🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• HvLoader: HvLoader.efi is an EFI application for loading an external hypervisor loader - Microsoft 🔍 Show Kagi Synopsis
  The provided GitHub repository for `HvLoader.efi` details a technical overview of an EFI application designed for loading hypervisor loaders. It outlines the application's functionality, command-line arguments, and path limitations. The document also includes instructions for setting up the build environment and compiling the application using the TianoCore EDK2 framework. A key security requirement mentioned is that `HvLoader.efi` must be signed to function with Secure Boot enabled 【1】.
  
  **What Happened:**
  The repository describes the development and technical specifications of `HvLoader.efi`. It does not detail a specific cybersecurity incident or breach 【1】.
  
  **Who is Affected:**
  The document does not specify any particular groups or individuals affected by a cybersecurity event. It is a technical resource for developers working with hypervisor loaders and EFI applications 【1】.
  
  **Security Implications:**
  The primary security implication discussed is the necessity for `HvLoader.efi` to be **signed to comply with Secure Boot requirements** 【1】. This ensures that only trusted code can be loaded during the boot process.
  
  **Technical Details:**
  - **Functionality:** `HvLoader.efi` is an EFI application for loading hypervisor loaders 【1】.
  - **Command-line Arguments:** Specific arguments for the application are detailed 【1】.
  - **Path Limitations:** Restrictions on file paths are noted 【1】.
  - **Build Environment:** Instructions are provided for setting up a build environment using the TianoCore EDK2 framework 【1】.
  - **Signing:** The application requires signing for Secure Boot compatibility 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that **any EFI application, including `HvLoader.efi`, must be properly signed to be trusted by Secure Boot**. This signing process is crucial for maintaining the integrity of the boot process and preventing the execution of unauthorized or malicious code during system startup 【1】.
• STATICPLUGINによって実行される最新のPlugX亜種 – Latest PlugX variants executed by STATICPLUGIN - IIJ 🔍 Show Kagi Synopsis
  In January 2026, a new variant of the **PlugX malware** was discovered, believed to be associated with the Chinese APT group **UNC6354**, which is known for cyber espionage and has connections to the Mustang Panda APT group 【1】.
  
  **What Happened:**
  The malware was distributed using a downloader named **STATICPLUGIN**, which masqueraded as a browser update 【1】. Once executed, STATICPLUGIN downloaded and ran a malicious MSI file. This MSI file then dropped several files, including `Avk.exe`, `Avk.dll`, and `AVKTray.dat`. The `Avk.exe` file utilized **DLL Sideloading** to load the PlugX variant from `Avk.dll`. Subsequently, `Avk.dll` resolved API functions and executed shellcode from `AVKTray.dat`, which ultimately decoded and ran the PlugX variant in memory 【1】.
  
  **Who is Affected:**
  The primary targets of this campaign appear to be **government agencies and related personnel in Southeast Asian countries** 【1】.
  
  **Security Implications:**
  The ongoing evolution of PlugX variants and their deployment through sophisticated methods like STATICPLUGIN pose a significant threat to **national security and the theft of sensitive data** 【1】. The use of techniques such as DLL Sideloading and multi-layered encryption for configuration data highlights the advanced capabilities of these threat actors 【1】.
  
  **Technical Details:**
  - **Initial Dropper:** STATICPLUGIN, a new version of a previously reported malware, disguised as a browser updater 【1】.
  - **Malicious Payload:** An MSI file that drops `Avk.exe`, `Avk.dll`, and `AVKTray.dat` 【1】.
  - **Execution Method:** `Avk.exe` uses **DLL Sideloading** to load `Avk.dll` 【1】.
  - **Shellcode Execution:** `Avk.dll` resolves API functions and executes shellcode from `AVKTray.dat`, which then decodes and runs the PlugX variant in memory 【1】.
  - **Configuration Data:** Command and Control (C2) server addresses and other configuration details are **XOR-encoded and RC4-encrypted**, with a specific decoding process described in the article 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of these **evolving PlugX variants** and the use of **STATICPLUGIN as an initial infection vector** 【1】. The **DLL Sideloading technique** employed is a critical detail to monitor for. Furthermore, understanding the **multi-layered encryption and encoding of configuration data** is essential for analysis and detection 【1】. The article also provides specific **Indicators of Compromise (IoCs)**, including network addresses, file hashes, and file paths, which can aid in threat hunting and defense 【1】.
• Detecting and preventing distillation attacks - "We have identified industrial-scale campaigns by three AI laboratories—DeepSeek, Moonshot, and MiniMax—to illicitly extract Claude’s capabilities" - Anthropic 🔍 Show Kagi Synopsis
  The article details **industrial-scale "distillation attacks"** that were carried out by three AI laboratories: **DeepSeek, Moonshot, and MiniMax** 【1】. These labs allegedly used over 16 million exchanges from approximately 24,000 fraudulent accounts to illicitly extract capabilities from Anthropic's Claude models, aiming to improve their own AI models 【1】. This action violated Anthropic's terms of service 【1】.
  
