Tracks, Hacks, and Time to Relax

Time flies when you're having fun, and I have been having fun, so it is time once again for me to bring you the news.  MegaZone is back to cover the week of August 17th through the 23rd, 2025.

As for the fun, I was on PTO the previous two weeks, my first real break since February.  It was the longest stretch I've taken off since - I don't know when.  My wife & I did an eight-night Disney cruise out of Southampton, England, stopping in Belgium and multiple locations in Norway.  Followed by two days in London and three in Scotland.  While in London, I spent a fun afternoon at Compass Box Whisky Co., thanks to a friend who works at their HQ.  In Scotland, we stayed at the Glenmorangie House, which is just incredible.  I strongly recommend it.  The house itself is amazing and the extensive grounds are gorgeous.

The day we arrived, we did a little tour of the area around Inverness - including Loch Ness and The Singleton of Glen Ord. But for me the real highlight was the second day.  As might be obvious, I have an interest in whisky, with a particular obsession for Compass Box - and Glenmorangie.  I spent the entire day, around eight hours, at the distillery having just an amazing experience.  I met and was able to spend time chatting with a number of wonderful people who are also passionate about whisky.  I only wish we had more time there! Scotland is a beautiful country.  Now we know we need to get back and spend more time there just exploring.

I will say we learned that a tiny cabin on a sleeper train, which we took from London to Inverness, isn't a mode of travel we enjoy and probably would not repeat.  Definitely not made for someone of my stature, let's say.  But you have to try it to find out, and it was a new experience.

This is a long way of saying that I quite deliberately haven't been paying any attention whatsoever to the security world the past two weeks.  My work apps were disabled and I was deliberately trying to unplug and reset, so I'm playing a bit of catch-up with the news.  And you get to follow along - how fun for you.

Of course, while I was out, F5 itself dropped some major news, as detailed in K000152956: BIG-IP strategic update: Modernizing BIG-IP TMOS and discontinuing BIG-IP Next.  The title kind of gives it away.  While it is not directly security news, you might imagine this created a few ripples across other areas, such as prep work for future QSNs.  And I think it is safe to say there will be security-related changes coming to BIG-IP as part of the modernization effort.

Let’s just jump into it, shall we?


FIRSTCON 2025 Flashback

The last time I was at these controls, in early July, I had just attended FIRSTCON 2025 and wrote a bit about it.  I am happy to say that the session recordings, at least for the sessions that were TLP:CLEAR, are now available as a playlist on YouTube.  A number of them are security-related in some way.  I have not seen them all myself, of course, but most of the sessions I attended in person were interesting.  I expect there to be more gems among these recordings.

Leave a comment with the recordings you would recommend to others - and why you recommend them.


Perfect 10, Again

Last time around, Cisco had just had a rough week with a CVSS 10.0 vulnerability - and if history doesn't repeat itself, it at least rhymes.  Last week, Cisco patched a CVSS 10.0 vulnerability in their Firewall Management Center.  The issue, CVE-2025-20265, affected the RADIUS subsystem and could allow unauthenticated remote command execution.  While no exploitation was known, it is a serious issue and users of Cisco Firewall Management Center, at least where RADIUS authentication is in use, are advised to patch the system ASAP.


From Russia, With Love

Cisco, along with the FBI, also warned of hacking activity linked to the Russian FSB's Center 16 group.  They've been exploiting unpatched and end-of-life network switches via CVE-2018-0171 to gain access to networks and the traffic therein.  This is another example of why it is important to keep systems updated - and to remove EOL systems from service once they stop receiving security patches.  The operations have been tracked under code names including "Berserk Bear" and "Dragonfly".


A Bad Workday

Workday disclosed that one of their CRM systems was compromised by attackers who used social engineering to gain access.  It looks like the intruders came away with business contact information, including names, emails, and phone numbers.  The attack is being attributed to the ShinyHunters organization.


Dumb Ways to Crime

I never really tire of dumb cybercriminal stories; it's a bit of schadenfreude.  This time around we have Davis Lu, a former developer at Eaton, who just received a four-year prison sentence for installing malware on the corporate systems.  He became disgruntled after being demoted in a restructuring.  Now, I can understand being upset by this.  That's normal.  What isn't normal is creating Java malware designed to DoS the company systems should it ever be activated, and tying this activation to his network access.  Revoke his access and the 'kill switch' activates - which, of course, is what happened when Eaton let him go on September 9, 2019.  The malware overloaded the network, blocked access for thousands of employees, and deleted some corporate data.

Where it really gets dumb is that:

  • The malware was labeled "IsDLEnabledinAD" - short for "Is Davis Lu enabled in Active Directory".
  • He uploaded the malware using his personal corporate credentials.

That's some brilliant OpSec.

As icing on the cake, when he turned in his corporate laptop, his undeleted search history showed he'd been looking for ways to delete data, escalate privileges, and conceal his tracks.

Why would you do this and not completely wipe the machine before turning it in, if nothing else?  I'm not committing crimes using my corporate systems, and I still do a complete drive nuke before turning in old laptops just because I work with sensitive data in my role.  Though, given how bad an idea this whole thing was, I suppose I shouldn't expect much forethought.

Anyway, so now he has a four-year prison term followed by three years of supervised release.  Given how badly he botched his 'revenge', one wonders if the demotion that set this in motion was really unfair.


That Was the Week That Was

Thank you for your time and attention this week.  I hope you found something of value in my ramblings.

As always, if this is your first TWIS, you can always read past editions.  I also encourage you to check out all of the content from the F5 SIRT.

Published Aug 28, 2025