Cisco firewall zero-days and bootkits in the wild

September 27th, 2025  |  1 hr 54 mins

apt research, cyberespionage, nation-state, ransomware, zero-day

Three Buddy Problem - Episode 65: We zero in on one of the biggest security stories of the year: the discovery of a persistent multi-stage bootkit implanting malware on Cisco ASA firewalls. Details on a new campaign, tied to the same threat actors behind ArcaneDoor, exploiting zero-days in Cisco’s 5500-X series appliances, devices that sit at the heart of government and enterprise networks worldwide.

Plus, Cisco’s controversial handling of these disclosures, CISA's emergency deadlines for patching, the absence of IOCs and samples, and China’s long-term positioning. Plus, thoughts on the Secret Service SIM farm discovery in New York and evidence of Russians APTs Turla and Gamaredon collaborating to hit Ukraine targets.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Live at LABScon: Aurora Johnson and Trevor Hilligoss on China's 'internet toilets'

September 24th, 2025  |  22 mins 13 secs

apt research, cyberespionage, nation-state, ransomware, zero-day

Three Buddy Problem - Episode 64: SpyCloud Labs researchers Aurora Johnson and Trevor Hilligoss discuss the world of “internet toilets," the toxic online communities in China where harassment, stalking, and sextortion thrive. We explore how these groups operate, from doxing ex-lovers and enemies to running coordinated campaigns of cyberbullying that often spill into real-world harm. (Recorded at LABScon 2025).

Cast: Aurora Johnson, Trevor Hilligoss Ryan Naraine and Juan Andres Guerrero-Saade.

Live at LABScon: Visi Stark shares memories of creating the APT1 report

September 24th, 2025  |  28 mins 50 secs

apt research, cyberespionage, nation-state, ransomware, zero-day

Three Buddy Problem - Episode 63: Co-founder of the Vertex Project Visi Stark joins the buddies to reminisce about his work writing Mandiant's famous APT1 report, the China-nexus threat landscape, the value of cyber threat intelligence, APT-naming schemes, and more... (Recorded at LABScon 2025).

Cast: Visi Stark, Ryan Naraine and Juan Andres Guerrero-Saade.

Live at LABScon: Lindsay Freeman on tracking Wagner Group war crimes

September 24th, 2025  |  31 mins 52 secs

apt research, cyberespionage, military contractors, nation-state, zero-day

Three Buddy Problem - Episode 62: Lindsay Freeman, Director of the Technology, Law & Policy program at the Human Rights Center, UC Berkeley School of Law, joins the show to discuss her team's meticulous work to document the Wagner Group's chain of command, military operations in parts of Africa, and the broadcasting of war crimes on social media platforms like Telegram. (Recorded at LABScon 2025)

Cast: Lindsay Freeman, Ryan Naraine and Juan Andres Guerrero-Saade.

Can Apple's New Anti-Exploit Tech Stop iPhone Spyware Attacks?

September 9th, 2025  |  2 hrs 45 mins

apt research, cyberespionage, nation-state, spyware, surveillance, zero-day

Three Buddy Problem - Episode 61: We cover a pair of software supply chain breaches (Salesforce Salesloft Drift and NPM/GitHub) that raises big questions about SaaS integrations and the ripple effects across major security vendors.

Plus, Apple’s new Memory Integrity Enforcement in iPhone 17 and discussion on commercial spyware infections and the value of Apple notifications; concerns around Chinese hardware and surveillance equipment in US infrastructure; Silicon Valley profiting from China’s surveillance ecosystem; and controversy around a Huntress disclosure of an attacker’s operations after an EDR agent was mistakenly installed.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Salt Typhoon IOCs, Google floats ‘cyber disruption unit’, WhatsApp 0-click

August 29th, 2025  |  2 hrs 24 mins

apt research, china, microsoft, nation-state, russia, zero-day

Three Buddy Problem - Episode 60: We dissect a fresh multi-agency Salt Typhoon advisory (with IOCs and YARA rules!), why it landed late, why the wall of logos matters (and doesn’t), and what’s actually usable for defenders: new YARA, tool hashes, naming ambiguity across reports, the mention of Chinese vendors, and a Dutch note that smaller ISPs were hit.

Plus, Costin details his hunting stack and philosophy (historic IOC/malware hoarding, fast pivots, and AI as analyst “wingman”) and a new Chinese APT report that may intersect with LightBasin and the murky PSOA world.

We also debate Google’s proposed “cyber disruption unit” versus Microsoft’s DCU (legal vs. “ethical” takedowns, PR, and business models); react to Anthropic’s report on real attacker use of Claude; note Amazon’s APT29 watering-hole disruption; and close on a fresh WhatsApp-to-ImageIO zero-click chain and practical phone OPSEC.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Zero-day reality check: iOS exploits, MAPP in China and the hack-back temptation

August 22nd, 2025  |  2 hrs 32 mins

apt research, cyberespionage, nation-state, ransomware, zero-day

Three Buddy Problem - Episode 59: Apple drops another emergency iOS patch and we unpack what that “may have been exploited” language really means: zero-click chains, why notifications help but forensics don’t, and the uncomfortable truth that Lockdown Mode is increasingly the default for high-risk users. We connect the dots from ImageIO bugs to geopolitics, discuss who’s likely using these exploits, why Apple’s guidance stops short, and the practical playbook (ADP on, reboot often, reduce attack surface) that actually works.