  **Who is affected:**
  * **Anthropic's Claude models** are directly affected by the extraction of their capabilities 【1】.
  * The **global AI community** and **national security** are also impacted due to the potential misuse of distilled models 【1】.
  
  **Security implications:**
  * Illicitly distilled AI models may **lack essential safeguards**, which could allow authoritarian governments to deploy AI for harmful purposes such as **offensive cyber operations, disinformation campaigns, and mass surveillance** 【1】.
  * These attacks also **undermine export controls** that are in place to maintain AI advantages 【1】.
  
  **Technical details:**
  * **Distillation** is a process where a less capable model is trained using the outputs of a more capable model 【1】.
  * The attackers employed **fraudulent accounts, proxy services, and "hydra cluster" architectures** to evade detection 【1】.
  * They generated a large volume of **carefully crafted prompts** designed to extract specific functionalities, including **agentic reasoning, tool use, and coding capabilities** 【1】.
  
  **What defenders should know:**
  * Defenders are implementing **detection classifiers** and **behavioral fingerprinting** to identify such attacks 【1】.
  * **Intelligence sharing** with other AI labs and authorities is crucial 【1】.
  * Strengthening **access controls** and developing **countermeasures** to reduce the effectiveness of model outputs for illicit distillation are ongoing efforts 【1】.
  * Addressing this threat requires **rapid, coordinated action** involving the AI industry, cloud providers, and policymakers 【1】.
• Have you tried turning it off and on again? On bricking OT devices (part 2) - Midnight Blue 🔍 Show Kagi Synopsis
  The article "Have you tried turning it off and on again? On bricking OT devices (part 2)" details the escalating threat of destructive wiper and bricking attacks targeting Operational Technology (OT) devices, predicting a rise in "commodity embedded wiper attacks" 【1】.
  
  **What Happened:**
  The article outlines several incidents where OT devices were rendered inoperable. These include attacks on the Polish electric grid (December 2025), the Ukrainian electric grid (BlackEnergy, 2015), Iranian fuel stations (Predatory Sparrow, 2021/2023), ViaSat KA-SAT modems (AcidRain, 2022), and industrial routers in Russia and Belarus (2022-2023), as well as Russian wastewater monitoring systems (Fuxnet, 2023-2024) 【1】. The methods employed involve overwriting data, corrupting firmware, or physically damaging storage to disable devices 【1】.
  
  **Who is Affected:**
  The primary targets are OT environments, encompassing critical infrastructure such as electric grids, fuel stations, and communication networks 【1】. Specific devices that have been affected include serial-to-Ethernet converters (Moxa, iRZ), Point-of-Sale (POS) devices (Ingenico), satellite modems (ViaSat SurfBeam2), and industrial routers (iRZ, Teleofis) 【1】. The article notes that while Linux-based devices are increasingly targeted, conventional operating systems like Windows Embedded are also vulnerable 【1】.
  
  **Security Implications:**
  These attacks significantly amplify the impact of cyber incidents by disabling critical OT devices, leading to substantial operational disruptions, prolonged downtime, and potential physical damage 【1】. The increasing availability of wiper payloads means that less sophisticated actors can execute these attacks, broadening the threat landscape 【1】. The article also suggests that current standards compliance, such as IEC 62443, may be insufficient to prevent these attacks due to vague requirements 【1】.
  
