Copenhagen, Cisco, Korea, Cybercrime, and Criminals

It's all just a little bit of history repeating - and MegaZone is back in control again.  This time we're looking at news from June 29th through July 5th, 2025.  For my fellow USians, I hope you had a happy Fourth of July.  And I hope you still have all your fingers.

It is a bit light this week, as I was out of the office for a few days last week and this week, dealing with a family health crisis, so my time to read and digest the news, and then compile this issue, is a bit compressed.  But the show must go on!

Anyway, let's jump into it...

FIRSTCON 2025

The first item isn't security news, specifically, but I'm the one who decides what I'm going to write about.  June 22-27 I attended the 37th Annual FIRST Conference in Copenhagen, Denmark - aka FIRSTCON 2025.  The F5 SIRT officially became a member of FIRST in April of this year, and this was my first time attending FIRSTCON.  Some of the content was TLP:GREEN or TLP:AMBER, but most of it was TLP:CLEAR and I believe the recordings will be made available.  I recommend checking out the program for anything that might interest you.

While there was, of course, some security related content, I think my favorite session was Burnout: Detect, Investigate, Respond, Recover, Prevent.  While it was on the schedule as TLP:CLEAR, I believe it was changed to TLP:GREEN when presented, so the recording may not be available, which is unfortunate.  That said, the presenters did make their slides available for download (PPTX), and the final slide has a link to all of their references and resources.

Burnout is something I have personally struggled with for a long time, and I've had a number of friends and colleagues over the years hit burnout and need to take a break, change jobs, or even leave the tech industry entirely.  Cybersecurity is a field where burnout is a big problem, as we're often bouncing from crisis to crisis, long and irregular hours are common, and there is a culture of trauma bragging.  I've done it myself - told war stories about incidents where I worked around the clock, etc., like it's a source of pride.  I've touched on this topic previously.

Remember to take care of yourself.  And, should you find yourself in Copenhagen, the Copenhagen Distillery has some events available.

Cisco's Terrible, Horrible, No Good, Very Bad Month

Last week, my colleague ArvinF reported on a couple of Cisco Critical vulnerabilities, CVE-2025-20281 & CVE-2025-20282.  Unfortunately, a new week brings a new CVSS 10.0 Critical for Cisco, CVE-2025-20309.  This new CVE affects Engineering-Special Builds of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME), allowing an attacker to access the root account.

The root issue is a set of default, unchangeable credentials for the root account which were included for use during development, and it sounds like they should have been removed before shipping - but were missed.  Cisco has published a Security Advisory for the issue, and fixed software is available.

North Korea Is Still At It

I've covered this before, and I suspect I'll cover it again in the future.  North Korea is persisting with their fake IT worker scams, seeking to get their agents jobs in western companies using false identities.  They seem to be using these agents for espionage, obtaining western currency, and other criminal activities, and/or possibly as sleeper agents to use in the future.  It has become a real problem, and seems to be more widespread than reported in the past.

Recently, the US Department of Justice reported finding North Korean IT staff working at over 100 US companies.  That's fairly substantial, IMHO.  And unsealed court documents show one of their operations dates back at least to 2021, so this has been going on for years and could be even more prevalent.

It is not only the US that North Korea is targeting; the United Kingdom is also in their sights.  Researchers at Microsoft have found evidence that North Korean agents have been applying to IT positions in the UK.  As US law enforcement continues to uncover, and shut down, operations in the US, I think we can expect them to expand their operations to other countries.  The more sophisticated actors are using deepfakes and AI image manipulation to bolster their false identities and avoid detection.

Cybercrime Does Pay

This was a tidbit that grabbed my attention - according to researchers with Mastercard, if cybercrime were an economy, by 2029 it'd be the third largest in the world - after the US and China.  The researchers estimate that, by the year 2029, cybercrime would collectively account for $15.6 trillion of economic activity.

That actually surprised me.  Sure, you can't work in this field and not be aware of all of the crimes happening every day, but the scope of what they claim is beyond what I expected.  Of course, the researchers also partially blame the rise of AI, and its usefulness in cybercrime, for the rapid growth in activity.  Cybercrime has become big business, with 57% of the threats they detected coming from 'cybercrime-as-a-service' operations - even criminals are into SaaS.

Just a little tidbit I thought was interesting.  Job security, I suppose.

Criminals Doing Dumb Things

I'm including this just because I enjoy these kinds of stories - criminals getting caught because they were dumb.  You can be very clever, and still do dumb things.  Some lessons to take away:

  • If you're going to sell stolen corporate data, and accept crypto payments, do not use wallets for which you have verified your actual identity.
  • Do not commit a crime and then email your victim the details of said crime from your work account, especially not in an attempt to leverage your own crime into a paid gig 'fixing' the security system you damaged.
  • Remember that it only takes one oversight to get caught.  Don't forget to use Tor when logging into your criminal chatroom, even once.
  • Do not reveal details about yourself and your life, and especially do not reveal your real name, when posting as your criminal alter-ego.

There are others in the article, but I do enjoy the schadenfreude when reading these.

In a similar vein, don't behave like an idiot if you lose your job and trash things on the way out.  A British IT worker received a seven-month prison sentence for doing just this after being suspended from his job.  The company did make the mistake of not revoking his credentials when they let him go, but I'm not going to blame the victim here.  It wouldn't have been an issue if he had behaved like a professional - or just an adult.

He started modifying account credentials within hours of being suspended, locking out users and clients.  Compounding the issue, he logged what he'd done and discussed his actions in phone recordings, which were later recovered by the police.
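Two things went wrong on the defender's side of that story: the suspended employee's access was not revoked, and a burst of credential changes went unnoticed until users and clients were already locked out.  As an added example (not from the original post, and not an F5 tool), here is a small Python detector that runs over an audit log and flags both conditions: any activity by an account that HR has marked suspended, and any actor making several account-mutating changes within a short window.  The log format, field names, account names and timestamps are all constructed for illustration.

```python
"""Flag post-suspension activity and credential-change bursts in an audit log.

Added example, not code from the TWIS post or from any F5 product.  The log
format ("<ISO time> actor=<user> action=<verb> target=<account>") and the
sample data below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed HR feed: when each account was suspended (UTC).
SUSPENDED_AT = {
    "jdoe": datetime(2025, 7, 1, 9, 0, tzinfo=timezone.utc),
}

# Constructed audit log.  jdoe is suspended at 09:00 and keeps working anyway.
SAMPLE_LOG = """\
2025-07-01T08:45:00Z actor=jdoe action=login target=jdoe
2025-07-01T10:02:11Z actor=jdoe action=password_reset target=alice
2025-07-01T10:02:40Z actor=jdoe action=password_reset target=bob
2025-07-01T10:03:05Z actor=jdoe action=disable_account target=client-portal-svc
2025-07-01T10:03:30Z actor=jdoe action=password_reset target=carol
2025-07-01T11:15:00Z actor=helpdesk action=password_reset target=dave
2025-07-01T11:20:00Z actor=jdoe action=login target=jdoe
"""

# Actions that change someone else's ability to log in (constructed verb set).
ACCOUNT_MUTATIONS = {"password_reset", "disable_account", "delete_account", "change_mfa"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str
    action: str
    target: str


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line into an Event."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    # fromisoformat() did not accept a trailing 'Z' before Python 3.11.
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return Event(ts, fields["actor"], fields["action"], fields["target"])


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_post_suspension_activity(events: list[Event], suspended_at: dict) -> list[Event]:
    """Any event by a suspended actor at or after the suspension time.

    A suspended account should have no working credentials at all, so even a
    plain login after the cutoff is reportable, not just the mutations.
    """
    return [e for e in events if e.actor in suspended_at and e.ts >= suspended_at[e.actor]]


def find_mutation_bursts(events: list[Event], threshold: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> dict[str, int]:
    """Actors who performed >= threshold account mutations inside a sliding window.

    Returns {actor: largest number of mutations seen within one window}.
    """
    per_actor: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action in ACCOUNT_MUTATIONS:
            per_actor[e.actor].append(e)

    bursts: dict[str, int] = {}
    for actor, evs in per_actor.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[actor] = max(bursts.get(actor, 0), count)
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_post_suspension_activity(evs, SUSPENDED_AT):
        print(f"SUSPENDED ACTOR ACTIVE: {e.ts.isoformat()} {e.actor} {e.action} {e.target}")
    for actor, n in find_mutation_bursts(evs).items():
        print(f"MUTATION BURST: {actor} made {n} account changes within 5 minutes")
```

The first check is the one that would have caught this case outright: if the HR suspension feed is correlated with authentication and admin-action logs, a suspended account doing anything at all is an alert, regardless of what it does.  The burst check is the fallback for when offboarding was never recorded, and it also catches a legitimate-looking admin account that has been taken over.  Both depend on the audit trail existing in the first place, and on the suspension actually being communicated to whoever owns the identity system.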

I previously wrote about an event from ~30 years ago, around 1996 when I was working for Livingston Enterprises, maker of the PortMaster line.  So rash decisions aren't anything new.

But seriously, it isn't worth it.  Losing your job sucks - BTDT - but be professional about it.

That Was the Week That Was

Thank you for your time and attention this week.  I hope you found something of value in my ramblings.

As always, if this is your first TWIS, you can always read past editions.  I also encourage you to check out all of the content from the F5 SIRT.


Published Jul 11, 2025
Version 1.0