Three Buddy Problem - Episodes Tagged with “Apt Research”

The Claude Mythos, Project Glasswing Shockwave

Security Conversations — Fri, 10 Apr 2026 13:30:00 -0700

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.)

Three Buddy Problem - Episode 93: We discuss Anthropic's release of Claude Mythos Preview (an AI model so capable and dangerous they won't release it publicly) and debate the looming patching crisis, bug bounty extinction, possible US government nationalization of frontier labs, and why the NSA might not be thrilled about all this bug-fixing.

Plus, North Korea's six-month Drift Protocol con job, APT28's retro DNS hijacking campaign, and Microsoft's driver signing mess hitting WireGuard and VeraCrypt.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

00:00 — Opening banter
01:36 — Anthropic Mythos Preview + Project Glasswing
06:17 — USG reaction + Wall Street emergency meeting
10:54 — Mythos capabilities vs hype (technical reality check)
13:44 — PR stunt? Skepticism of Anthropic narrative
20:42 — The patching crisis + “defender advantage”
27:41 — Bug bounty model under threat from AI
33:37 — Mythos practical workflows
45:09 — Geopolitics, NSA angle, and nationalization discussion
01:40:18 — Fortinet zero-day + ongoing failures
01:42:39 — Drift Protocol heist ($285M) + long-term social engineering
01:44:07 — Revisiting XZ Utils / Jia Tan attribution
01:54:07 — Crypto security gaps + need for real CTI in blockchain
02:04:22 — APT28 DNS hijacking + router compromise campaign
02:18:57 — Microsoft driver signing meltdown + ecosystem impact

Links:

LLMs writing exploits, engineers losing skills, and a case for the generative OS

Security Conversations — Fri, 03 Apr 2026 12:30:00 -0700

(Presented by TLPBLACK: High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Three Buddy Problem - Episode 92: Costin walks through real-world ransomware incident response while Juanito makes the case for AI-generated operating systems that never run anyone else's code. Plus, debates on whether vulnerability research is cooked, why nobody should pay ransoms, and what the security industry looks like after the massive AI flood.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

0:00 – Introductory banter
2:00 – Costin's ransomware incident response work
3:30 – How attackers break in: Fortinet vulnerabilities everywhere
6:30 – Hunting for ransomware decryption keys
9:00 – Breaking into ransomware C2s and monitoring leak sites
12:00 – The ransom payment debate: should you ever pay?
16:00 – Why "don't pay the ransom" is overgeneralized
21:00 – How ransomware gangs price their demands
24:00 – The AI-pilling of the security industry
28:30 – Nicholas Carlini, Ptacek, and "vulnerability research is cooked"
35:00 – Towards a generative-first operating system
41:00 – Code factories, trusted computing, and killing dependencies
48:00 – Microsoft and Apple's AI positioning
56:00 – Chris St. Myers' "Cognitive Rust Belt" essay
1:18:00 – Choice, The Matrix, and the illusion of control
1:38:00 – Supply chain attacks, North Korea, and dependency sprawl

Links:

Google's Cyber Disruption Unit; Coruna is Triangulation, US Bans Foreign-Made Routers

Security Conversations — Sat, 28 Mar 2026 12:30:00 -0700

Three Buddy Problem - Episode 91: This week we dig into Google's new cyber threat disruption unit announced at RSAC, Kaspersky confirming Coruna is a direct evolution of Operation Triangulation, and a cascading supply chain compromise that chained through LiteLLM, Trivy, and Checkmarx into thousands of software pipelines.

Plus, VCs and the breathless AI hype, Apple's iOS 26.4 and silent patches, the FCC's ban on foreign-made routers, and Symantec catching an APT looking for Chinese military data.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

0:00 Intro & Pre-Show Banter
3:08 JAGS in San Francisco: RSAC week recap
6:05 Google Launches Cyber Disruption Unit — What's Actually New?
13:43 Why Separate Disruption Units Matter: ROI & Budget Justification
29:11 Haroon Meer's RSA Reality Check: The AI Hype Machine
32:37 The VC Ponzi Cycle & How Easy Money Hollowed Out Cybersecurity
47:32 ENT.ai & Tenex AI Hackathon at RSAC
53:08 Kaspersky Links Corona Exploit Kit to Operation Triangulation
1:08:09 Trenchant Cleanup & Lessons from Equation Group Burns
1:19:31 Apple iOS Patches, Hong Kong Device Passcode Law
1:27:53 Handala Hacks FBI Director Kash Patel's Personal Gmail
1:37:32 LeakBase Admin "Chucky" Arrested in Russia — FSB Gets the Data
1:45:38 Supply Chain Attacks: TeamPCP Hits LiteLLM & Trivy
2:04:34 FCC Bans Foreign-Made Routers — But What Do We Buy?

Links:

The greatest APT hunter of all time, Apple's exploit kit problem, Microsoft FedRAMP mess

Security Conversations — Fri, 20 Mar 2026 13:00:00 -0700

(Presented by Thinkst Canary: Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With zero admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.)

Three Buddy Problem - Episode 90: We remember GReAT teammate Sergey Mineev, the legendary malware hunter behind discoveries like Equation Group and Project Sauron (Remsec), including stories about his methods and why he was the best to ever do it.

Plus, another in-the-wild iOS exploit kit discovery and a long overdue conversation about Apple's responsibility to hundreds of millions of users on older iOS versions; the ProPublica Microsoft/FedRAMP bombshell, Interlock ransomware sitting on a Cisco zero-day, the White House AI policy framework, and Supermicro co-founder $2.5 billion AI chip smuggling bust.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Handala wiper attacks, APT28 implant devs are back, Signal's verification problems

Security Conversations — Fri, 13 Mar 2026 17:00:00 -0700

Three Buddy Problem - Episode 89: We discuss Iran hacktivist group 'Handala' wiper attacks against US medical device maker Stryker, Microsoft Intune MDM tool abuse, and whether Iran's cyber retaliation is as scary as the headlines suggest.

Plus, ESET's discovery that Russia's APT28 original implant developers are back after years of silence, Dutch intelligence warnings on Russian campaigns targeting Signal and WhatsApp accounts, Apple finally patching Coruna exploit kit vulnerabilities for older iPhones, and Google sharing Coruna samples that raise new questions about the exploit kit's proliferation chain.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Trenchant, Peter Williams, and the proliferation of a Shadow Brokers-level iOS exploit framework

Security Conversations — Fri, 06 Mar 2026 12:30:00 -0700

Three Buddy Problem - Episode 88: We unpack the fallout from public documentation of the Coruna iOS exploit kit, the likely connection to the Peter Williams/Trenchant exploit sale to Russians, how it slipped from government hands into criminal use, and the widening use of zero-days by surveillance vendors and cybercriminals.

Plus, fresh signs of cyber-warfare activity tied to Iran and Israel, the FBI’s disclosure of a breach affecting internal surveillance systems, and the latest debate over AI, security tooling, and Anthropic’s public stumbles.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Matthias Frielingsdorf on the mysterious Coruna iOS exploit kit discovery

Security Conversations — Thu, 05 Mar 2026 16:00:00 -0700

Matthias Frielingsdorf (co-founder and VP of Research at iVerify) joins the show to discuss the mysterious US government connection to 'Coruna', an iOS exploit kit fitted with 23 exploits across five full chains targeting iPhones iOS 13 through 17.2.1.

We talk about a "gut feeling" connecting this to the L3 Trenchant/Peter Williams exploit sale scandal, how a nation-state-grade exploit kit ended up in the hands of a Chinese cybercrime group chasing crypto wallets, and what it means that criminal organizations are now deploying iPhone zero-days at scale.

Matthias walks through what iVerify can and can't do on Apple's locked-down platform, why he thinks Apple needs to give defenders more access, the Lockdown Mode debate, the thorny issue of sample sharing in the research community, and practical advice for everyday iPhone users facing a threat landscape that just got a lot more complicated.

Links:

Threat Hunter Greg Linares on the modern ransomware playbook

Security Conversations — Tue, 03 Mar 2026 13:30:00 -0700

Huntress threat intelligence analyst Greg Linares shares insights on the modern ransomware ecosystem, including how crews operate like businesses and why Akira, Medusa, RansomHub, and Qilin cause so much damage. Plus, signs of overlap between ransomware and nation-state activity, what “time to ransom” really means for defenders, and why techniques like ClickFix and credential theft keep working at scale.