Plus, we debate Microsoft throttling MAPP access for Chinese vendors, the idea of “letters of marque” for cyber (outsourced offense: smart deterrent or Pandora’s box?), and dissect two case studies that blur APT and crimeware: PipeMagic’s CLFS zero-day and Russia-linked “Static Tundra” riding seven-year-old Cisco bugs.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

On AI’s future, security’s failures, and what comes next...

August 15th, 2025  |  1 hr 57 mins

ai, apt research, backdoors, nation-state, zero-day

Three Buddy Problem - Episode 58: Indepth reaction to the Brandon Dixon episode, digging into what it’s really like to scale products inside a tech giant, navigate politics, and bring features to millions of machines. Plus, an exploration of the AI cybersecurity gold-rush, the promise and hype, and the gamble for startups versus the slow-moving advantage of incumbents.

We revisit the Chinese "cyber militia" discussion and the looming AI “dot-com bubble,” the value of owning infrastructure, Nvidia and export controls, China’s manufacturing edge, and the geopolitics of supply chains.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Live from Black Hat: Brandon Dixon parses the AI security hype

August 7th, 2025  |  1 hr 30 mins

ai, apt research, nation-state, zero-day

Three Buddy Problem - Episode 57: Brandon Dixon (PassiveTotal/RiskIQ, Microsoft) leads a deep-dive into the collision of AI and cybersecurity. We tackle Google’s “Big Sleep” project, XBOW’s automation hype, the long-running tension between big tech ownership of critical security tools and the community’s need for open access.

Plus, the future of SOC automation to AI-assisted pen testing, how agentic AI could transform cyber talent bottlenecks and operational inefficiencies, geopolitical debates over backdoors in GPUs and the strategic implications of China’s AI model development.

Cast: Brandon Dixon, Juan Andres Guerrero-Saade and Ryan Naraine.

Rethinking APT Attribution: Dakota Cary on Chinese Contractors and Espionage-as-a-Service

August 1st, 2025  |  1 hr 51 mins

apt research, cyberespionage, nation-state, ransomware, zero-day

Three Buddy Problem - Episode 56: China-focused researcher Dakota Cary joins the buddies to dig into China’s sprawling cyber ecosystem, from the HAFNIUM indictments and MSS tasking pipelines to the murky world of APT contractors and the ransomware hustle. We break down China’s “entrepreneurial” model of intelligence collection, why public visibility into these threat actors is so hard to get right, and how companies like Microsoft get caught in the geopolitical crossfire.

Plus: a deep dive on suspected MAPP leaks and Sharepoint zero-days, Singapore targeted by extremely sophisticated China-nexus hacking group, soft censorship in corporate threat-intel, and whether the U.S. should rethink how it fills its intelligence gaps.

Cast: Dakota Cary, Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Microsoft Sharepoint security crisis: Faulty patches, Toolshell zero-days

July 25th, 2025  |  1 hr 55 mins

ai, apt research, nation-state, zero-day

Three Buddy Problem - Episode 55: We dig into Microsoft's latest security nightmare: a SharePoint zero-day exploit chain from Pwn2Own Berlin becomes a full-blown security crisis, with Chinese nation-state actors exploiting vulnerabilities that Microsoft struggled to patch properly, leading to trivial bypasses and a cascade of new CVEs. The timeline is messy, the patches are faulty, and ransomware groups are lining up to join the party.

We also revisit the ProPublica bombshell about Microsoft's "digital escorts" and U.S. government data exposure to Chinese adversaries and the company's "oops, we will stop" response. Plus, trusting Google's Big Sleep AI claims and a cautionary tale about AI agents gone rogue that wiped out a production database.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Train brake hack, GRU sanctions, Wagner war crimes, Microsoft's Chinese ‘digital escorts’

July 18th, 2025  |  1 hr 48 mins

apt research, cyberwar, nation-state, zero-day

Three Buddy Problem - Episode 54: Europol busted pro‑Russian hacktivist crew NoName 057(16), the Brits announce sanctions on Russia’s GRU cyber units, Wagner‑linked “war influencers” streamed atrocities from Africa, and fresh tech worries ranged from a $500 RF flaw that can hijack U.S. train brakes.

Plus, ProPublica on Microsoft’s China‑based “digital escorts,” Google’s headline‑grabbing AI‑found SQLite zero‑day, and OpenAI’s new task‑running agents. Meanwhile, Ukraine’s hackers wiped a Russian drone maker, ransomware crippled a major vodka producer, and another Chrome zero‑day quietly underscored how routine critical exploits have become.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.