Risky Business Video
March 12, 2025
Risky Business Weekly (783): Evil webcam ransomwares entire Windows network
On this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news with special guest Rob Joyce, a former Special Assistant to the US President and Director of Cybersecurity for NSA.
They talk through:
- A realistic Bluetooth-proximity phishing attack against passkeys
- A very patient ransomware actor encrypts an entire enterprise with a puny Linux webcam processor
- The ESP32 backdoor that is neither a door nor at the back
- The X DDoS that Elon said was Ukraine is claimed by pro-Palestinian hacktivists
- Years later, LastPass hackers are still emptying crypto-wallets
- …and it turns out North Korea nailed {Safe}Wallet with a malicious Docker image. Nice!
Rob recently testified to the US House Select Committee on the Chinese Communist Party, and he explains why DOGE kicking probationary employees to the curb is “devastating” for the national security staff pipeline.
This week’s episode is sponsored by SpecterOps, makers of the BloodHound identity attack path mapping tool. Chief Product Officer Justin Kohler and Principal Security Researcher Lee Chagolla-Christensen discuss their pragmatic approach to disabling NTLM authentication in Active Directory using BloodHound’s insight.
Show notes:
CVE-2024-9956 - PassKey Account Takeover in All Mobile Browsers | Tobia Righi - Security Researcher https://mastersplinter.work/research/passkey/
Feds Link $150M Cyberheist to 2022 LastPass Hacks – Krebs on Security https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/
Camera off: Akira deploys ransomware via webcam https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam
Tarlogic detects a hidden feature in the mass-market ESP32 chip that could infect millions of IoT devices https://www.tarlogic.com/news/hidden-feature-esp32-chip-infect-ot-devices/
Alleged Co-Founder of Garantex Arrested in India – Krebs on Security https://krebsonsecurity.com/2025/03/alleged-co-founder-of-garantex-arrested-in-india/
37K+ VMware ESXi instances vulnerable to critical zero-day | Cybersecurity Dive https://www.cybersecuritydive.com/news/37k-vmware-esxi-instances-vulnerable-to-critical-zero-day/741749/
Apple patches 0-day exploited in “extremely sophisticated attack” - Ars Technica https://arstechnica.com/security/2025/03/apple-patches-0-day-exploited-in-extremely-sophisticated-attack/
What Really Happened With the DDoS Attacks That Took Down X | WIRED https://www.wired.com/story/x-ddos-attack-march-2025/
Eleven11bot estimates revised downward as researchers point to Mirai variant | Cybersecurity Dive https://www.cybersecuritydive.com/news/eleven11bot-revised-downward-mirai/741923/
Previously unidentified botnet infects unpatched TP-Link Archer home routers | The Record from Recorded Future News https://therecord.media/ballista-botnet-tp-link-archer-routers
Safe.eth on X: “Investigation Updates and Community Call to Action” / X https://x.com/safe/status/1897663514975649938
How to verify Safe{Wallet} transactions on a hardware wallet | Safe{Wallet} Help Center and Support. https://help.safe.global/en/articles/276344-how-to-verify-safe-wallet-transactions-on-a-hardware-wallet
US charges Chinese nationals in cyberattacks on Treasury, dissidents and more | The Record from Recorded Future News https://therecord.media/doj-charges-chinese-nationals-isoon-cyberattacks-treasury
Former top NSA cyber official: Probationary firings ‘devastating’ to cyber, national security | CyberScoop https://cyberscoop.com/joyce-china-probationary-firings-devastating-congress/
U.S. pauses intelligence sharing with Ukraine used to target Russian forces - The Washington Post https://www.washingtonpost.com/national-security/2025/03/05/us-ukraine-intelligence-sharing/