The conversation also covers the surge in RMM tool abuse, how “living off the land” attacks can unfold without traditional malware, and the basic defenses smaller organizations can prioritize.

Links:

War in Iran, Anthropic v Pentagon, Trenchant zero-day sanctions, AI stock market shocks

Security Conversations — Sat, 28 Feb 2026 12:00:00 -0700

Three Buddy Problem - Episode 87: We wake up to news of U.S./Israel military action against Iran and the expected fallout, including Tehran’s cyber capabilities and proxy risks. Plus: Anthropic’s clash with the Pentagon over AI use in warfare, market shockwaves from AI-driven security tools, mass layoffs tied to automation, Trenchant exec sentencing and sanctions in the exploit trade, and fresh questions around Cisco’s SD-WAN breach and supply-chain trust.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

GitLab doxxes North Korea .gov hackers; fresh Ivanti zero-days; AI addiction and human purpose

Security Conversations — Fri, 20 Feb 2026 01:00:00 -0700

Three Buddy Problem - Episode 86: We dig into GitLab’s explosive look at North Korea’s “Contagious Interview” APT operation, the scale of fake IT worker infiltration, and what it means for companies chasing cheap talent.

Plus, a fresh batch of already-exploited Ivanti and Dell zero-days, the return of Apple’s shutdown logs, and thoughts on addictive AI coding agents affecting human purpose.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Palo Alto and the uncomfortable politics of APT attribution

Security Conversations — Fri, 13 Feb 2026 12:30:00 -0700

Three Buddy Problem - Episode 85: Top stories this week include drone incursions over El Paso and the murky line between cartel activity, anti-drone tech testing, and full-blown hybrid warfare; updates on the Notepad++ supply chain fallout; Microsoft’s zero-day treadmill and AI-enabled attack surfaces; and Apple’s “extremely sophisticated” iOS exploits.

Plus, Europe’s growing appetite for offensive cyber, Palo Alto and the uncomfortable politics of cyber attribution, Singapore on telco intrusions, and the economics of end-of-life infrastructure.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

From Epstein to Notepad++: Redactions, Zero-Days and Supply Chain Attacks

Security Conversations — Sun, 08 Feb 2026 12:00:00 -0700

Three Buddy Problem - Episode 84: We process the cybersecurity fallout from the latest Epstein document dump, focusing on why redactions fail in the AI era and how quickly modern tools can unravel them. The conversation moves from sloppy redaction practices and exploit mythology to harder questions about ethics, accountability, and silence within the infosec community.

Plus, inside the Notepad++ supply-chain compromise attributed to a known Chinese APT, Microsoft’s security executive changes, Anthropic's AI-driven vulnerability discovery, China-linked network implants, and Lockdown Mode thwarting FBI investigators.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

A destructive cyberattack in Poland raises NATO 'red-line' questions

Security Conversations — Fri, 30 Jan 2026 13:00:00 -0700

(Presented by Material Security: We protect your company’s most valuable materials -- the emails, files, and accounts that live in your Google Workspace and Microsoft 365 cloud offices.)

Three Buddy Problem - Episode 83: Poland's CERT documents a rare, explicit wiper attack on civilians in a NATO country, including detailed attribution of a Russian government op targeting the electric grid in the heart of winter. We examine why this crosses a long-avoided threshold, why attribution suddenly matters again, and what it says about pre-positioned access, vendor insecurity, and the shrinking gap between cyber operations and acts of war.

Plus, another Fortinet fiasco, a new batch of Ivanti zero-days under attack, an emergency patch from Microsoft and the return of the mysterious KasperSekrets account.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Cheap, AI-generated zero-days and the real meaning of ‘advanced’ malware

Security Conversations — Fri, 23 Jan 2026 12:30:00 -0700

(Presented by Material Security: We protect your company’s most valuable materials -- the emails, files, and accounts that live in your Google Workspace and Microsoft 365 cloud offices.)

Three Buddy Problem - Episode 82: We parse news that China-linked VoidLink is a malware framework created entirely by AI and the collapsing line between elite APT operations and everyday threat actors.

Plus, a new Sean Heelan essay on low-cost exploit generation and why “AI guardrails” are mostly a comforting myth; AI slop overwhelming bug bounty programs; CISA's new Brickstorm YARA rules; and fresh research on a wiper-malware found in Russian attacks against Poland's electricity sector.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Google Pixel 'zero-click' exploit caused by AI, mysterious Poland grid attacks, China bans US cybersecurity software

Security Conversations — Fri, 16 Jan 2026 12:00:00 -0700

(Presented by Material Security: We protect your company’s most valuable materials -- the emails, files, and accounts that live in your Google Workspace and Microsoft 365 cloud offices.)

Three Buddy Problem - Episode 81: We dissect New York Times reporting on the "precision" of US cyber operations in Venezuela, the competing narratives around offensive cyber capabilities and "letters of marque" for private hackers. Plus, a mysterious failed cyber attack on Poland's power grid, internet blackouts in Iran (with fascinating DNS telemetry revealing Chinese bank traffic and Russian website spikes), and news of China's ban on US/Israeli cybersecurity software.

We also cover Check Point's research on "VoidLink" (is it a successor to ShadowPad?), Microsoft's threat intelligence sharing practices, and Google Project Zero's disclosure of zero-click vulnerabilities caused by AI-powered transcription features.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Hamid Kashfi on the situation in Iran; Did cyber cause Venezuela blackouts?

Security Conversations — Fri, 09 Jan 2026 12:30:00 -0700

(Presented by Material Security: We protect your company’s most valuable materials -- the emails, files, and accounts that live in your Google Workspace and Microsoft 365 cloud offices.)

Three Buddy Problem - Episode 80: Researcher Hamid Kashfi returns to unpack Iran’s latest unrest, separating economic reality from propaganda while examining how information control, cyber pressure, and state surveillance are shaping events on the ground.

Plus, did cyber make the lights go out in Venezuela?

Cast: Hamid Kashfi, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

A special mailbag episode with book recommendations

Security Conversations — Fri, 02 Jan 2026 13:30:00 -0700

(Presented by Material Security: We protect your company’s most valuable materials -- the emails, files, and accounts that live in your Google Workspace and Microsoft 365 cloud offices.)

Three Buddy Problem - Episode 79: We cover MongoBleed (CVE‑2025‑14847), exposed MongoDB deployments, and the sad realization that zero-day attacks are a normal, everyday occurrence. Plus, AI’s expanding role and misuse across products and workflows, proximity attacks against Bluetooth audio devices, spyware sanctions de-listings, and ransomware economics.

In a special mailbag segment, we give our book recommendations and respond to common questions from the listeners.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Quiet Wins, Loud Failures: A Year-End Cybersecurity Reckoning

Security Conversations — Fri, 26 Dec 2025 16:00:00 -0700

(Presented by ThreatLocker: Allow what you need. Block everything else by default, including ransomware and rogue code.)

Three Buddy Problem - Episode 78: We close out the year with a no-budget, no-permission awards show, spotlighting the cybersecurity stories that actually mattered.

Plus, a bizarre polygraph scandal at CISA, Chinese APT research dumps, ransomware pre-notification hiccups, foreign drone bans, and the growing gap between cyber theater and real operational value.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

What's behind US gov push to 'privatize' offensive cyber operations?

Security Conversations — Sat, 20 Dec 2025 11:00:00 -0700

(Presented by ThreatLocker: Allow what you need. Block everything else by default, including ransomware and rogue code.)

Three Buddy Problem - Episode 77: New React2Shell data from Microsoft, fresh Apple and Cisco zero-days already in the wild, and state-linked campaigns from Russia and China that show a merging of espionage, crime, and infrastructure disruption.

Plus, the US government's push to enlist private firms in offensive hacking, letters of marque for cartels, new discovery of spyware used against journalists in Belarus, and Amazon catching North Koreans via keystroke latency.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Legal corruption, React2Shell exploitation, dual-use AI risks

Security Conversations — Thu, 11 Dec 2025 00:15:00 -0700

(Presented by ThreatLocker: Allow what you need. Block everything else by default, including ransomware and rogue code.)

