The Future Soon

It's the first May, first of May, outdoor... Oh, hi, didn't see you there.  Welcome back, once again, to This Week In Security, the weekly (mostly weekly) newsletter where we take the random security news of the week and run it down.  I'm your host this week, MegaZone, and these are the items that happened to catch my eye for the week of April 27th to May 3rd, as I once again drank from the firehose of doom, or security news, same thing.

But before I jump in, I just need to say... Signalgate.  What?  Or any of its sequels so far — the latest news is just insane.  Just when you think the cybersecurity clown show can't get any worse, or more ridiculous, it does.  I suspect that if anyone reading this right now did anything half as inept as some of our most trusted government officials, it would mean instant termination.  It's really frustrating working to try to improve security only to see those who should take it the most seriously utterly trashing it.  It's disheartening, really.  But her emails.

Anyway, let's jump into it...

Good Morning Tucson

It was a few weeks ago, but as this is my first TWIS since, I'm going to talk about VulnCon a bit.  VulnCon 2025 was held April 7–10 in Raleigh, NC, for the second year in a row—but it will not be back next year.  As revealed at the end of the event, and on the FIRST Events page for 2026 and 2027, VulnCon is moving to Arizona - but actually Scottsdale, not Tucson.  It is relocating to the DoubleTree Resort by Hilton, Paradise Valley, held April 13–16, 2026.  This is a resort with an attached convention facility, so we'll be able to stay on-site.  We'll also have more space, allowing for more content and more attendees.  We don't want to grow too quickly, and this facility should be good for at least the next couple of years.

I’ll miss Raleigh. The last few years have been fun because I’ve been able to explore the area, find interesting places, and go back to some of my favorite places.  The McKimmon Center at NC State has been a decent facility for us, but we've outgrown it and needed to find a new place.  I've never been to Scottsdale, so that'll be a new experience.

Back to this year — VulnCon was bigger and better in its second year.  I may be biased, as a member of the program committee, but I was impressed by the presentations I personally attended and I've talked to a number of others who felt the same.  This year we had four days, up from three, and more simultaneous rooms on most days, meaning a significant overall increase in session count from the first year.  Speaking of, most of the sessions should soon be published to YouTube.  I was hoping they'd be up by now, but they're not quite ready, so keep an eye on FIRST's YouTube channel for those to be posted soon.  The VulnCon 2024 content is there if you want to revisit that.

Day two had a track largely dedicated to the EU Cyber Resilience Act (CRA), and my colleague Christopher_Pa1 attended all of those sessions as a crash course in the CRA and related issues.  I believe his impression when we had lunch together was that the CRA was "nightmare inducing".  He wrote about it in his issue of TWIS a couple of weeks ago.  For a while, I've been telling anyone who listens that they need to learn about the CRA and start planning how to handle its rules.  If you do any business in the EU, there's a good chance the CRA will impact your business.

It wasn't a perfect event; we had some glitches and some lessons learned.  But overall I think it went well and the issues were pretty minimal for an event in its second year, especially with the growth we experienced.  We'll endeavor to continue to improve, and hopefully next year is even better.  I'm looking forward to it—VulnCon has become my favorite event of the year.

Till the Money Comes

Another issue my colleague Christopher_Pa1 wrote about a couple of weeks ago, which I'm going to revisit anyway, is the CVE Program and the kerfuffle over funding.  As regular TWIS readers are likely aware, I'm on the Board of the CVE Program as the CNA Board Liaison.  News of the CVE Program's demise was greatly exaggerated.  To lay things out, there were basically three entities involved:

  • The CVE Program (CVE.org), run by an independent Board
  • CISA, part of DHS, providing the funding to run the CVE Program
  • MITRE, the contractor paid to maintain the infrastructure for the CVE Program

Fundamentally, this was a contract dispute between CISA (source of the funding) and MITRE (recipient of the funding), which unfortunately went public when a letter from MITRE to the CVE Board was 'leaked'.  Note that the contract wasn't for CVE specifically, but was a larger contract which covered CVE, CWE, and other efforts that MITRE runs for the US government.

No one is sure who 'leaked' MITRE's letter to the CVE Board, but it did leak, and that caused a lot of panic and hyperbolic, inflammatory press coverage.  There was really no risk that the program was going to shut down at midnight on April 15.  Even though MITRE's contract was ending, the way things are hosted, even if no additional bills were paid, it would have continued to run for a while.  The public panic and outcry worked, and that night CISA extended MITRE's funding for another 11 months.  The CVE Program is stable and funded for now.  I certainly have an opinion on the most likely source of the leak, and I do not believe anyone on the Board was responsible, but it really isn't important at this point.

After the incident, another player entered the picture: The CVE Foundation.  The Foundation is a US 501(c)(3) non-profit based in Washington state, formed last year.  Full disclosure, I have been involved with the Foundation since last year, when I was approached about it.  A majority of the CVE Program Board has been involved for a while.  The intention was to explore possible solutions to issues we saw with the program, to strengthen and improve the program overall.  The idea was to try to create workable solutions that could then be brought to the program as more than just ideas and concepts, and things were still in fairly early stages.

The Foundation's effort gelled around a few different things; this is not the first time there have been funding issues, and there have been other issues as well.  Some non-US entities are reluctant to participate in the CVE Program because it is viewed as a 'US government program', despite the independent board.  Relying on a single source of funding has inherent risks, especially when that funding is subject to political whim.  There are efforts the CVE Program would like to undertake, but the current budget constraints limit what is possible.  We hadn't intended to come forward just yet, as work was still being done on the proposals.

However, the crisis forced us to unveil the effort before someone else decided to step in with a similar effort.  In that first day, we did see several other 'CVE alternatives' proposed, largely based on the reporting that made it sound like the program was ending imminently.  That Tuesday night was a mad scramble of registering an email account, domains, and spinning up a website as fast as possible—which I handled.  I also created our Mastodon/Fediverse account, while others set up accounts on other platforms like Bluesky and LinkedIn.  (I don't think anyone wanted to touch the cesspit that is 'X' these days.)  I am not an officer of the Foundation; I was just in the right place, at the right time, with the right skillset to help out.

Others have since taken on the day-to-day operations of those properties.  The Foundation’s website now contains content explaining what the effort is about, and answering some of the questions that have come up in the past few weeks.  Work is still going on to create a formal organization to handle the tasks needed of a Foundation that is now public. These tasks include handling press inquiries and the large amount of email received.

The plan from the Foundation is to move the CVE Program under the aegis of the non-profit and diversify funding sources.  There are already many large industry players who have pledged support to the effort.  This would also open the program to global funding, which would help ease the ‘US-centric’ perception which hinders participation.  Much work remains to be done, and many discussions with the different parties involved, so I don't expect any fast changes.  And it may not come to fruition at all.

TL;DR: The CVE Program continues as it has.  A significant, and growing, number of board members feel that the program would be better under the aegis of an independent non-profit with a public funding model.  However it plays out, there is no real risk to the program today.

Still Alive

I feel like I've been writing something about Salt Typhoon every time it has been my turn in the hot seat for the past year.  Of course, it could also be a self-fulfilling thing - I've covered them so much that I'm very aware of them, so when new articles pop up in my feed, they're more likely to grab my attention.  Of course, they have to be perpetually in the news for that to happen.  Anyway, after all this time, the news keeps coming.  The FBI is asking the public for any tips relating to Salt Typhoon.  They're hoping the public can help them find the Chinese hackers who have conducted one of the largest cyberattack campaigns against the US telecom industry to date.  And the full extent of the attacks is still being uncovered.

It should be a wake-up call for the industry, given that companies were caught off guard by the extent of the penetrations into their networks.  But companies running critical infrastructure should not be surprised to be the target of nation-state APTs.  They're the most obvious targets you could name—telecom, power grid, water supplies, and more.  If you're a nation state and you're not trying to penetrate the networks of your adversaries, do you even have a cyber program?  I think most cybersecurity professionals just take it for granted that these attacks are constant and ongoing.

Sticking It to Myself

Sometimes cybercriminals are higher-skilled, moving through networks undetected, covering their tracks, persisting in the very fabric of the network - like Salt Typhoon.  And sometimes they're just complete morons, like these two chuckleheads.

First there's Jeffrey Bowie, a self-declared 'Cybersecurity CEO' from Edmond, Oklahoma, who was caught red-handed installing malware on hospital PCs.  In person - not over the network.  This malware was PowerShell code, which would take a screenshot every 20 minutes and upload it to a server.  He was seen using not only a system for guests, but also a staff workstation, and malware was subsequently found on them.  OK, but that might be a coincidence, so how can we be sure he did it?  Because this rocket surgeon's galaxy brain decided to go on LinkedIn to explain himself - wherein he confessed to doing it.  That should make life easier for the prosecutor handling his two counts of violating Oklahoma's Computer Crimes Act.  I don't know why he thought this would help his case - maybe he was using the Kratom extracts his other company appears to sell.

And then there is Michael Scheurer, an ex-Disney employee who just got handed a three-year jail term for accessing Disney IT systems without authorization and basically vandalizing the system used to create menus for restaurants across the Walt Disney World property.  He did this after being fired for misconduct, and, rather than accepting this as an adult, he decided to use his knowledge of the systems to obtain access after his termination.  But he did a terrible job of covering his tracks, and the access was easily traced back to him.  Taking things from childish to dangerous, he also edited the allergen information on some menus.  That could have caused a serious health crisis, even death, had someone unknowingly been exposed to an ingredient they were allergic to.  Fortunately, the altered menus were caught before they were distributed.

Scheurer also ran a DoS attack against Disney’s systems, locking out employees by deliberately trying to authenticate with invalid credentials until the system locked the accounts.  Quite a bit of evidence was compiled, and he wisely chose to plead guilty.
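The lockout pattern described above is detectable from authentication logs alone: a single source whose failed logins spread across many accounts in a short window looks nothing like one user mistyping a password.  This is an added example, not code from the post or from Disney; the log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format (constructed, not any product's): <ISO ts> auth <FAIL|OK|LOCKED> user=<u> src=<ip>
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK|LOCKED) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
# Constructed sample: one source cycles through accounts until each locks; dave just mistypes once.
SAMPLE_LOG = """\
2025-04-28T09:00:01 auth FAIL user=alice src=203.0.113.7
2025-04-28T09:00:03 auth FAIL user=alice src=203.0.113.7
2025-04-28T09:00:04 auth LOCKED user=alice src=203.0.113.7
2025-04-28T09:00:06 auth FAIL user=bob src=203.0.113.7
2025-04-28T09:00:08 auth FAIL user=bob src=203.0.113.7
2025-04-28T09:00:09 auth LOCKED user=bob src=203.0.113.7
2025-04-28T09:00:11 auth FAIL user=carol src=203.0.113.7
2025-04-28T09:00:13 auth FAIL user=carol src=203.0.113.7
2025-04-28T09:00:14 auth LOCKED user=carol src=203.0.113.7
2025-04-28T09:01:00 auth FAIL user=dave src=198.51.100.5
2025-04-28T09:01:20 auth OK user=dave src=198.51.100.5
"""

def parse(log):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def lockout_storms(log, window=timedelta(minutes=5), min_users=3):
    """Map each source whose failures touch >= min_users distinct accounts within
    any `window` to its counts. One user's typos never trip this; a campaign does."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse(log):
        if result != "OK":  # successes are not part of the pattern
            by_src[src].append((ts, result, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, _, u in in_win}
            if len(users) >= min_users:
                flagged[src] = {
                    "users": len(users),
                    "failures": sum(r == "FAIL" for _, r, _ in in_win),
                    "lockouts": sum(r == "LOCKED" for _, r, _ in in_win),
                }
                break  # first qualifying window is enough to flag this source
    return flagged
```

Tune `window` and `min_users` to the environment's lockout policy; the LOCKED count in the result tells you how many accounts need to be unlocked once the source is blocked.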

I've seen things like this in the past, and while it might feel good to lash out in the moment, I have never seen it work out for the perpetrator.  I remember one incident, from early in my career, when an admin at an ISP was dismissed.  On their way out, they subtly misconfigured every system - not enough that it would fail outright, but enough that it would experience annoying problems.  For example, reconfiguring a 30-port access server (hey, it was the 90s) to have only 29 IPs in the pool to be assigned.  Whenever things got busy and all the lines filled up, the last customer to connect couldn't negotiate successfully as there was no IP available.  But you'd only see this if you were the 30th person to connect to that system.  As the ISP had many systems, when it failed and the customer tried to reconnect, they might hit a different server and succeed.  So it was this annoying, intermittent issue.

I helped the customer scrub through all of their configurations, looking for this kind of thing, and we found a number of different issues.  Most of them I've long since forgotten, but I did admire the knowledge and skill demonstrated - it's a lot harder to make things mostly correct, but just incorrect enough to be a gremlin in the system, than it is to just slash and burn everything.  Of course, it was also very obvious who did it and law enforcement was involved.  I don't know what eventually happened, but it seemed like a pretty open-and-shut case from where I was sitting.

Ordinary Man

A few TWIS stints ago, I covered a story about North Korean agents posing as Western workers to land jobs both to gather intelligence and to earn money to support the North Korean regime.  Well, that's still going on.  CrowdStrike claims that thousands of North Korean agents have infiltrated the Fortune 500.  That's pretty serious, but I am amused by the interview question CrowdStrike's Adam Meyers suggested to weed out these agents: "How fat is Kim Jong Un?"  Exploiting their unwillingness to say anything potentially negative about the Supreme Leader, Meyers claims they'll terminate the call immediately.  That's clever, but I suspect agents will be trained that it is OK to respond to maintain their cover.

But maybe they don't even need to maintain a cover, if someone is willing to just outsource their work to North Korea for money.  That is what a Maryland man did after landing a job working on US government software.  He has pleaded guilty to conspiracy to commit wire fraud after spending multiple years convincing US companies to hire him as a remote developer, only to outsource the actual work to developers overseas - including someone in China who openly claimed to be North Korean.  He went through the interview process to obtain a job working on a contract for the Federal Aviation Administration described as: "part of a national defense program to develop software used by various other government entities that would allow them to coordinate aviation assets effectively."  But that's just one of 13 different roles he fraudulently obtained and outsourced, earning more than $970,00 in the process.

I hope it was worth it, as he faces up to 20 years in prison when sentenced in August.

Make You Cry

Another week, another CVSS 10.0 Critical vulnerability.  This time it is CVE-2025-31324 in SAP NetWeaver Visual Composer, an unauthenticated file upload vulnerability.  And, bonus, it has already landed on the CISA Known Exploited Vulnerabilities (KEV) list.  At the time, Shadowserver was reporting 454 vulnerable IPs, but it was also reported that over 7,500 servers were exposed and possibly vulnerable.  A fix is available, and mitigation was also possible in the meantime.

That Was the Week That Was

Thank you for your time and attention this week.  I hope you found something of value in my ramblings.

As always, if this is your first TWIS, you can always read past editions.  I also encourage you to check out all of the content from the F5 SIRT.

Updated May 08, 2025
Version 2.0