@faker it always amused me when people were up in arms about China having a law to force vuln disclosure to their government prior to public disclosure... when the US already does that.
@badsamurai they do! but they also keep firing people and freezing recruitment (happened on the Windows engineering team too), so it's quite hard to fix something when nobody will pay for it.
Another thing I'd say is apply pressure to Microsoft to fix the root cause of these kinds of issues.
I think I've told the story before around DWM priv esc, where one came into MS and we sat on the call to the engineers and they went 'yeah, there's thousands of these in DWM that we know of. We fixed this one.'
Why didn't they fix the rest? Resource. Easier to just play whack-a-mole each month.
MS is currently the world's biggest org on the stock market, they can afford to invest in Windows security.
Personally I wouldn't rush around patching zero days in Windows for priv esc every time you see a headline, as
a) there's one almost every month now
b) this is something like the 6th in CLFS alone
c) you're patching months (and in some cases years) after ransomware groups started using said privilege escalation exploit - your risk horse already bolted
So just keep calm and patch as usual. Wider question is how to stop people getting endpoint access.
In a similar thing, you can see Black Basta running around with a local priv esc vuln in Windows for several months in this thread below.
The pattern is basically ransomware groups can afford to buy or pay to develop local user -> local admin exploits, and not be discovered for extended periods of time.
From a defence point of view, assume ransomware groups can easily get local admin rights - and don't pay ransoms as it is directly funding the problem for all.
Regarding CVE-2025-29824, the vuln in CLFS linked to a ransomware group.
First off, Microsoft's write-up is good (aside from the eyeroll attempt to sell Copilot, using no useful functionality).
Also, blog actually mentions it's a zero day - MS need to keep _consistently_ calling zero days in its own products zero days.
Microsoft don't say when exploitation started - but I just crawled some EDR telemetry with a friendly vendor, looks like it goes back at least 9 months.
This is so much jedi mind tricks it should be framed in a gallery - they managed to disclose a cybersecurity incident without saying cybersecurity or security or even what was compromised.
> In recent weeks, the Administration and Congress have made significant changes that threaten to negatively impact vital lupus research, drug development and public health initiatives, including the reorganization and significant staff reductions at the U.S. Department of Health and Human Services (HHS) and cutting the Lupus Research Program at the Department of Defense (DoD).
More from @lupusorg and how to take action yourself to protect Lupus research:
I watched a YouTube video earlier of Big Brother in Germany informing housemates of COVID-19 for the first time, and now the algorithm is feeding me all the world’s Big Brother contestants finding out.
The videos are... quite surreal. Ones like, Brian arguing about cereal... then Brian finding out 30k people are dead, then Brian crying because the show got cancelled and now he can't be on TV.
Cybersecurity weather person and award-winning shitposter. Shitposting is an anagram of Top Insights. You may be surprised to know I am not representing my employer here and these are not their opinions. I have Direct Messages disabled - you can send them, but I will never receive them.