  **Technical Details:**
  The article describes various Tactics, Techniques, and Procedures (TTPs) used in these attacks. These include exploiting vulnerabilities (e.g., CVE-2024-8036, CVE-2016-4500, CVE-2016-2309) to deploy malicious firmware or applications 【1】. Attackers utilize methods such as exploiting default credentials, credential sniffing, remote code execution (RCE), corrupting block devices, recursive file deletion, and even attempting to physically destroy NAND flash memory 【1】. Malware examples include KillDisk, BrickerBot, Mirai, and AcidRain 【1】. Common attack vectors include SSH, FTP, Telnet, TFTP, and proprietary sensor management protocols 【1】.
  
  **What Defenders Should Know:**
  Defenders should implement several measures to mitigate these risks:
  - **Harden remote access:** Employ strong passwords, access control lists (ACLs), disable undocumented backdoor accounts, and turn off unused network services 【1】.
  - **Microsegmentation:** Implement strong microsegmentation around critical OT devices 【1】.
  - **Secure protocol flows:** Restrict sensitive protocol flows (firmware updates, logic downloads, shell access) to hardened endpoints 【1】.
  - **Verify firmware security:** Ensure firmware updates and logic downloads are securely authenticated and signed; disable remote invocation if they are not 【1】.
  - **Assume subpar security:** Recognize that even newer OT devices may have weak security, particularly concerning RCE vulnerabilities 【1】.
  - **Regular testing:** Conduct regular penetration testing and red teaming exercises 【1】.
  - **Advanced adversary awareness:** Understand that advanced adversaries may still pose a risk, necessitating thorough technical analysis and adjusted recovery strategies for mass-bricking events 【1】.
• The DJI Romo robovac had security so poor, this man remotely accessed thousands of them - The Verge 🔍 Show Kagi Synopsis
  A significant security vulnerability was discovered in **DJI Romo robot vacuums**, allowing unauthorized remote access to thousands of devices worldwide 【1】.
  
  **What Happened:**
  Security researcher Sammy Azdoufal discovered that by extracting his own device's private token, he could gain access to and remotely control approximately 7,000 DJI Romo robot vacuums globally. This access allowed him to view live camera feeds, listen through microphones, map rooms, and determine the approximate location of these devices without any form of authentication 【1】.
  
  **Who is Affected:**
  The vulnerability affected owners of **DJI Romo robot vacuums**. Azdoufal's research indicated that he could access around 7,000 such devices, and potentially over 10,000 DJI devices including power stations 【1】.
  
  **Security Implications:**
  This incident highlights severe security flaws in DJI's products and raises concerns about their data handling practices. The ability for an attacker to access live camera feeds, microphones, and room mapping data from smart home devices is a major privacy and security risk 【1】. The vulnerability exposed sensitive data including serial numbers, cleaning status, camera feeds, room mapping, and device location 【1】.
  
  **Technical Details:**
  The vulnerability stemmed from a lack of proper server-side permission validation. Even though communication was encrypted using TLS, the topic-level access controls were not adequately implemented. This allowed unauthorized users to access data by exploiting the system's trust in the provided tokens 【1】.
  
  **What Defenders Should Know:**
  Defenders, particularly manufacturers of connected devices, need to be aware that **encrypted communication alone is insufficient** if server-side validation is weak. Robust security requires proper implementation of access controls at all levels, including topic-level permissions. While DJI has stated they are addressing remaining vulnerabilities, this incident underscores the critical need for manufacturers to prioritize strong security measures and transparency in their connected devices 【1】.
• I found a Vulnerability. They found a Lawyer. - Yannick Dixken . 🔍 Show Kagi Synopsis
  The article describes a security vulnerability discovered in a sports insurer's portal, where user accounts, including those of students (some of whom were minors), could be accessed using predictable, incrementing numeric user IDs and a default password that was not enforced to be changed 【1】.
  
  **Who is affected:**
  * **Users of the sports insurer's portal:** This includes students and potentially other individuals whose personal data was stored on the platform 【1】.
  
  **Security implications:**
  * **Unauthorized access to sensitive personal data:** This included names, dates of birth, addresses, phone numbers, and email addresses 【1】.
  * **Potential GDPR violations:** The breach of personal data could lead to non-compliance with data protection regulations 【1】.
  * **Reputational damage to the organization:** The organization's response prioritized reputation management over user data protection 【1】.
  
