Preboot UEFI Flaw 💻, Bypassing AWS Trusted Advisor 🌩️, Google's Agentic Cybersecurity 🤖

TLDR Information Security 2025-12-22

🔓

Attacks & Vulnerabilities

Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware (5 minute read)

CountLoader 3.2 and GachiLoader malware are spreading via cracked software sites and 100+ compromised YouTube videos (220K views from 39 accounts), deploying ACR Stealer and Rhadamanthys through multi-stage attacks. CountLoader uses trojanized Python interpreters that execute via mshta.exe, creates persistence with fake Google scheduled tasks that run every 30 minutes, detects CrowdStrike Falcon to adapt its execution, and spreads via USB drives. GachiLoader employs Node.js with a novel Vectored Exception Handling PE injection technique and kills SecHealthUI.exe to disable Windows Defender. Security teams should monitor for mshta.exe abuse, suspicious scheduled tasks that mimic legitimate software, WMI queries used for AV detection, and Defender exclusions added for system folders, and should implement application whitelisting to block execution of unauthorized Python interpreters and Node.js scripts.
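The monitoring advice above, turned into detection logic over constructed endpoint telemetry. This is an added example, not code from the article or the researchers; the record layout, the task name, the allowed interpreter paths and the Google install directory pattern are assumptions to adapt to local telemetry.

```python
import fnmatch
import re

# Constructed telemetry records (not real logs) modelled on the CountLoader
# behaviours described above: mshta.exe launched by a Python interpreter, a
# "Google"-branded scheduled task on a 30-minute interval whose action lives
# outside Google's install directory, and a WMI query enumerating AV products.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\py\python.exe"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "task", "name": r"\GoogleUpdateTaskMachineCore", "interval_min": 30,
     "action": r"C:\Users\u\AppData\Local\Temp\py\pythonw.exe"},
    {"type": "task", "name": r"\GoogleUpdateTaskMachineUA", "interval_min": 60,
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"type": "wmi", "namespace": r"root\SecurityCenter2",
     "query": "SELECT displayName FROM AntiVirusProduct"},
]

# Assumed local policy: where a legitimate interpreter or Google binary lives.
ALLOWED_PYTHON = [r"C:\Program Files\Python*\python*.exe"]
GOOGLE_DIRS = [r"C:\Program Files*\Google\*"]
PYTHON_RE = re.compile(r"\\pythonw?(?:\d+(?:\.\d+)?)?\.exe$", re.I)

def _in(path, patterns):
    return any(fnmatch.fnmatch(path.lower(), p.lower()) for p in patterns)

def detect(events):
    """Return (rule, record) pairs for records matching the behaviours the
    summary recommends monitoring; benign look-alikes are left alone."""
    hits = []
    for e in events:
        if e["type"] == "process" and e["image"].lower().endswith(r"\mshta.exe"):
            # mshta.exe has no business being a child of a Python interpreter,
            # least of all one running outside the whitelisted install paths.
            if PYTHON_RE.search(e["parent"]) and not _in(e["parent"], ALLOWED_PYTHON):
                hits.append(("mshta_from_unauthorised_python", e))
        elif e["type"] == "task" and "google" in e["name"].lower():
            # Real Google tasks point into Google's install directory; a
            # 30-minute interval plus a foreign action path matches the loader.
            if not _in(e["action"], GOOGLE_DIRS) and e["interval_min"] == 30:
                hits.append(("fake_google_task_30min", e))
        elif e["type"] == "wmi" and "antivirusproduct" in e["query"].lower():
            hits.append(("wmi_av_enumeration", e))
    return hits

def rule_names(events):
    return [rule for rule, _ in detect(events)]
```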
New UEFI Flaw Enables Pre-Boot Attacks From Gigabyte, MSI, ASUS, ASRock (2 minute read)

Researchers from Riot Games discovered a UEFI flaw that could allow Direct Memory Access (DMA) capable devices to access memory before the operating system loads. DMA lets PCIe devices read and write RAM without going through the CPU and relies on the IOMMU for protection. A physically present attacker would need to attach a rogue PCIe device before boot to exploit this vulnerability.
New Critical WatchGuard Firebox Firewall Flaw Exploited in Attacks (2 minute read)

WatchGuard is warning users to patch a critical, actively exploited remote code execution vulnerability in its Firebox firewalls. The vulnerability is caused by an out-of-bounds write that allows unauthenticated attackers to execute code remotely. Firebox firewalls are only vulnerable if they are configured to use IKEv2 or, in some circumstances, even if that configuration has since been deleted.
🧠

Strategies & Tactics

TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy in the Era of AI Assisted Reverse Engineering (18 minute read)

A security researcher documented AI-assisted firmware analysis of TP-Link Tapo C200 cameras using tools including Grok, GhidraMCP, and Claude Sonnet 4. They discovered hardcoded SSL private keys that enabled HTTPS traffic decryption, pre-authentication memory overflows, integer overflow crashes, and unauthenticated WiFi hijacking, affecting approximately 25,000 internet-exposed devices. The vulnerabilities enabled remote attackers to decrypt camera traffic, crash devices, force connections to malicious networks, and enumerate nearby WiFi BSSIDs for precise geolocation via Apple's location services API. TP-Link delayed patching beyond its 90-day commitment despite being a CVE Numbering Authority, raising concerns about vendor conflicts of interest when controlling their own vulnerability disclosure pipeline while marketing low CVE counts as a competitive advantage.
Mistrusted Advisor: Evading Detection With Public S3 Buckets and Potential Data Exfiltration in AWS (5 minute read)

Researchers from Fog Security discovered three methods to bypass AWS Trusted Advisor and expose S3 buckets without triggering alerts. Each method adds a bucket policy statement that denies one of s3:GetBucketPolicyStatus, s3:GetBucketPublicAccessBlock, or s3:GetBucketAcl, blinding the check Trusted Advisor relies on. Fog Security coordinated disclosure with AWS, but noted that it took AWS two attempts to fix the vulnerability and felt that AWS's communication downplayed the severity.
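A bucket-policy audit for the blinding pattern described above, as an added example that is not Fog Security's or AWS's code. It goes slightly beyond the post by expanding IAM action wildcards and by honouring resource scope (an object-only Deny does not cover bucket-level calls); the sample policies and bucket name are constructed.

```python
import fnmatch
import json

# Read-only calls the Trusted Advisor public-bucket checks rely on; a Deny
# that covers any of them at bucket scope blinds the check (per the summary).
BLINDING_ACTIONS = ("s3:GetBucketPolicyStatus",
                    "s3:GetBucketPublicAccessBlock",
                    "s3:GetBucketAcl")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_bucket(resources, bucket):
    # Bucket-level actions need the bucket ARN itself (or a wildcard that
    # matches it); an object pattern like arn:aws:s3:::b/* does not cover them.
    return any(fnmatch.fnmatchcase(f"arn:aws:s3:::{bucket}", r)
               for r in _as_list(resources))

def denied_blinding_actions(policy, bucket):
    """Return the blinding actions that some Deny statement in `policy`
    covers for `bucket`, expanding IAM action wildcards (s3:GetBucket*, s3:*).
    Conditional denies are reported too, since the condition may hold for the
    auditing caller; review those by hand."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    found = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not _covers_bucket(stmt.get("Resource", []), bucket):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            found.update(a for a in BLINDING_ACTIONS
                         if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(found)

# Constructed bucket policies for illustration (not from the post).
EVASIVE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Principal": "*",
     "Action": ["s3:GetBucketPolicyStatus", "s3:GetBucketAcl"],
     "Resource": "arn:aws:s3:::example-bucket"}]})
WILDCARD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Principal": "*", "Action": "s3:GetBucket*",
    "Resource": "*"}})
OBJECT_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
```

Run it against the output of `aws s3api get-bucket-policy` for each bucket; a non-empty result on a bucket that is otherwise public is the combination worth alerting on.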
How Google Does It: Building Agents for Cybersecurity and Defense (6 minute read)

When introducing agentic AI to its cybersecurity teams, Google began by building trust in generative AI by adding chat interfaces to existing tools. Google security then identified initial use cases for distillation and translation, focusing on bottlenecks that AI could alleviate. The team then established and monitored KPIs as they scaled their program.
🧑‍💻

Launches & Tools

What happens when you approach InfoSec like a martial artist? (Sponsor)

In a dojo, agents train to avoid wasted motion, to anticipate, and to endure. Sumo Logic brings dojo thinking to the SOC. Automation delivers repeatable discipline, machine learning detects anomalies, and it's all orchestrated through natural language. See how analysts can move with agility.
Announcing GotaTun, the future of WireGuard at Mullvad VPN (3 minute read)

Mullvad's GotaTun is a Rust-based WireGuard implementation forked from Cloudflare's BoringTun that replaces wireguard-go, eliminating 85% of Android app crashes attributed to the Go implementation's FFI complexity and opaque runtime debugging challenges. The Android rollout in November reduced the user-perceived crash rate from 0.40% to 0.01%, with zero GotaTun-originated crashes, while improving connection speeds and battery efficiency through safe multithreading and zero-copy memory strategies. Mullvad plans a third-party security audit in early 2026 before expanding the GotaTun deployment to desktop and iOS platforms, maintaining full WireGuard protocol compatibility while supporting privacy features, including DAITA and Multihop.
Kanidm (GitHub Repo)

Kanidm is a simple and secure identity management platform that provides a full identity provider, covering the broadest possible set of requirements and integrations.
DedSec (GitHub Repo)

The DedSec Project is a comprehensive cybersecurity toolkit designed for educational purposes. It provides 50+ powerful tools that cover everything from network security analysis to ethical hacking education. Everything is completely free and designed to help you shift from being a target to being a defender.
🎁

Miscellaneous

Dismantling Defenses: Trump 2.0 Cyber Year in Review (20 minute read)

The Trump administration systematically dismantled federal cybersecurity infrastructure: CISA lost a third of its workforce and faces $491M in budget cuts, the Cyber Safety Review Board was dissolved mid-investigation of Chinese telecom intrusions, and both NSA and Cyber Command have operated without leadership since April. DOGE accessed sensitive federal databases from SSA, DHS, OPM, and Treasury by circumventing security controls and audit mechanisms, with data exfiltration coinciding with Russian login attempts using valid DOGE credentials. Security professionals should prepare for degraded federal threat intelligence sharing after the elimination of CIPAC and MS-ISAC funding, reduced public-private coordination as agencies canceled meetings with infrastructure operators, and increased foreign intelligence recruitment of laid-off federal employees with security clearances.
Defense Bill Addresses Secure Phones, AI Training, Cyber Troops' Mental Health (2 minute read)

In addition to $901B in funding, the 2026 National Defense Authorization Act (NDAA) includes a series of new cybersecurity policies. The NDAA includes a provision requiring that secure phones provided to senior leaders meet a set of security requirements, such as data encryption. The act also includes expanded mental health provisions and training initiatives around AI security.
Ministers confirm breach at UK Foreign Office but details remain murky (2 minute read)

UK ministers have acknowledged a confirmed cyberattack on the Foreign Office, first reported by The Sun and widely linked in the media to Chinese state-backed hackers, though officials stress those claims are speculative. They say a technical flaw at one site was quickly closed and insist there is currently low risk to individuals, despite concerns about possible exposure of visa application data and growing warnings over China's broader cyber-espionage activity in Europe.

Quick Links

2025 LLM Year in Review (9 minute read)

Six paradigm shifts occurred with LLMs during 2025.
Ukrainian National Pleads Guilty to Conspiracy to Use Nefilim Ransomware to Attack Companies in the United States and Other Countries (2 minute read)

Ukrainian national Artem Stryzhak pleaded guilty to conspiracy charges for deploying Nefilim ransomware against US companies.
University of Sydney Data Breach Affects 27,000 Individuals (2 minute read)

Hackers accessed an online code library at the University of Sydney that contained historical test data files.

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile