Alex Berninger, Senior Manager of Intelligence at Red Canary, and Mike Wylie, Director, Threat Hunting at Zscaler, join to discuss four phishing lures in campaigns dropping RMM tools. Red Canary and Zscaler uncovered phishing campaigns delivering legitimate remote monitoring and management (RMM) tools—like ITarian, PDQ, SimpleHelp, and Atera—to gain stealthy access to victim systems. Attackers used four main lures (fake browser updates, meeting invites, party invitations, and fake government forms) and often deployed multiple RMM tools in quick succession to establish persistent access and deliver additional malware.
The report highlights detection opportunities, provides indicators of compromise, and stresses the importance of monitoring authorized RMM usage, scrutinizing trusted services like Cloudflare R2, and enforcing strict network and endpoint controls.
The research can be found here:
You’re invited: Four phishing lures in campaigns dropping RMM tools
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
24:00
--------
24:00
When clicks turn criminal.
Dr. Renée Burton, Vice President of Threat Intelligence from Infoblox, is sharing the team's work on "Deniability by Design: DNS-Driven Insights into a Malicious Ad Network." Infoblox returns with new threat actor research uncovering Vane Viper, a Cyprus-based holding company behind PropellerAds—one of the world’s largest advertising networks. The report reveals that Vane Viper isn’t just being exploited by criminals but operates as a criminal infrastructure itself, built to profit from fraud, malware, and disinformation through offshore entities and complex ownership structures.
The findings highlight the growing convergence between adtech, cybercrime, and state-linked influence operations, suggesting that elements of the global digital advertising ecosystem are now functioning as infrastructure for large-scale cyber and disinformation campaigns.
The research can be found here:
Deniability by Design: DNS-Driven Insights intoa Malicious Ad Network
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
24:25
--------
24:25
A fine pearl gone rusty.
Tal Peleg, Senior Product Manager, and Coby Abrams, Cyber Security Researcher of Varonis, discussing their work and findings on Rusty Pearl - Remote Code Execution in Postgres Instances. The flaw could allow attackers to execute arbitrary commands on a database server’s operating system, leading to potential data theft, destruction, or lateral movement across networks.
While the vulnerability existed in PostgreSQL, Amazon RDS and Aurora were not affected, thanks to built-in protections like SELinux and AWS’s automated threat detection. Still, the research underscores the importance of patching and configuration hygiene in managed database environments.
The research can be found here:
Rusty Pearl: Remote Code Execution in Postgres Instances
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
23:59
--------
23:59
Attack of the automated ops.
Today we are joined by Dario Pasquini, Principal Researcher at RSAC, sharing the team's work on WhenAIOpsBecome “AI Oops”: Subverting LLM-driven IT Operations via Telemetry Manipulation. A first-of-its-kind security analysis showing that LLM-driven AIOps agents can be tricked by manipulated telemetry, turning automation itself into a new attack vector.
The researchers introduce AIOpsDoom, an automated reconnaissance + fuzzing + LLM-driven telemetry-injection attack that performs “adversarial reward-hacking” to coerce agents into harmful remediations—even without prior knowledge of the target and even against some prompt-defense tools. They also present AIOpsShield, a telemetry-sanitization defense that reliably blocks these attacks without harming normal agent performance, underscoring the urgent need for security-aware AIOps design.
The research can be found here:
When AIOps Become “AI Oops”:
Subverting LLM-driven IT Operations via Telemetry Manipulation
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
19:40
--------
19:40
A look behind the lens.
Noam Moshe, Claroty’s Vulnerability Research Team Lead, joins Dave to discuss Team 82's work on "Turning Camera Surveillance on its Axis." Team82 disclosed four vulnerabilities in Axis.Remoting—deserialization, a MiTM “pass-the-challenge” NTLMSSP flaw, and an unauthenticated fallback HTTP endpoint—that enable pre-auth remote code execution against Axis Device Manager and Axis Camera Station.
They found more than 6,500 Axis.Remoting services exposed online (over half in the U.S.), letting attackers enumerate targets, install malicious Axis packages, and hijack, view, or shut down managed camera fleets.Axis published an urgent advisory, issued patches for ADM 5.32, Camera Station 5.58 and Camera Station Pro 6.9, accepted Team82’s disclosure, and organizations are urged to update.
The research can be found here:
Turning Camera Surveillance on its Axis
Learn more about your ad choices. Visit megaphone.fm/adchoices
Ireland