EY Exposes 4TB 🗄️ , Privileged Account Monitoring 👀, BLE Chip Leaks AES Keys 🔑

TLDR

Together With Iru

TLDR Information Security 2025-11-03

Collapse your security stack (Sponsor)

Iru is the AI-powered platform used by the world's fastest-growing companies to secure their users, apps, and devices. With Iru, you can secure Mac, Windows, & Android, enable passwordless single sign-on to every app, and stay audit-ready for SOC 2 and ISO 27001. Iru collapses the stack and gives IT & Security time and control back. Find out more at iru.com
🔓 Attacks & Vulnerabilities

New Herodotus Android Malware Fakes Human Typing to Avoid Detection (3 minute read)

ThreatFabric has detected a new Android malware-as-a-service (MaaS) dubbed Herodotus that is being used in campaigns targeting Italian and Brazilian users through smishing. The malware uses a novel randomized delay of 0.3 to 3 seconds between keystrokes to mimic human typing and evade behavioral detections. Herodotus also provides clients with a control panel to customize the SMS message, as well as the ability to overlay pages mimicking banking and crypto pages to steal credentials, overlay opaque pages to hide malicious behavior, an SMS stealer for MFA interception, and screen recording.
"We got hacked" Emails Threaten to Leak University of Pennsylvania Data (2 minute read)

This past Friday, students and alumni of the University of Pennsylvania received a series of offensive emails from various university email addresses stating that their data had been leaked. The university reported that its incident response team is addressing the issue, but hasn't released more specifics. The article includes a copy of the email, which appears to be politically motivated.
EY exposes 4TB+ SQL database to open internet for who knows how long (4 minute read)

EY accidentally left a massive, unencrypted 4TB SQL Server backup file publicly accessible online, exposing sensitive data that included API keys, passwords, and credentials. The database became accessible due to a misconfigured cloud bucket. The breach's duration is unknown. EY responded swiftly after being alerted and resolved the issue within a week, likely preventing further damage.
🧠 Strategies & Tactics

Methodology: How we discovered over 2k high-impact vulnerabilities in apps built with vibe coding platforms (10 minute read)

Platforms that enable anyone to build applications without prior coding experience are surging in popularity, but they also introduce serious security concerns. Escape's research analyzed over 5,600 publicly available applications created with these "vibe coding" tools and found more than 2,000 vulnerabilities, along with hundreds of exposed secrets and personal data. Many issues arose from inexperienced users misconfiguring security, particularly when platforms automatically integrated third-party services, such as Supabase, without strict access controls.
Keys to the Kingdom: A Defender's Guide to Privileged Account Monitoring (15 minute read)

Mandiant uses a three-pillar approach to privileged account monitoring (PAM). The prevention pillar focuses on identifying all identities that can change system state, alter security policy, or reach sensitive data and tiering them into a hierarchy of privileged access. The detection pillar focuses on distinguishing PAM-related detections from regular abuse. The response pillar focuses on ensuring that break-glass accounts work and customizing an incident response plan for privileged accounts.
Code-in-the-Middle: An Introduction to IR (23 minute read)

Traditional EDR evasion methods, such as runtime packers and post-compilation obfuscation, are increasingly ineffective due to high-entropy signatures and recognizable patterns, prompting a shift toward compile-time obfuscation using the LLVM Intermediate Representation. This approach applies transformations like control flow flattening and API call hashing during compilation, rather than after. IRvana is a tool that leverages LLVM IR for fileless execution by using lli.exe to interpret obfuscated IR files directly. It achieves strong static detection bypass while acknowledging that dynamic behavioral detection remains challenging. Security teams should focus their detection efforts on behavioral analysis and process injection techniques, rather than relying solely on static signatures, as IR-based evasion makes traditional binary analysis significantly more challenging.
🧑‍💻 Launches & Tools

How to Use IP Reputation to Reduce Dwell Time, Stop Data Exfiltration, and Minimize Alert Fatigue (Sponsor)