Three Buddy Problem - Episode 76: On the show this week, Costin walks through how a single Romanian documentary kick-started nationwide protests, exposing how corruption can be perfectly legal when the law itself is gamed, and why this moment feels different, darker, and more consequential than past flare-ups.

Plus, news on the React-to-Shell exploitation wave overwhelming the internet, why patching is structurally hard, and how APTs and criminals are converging on the same fragile dependency chain. Along the way, they take aim at Microsoft’s shrinking transparency, the limits of vendor trust, and what it really means when defenders are told (again) to just patch and pray.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

APTs pounce on React2Shell; BRICKSTORM backdoors; .gov surveillance

Security Conversations — Sat, 06 Dec 2025 10:30:00 -0700

(Presented by ThreatLocker: Allow what you need. Block everything else by default, including ransomware and rogue code.)

Three Buddy Problem - Episode 75: We dig into a CVSS 10/10 unauthenticated RCE bug causing chaos across the internet and early signs that Chinese APTs are already launching exploits, the cascading patch chaos, and a long tail of malware intrusions to come.

Plus, commentary on Chrome’s telemetry collection, Microsoft and the "SFI success story," newest BRICKSTORM backdoor intrusions, the US national security strategy, Anthropic's AI popping smart-contract bugs, a secret FBI ransomware-hunting unit getting weird, and a pair of sad stories in the security community.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Shai-Hulud 2.0, Russia GRU Intrusions, and Microsoft’s Regulatory Capture

Security Conversations — Sat, 29 Nov 2025 11:30:00 -0700

(Presented by Material Security: We protect your company’s most valuable materials -- the emails, files, and accounts that live in your Google Workspace and Microsoft 365 cloud offices.)

Three Buddy Problem - Episode 74: We attempt to parse the rumor-fog around Microsoft’s CISO at CYBERWARCON and what it reveals about the company’s shifting posture on intel sharing, regulation, and its outsized grip on the security ecosystem. Plus, coverage of the Shai-Hulud npm supply-chain mess, CISA’s mobile spyware guidance, NSO’s legal contortions, a sharp new GRU-linked intrusion from Arctic Wolf.

We also discuss the FCC retreating on telco security rules, and the emerging AI arms race shaping how cloud giants hunt threats and how Washington misunderstands all of it.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Gemini 3 reactions, Fortinet/Chrome zero-days, a Cloudflare monoculture and a billion-dollar crypto twist

Security Conversations — Fri, 21 Nov 2025 12:00:00 -0700

(Presented by Material Security: We protect your company’s most valuable materials -- the emails, files, and accounts that live in your Google Workspace and Microsoft 365 cloud offices.)

Three Buddy Problem - Episode 73: The buddies react to Google’s release of Gemini 3 and its early performance, new Chrome interface changes landing on users’ machines, and major highlights from CYBERWARCON. We revisit the long-running debate over APT naming conventions, examine Amazon’s latest threat-intel reporting on Iranian activity, and walk through the Cloudflare outage that briefly knocked chunks of the internet offline.

Plus, new APT reports from ESET, Positive Technologies, and SecurityScorecard, and China's CN-CERT (now validated claim) that the U.S. government seized billions in Bitcoin tied to the Lubian mining-pool hack.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Anthropic Claude Code automating APT hacks, KnownSec leak, Chinese buses with remote access

Security Conversations — Fri, 14 Nov 2025 12:30:00 -0700

Presented by Material Security: We protect your company’s most valuable materials -- the emails, files, and accounts that live in your Google Workspace and Microsoft 365 cloud offices.

Three Buddy Problem - Episode 72: We unpack Anthropic’s conflicting self-promotion around the “first AI-orchestrated cyberattack” using Claude Code and the future of automated APT attacks.

Plus, Chinese cyber vendor KnownSec falls victim to data breach, fresh accusations that the U.S. stole billions in Bitcoin, Amazon warning about Cisco/Citrix zero-days, Google’s new Private AI Compute and Microsoft kernel zero-day marked as "actively exploited."

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

LIVE from Ring0 COUNTERMEASURE: Google v FFmpeg, Ransomware Turncoats, Samsung 0days

Security Conversations — Mon, 10 Nov 2025 11:15:00 -0700

Presented by Material Security: We protect your company’s most valuable materials -- the emails, files, and accounts that live in your Google Workspace and Microsoft 365 cloud offices.

Three Buddy Problem - Episode 71: The buddies travel to Canada for a live recording at the Countermeasure conference, discussing the Google v FFmpeg open-source patching brouhana, ransomware negotiators charged and linked to ransomware attacks, the looming TP-Link ban in the U.S., and the discovery of LANDFALL, an APT attack caught using a Samsung mobile zero-day.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Material Security — We protect your company’s most valuable materials — the emails, files, and accounts that live in your Google Workspace & Microsoft 365 cloud offices.
Transcript (unedited, AI-generated)
FFmpeg complains about Google BigSleep AI
Google v FFmpeg brouhaha
Curl's Daniel Stenberg on a new breed of AI analyzers
unit42.paloaltonetworks.com
iOS 26.1 security updates
U.S. agencies back banning TP-Link home routers on security grounds
TLP BLACK

OpenAI’s Dave Aitel talks Aardvark, economics of bug-hunting with LLMs

Security Conversations — Fri, 31 Oct 2025 11:30:00 -0700

Three Buddy Problem - Episode 70: Dave Aitel from OpenAI's technical staff joins the buddies to discuss the just-launched Aardvark, OpenAI’s agentic “security researcher” that claims to read code, finds bugs, validates exploits, and ships patches. We press him on where LLMs beat fuzzers, privacy boundaries, human-in-the-loop realities, SDLC budgets, pen-test cadence, and the zero-day economy.

Plus, L3 Harris/Trenchant exec pleads guilty to selling exploits to Russian brokers, Kaspersky catches the return of HackingTeam using Chrome zero-day exploit chain, and news of a proposed law in Russia to force researchers to report vulnerabilities first to goverment agencies.

Cast: Dave Aitel (Technical Staff, OpenAI), Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Apple’s iOS forensics freeze, WhatsApp zero-click, China outs NSA

Security Conversations — Fri, 24 Oct 2025 12:00:00 -0700

Three Buddy Problem - Episode 69: We dig into news that Apple's iOS 26 has quietly killed the shutdown.log forensic artifact used to spot signs of infections and what it means for threat hunters. Plus, whispers of a million-dollar WhatsApp zero-click exploit that never materialized at Pwn2Own, a surreal court case linking a Trenchant exploit developer to Russian buyers, and Chinese threat intel reports pointing fingers at the NSA.

We also discuss calls for the US government to build a structured, lawful ecosystem for private-sector offensive operations to address existing chaos and market gaps.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

JAGS LABScon 2025 keynote: Steps to an ecology of cyber

Security Conversations — Sat, 18 Oct 2025 06:30:00 -0700

Three Buddy Problem (Episode 68): The buddies are trapped in timezone hell with cross-country travel this week.

In this special episode, we present Juan Andres Guerrero-Saade's LABScon 2025 keynote-day presentation on the state of cybersecurity and why this phase of our collective project has failed, and how to build something smarter, more sustainable, and deeply interconnected in its place.

Juanito traces the field’s evolution from chaos to consolidation, weaving in cybernetics, standardization, and the dawning coexistence of human and artificial evaluative power. The result is part philosophical sermon, part rallying cry, an invitation to reject the industry’s slave morality, rethink our tools, and steer the next era of defense with intention.

Links:

Apple Exploit-Chain Bounties, Wireless Proximity Exploits and Tactical Suitcases

Security Conversations — Sat, 11 Oct 2025 11:30:00 -0700

Three Buddy Problem - Episode 67: We discuss the rise of automated red-teaming, Apple’s $2 million exploit chain bounties aimed at outbidding spyware brokers and the iPhone maker's focus on wireless proximity attacks and “tactical suitcase” Wi-Fi exploits. We also hit the news of Paragon spyware targeting European executives and the bizarre story of NSO Group’s supposed US investor buyout.

