🏆 Nominations for the 2026 Burp Suite Extension Awards close THIS TUESDAY ⚠️

Week 3 of Extensibility month is almost wrapped - here's what happened, what's still to come, and how to get your nomination in before it's too late 👇

When you can make $thing enter debug mode without docs, before your first and/or after your sixth coffee you know you've spent way too much time on $thing.

@csepp lucky you!

@orlysec Physical implant + Solaris rootkit :O

(picussecurity.com) UNC2891: Anatomy of a Sophisticated Bank Heist Using CAKETAP Rootkit and Raspberry Pi-Based Attacks

UNC2891, a financially motivated threat group active since 2017, has executed sophisticated attacks on banking infrastructure using custom malware and physical access vectors. Their latest campaign in Q1 2025 involved planting a 4G-enabled Raspberry Pi on a bank’s network switch to bypass perimeter defenses, enabling ATM fraud via Payment HSM manipulation.

In brief - UNC2891 targets financial institutions with advanced Linux/Solaris malware, including the CAKETAP rootkit, to authorize fraudulent ATM withdrawals. A recent attack used a Raspberry Pi for initial access, highlighting evolving physical and digital threats to banking systems.

Technically - UNC2891 employs CAKETAP (Solaris kernel rootkit) to hook system calls like `mkdirat` and `ipcl_get_next_conn`, enabling stealthy C2 and network manipulation. SLAPSTICK (PAM backdoor) captures credentials, while TINYSHELL (backdoor) communicates over raw TCP (ports 53/443). Tools like WINGHOOK (keylogger) and STEELHOUND (in-memory dropper) facilitate credential harvesting and payload execution. The CAKETAP variant on ATM switches bypasses card/PIN verification by replaying HSM responses.

Source: https://www.picussecurity.com/resource/blog/unc2891-bank-heist-explained-caketap-rootkit-and-raspberry-pi-attack

#Cybersecurity #ThreatIntel

@troed If you could pour the 100 best sw engineers in the world to a similar case that wouldn't be effective either (the current management tier is likely insufficient to handle the numbers).

The initiative is good though, it's just easy to have the wrong expectations about short-term results.

RE: https://mastodon.social/@marver/116617742819891906

If you don't recognize "Starlette":

"Starlette is the foundation of the FastAPI Python framework."

... and everything uses FastAPI.

@troed Keep in mind that - as described in The Mythical Man-Month - suddenly throwing human resources to a project doesn't necessarily help to reach its milestones.

Patch Starlette now! If you're run it via uvicorn or other common ASGI servers then a host header parsing issue can lead to vulnerabilities leading from auth bypass up until RCE! Examples for affected packages are liteLLM, vllm, etc... Here is the X41 Advisory:

https://x41-dsec.de/lab/advisories/x41-2026-002-starlette/

[RSS] CVE-2026-9082 | Drupal SQL Injection Vulnerability

https://horizon3.ai/attack-research/vulnerabilities/cve-2026-9082/

[RSS] CVE-2026-40369: Twelve Bytes to Escape the Browser Sandbox

https://voidsec.com/cve-2026-40369-browser-sandbox-escape/

This is another writeup of a Windows sandbox escape that multi-collided during P2O

[RSS] Advisory X41-2026-002: Request Host Header not Validated in Starlette

https://x41-dsec.de/lab/advisories/x41-2026-002-starlette/

This can lead to auth bypass!

[RSS] Emulating & Exploiting UEFI: Unveiling Vulnerabilities in Firmware Security

https://www.netspi.com/blog/technical-blog/hardware-and-embedded-systems-penetration-testing/emulating-and-exploiting-uefi/

[RSS] Striga: Lifting x86 to LLVM IR with Python

https://secret.club/2026/05/21/striga.html

New from secret club!

@schrotthaufen Kids these days won't know how it is to move your friends 3rd floor apartment without an elevator, half-drunk on a narrow staircase. Sad!

@sassdawe You may enjoy https://adnauseam.io/

@schrotthaufen that must be a beast of a washing machine :D

@jonny @danluu These are unfathomably large numbers so to get a grip I looked up Shell's yearly profits (x*10^10 USD where 0<x<4), and with a wild estimate it'd take ~50 years for them to pay off this kind of money (while not investing in anything else)

@danluu part of the argument is that not just that it might not be profitable now, but that the amount of profitable that it would need to be to justify the amount of capital expenditure that has already been made and is promised is numerically impossible. JPMorgan estimated 1.2 trillion in AI debt back in december 2025, goldman sachs estimates another 500 billion in 2026. Where is the evidence that inference is profitable enough to pay off 1.7 trillion? If it was really profitable, all the publicly traded AI companies would be screaming this at the top of their quarterly reports.

A bunch of local companies had an incident when a datacenter fire triggered an extinguisher without proper nozzles installed and the shock wave of the gas killed a bunch of HDDs at once.

Now I wonder if I should move my speakers further away from my desktop machine...

https://soundcloud.com/djfernandamartins/tough-waves-36-rudosa