  **Technical details:**
  * **Predictable User IDs:** User accounts were accessible via sequential, incrementing numeric IDs 【1】.
  * **Static Default Password:** A default password was used, and users were not compelled to change it, making accounts easily compromisable 【1】.
  
  **What defenders should know:**
  * **Organizations:**
  * Must implement clear **Coordinated Vulnerability Disclosure (CVD)** policies 【1】.
  * Should foster **transparency** and avoid legal threats against researchers 【1】.
  * Are **responsible for data security**, not the users 【1】.
  * Need to ensure **affected users are notified** of breaches as required by regulations like GDPR 【1】.
  * **Researchers:**
  * Should follow **responsible disclosure procedures** and report vulnerabilities to organizations and relevant bodies like CSIRTs 【1】.
  * Should **avoid signing restrictive Non-Disclosure Agreements (NDAs)** 【1】.
  * It is advisable to **document all communications** during the disclosure process 【1】.
  
  The vulnerability has since been fixed, but it is unclear if all affected users were notified 【1】.
• Apache ActiveMQ Exploit Leads to LockBit Ransomware - The DFIR Report - The DFIR Report 🔍 Show Kagi Synopsis
  This report details an intrusion that began in mid-February 2024, where a threat actor exploited a vulnerability in an internet-facing **Apache ActiveMQ server** (CVE-2023-46604) to gain **remote code execution (RCE)** 【1】. The attacker used a Java Spring class and a custom Java Spring bean configuration XML file to achieve this. Although initially removed, the threat actor regained access 18 days later by exploiting the same unpatched server 【1】.
  
  **What Happened:**
  The threat actor utilized **Metasploit and Meterpreter** for post-exploitation activities, including escalating privileges to the SYSTEM level, accessing LSASS process memory, and moving laterally across the network 【1】. After re-establishing access, they deployed **LockBit ransomware** via RDP 【1】. While the ransomware binary showed LockBit signatures, modifications to the ransom note and the exclusive use of the Session messaging service suggest it was created using a leaked LockBit builder by an independent actor 【1】.
  
  **Who is Affected:**
  The attack primarily targeted an organization with an internet-facing Apache ActiveMQ server. Subsequently, multiple systems within the network were affected, including **domain controllers, a backup server, and a file server** 【1】.
  
  **Security Implications:**
  The exploit resulted in a full-scale ransomware deployment, leading to system encryption and the display of ransom notes 【1】. The threat actor's ability to regain access after being evicted underscores the critical importance of **patching vulnerabilities** 【1】. The use of a leaked builder indicates that even custom-modified ransomware can pose a significant threat 【1】.
  
  **Technical Details:**
  * **Vulnerability:** CVE-2023-46604 in Apache ActiveMQ 【1】.
  * **Initial Access:** Achieved through RCE via a crafted OpenWire command containing a Java Spring class and a malicious XML configuration file 【1】.
  * **Tools Used:** Metasploit, Meterpreter, CertUtil (for downloading payloads), AnyDesk (for remote access), and a modified LockBit ransomware builder 【1】.
  * **Techniques Employed:** Privilege escalation (GetSystem), LSASS memory dumping, lateral movement (SMB traffic, RDP, remote service execution), defense evasion (log clearing, disabling Defender), and persistence (AnyDesk service) 【1】.
  * **Command and Control (C2):** Primarily through Metasploit (166.62.100.52) and later AnyDesk 【1】.
  * **Indicators of Compromise (IOCs):** Specific IP addresses, file names (e.g., rdp.bat, LB3_pass.exe, LB3.exe, netscan.exe), and SHA256 hashes for executables and scripts are detailed in the report 【1】.
  