Plus, an update on Oracle’s zero-day ransomware fiasco, Ivanti’s endless patch delays, the ethics of journalists enabling ransomware operations on leak sites, Europe’s latest failed push for Chat Control, and VirusTotal’s new pricing tiers.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Oracle cl0p ransomware crisis, EU drone sightings, Cisco bootkit fallout

Security Conversations — Fri, 03 Oct 2025 11:30:00 -0700

Three Buddy Problem - Episode 66: We discuss drone sightings that shut down airports across Europe and what they reveal about hybrid warfare and the changing nature of conflict; Oracle ransomware/extortion campaign tied to unpatched E-Business Suite vulnerabilities and the company’s muted response.

Plus, the TikTok–Oracle deal and the strange role Oracle now plays in U.S. national security; OpenAI’s Sora 2 launch and its implications for social media and human expression; Palo Alto’s “Phantom Taurus” APT report, a follow-up on Cisco’s ArcaneDoor disclosures, and the impact of the U.S. government shutdown on CISA.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Cisco firewall zero-days and bootkits in the wild

Security Conversations — Sat, 27 Sep 2025 11:00:00 -0700

Three Buddy Problem - Episode 65: We zero in on one of the biggest security stories of the year: the discovery of a persistent multi-stage bootkit implanting malware on Cisco ASA firewalls. Details on a new campaign, tied to the same threat actors behind ArcaneDoor, exploiting zero-days in Cisco’s 5500-X series appliances, devices that sit at the heart of government and enterprise networks worldwide.

Plus, Cisco’s controversial handling of these disclosures, CISA's emergency deadlines for patching, the absence of IOCs and samples, and China’s long-term positioning. Plus, thoughts on the Secret Service SIM farm discovery in New York and evidence of Russians APTs Turla and Gamaredon collaborating to hit Ukraine targets.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Live at LABScon: Aurora Johnson and Trevor Hilligoss on China's 'internet toilets'

Security Conversations — Wed, 24 Sep 2025 11:30:00 -0700

Three Buddy Problem - Episode 64: SpyCloud Labs researchers Aurora Johnson and Trevor Hilligoss discuss the world of “internet toilets," the toxic online communities in China where harassment, stalking, and sextortion thrive. We explore how these groups operate, from doxing ex-lovers and enemies to running coordinated campaigns of cyberbullying that often spill into real-world harm. (Recorded at LABScon 2025).

Cast: Aurora Johnson, Trevor Hilligoss, Ryan Naraine and Juan Andres Guerrero-Saade.

Links:

Live at LABScon: Visi Stark shares memories of creating the APT1 report

Security Conversations — Wed, 24 Sep 2025 11:00:00 -0700

Three Buddy Problem - Episode 63: Co-founder of the Vertex Project Visi Stark joins the buddies to reminisce about his work writing Mandiant's famous APT1 report, the China-nexus threat landscape, the value of cyber threat intelligence, APT-naming schemes, and more... (Recorded at LABScon 2025)

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Visi Stark.

Links:

Live at LABScon: Lindsay Freeman on tracking Wagner Group war crimes

Security Conversations — Wed, 24 Sep 2025 10:30:00 -0700

Three Buddy Problem - Episode 62: Lindsay Freeman, Director of the Technology, Law & Policy program at the Human Rights Center, UC Berkeley School of Law, joins the show to discuss her team's meticulous work to document the Wagner Group's chain of command, military operations in parts of Africa, and the broadcasting of war crimes on social media platforms like Telegram. (Recorded at LABScon 2025)

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Lindsay Freeman.

Links:

Can Apple's New Anti-Exploit Tech Stop iPhone Spyware Attacks?

Security Conversations — Tue, 09 Sep 2025 15:00:00 -0700

Three Buddy Problem - Episode 61: We cover a pair of software supply chain breaches (Salesforce Salesloft Drift and NPM/GitHub) that raises big questions about SaaS integrations and the ripple effects across major security vendors.

Plus, Apple’s new Memory Integrity Enforcement in iPhone 17 and discussion on commercial spyware infections and the value of Apple notifications; concerns around Chinese hardware and surveillance equipment in US infrastructure; Silicon Valley profiting from China’s surveillance ecosystem; and controversy around a Huntress disclosure of an attacker’s operations after an EDR agent was mistakenly installed.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Salt Typhoon IOCs, Google floats ‘cyber disruption unit’, WhatsApp 0-click

Security Conversations — Fri, 29 Aug 2025 12:00:00 -0700

Three Buddy Problem - Episode 60: We dissect a fresh multi-agency Salt Typhoon advisory (with IOCs and YARA rules!), why it landed late, why the wall of logos matters (and doesn’t), and what’s actually usable for defenders: new YARA, tool hashes, naming ambiguity across reports, the mention of Chinese vendors, and a Dutch note that smaller ISPs were hit.

Plus, Costin details his hunting stack and philosophy (historic IOC/malware hoarding, fast pivots, and AI as analyst “wingman”) and a new Chinese APT report that may intersect with LightBasin and the murky PSOA world.

We also debate Google’s proposed “cyber disruption unit” versus Microsoft’s DCU (legal vs. “ethical” takedowns, PR, and business models); react to Anthropic’s report on real attacker use of Claude; note Amazon’s APT29 watering-hole disruption; and close on a fresh WhatsApp-to-ImageIO zero-click chain and practical phone OPSEC.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Zero-day reality check: iOS exploits, MAPP in China and the hack-back temptation

Security Conversations — Fri, 22 Aug 2025 12:00:00 -0700

Three Buddy Problem - Episode 59: Apple drops another emergency iOS patch and we unpack what that “may have been exploited” language really means: zero-click chains, why notifications help but forensics don’t, and the uncomfortable truth that Lockdown Mode is increasingly the default for high-risk users. We connect the dots from ImageIO bugs to geopolitics, discuss who’s likely using these exploits, why Apple’s guidance stops short, and the practical playbook (ADP on, reboot often, reduce attack surface) that actually works.

Plus, we debate Microsoft throttling MAPP access for Chinese vendors, the idea of “letters of marque” for cyber (outsourced offense: smart deterrent or Pandora’s box?), and dissect two case studies that blur APT and crimeware: PipeMagic’s CLFS zero-day and Russia-linked “Static Tundra” riding seven-year-old Cisco bugs.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

On AI’s future, security’s failures, and what comes next...

Security Conversations — Fri, 15 Aug 2025 13:00:00 -0700

Three Buddy Problem - Episode 58: The buddies react to the Brandon Dixon episode, digging into what it’s really like to scale products inside a tech giant, navigate politics, and bring features to millions of machines. Plus, an exploration of the AI cybersecurity gold rush, the promise and hype, and the gamble for startups versus the slow-moving advantage of incumbents.

We revisit the Chinese "cyber militia" discussion and the looming AI “dot-com bubble,” the value of owning infrastructure, Nvidia and export controls, China’s manufacturing edge, and the geopolitics of supply chains.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Live from Black Hat: Brandon Dixon parses the AI security hype

Security Conversations — Thu, 07 Aug 2025 09:00:00 -0700

Three Buddy Problem - Episode 57: Brandon Dixon (PassiveTotal/RiskIQ, Microsoft) leads a deep-dive into the collision of AI and cybersecurity. We tackle Google’s “Big Sleep” project, XBOW’s HackerOne automation hype, the long-running tension between big tech ownership of critical security tools and the community’s need for open access.

Plus, the future of SOC automation to AI-assisted pen testing, how agentic AI could transform the cyber talent bottlenecks and operational inefficiencies, geopolitical debates over backdoors in GPUs and the strategic implications of China’s AI model development.

Cast: Brandon Dixon, Juan Andres Guerrero-Saade, and Ryan Naraine.

Links:

Rethinking APT Attribution: Dakota Cary on Chinese Contractors and Espionage-as-a-Service

Security Conversations — Fri, 01 Aug 2025 11:00:00 -0700

Three Buddy Problem - Episode 56: China-focused researcher Dakota Cary joins the buddies to dig into China’s sprawling cyber ecosystem, from the HAFNIUM indictments and MSS tasking pipelines to the murky world of APT contractors and the ransomware hustle. We break down China’s “entrepreneurial” model of intelligence collection, why public visibility into these threat actors is so hard to get right, and how companies like Microsoft get caught in the geopolitical crossfire.

Plus: a deep dive on suspected MAPP leaks and Sharepoint zero-days, Singapore targeted by extremely sophisticated China-nexus hacking group, soft censorship in corporate threat-intel, and whether the U.S. should rethink how it fills its intelligence gaps.

