X, etc.). There are also online alternate SA weather sources, begging the question of how many users will return to the SAWS site once service is restored.

Lee Neely

2025-01-28

PowerSchool Begins Official Breach Notifications

On January 27, 2025, PowerSchool added an update to its informational web page on the late 2024 breach and data theft from its Student Information System. The company has begun officially informing customers and government authorities, "filing regulatory notifications with Attorneys General Offices across applicable U.S. jurisdictions on behalf of impacted customers who have not opted-out of [PowerSchool's] offer to do so," and promising a future update for its international customers after informing Canadian regulators. Current and former students, parents and guardians where applicable, and educators affected by the breach should expect forthcoming notices including instructions on PowerSchool's offers of credit monitoring and identity protection services. A notification already filed with the Maine Attorney General's office indicates 33,488 of the state's residents were affected.

Editor's Note

PowerSchool is only sending notifications to those for whom they have sufficient contact information. Those affected in the US will be notified by Experian of their coverage. Canadian users will be contacted starting next week. If you are a PowerSchool user and don't receive notification shortly, go to their incident website for ways to contact them.

Lee Neely

Internet Storm Center Tech Corner

SANS ISC StormCast, Friday, January 31, 2025

Old Netgear Vuln in Depth; Lightning AI RCE; Canon Printer RCE; DeepSeek Leak

https://isc.sans.edu/podcastdetail/9304

PCAPs or It Didn't Happen: Exposing an Old Netgear Vulnerability Still Active in 2025 [Guest Diary]

https://isc.sans.edu/diary/PCAPs+or+It+Didnt+Happen+Exposing+an+Old+Netgear+Vulnerability+Still+Active+in+2025+Guest+Diary/31638

RCE Vulnerability in AI Development Platform Lightning AI

Noma Security discovered a neat remote code execution vulnerability in Lightning AI. This vulnerability is exploitable by tricking a logged in user into clicking a simple link.

https://noma.security/noma-research-discovers-rce-vulnerability-in-ai-development-platform-lightning-ai/

Canon Laser Printers and Small Office Multifunctional Printer Vulnerabilities

Canon fixed three different vulnerabilities affecting various laser and small office multifunctional printers. These vulnerabilities may lead to remote code execution, and there are some interesting exploit opportunities.

https://www.usa.canon.com/support/canon-product-advisories/service-notice-regarding-vulnerability-measure-against-buffer-overflow-for-laser-printers-and-small-office-multifunctional-printers

DeepSeek ClickHouse Database Leak

https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak

SANS ISC StormCast, Thursday, January 30, 2025

Python vs. PowerShell; Fortinet Exploits and Patch Policy; Voyager PHP Framework Vuln; Zyxel Targeted; VMware AVI Patch

https://isc.sans.edu/podcastdetail/9302

From PowerShell to a Python Obfuscation Race!

This information stealer not only emulates a PDF document convincingly, but also includes its own Python environment for Windows.

https://isc.sans.edu/diary/From+PowerShell+to+a+Python+Obfuscation+Race/31634

Alleged Active Exploit Sale of CVE-2024-55591 on Fortinet Devices

An exploit for this week's Fortinet vulnerability is for sale on Russian forums. Fortinet also requires patching of devices without a cloud license within seven days of patch release.

https://x.com/MonThreat/status/1884577840185643345

https://community.fortinet.com/t5/Support-Forum/Firmware-upgrade-policy/td-p/373376

The Tainted Voyage: Uncovering Voyager's Vulnerabilities

SonarQube identified vulnerabilities in the popular PHP package Voyager. One of them allows arbitrary file uploads.

https://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities/

Hackers exploit critical unpatched flaw in Zyxel CPE devices

A currently unpatched vulnerability in Zyxel devices is actively exploited.

https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-unpatched-flaw-in-zyxel-cpe-devices/

VMSA-2025-0002: VMware Avi Load Balancer addresses an unauthenticated blind SQL Injection vulnerability (CVE-2025-22217)

VMware released a patch for the AVI Load Balancer addressing an unauthenticated blind SQL injection vulnerability.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25346

SANS ISC StormCast, Wednesday, January 29, 2025

Learn about fileless crypto stealers written in Python; the ongoing exploitation of recent SimpleHelp vulnerabilities; new Apple Silicon Sidechannel attacks; a Team Viewer Vulnerability; and an odd QR Code

https://isc.sans.edu/podcastdetail/9300

Fileless Python InfoStealer Targeting Exodus

This Python script targets the Exodus crypto wallet and password managers to steal cryptocurrencies. It does not save exfiltrated data in files, but keeps it in memory for exfiltration.

https://isc.sans.edu/diary/Fileless+Python+InfoStealer+Targeting+Exodus/31630

Campaign Exploiting SimpleHelp Vulnerability

Arctic Wolf observed attacks exploiting SimpleHelp for initial access to networks. It has not been verified, but is assumed that vulnerabilities made public about a week ago are being exploited.

https://arcticwolf.com/resources/blog-uk/arctic-wolf-observes-campaign-exploiting-simplehelp-rmm-software-initial-access/

Two New Side Channel Vulnerabilities in Apple Silicon

SLAP (Data Speculation Attacks via Load Address Prediction): This attack exploits the Load Address Predictor in Apple CPUs starting with the M2/A15, allowing unauthorized access to sensitive data by mispredicting memory addresses. FLOP (Breaking the Apple M3 CPU via False Load Output Predictions): This attack targets the Load Value Predictor in Apple's M3/A17 CPUs, enabling attackers to execute arbitrary computations on incorrect data, potentially leaking sensitive information.

https://predictors.fail/

TeamViewer Security Bulletin

TeamViewer patched a privilege escalation vulnerability, CVE-2025-0065.

https://www.teamviewer.com/en-us/resources/trust-center/security-bulletins/tv-2025-1001/

Odd QR Code

A QR code may resolve to a different URL if looked at at an angle.

https://mstdn.social/@isziaui/113874436953157913

Limited Discount for SANS Baltimore

https://sans.org/u/1zQd