• John Hammond

Cybersecurity Shenanigans #008: New year, same shenanigans ✅

This month's cybersecurity scoop.

👋 Hey friend,

We survived the holiday season — even if only barely. 😅 I hope you spent the holidays exactly how you wanted to. I got to disconnect a bit and spend time with family, which was both nice and very needed.

Also had some fun with our annual holiday Christmas card. The actual card turned out great, but the bloopers really deserve the spotlight.

Yes, Pebbles and Bamm-Bamm stole said spotlight because they’re hams. 😜

Anyway, here’s to a wonderful 2025! 🤩

— JH

News & Commentary

The two exploits that consumed me last week 😅

Happy new year — aaaand we’re off! 😅

Last week was busy for me with two cyber “incidents” capturing my attention.

The first one was a vulnerability impacting SonicWall, a cybersecurity company that serves managed service providers (MSPs). It’s a critical vulnerability that lets hackers infiltrate systems without a password (authentication bypass). The vulnerability impacts firewall versions Sonic 7.1.x and 8.0.0-8035.

The good news is that a security update is available, so if you’re a SonicWall user with SSL VPN or SSH management enabled, get to patchin’.

Then, we have Gravy Analytics.

Gravy Analytics is a popular location data broker that stores data from a lot of well-known apps: MyFitnessPal, Candy Crush, and, uh, Tinder and Grindr. 😅 Hackers proudly announced that they’d stolen terabytes of sensitive information from Gravy Analytics, such as location coordinates of app users. I was able to confirm that more than 300,000 people’s email addresses had been leaked on an online database.

Interestingly, just last month, the FTC focused its sights on Gravy Analytics, proposing an order that would forbid the company from “selling, disclosing, or using sensitive location data in any product or service.” It makes sense — organizations that exist solely for data collection and aggregation are attractive targets for threat actors. And then there’s the privacy concerns, because app users didn’t consent to having their location data tracked.

So…needless to say, stay tuned on this one. 👀

Microsoft releases one heck of a Patch Tuesday update 🩹

…did I mention happy new year — and we’re off? 😅 

Microsoft’s first Patch Tuesday update of 2025 listed a record-breaking 159 vulnerabilities. (We are 14 days into the new year, folks!) Eight of these vulnerabilities are zero days (fun), and three of those zero days are actively being exploited in the wild (fun fun).

If nothing else, pay attention to CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335. These vulnerabilities are frightening because they allow privilege escalation, meaning an attacker could sneak in and gain SYSTEM privileges. And let’s try not to start off 2025 by giving hackers free rein. 😭

CrowdStrike job applicants, beware: Cybercriminals are targeting you 🎯

Applied for a job at CrowdStrike recently? Tread your inbox carefully, as threat actors are impersonating recruiters to do their dirty deeds.

Bad actors are sending emails requesting that candidates schedule an interview by downloading a “CRM application,” which is actually an executable for a cryptominer.

And get this — hopeful candidates get to “select” a Windows or Mac version, making the whole thing feel even more authentic.

Talk about the illusion of choice. 😅

Be very careful out there, job seekers.

Latest Content

YouTube Videos

// [This space intentionally left blank. No, for real. Very cryptic. Much scary.]

// Let’s have some fun and flip the script on scammers. 😈

// A recording of a livestream I recently hosted with Slavi Parpulev, an instructor at Just Hacking Training.

Just Hacking Training Update 🤓

I’m extremely excited to announce the immediate release of Dark Web & Cybercrime Investigations. This labor of love has been months in the making and includes some of my extensive research… who am I kidding… my playing! 😉 But what’s this course all about?

With 15 videos, tons of content, hands-on exercises like how to create your own onion site and quizzes to test your knowledge, you’ll learn how to uncover cybercrime. From a history of the dark web and details of the seedy under-belly of the internet, to what a job in this field actually requires, you’ll get a broad understanding of the entire underworld ecosystem and how to navigate it, as well as what your organizations or clients might expect from a Cybercrime Investigator! 🔍

I’m also pleased to let you all know that as a Special Release Offer, I’m going to lop off 20% of the $125 cost. This way, you’ll get a launching pad into a possible career in the dark arts for ONLY $100! ⌛

Additional training releases this month include a playable CTF archive and Free Upskill Challenges (UCs).

On Deck for February 2025 & Beyond!

  • Level Up OSINT Course by Mishaal Khan

  • Intro to Shellcode Loaders Course by Dahvid Schloss

  • HAL – OWASP API Top 10 Part 1 of 3 by Katie Paxton-Fear

  • Numerous Courses, HALs, UCs & CTFs every month throughout 2025!

Come hang out with us hackers in Discord and engage with me, our All-Star instructors, students, and the rest of our community.

Sneak Peek at Upcoming Content

Here’s a stream-of-consciousness-esque preview of what’s coming up. 👀

  • I recently accepted an invitation to do a keynote presentation for a local security conference. That’s all I can say for now. 😉

  • January and February are absolutely jam-packed with content! Expect more scambait videos, game hacking with Unreal Engine games, malware analysis, and dark web spelunking. Will also be doing some collabs with very cool people very soon.

  • I’m hoping to get involved with DARPA and ARPA-H’s Artificial Intelligence Cyber Challenge (AIxCC) — wish me luck!

  • I’m in the beginning stages of planning a livestream with my friend NetworkChuck.

  • I’ll be at Wild West Hackin’ Fest next month! 🤠

Got feedback?

Love this thing? Have some pointers on how I can make it better? Please reply to this email and let me know. I really want these newsletters to be worth reading to you, and your feedback makes that possible!

Hope to hear from you soon!