Cast: Dakota Cary, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Transcript (unedited, AI-generated)
Dakota Cary on LinkedIn
China’s Covert Capabilities -- Silk Spun From Hafnium
HAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China’s Cyber Ecosystem
Microsoft Probing Whether Chinese Hackers Found Flaw Via MAPP
Cybersecurity Law of the People’s Republic of China
Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats
Fire Ant: Hypervisor-Level Espionage Targeting VMware ESXi & vCenter
Singapore actively dealing with ongoing China cyberattack
Iranians Targeted With Spyware in Lead-Up to War With Israel — all inside Iran and working either in the country’s technology sector or for the government.
LABScon 2025
Apple in China (book)

Microsoft Sharepoint security crisis: Faulty patches, Toolshell zero-days

Security Conversations — Fri, 25 Jul 2025 02:30:00 -0700

Three Buddy Problem - Episode 55: A SharePoint zero-day exploit chain from Pwn2Own Berlin becomes a full-blown security crisis with Chinese nation-state actors exploiting vulnerabilities that Microsoft struggled to patch properly, leading to trivial bypasses and a cascade of new CVEs. The timeline is messy, the patches are faulty, and ransomware groups are lining up to join the party.

We also revisit the ProPublica bombshell about Microsoft's "digital escorts" and U.S. government data exposure to Chinese adversaries and the company's "oops, we will stop" response. Plus, trusting Google's Big Sleep AI claims and a cautionary tale about AI agents gone rogue that wiped out a production database.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Train brake hack, GRU sanctions, Wagner war crimes, Microsoft's Chinese ‘digital escorts’

Security Conversations — Fri, 18 Jul 2025 10:00:00 -0700

Three Buddy Problem - Episode 54: Europol busted pro‑Russian hacktivist crew NoName 057(16), the Brits announce sanctions on Russia’s GRU cyber units, Wagner‑linked “war influencers” streamed atrocities from Africa, and fresh tech worries ranged from a $500 RF flaw that can hijack U.S. train brakes.

Plus, ProPublica on Microsoft’s China‑based “digital escorts,” Google’s headline‑grabbing AI‑found SQLite zero‑day, and OpenAI’s new task‑running agents. Meanwhile, Ukraine’s hackers wiped a Russian drone maker, ransomware crippled a major vodka producer, and another Chrome zero‑day quietly underscored how routine critical exploits have become.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

How did China get Microsoft's zero-day exploits?

Security Conversations — Thu, 10 Jul 2025 12:00:00 -0700

Three Buddy Problem - Episode 53: We dig into news of the first-ever arrest of a Chinese intelligence-linked hacker in Italy, unpack the mystery behind HAFNIUM and how they somehow got their hands on the same Microsoft Exchange zero-days that researcher Orange Tsai discovered - was it coincidence, inside access, or something more sinister?

Plus, China's massive cyber capabilities pipeline, ‘theCom’ teenagers arrested in the UK after ransomware binge, and spyware attacks against Russian organizations.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Who’s hacking who? Ivanti 0-days in France, China outs 'Night Eagle' APT

Security Conversations — Thu, 03 Jul 2025 15:00:00 -0700

Three Buddy Problem - Episode 52: Fresh intelligence reports out of Europe and China: France’s ANSSI documents a string of Ivanti VPN zero-days ('Houken'), and Quanxin frames a stealth Microsoft Exchange-zero-day chain linked to a North American 'Night Eagle' threat actor. We dissect the technical bread-crumbs, questions the attribution math, and connects Houken to SentinelOne’s “Purple Haze” research.

Plus, the FBI’s claim that China’s “Salt Typhoon” has been “contained,” Iran’s Nobitex crypto-exchange breach (Predatory Sparrow torches $90 million and leaks the source code), Iranian cyber capabilities and sanctions avoidance.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Israel-Iran cyberwar: Predatory Sparrow, vanishing crypto, destructive bank hacks

Security Conversations — Fri, 20 Jun 2025 02:00:00 -0700

Three Buddy Problem - Episode 51: Former Immunity/Trail of Bits researcher Hamid Kashfi joins the buddies for a fast-moving tour of cyber activities in the Israel-Iran war. The crew unpacks who 'Predatory Sparrow' is, why Sepah Bank and the Nobitex crypto exchange were hit, and what a $90 million cryptocurrency burn really means. Plus, radar-blinding cyberattacks that paved the way for Israel’s air raid, the human cost of sudden ATM outages and unpaid salaries, and the puzzling “Code Breakers” data leak that preceded it all.

Hamid shares on-the-ground context, the buddies debate whether cyber operations can sway a shooting war, and everyone tries to gauge Iran’s true offensive muscle under sanctions.

Cast: Hamid Kashfi, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Cyber flashpoints in Israel-Iran war, the 'magnet of threats', Mossad drone swarms

Security Conversations — Fri, 13 Jun 2025 12:00:00 -0700

Three Buddy Problem - Episode 50: This week, we dissect cyber flashpoints in the Iran-Israel war, revisit the “magnet of threats” server in Iran that attracted APTs from multiple nation-states, and react to Israel's Mossad sneaking explosive drone swarms deep into Iran to support airstrikes.

Plus, Stealth Falcon’s new WebDAV zero-day, SentinelOne’s brush with Chinese APTs, Citizen Lab’s forensic takedown of Paragon’s iPhone spyware, and the sneaky Meta/Yandex trick that links Android web browsing to app IDs.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Mikko Hypponen talks drone warfare, APT naming schemes

Security Conversations — Fri, 06 Jun 2025 11:00:00 -0700

Three Buddy Problem - Episode 49: Cybersecurity veteran Mikko Hypponen joins the show to discuss the fast-changing life and times on NATO’s newest frontline, how Ukraine’s long-range “Spiderweb” drone swarms punched holes in Russian air bases, the cyber connections to the escalating drone warfare, and the coming wave of autonomous “killer robots”.

Plus, news on Ukraine’s hack of bomber-maker Tupolev, the industry’s never-ending APT naming mess, iVerify’s newly disclosed iMessage zero-click bug, fresh Qualcomm GPU exploits still unpatched on Android devices, and Cellebrite’s purchase of Corellium.

Cast: Ryan Naraine, Costin Raiu and Mikko Hypponen

Juan Andres Guerrero-Saade is out this week at Sleuthcon.

Links:

The dark hole of 'friendlies' and Western APTs

Security Conversations — Fri, 30 May 2025 11:30:00 -0700

Three Buddy Problem - Episode 48: We unpack a Dutch intelligence agencies report on ‘Laundry Bear’ and Microsoft’s parallel ‘Void Blizzard’ write-up, finding major gaps and bemoaning the absence of IOCs. Plus, discussion on why threat-intel naming is so messy, how initial-access brokers are powering even nation-state break-ins, and whether customers (or vendors) are to blame for the confusion.

Plus, thoughts on an academic paper on the vanishing art of Western companies exposing Western (friendly) APT operations, debate whether stealth or self-censorship is to blame, and the long-tail effects on cyber paleontology.

We also dig into Sean Heelan’s proof that OpenAI’s new reasoning model can spot a Linux kernel 0-day and the implications for humans in the bug-hunting chain.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Russia hacks Ukraine war supply lines, Signal blocks Windows screenshots, BadSuccessor vuln disclosure debate

Security Conversations — Fri, 23 May 2025 11:30:00 -0700

Three Buddy Problem - Episode 47: We unpack a multi-agency report on Russia’s APT28/Fancy Bear hacking and spying on Ukraine war supply lines, CISA’s sloppy YARA rules riddled with false positives, the ethics of full-disclosure after Akamai dropped Windows Server “BadSuccessor” exploit details, and Sekoia’s discovery of thousands of hijacked edge devices repurposed as honeypots.

The back half veers into Microsoft’s resurrected Windows Recall, Signal’s new screenshot-blocking countermeasure, Japan’s fresh legal mandate for pre-emptive cyber strikes, and why appliance vendors like Ivanti keep landing in the headlines.