Used effectively, IP reputation can reduce noise, improve detection accuracy, and support zero trust initiatives. But its real value depends on how it's applied. Read Intrusion's guide to learn how to wield it to your advantage – within context, in real time, and as part of a broader security strategy. Read the blog
Introducing Aardvark: OpenAI's agentic security researcher (4 minute read)

Aardvark is OpenAI's new autonomous security research agent. Now in private beta, it is designed to help developers and security teams find and fix vulnerabilities. It continuously scans code repositories, prioritizes risks, and proposes targeted patches using AI-powered reasoning.
BunkerWeb (GitHub Repo)

An open-source, next-generation Web Application Firewall (WAF). Because it is a full-featured web server (based on NGINX under the hood), it sits in front of your web services and protects them with secure-by-default settings.
MCP Scanner (GitHub Repo)

A tool from Cisco AI Defense that scans MCP servers and tools for potential findings using the Cisco AI Defense inspect API, YARA rules, and LLM-as-a-judge.
🎁 Miscellaneous

Australia warns of BadCandy infections on unpatched Cisco devices (3 minute read)

Australia's ASD reported that over 400 Cisco IOS XE devices have been compromised with BadCandy webshell malware since July, exploiting CVE-2023-20198, a critical vulnerability that allows remote attackers to create administrative accounts and deploy Lua-based webshells with root privileges. The webshell persists until the device is rebooted, but can be easily reintroduced on unpatched systems, allowing attackers to detect its removal and re-exploit the same endpoints. Organizations must immediately patch affected Cisco IOS XE devices and follow the vendor's hardening guidelines, as state-sponsored actors, including Salt Typhoon, continue to exploit this two-year-old vulnerability for persistent network access.
Eclipse Foundation Revokes Leaked Open VSX Tokens Following Wiz Discovery (2 minute read)

The Eclipse Foundation revoked a small number of leaked Open VSX tokens after Wiz discovered some Visual Studio Code extensions exposing access tokens in public repositories. The investigation showed that the leaks were due to developer mistakes, not a compromise. Eclipse has introduced new token formats, tightened security, improved revocation procedures, and is scanning for malicious patterns.
Firewalls and VPNs Are So Complex Now, They Can Actually Make You Less Secure (4 minute read)

Organizations using Cisco or Citrix VPNs are nearly seven times more likely to experience a ransomware attack. This is attributed to the growing complexity of properly securing on-premises VPNs. SonicWall VPN users were the second most likely to be breached, with a 5.8 times higher rate of incidents.

Quick Links

Eliminate the niggling misconfigurations that are chipping away at your security posture (Sponsor)

Unused admin accounts. Mysterious firewall rules. Default Windows settings that weaken your defenses. ThreatLocker Defense Against Configurations (DAC) finds these problems and maps them to your compliance and security requirements. See how
BTC bridge flagged for laundering money got hacked (2 minute read)

A protocol called Garden, which facilitates the swapping of bitcoin across blockchains, suffered an $11 million hack just days after announcing a major milestone.
Arm Opens Access to Chiplet Architectures and AI Platforms (3 minute read)

Arm contributed its Foundation Chiplet System Architecture (FCSA) specification to the Open Compute Project, joined the OCP board alongside AMD and Nvidia, expanded its Total Design ecosystem from 20 to over 50 partners, and added its Armv9 Edge AI platform to its Flexible Access licensing program, enabling startups and smaller teams to prototype with production-grade IP at low or no upfront cost.
BLE chip leaks AES keys through RF signals: a successful remote side-channel attack (1 minute read)

Researchers demonstrated a remote RF-based side-channel attack on Nordic Semiconductor's nRF52832 BLE chip, recovering 128-bit AES keys at one meter using 2.4 GHz radio frequency analysis, raising security concerns for automotive and industrial systems.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here or send a friend's resume to jobs@tldr.tech and get $1k if we hire them!

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.