  **What Defenders Should Know:**
  * **Patching is Crucial:** Promptly patching vulnerabilities like CVE-2023-46604 on systems such as Apache ActiveMQ is essential to prevent exploitation 【1】.
  * **Detection:** Defenders should utilize the provided network and Sigma detection rules, which cover Metasploit activity, misuse of CertUtil, AnyDesk installation, and RDP connections 【1】.
  * **Monitoring:** It is important to monitor for suspicious SMB traffic, unusual process execution (especially Java spawning shells), LSASS memory access, and unauthorized RDP activity 【1】.
  * **Ransomware Variants:** Be aware that leaked ransomware builders can lead to custom variants that may bypass traditional detection methods, as seen with the use of Session messaging in this incident 【1】.
  * **Re-entry Risk:** Threat actors can re-exploit systems if vulnerabilities are not remediated, emphasizing the need for continuous monitoring and robust incident response capabilities 【1】.
  * **Tool Misuse:** Recognize that legitimate tools like AnyDesk and CertUtil can be repurposed for malicious activities 【1】.
• [CVE-2026-0714] TPM-sniffing LUKS Keys on an Embedded Device - CYLOQ 🔍 Show Kagi Synopsis
  A vulnerability, **CVE-2026-0714**, has been discovered that allows an attacker with physical access to an embedded device to **sniff LUKS decryption keys from the SPI bus** 【1】.
  
  **What Happened:**
  The vulnerability involves the **Moxa UC-1222A Secure Edition**, an ARM-based industrial computer that utilizes a discrete TPM 2.0 (Infineon SLB9670) to safeguard its storage encryption keys. An attacker can passively monitor the SPI bus during the device's boot process to capture the full LUKS decryption key, which is transmitted in plaintext 【1】.
  
  **Who is Affected:**
  The **Moxa UC-1222A Secure Edition** is the specific device identified as affected by this vulnerability 【1】.
  
  **Security Implications:**
  The primary security implication is that an adversary with **physical access can obtain the complete LUKS decryption key**. This recovered key can then be used to **decrypt the device's encrypted storage**, compromising sensitive data 【1】.
  
  **Technical Details:**
  The attack exploits the host SoC issuing a `TPM2_NV_Read` command to retrieve the LUKS key from a policy-protected Non-Volatile (NV) index. While the TPM correctly enforces authorization, the key material is sent unencrypted over the SPI interface. The exploit was demonstrated using a logic analyzer to capture SPI traffic, custom scripts to parse TPM 2.0 commands, and tools like `hexdump` to extract the key. This differs from previous TPM sniffing attacks that focused on `TPM2_Unseal`, as this vulnerability specifically targets `TPM2_NV_Read` for key release 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that **TPM bus sniffing attacks are not confined to client PCs but can also impact embedded systems**. To mitigate these risks, it is recommended to follow the **Trusted Computing Group (TCG) guidance on CPU–TPM Bus Protection**. This includes implementing **encrypted sessions**, such as salted sessions, to protect sensitive command and response parameters transmitted between the host and the TPM 【1】.
• PayPal February 2026 Breach Notification - PayPal 🔍 Show Kagi Synopsis
  On December 12, 2025, **PayPal experienced a cybersecurity incident** that resulted in the exposure of Personally Identifiable Information (PII) for a limited number of customers 【1】.
  
  **What Happened:**
  The incident originated from an **error in the PayPal Working Capital (PPWC) loan application** that inadvertently exposed customer data to unauthorized individuals. This exposure occurred between July 1, 2025, and December 13, 2025 【1】. PayPal has since rectified the issue by rolling back the erroneous code change 【1】.
  
  **Who is Affected:**
  A **small number of PayPal customers** had their PII exposed. The affected information may include business contact details such as **name, email address, phone number, and business address**, in addition to **Social Security numbers and dates of birth** 【1】.
  
  **Security Implications:**
  The primary security implication is the **unauthorized access to sensitive personal and business information**, which could be used for identity theft or fraudulent activities. PayPal has taken steps to mitigate this by resetting passwords for affected accounts, requiring new passwords upon login, and issuing refunds for any unauthorized transactions 【1】.
  
  **Technical Details:**
  The article indicates that the breach stemmed from a **code error within the PayPal Working Capital loan application** 【1】. While specific technical details of the error are not extensively provided, it is stated that the **code change responsible has been rolled back** 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of the potential for **PII exposure due to application code errors**, particularly in financial services. The incident highlights the importance of robust code review and testing processes. PayPal is offering **two years of complimentary credit monitoring and identity restoration services** through Equifax to affected customers 【1】. Customers are advised to remain vigilant, monitor their accounts and credit reports for suspicious activity, and enroll in the provided credit monitoring services by June 30, 2026 【1】.