Along the way you get hot takes on techno-feudalism, Johnny Ive’s rumored AI gadget, and a lively debate over whether publishing exploit code ever helps defenders.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

A Coinbase breach with bribes, rogue contractors and a $20M ransom demand

Security Conversations — Fri, 16 May 2025 11:15:00 -0700

Three Buddy Problem - Episode 46: We dig into a Coinbase breach headlined by bribes, rogue contractors and a $20 million ransom demand. Plus, (another!) batch of Ivanti and Microsoft zero-days being exploited in the wild, a new 'Intrusion Logging' feature coming to Android, Apple's iOS 18.5 patches, and the EU announcing its own vulnerability database and software vendor secure-coding pledge.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

JAGS keynote: The intricacies of wartime cyber threat intelligence

Security Conversations — Fri, 09 May 2025 09:30:00 -0700

Three Buddy Problem - Episode 45: (The buddies are trapped in timezone hell with cross-continent travel this week).

In the meantime, absorb this keynote presented by Juan Andres Guerrero-Saade (JAG-S) at CounterThreats 2023. It's a frank discussion on the role of cyber threat intelligence (CTI) during wartime and its importance in bridging information gaps between adversaries. Includes talk on the ethical challenges in CTI, questioning the impact of intelligence-sharing and how cyber operations affect real-world conflicts. He pointed to Ukraine and Israel as examples where CTI plays a critical, yet complicated, role. His message: cybersecurity pros need to be aware of the real-world consequences of their work and the ethical responsibility that comes with it.

Acknowledgment: Credit for the audio goes to CyberThreat 2023, SANS Institute, NCSC, and SentinelOne.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Signalgate redux, OpenAI's Aardvark, normalizing cyber offense

Security Conversations — Sat, 03 May 2025 12:30:00 -0700

Three Buddy Problem - Episode 44: We unpack news that US government officials are using an obscure app to archive Signal messages, OpenAI’s new “Aardvark” code-evaluation and reasoning model and leapfrog implications, NSC cyber lead Alexei Bulazel on normalizing US offensive operations, and JP Morgan Chase CISO’s warning to software vendors.

Plus, fresh SentinelOne threat-intel notes, France’s attribution of GRU activity and a head-scratching $330 million Bitcoin heist.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

Thomas Rid joins the show: AI consciousness, TP-Link's China connection, trust in hardware security

Security Conversations — Fri, 25 Apr 2025 11:00:00 -0700

Three Buddy Problem - Episode 43: Director of the Alperovitch Institute for Cybersecurity Studies Thomas Rid joins the show for a deep-dive into the philosophical and ethical considerations surrounding AI consciousness and anthropomorphism. We dig into the multifaceted implications of AI technology, particularly focusing on data privacy, national security, and the philosophical questions surrounding AI consciousness and rights.

Plus, TP-Link under US government investigation and the broader issues of consumer trust in hardware security, the need for regulation and inspectability of technology, and the struggles with patching network devices.

Cast: Thomas Rid, Juan Andres Guerrero-Saade and Ryan Naraine. Costin Raiu is away this week.

Links:

China doxxes NSA, CVE's funding crisis, Apple's zero-day troubles

Security Conversations — Thu, 17 Apr 2025 11:00:00 -0700

Three Buddy Problem - Episode 42: We dig into news that China secretly fessed up to the Volt Typhoon hacks and followed up with claims that named NSA agents launched advanced cyberattacks against the Asian Winter Games. Plus, the MITRE CVE funding crisis, new Apple 0days in the wild includes PAC bypass exploit, Microsoft Patch Tuesday zero-days.

Plus, the effectiveness of Lockdown Mode, the rising costs of mobile exploits, Chris Krebs' exit from SentinelOne after a presidential executive order, and the value and effectiveness of security clearances.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

NSA director fired, Ivanti's 0day screw-up, backdoor in robot dogs

Security Conversations — Fri, 04 Apr 2025 10:00:00 -0700

Three Buddy Problem - Episode 41: Costin and Juanito join the show from Black Hat Asia in Singapore. We discuss Bunnie Huang's keynote on hardware supply chains and a classification system to establish a grounded perspective on trust in hardware, Ivanti's misdiagnosis of a critical VPN applicance flaw and Mandiant reporting on a Chinese APT exploiting Ivanti devices. Plus, breaking news on the sudden firing of NSA director and head of Cyber Command Tim Haugh.

We also discuss Microsoft touting AI's value in finding open-source bootloader bugs, Silent Push report on a RUssian APT impersonating the CIA, a backdoor in a popular Chinese robot dog, and Chinese dominance of the robotics market.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

Signalgate and ID management hiccups, PuzzleMaker and Chrome 0days, Lab Dookhtegan returns

Security Conversations — Fri, 28 Mar 2025 11:30:00 -0700

Three Buddy Problem - Episode 40: On the show this week, we look at the technical deficiencies and opsec concerns around the use of Signal for ultra-sensitive communications. Plus, some speculation on who's behind Kaspersky’s ‘Operation Forum Troll’ report, Chinese discussion on NSA/CIA mobile networks exploitation, and the return of ‘Lab Dookhtegan’ hack-and-leak exposures.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

China exposing Taiwan hacks, Paragon spyware and WhatsApp exploits, CISA budget cuts

Security Conversations — Fri, 21 Mar 2025 13:00:00 -0700

Three Buddy Problem - Episode 39: Luta Security CEO Katie Moussouris joins the buddies to parse news around a coordinated Chinese exposure of Taiwan APT actors, CitizenLab's report on Paragon spyware and WhatsApp exploits, an “official” Russian government exploit-buying operation shopping for Telegram exploits, the fragmentation of exploit markets and the future of CISA in the face of budget cuts and layoffs.

Cast: Katie Moussouris, Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

A half-dozen Microsoft zero-days, Juniper router backdoors, advanced bootkit hunting

Security Conversations — Fri, 14 Mar 2025 12:00:00 -0700

Three Buddy Problem - Episode 38: On the show this week, we look at a hefty batch of Microsoft zero-days exploited in the wild, iOS 18.3.2 fixing an exploited WebKit bug, a mysterious Unpatched.ai being credited with Microsoft Access RCE flaws, and OpenAI lobbying for the US to ban China's DeepSeek.

Plus, discussion on a Binarly technical paper with new approach to finding UEFI bootkits, Mandiant flagging custom backdoors on Juniper routers, and MEV 'sandwich attacks' front-running cryptocurrency transactions.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

Revisiting the Lamberts, i-Soon indictments, VMware zero-days

Security Conversations — Sat, 08 Mar 2025 11:00:00 -0700

Three Buddy Problem - Episode 37: This week, we revisit the public reporting on a US/Russia cyber stand down order, CISA declaring no change to its position on tracking Russian threats, and the high-level diplomatic optics at play.

Plus, a dissection of ‘The Lamberts’ APT and connections to US intelligence agencies, attribution around ‘Operation Triangulation’ and the lack of recent visibility into these actors. We also discuss a fresh batch of VMware zero-days, China’s i-Soon ‘hackers-for-hire’ indictments, the Pangu/i-Soon connection, and a new wave of Apple threat-intel warnings about mercenary spyware infections.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

Lazarus ByBit $1.4B heist was supply chain attack on developer

Security Conversations — Sat, 01 Mar 2025 09:00:00 -0700

Three Buddy Problem - Episode 36: Ryan and Juanito join the show from the RE//verse conference with discussion on Natalie Silvanovic’s keynote on hunting for bugs in mobile messengers, the thrill of looking at exposed attack surfaces and the grueling “losses” bug hunters endure before a breakthrough.

We also cover the latest on the $1.4 billion ByBit hack pinned on the Lazarus Group and the malicious JavaScript supply chain attack at the center of the cryptocurrency heist. Plus, the ethical gray zones of tethered exploits via Cellebrite, the whiplash of AI-driven threat intel, and the looming pivot in U.S. cyber policy signaling a stand-down on Russia-focused ops.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

North Korea's biggest ever crypto heist: $1.4B stolen from Bybit

Security Conversations — Sun, 23 Feb 2025 12:00:00 -0700

Three Buddy Problem - Episode 35: Juanito is live from DistrictCon with notes on discussion of an elusive iOS zero-day by a company called QuaDream and Apple’s controversial removal of iCloud backup end-to-end encryption in the UK. We also cover a staggering $1.4 billion hack by the Lazarus Group against Bybit, new angles in NSA-linked cyber-espionage against China’s top universities, Chinese hacking gangs moonlighting as ransomware criminals, and Russian APTs abusing Signal’s “linked devices” feature. Plus, Costin explains Microsoft’s quantum computing breakthrough.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

An 'extremely sophisticated' iPhone hack; Google flags major AMD microcode bug

Security Conversations — Sat, 15 Feb 2025 11:00:00 -0700

Three Buddy Problem - Episode 34: We dig into the latest exploited Apple iPhone zero-day (USB Restricted Mode bypass), an AMD microcode flaw so serious it’s not being fully disclosed, a barrage of Patch Tuesday updates, the helpless nature of trying to defend corporate networks, Russian threat actor movements, and fresh intel from Rapid7, Volexity, and Microsoft.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

Unpacking the UK government's secret iCloud backdoor demand

Security Conversations — Sat, 08 Feb 2025 12:00:00 -0700

Three Buddy Problem - Episode 33: In this episode, we unpack the UK government's secret push for backdoor access to encrypted iCloud data, Apple’s approach to iCloud encryption, and the broader implications for privacy and security on a global scale. Plus, how security agencies handle zero-day vulnerabilities, surveillance spyware and mercenary hacking, and TikTok-powered election disinformation and interference.

From wormable exploits like Eternal Bue to the realities of AI-based spying, the episode offers a detailed look into how government oversight, private sector collaboration, and shifting market forces have reshaped the way we think about cybersecurity.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

Inside the DeepSeek AI existential crisis, Chinese 'backdoor' in medical devices

Security Conversations — Fri, 31 Jan 2025 12:30:00 -0700

Three Buddy Problem - Episode 32: In this episode, we rummage through the DeepSeek hype and break down what makes it different from OpenAI’s models, why it’s stirring up existential controversies, and what it means for the broader tech landscape. We get into the privacy concerns, the geo-political implications, how AI models handle data, the ongoing debate over IP theft and innovation, and the challenges that come with a Chinese company shipping an open-source alternative.

Beyond AI, we dig into some of the latest headlines; from a Chinese ‘backdoor’ in medical devices, problems with CISA’s backdoor bulletin, the risks of insecure IoT, phishing attacks on influencers, and ongoing battles over censorship in the VPN space. We also touch on WhatsApp catching spyware vendor Paragon Solutions and potential shifts in U.S. government policy on commercial mercenary hacking and surveillance companies.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

Death of the CSRB, zero-days storms at the edge, Juniper router backdoors

Security Conversations — Fri, 24 Jan 2025 14:30:00 -0700

Three Buddy Problem - Episode 31: Dennis Fisher steps in for Ryan Naraine to moderate discussion on a very busy week in cybersecurity. The cast dig into the wave of big research reports, the disbanding of the Cyber Safety Review Board (CSRB), the ongoing flood of exploits targeting security appliances from Ivanti and SonicWall, and the recent Lumen research on Juniper router backdoors.

Plus, the challenges of coordinating disclosures, the tough realities of intelligence work, and the complex landscape of nation-state attacks -- especially around Chinese threat actors and Western defenses.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Dennis Fisher.

Ryan Naraine in on work travel.

Links:

Inside the PlugX malware removal operation, CISA takes victory lap and another Fortinet 0day

Security Conversations — Fri, 17 Jan 2025 12:30:00 -0700

Three Buddy Problem - Episode 30: We discuss French threat-intel Sekoia creating a portal to handle “sovereign disinfections” of the PlugX malware, CISA leadership taking a victory lap using the ‘Secure by Design’ pledge as a trophy, the new Biden cybersecurity Executive Order, another Fortinet zero-day, the TikTok ban and Ukrainian hackers targeting Russian companies.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

Hijacking .gov backdoors, Ivanti 0days and a Samsung 0-click vuln

Security Conversations — Fri, 10 Jan 2025 12:00:00 -0700

Three Buddy Problem - Episode 29: Another day, another Ivanti zero-day being exploited in the wild. Plus, China's strange response to Volt Typhoon attribution, Japan blames China for hacks, a Samsung 0-click vulnerability found by Project Zero, Kim Zetter's reporting on drone sightings and a nuclear scare. Plus, hijacking abandoned .gov backdoors and Ukrainian hacktivists wiping a major Russian ISP.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

US Treasury hacked via BeyondTrust, MISP and the threat actor naming mess

Security Conversations — Fri, 03 Jan 2025 12:00:00 -0700

Three Buddy Problem - Episode 28: In this episode, we explore the ongoing challenges of threat actor naming in cybersecurity and the confusion caused by a lack of standardization, methodological inconsistencies and skewed, marketing-driven incentives.

Plus, the US Treasury/BeyondTrust hack, the surge in 0day discoveries, a new variant of the Xdr33 CIA Hive malware, and exclusive new information on the Cyberhaven Chrome extension security incident.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

Palo Alto network edge device backdoor, Cyberhaven browser extension hack, 2024 research highlights

Security Conversations — Fri, 27 Dec 2024 11:30:00 -0700

Three Buddy Problem - Episode 27: We discuss the discovery of a Palo Alto network firewall attack and a stealthy network ed ge device backdoor (LITTLELAMB.WOOLTEA), the Cyberhaven hack and the shady world of browser extensions, and a look back at the top research projects that caught our attention in 2025.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

US government's VPN advice, dropping bombs on ransomware gangs

Security Conversations — Mon, 23 Dec 2024 12:30:00 -0700

Three Buddy Problem - Episode 26: We dive deep into the shadowy world of surveillance and cyber operations, unpacking Amnesty International's explosive report on NoviSpy, a previously unknown Android implant used against Serbian activists, and the links to Israeli forensics software vendor Cellebrite.

Plus, thoughts on the US government’s controversial guidance on VPNs, Chinese reports on US intel agency hacking, TP-Link sanctions chatter, Mossad's dramatic exploding beeper operation and the ethical, legal, and security implications of escalating cyber-deterrence. Also, a mysterious BeyondTrust 0-day!

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

Surveillance economics, Turla and Careto, and the AI screenshots nobody asked for

Security Conversations — Fri, 13 Dec 2024 11:00:00 -0700

Three Buddy Problem - Episode 25: An update on Romania’s cancelled election, the implications of TikTok on democratic processes, and the broader issues around surveillance capitalism and micro-targeting.

Plus, news on Turla piggybacking on cybercriminal malware to hit Ukraine, the return of Careto and the absence of IOCs, Claroty report on an Iran-linked cyberweapon targeting critical infrastructure, ethical considerations in cyberwarfare, and the implications of quantum computing on security and cryptocurrencies.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

Inside the Turla Playbook: Hijacking APTs and fourth-party espionage

Security Conversations — Sat, 07 Dec 2024 11:30:00 -0700

Three Buddy Problem - Episode 24: In this episode, we did into Lumen/Microsoft’s revelations on Russia's Turla APT stealing from a Pakistani APT, and issues around fourth-party espionage and problems with threat actor attribution. We also discuss Citizen Lab’s findings on Monokle-like spyware implanted by Russian authorities, the slow pace of Salt Typhoon disinfection, the Solana web3.js supply chain attack affecting crypto projects, and the Romanian election crisis over Russian interference via TikTok.

Cast: Juan Andres Guerrero-Saade, Costin Raiuand Ryan Naraine.

Links:

Volexity’s Steven Adair on Russian Wi-Fi hacks, memory forensics, appliance 0days and network inspectability

Security Conversations — Sat, 30 Nov 2024 11:00:00 -0700

Three Buddy Problem - Episode 23: Volexity founder Steven Adair joins the show to explore the significance of memory analysis and the technical challenges associated with memory dumping and forensics. We dig into Volexity’s “nearest neighbor” Wi-Fi hack discovery, gaps in EDR detection and telemetry, and some real-talk on the Volt Typhoon intrusions.

We also cover news on a Firefox zero-day exploited on the Tor browser, the professionalization of ransomware, ESET's discovery of a Linux bootkit (we have a scoop on the origins of this!), Binarly research on connections to LogoFAIL, and major visibility gaps in the firmware ecosystem.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Honorary buddy: Steven Adair (Volexity)

Links:

Russian APT weaponized nearby Wi-Fi networks in DC, new macOS zero-days, DOJ v Chrome

Security Conversations — Fri, 22 Nov 2024 12:00:00 -0700

Three Buddy Problem - Episode 22: We discuss Volexity’s presentation on Russian APT operators hacking Wi-Fi networks in “nearest neighbor attacks,” the Chinese surveillance state and its impact on global security, the NSA's strange call for better data sharing on Salt Typhoon intrusions, and the failures of regulatory bodies to address cybersecurity risks.

We also cover two new Apple zero-days being exploited in the wild, the US Government’s demand that Google sell the Chrome browser, and the value of data in the context of AI.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

What happens to CISA now? Is deterrence in cyber possible?

Security Conversations — Fri, 15 Nov 2024 12:00:00 -0700

Three Buddy Problem - Episode 21: We dig into an incredible government report on Iranian hacking group Emennet Pasargad and tradecraft during the Israel/Hamas war, why Predatory Sparrow could have been aimed at deterrence in cyber, and the FBI/CISA public confirmation of the mysterious Salt Typhoon hacks.

Plus, discussion on hina’s cyber capabilities, the narrative around “pre-positioning” for a Taiwan conflict, the blending of cyber and kinetic operations, and the long tail of Chinese researchers reporting Microsoft Windows vulnerabilities. The future of CISA is a recurring theme throughout this episode with some speculation about what happens to the agency under the Trump administration.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

Mysterious rebooting iPhones, EDR vendors spying on hackers, Bitcoin 'meatspace' attacks

Security Conversations — Sat, 09 Nov 2024 11:00:00 -0700

Three Buddy Problem - Episode 20: We revisit the ‘hack-back’ debate, the threshold for spying on adversaries, Palo Alto watching EDR bypass research to track threat actors, hot nuggets in Project Zero’s Clem Lecinge’s Hexacon talk, Apple’s new iOS update rebooting iPhones in law enforcement custody, the mysterious GoblinRAT backdoor, and physical ‘meatspace’ Bitcoin attacks and more details on North Korean cryptocurrency theft.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

The Sophos kernel implant, 'hack-back' implications, CIA malware in Venezuela

Security Conversations — Sun, 03 Nov 2024 12:00:00 -0700

Three Buddy Problem - Episode 19: We explore Ivan Kwiatkowski’s essay on the limits of threat intelligence, Sophos using kernel implants to surveil Chinese hackers, the concept of ‘hack-back’ and legal implications, geopolitical layers of cyber espionage, CIA malware in Venezuela, Vatican/Mossad mentioned in high-profile Italy hacks, and Canada bracing for .gov attacks from India.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

Fortinet 0days, Appin hack-for-hire exposé, crypto heists, Russians booted from Linux kernel

Security Conversations — Fri, 25 Oct 2024 12:00:00 -0700

Three Buddy Problem - Episode 18: This week’s show covers the White House's new Traffic Light Protocol (TLP) guidance, Reuters expose of Appin as a hack-for-hire mercenary company, Fortinet zero-day exploitation and missing CSRB investigations, major cryptocurrency heists, Apple opening Private Cloud Compute to public inspection, Russians removed from Linux kernel maintenance and China’s Antiy beefing with Sentinel One over APT reporting.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

ESET Israel wiper malware, China's Volt Typhoon response, Kaspersky sanctions and isolation

Security Conversations — Fri, 18 Oct 2024 12:45:00 -0700

Three Buddy Problem - Episode 17: News of a wiper malware attack in Israel implicating ESET, threats from wartime hacktivists, China's strange response to Volt Typhoon attribution and Section 702 messaging, an IE zero-day discovery and web browser rot in South Korea, the ongoing isolation of Kaspersky due to sanctions, and the geopolitical influences affecting cybersecurity reporting.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

Ep10: Volt Typhoon zero-day, Russia's APT29 reusing spyware exploits, Pavel Durov's arrest

Security Conversations — Fri, 30 Aug 2024 11:00:00 -0700

Three Buddy Problem - Episode 10: Top stories this week -- Volt Typhoon zero-day exploitation of Versa Director servers, Chinese APT building botnets with EOL routers, the gap in security solutions for network devices and appliances, Russia's APT29 (Midnight Blizzard) caught reusing exploits from NSO Group and Intellexa, Microsoft’s upcoming Windows endpoint security summit in response to the CrowdStrike incident, and the arrest of Telegram’s Pavel Durov in France. Plus, the NSA is launching a podcast.

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

Links:

Ep9: The blurring lines between nation-state APTs and the ransomware epidemic

Security Conversations — Fri, 23 Aug 2024 10:00:00 -0700

Three Buddy Problem - Episode 9: On this episode, we look at the hacking scene in Taiwan, the sad state of visibility into big malware campaigns, the absence of APTs linked to the prolific MIVD Dutch intelligence agency, the blurring lines between big ransomware heists and nation-state actors caught using ransomware as a tool for sabotage and misattribution.

Plus, Chinese mobile OS vendor Xiaoimi caught disabling parts of its infrastructure -- including its global app store -- to thwart Pwn2Own contestants; and news of an addition to the LABScon 2024 keynote stage.

Hosts: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh), Ryan Naraine (SecurityWeek)

Links:

Ep8: Microsoft's zero-days and a wormable Windows TCP/IP flaw known to China

Security Conversations — Sat, 17 Aug 2024 04:00:00 -0700

Three Buddy Problem - Episode 8: This week’s show digs into Microsoft’s in-the-wild zero-day woes, Patch Tuesday and the absence of IOCs, a wormable Windows TCP/IP flaw that the Chinese government knew about for months, Iran’s aggressive hacking US election targets, CrowdStrike v Qihoo360 and major problems with APT naming conventions.

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

Links:

Episode 8 Transcript
Six Windows Zero-Days Being Actively Exploited
CVE-2024-38063 - Windows Ping of Death
Wormable TCP/IP flaw known to China — Chinese researcher Xiao Wei of Cyber KunLun said he discovered the vulnerability “several months ago.”
Google TAG: Iran steps hacking against Israel, U.S.
Microsoft report on Iran election hacking
Qihoo claims CrowdStrike bug exploitable
CrowdStrike root cause analysis
LABScon - Speakers 2024

Ep6: After CrowdStrike chaos, should Microsoft kick EDR agents out of Windows kernel?

Security Conversations — Fri, 26 Jul 2024 01:00:00 -0700

Three Buddy Problem - Episode 6: As the dust settles on the CrowdStrike incident that blue-screened 8.5 million Windows computers worldwide, we dig into CrowdStrike’s preliminary incident report, the lack of transparency in the update process and the need for more robust testing and validation. We also discuss Microsoft's responsibility to avoid infinite BSOD loops, risks of deploying EDR agents on critical systems, and how an EU settlement is being blamed for EDR vendors having access to the Windows kernel.

Other topics on the show include Mandiant's attribution capabilities, North Korea’s gov-backed hacking teams launching ransomware on hospitals, KnowBe4 hiring a fake North Korean IT worker, and new developments in the NSO Group surveillance-ware lawsuit.

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

Links:

Ep5: CrowdStrike's faulty update shuts down global networks

Security Conversations — Fri, 19 Jul 2024 08:00:00 -0700

Three Buddy Problem - Episode 5: Hot off the press, we dive into the news of the CrowdStrike software update that caused blue screens on computers worldwide, the resulting chaos and potential connections to the Microsoft 365 outage, the fragility of modern computing and the risks of new software paradigms.

We also discuss the AT&T mega-breach and the ransom paid to delete the stolen data; the challenges of ransomware and the uncertainty surrounding the deletion of stolen data; the FBI gaining access to a password-protected phone, the prices for zero-click exploits; and the resurgence of APT 41 with expanding targets.

Plus, some news on upcoming keynote speakers at LabsCon 2024.

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

Links:

Costin Raiu: The GReAT exit interview

Security Conversations — Mon, 15 Jan 2024 11:00:00 -0700

Episode sponsors:

Binarly, the supply chain security experts (https://binarly.io)
FwHunt (https://fwhunt.run)

Costin Raiu has spent a lifetime in anti-malware research, working on some of the biggest nation-state APT cases in history, including Stuxnet, Duqu, Equation Group, Red October, Turla and Lazarus.

In this exit interview, Costin digs into why he left the GReAT team after 13 years at the helm, ethical questions on exposing certain APT operations, changes in the nation-state malware attribution game, technically impressive APT attacks, and the 'dark spots' where future-thinking APTs are living.

Links: