Threatcast

TOTP Secrets, Silent Patches, and a 2005 Malware That Rewrites History

10 scenes, 9 speakers. Briefing.
Chapters
01 The Briefing Got It Wrong
02 Sponsor — Blue Cortex AI
03 APT28's TOTP Heist: Stealing the Secret Behind the Code
04 Signaling or Spying? The APT28 Geopolitical Debate
05 Azure AKS: The CVSS 9.9 That Disappeared
06 Sofia's Compliance Crisis: When the Cloud Vendor Goes Silent
07 Shai Hulud Expands: 170 Packages, Two Registries, One Trust Failure
08 Fast16: The 2005 Malware That Corrupted Nuclear Physics
09 VMware Fusion TOCTOU: The Developer Workstation Trap
10 Synthesis: What You Do Before Tomorrow
Speakers: Halil, Lena, Alex, James, Dr., Priya, Dr., Pierre, Tomas
01 The Briefing Got It Wrong (00:00)

Halil: Fancy Bear isn't stealing your two-factor codes. They're stealing the secret that generates them — forever. That's where we start today.

Halil: Welcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.

Halil: The afternoon briefing had the wrong top five. Cisco SD-WAN, Canvas — we've been there. If you skimmed the headlines today, you missed the actual story.

Halil: Three things buried below the fold. First: APT28 — that's Fancy Bear, Russia's military intelligence cyber unit — is running a 24-month campaign across NATO's southeastern flank. Greece, Romania, Bulgaria, Ukraine. And the technique is not what you'd expect.

Halil: Second: A malware framework called Fast16 may have been sabotaging nuclear weapons simulations since 2005. That predates Stuxnet by five years. If the attribution holds, it rewrites the history of state-sponsored cyber-physical sabotage.

Halil: Third: Microsoft silently patched a CVSS 9.9 — that's a near-maximum severity score — privilege escalation in Azure AKS — that's their managed Kubernetes service — with no CVE, no public advisory. Security teams have no idea if they were exposed.

Halil: And threading through all of it: the Shai Hulud supply chain campaign has now hit 170-plus npm packages and jumped to PyPI. OpenAI, Mistral AI, UiPath — confirmed victims.

Halil: That's the episode. Let's build it properly.
02 Sponsor — Blue Cortex AI (01:59)

Halil: This episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.
03 APT28's TOTP Heist: Stealing the Secret Behind the Code (03:05)

Halil: Lena, let's start with what's actually new here technically. Because most people hear 'MFA bypass' and think phishing. This isn't that.

Lena: Right. So — this is meaningfully different. APT28 isn't intercepting one-time codes in transit. They're injecting JavaScript into Roundcube webmail sessions — Roundcube is the open-source webmail platform widely used in government and military environments — and extracting the actual TOTP seed values.

Alex: Yeah, and that distinction matters enormously. A TOTP seed — the secret the authenticator app uses to generate codes — if you have that, you can generate valid codes offline. Indefinitely. No further access to the victim's device needed.

Lena: Exactly. Credential rotation doesn't fix it. Password resets don't fix it. The seed is the root of trust, and once it's stolen, the attacker has a persistent key that survives standard incident response.

Halil: So the timeline — walk me through what 24 months of dwell time looks like operationally.

Lena: Recon started March 2024. Confirmed compromises ran through March 2026. Targets: military and government institutions in Greece, Romania, Bulgaria, and Ukraine. We're talking 240-plus credential sets. Military attachés in India and Bosnia. War crimes investigators.

Alex: That targeting list is what caught my attention. This isn't mass opportunistic collection. Those are very specific intelligence requirements.

Lena: It connects to a pattern I've been tracking. This aligns with APT28's — designated G0016 in MITRE's threat catalog — FrostArmada router campaign. Same NATO military and government victimology, same multi-year timeline structure. And the German BfV warning from April about TP-Link router compromises targeting German parliament and air traffic control fits the same tradecraft cluster.

Halil: Alex, from an offensive security standpoint — how hard is this to execute?

Alex: Honestly? Once you have an authenticated Roundcube session, the JavaScript injection to pull from the twofactor_gauthenticator plugin settings page is not deeply sophisticated. The sophistication is in the targeting and the patience. Twenty-four months of quiet persistence is the hard part.

Lena: Which is exactly APT28's tradecraft signature. They don't rush. The FrostArmada campaign showed the same structure — long dwell, surgical access, minimal footprint.

Halil: James, defensive picture. What can organizations do right now?

James: First — audit your email forwarding rules and webmail session logs for anomalous JavaScript activity. Immediate. Today. If you're running Roundcube with the twofactor_gauthenticator plugin, treat that setup path as a potential attack surface.

James: Longer term: this is not a 'TOTP is broken' story. It's a 'web-based 2FA setup pages are attack surfaces' story. The fix is FIDO2 — WebAuthn hardware tokens — where the seed never exists in a form that JavaScript can reach.

Alex: Right. You can't exfiltrate what doesn't exist in software.

James: FIDO2 migration isn't a 48-hour operation for most organizations. So the 48-hour action: disable or restrict webmail 2FA enrollment, push that flow to out-of-band channels. That removes the attack surface while the longer migration happens.
04 Signaling or Spying? The APT28 Geopolitical Debate (06:51)

Halil: Elena, you came in with a provocative thesis on this. Let's hear it.

Dr.: So — my initial read was that this was primarily strategic messaging. Four nations bracketing the Black Sea. Ukraine's war crimes prosecutors. The timing aligns with NATO forward defense discussions on the southeastern flank. My argument was: Moscow is demonstrating capability, not just collecting intelligence.

Alex: I'd push back on that. Two hundred forty-plus credential sets over 24 months — that's a collection operation. Messaging campaigns don't look like that. They're louder, shorter, more deliberately exposed.

Lena: And the targeting specificity argues against signaling. Military attachés in India and Bosnia. War crimes investigators. Those are genuine intelligence requirements, not a demonstration.

Dr.: You're right. I looked at the full operational picture again and — honestly, the evidence doesn't support the messaging-primary reading.

Halil: Say that more precisely.

Dr.: I'm revising. This is collection-primary, signaling-incidental. The operation exists because Russia wants the intelligence — understanding Western military positioning, tracking the evidentiary trail for potential war crimes prosecutions. The quiet persistence contradicts a signaling logic entirely.

Lena: That's the right call. The 24-month dwell time is the tell. If you want to signal capability, you don't hide for two years.

Dr.: What I'd maintain is that the exposure carries secondary signaling effects. Moscow didn't design this to be discovered. But once it's public — allied governments seeing their Roundcube infrastructure was silently compromised for two years — that demonstration exists whether or not it was intended.

Halil: That's a meaningful distinction. The operation wasn't designed to signal. But its exposure does.

Dr.: Exactly. Intent versus consequence. And at a moment of heightened debate about NATO southeastern flank commitments, those consequences are geopolitically meaningful even if they were OPSEC failures, not strategy.

James: From a defender's standpoint — honestly, the distinction matters because the response changes. If it's signaling, you escalate diplomatically. If it's collection, you focus on evicting access and protecting the intelligence pipeline. The panel's revised read points clearly toward the latter.
05 Azure AKS: The CVSS 9.9 That Disappeared (09:20)

Halil: Priya, let's get into the Azure AKS situation. Because 'silent patch' doesn't quite capture how strange this is operationally.

Priya: So — the vulnerability is what researchers call a Confused Deputy attack. Azure AKS needs cluster-admin access to perform backups. To enable that, it uses a feature called Trusted Access, which creates a trustedAccessRoleBinding in the cluster. The problem: Microsoft didn't validate that the principal requesting that binding actually had Kubernetes permissions.

Halil: Meaning what in practice?

Priya: Meaning someone with only the Azure RBAC Backup Contributor role — zero Kubernetes permissions, zero cluster access — could trigger the Trusted Access grant and receive cluster-admin credentials. The blast radius is any AKS cluster where that principal had backup vault scope.

Alex: Backup Contributor to cluster-admin. That's a complete trust boundary collapse.

Priya: Aviatrix TRC researchers assessed this at CVSS nine point nine — researcher-scored, not officially confirmed by Microsoft. Microsoft reportedly patched by May 12th, but here's the problem: no CVE, no public advisory. The patch was behavioral — changed error messages. You cannot track this through any standard vulnerability management workflow.

James: And this is where I have to be honest with teams: you can't prove you weren't exposed. You can't show auditors when you 'patched' because there's no patch to point to. What you can do — query Azure Activity Logs for trustedAccessRoleBindings write operations between March and May 2026, specifically those initiated by Backup Contributor principals.

Priya: Right. And check Kubernetes audit logs for system:azure usernames achieving cluster-admin where the Azure AD token's roles claim lacks the expected permissions. That mismatch is your indicator of potential exploitation.

James: Hardening steps: remove Backup Contributor from any identity that doesn't strictly need it. Implement deny assignments preventing Trusted Access grants by non-cluster-admins. Enable Azure Policy for AKS RBAC separation.

Halil: I want to flag one thing for listeners: we haven't confirmed whether Microsoft communicated anything through private channels to affected tenants. That uncertainty matters — the picture might be less completely dark than it appears.

Priya: Fair caveat. But even if Microsoft notified some tenants privately, the structural problem remains: CVE-based tracking is how the industry operates. If a CVSS nine point nine can disappear without entering that system, the whole workflow is compromised.

James: And the shared responsibility boundary here is entirely Microsoft's — this was a control plane trust validation failure. No customer IaC guardrail could have prevented this. Yet teams are left demonstrating due diligence to auditors without a single official document to point to.
06 Sofia's Compliance Crisis: When the Cloud Vendor Goes Silent (12:46)

Halil: Sofia, you've been sitting with the regulatory implications of this silent patch situation. Walk us through the damage.

Dr.: So, the core legal problem: NIS2 Article 21 imposes risk management obligations on essential and important entities — meaning they must take appropriate technical and organizational measures to manage network and information security risks. Article 23 requires notification within 24 hours of becoming aware of a significant incident.

Halil: And the gap?

Dr.: Without vendor transparency, how does an entity assess whether prior exposure constitutes a 'significant incident' requiring that notification? The compliance burden sits on the regulated organization, not on Microsoft. So you have entities that may have been exposed, with no disclosure to trigger their own assessment process.

James: Which is exactly what I ran into operationally. There's no official documentation. If you go to your auditors and say 'we believe we're patched,' you have no paper trail.

Dr.: And it gets worse for US entities. SEC Regulation S-K Item 106 and the 2023 cyber disclosure rules require materiality assessment within four business days once a cybersecurity incident is detected. The board must conduct that assessment. But without vendor disclosure of the vulnerability's scope, how does the board even begin?

Pierre: Hmm. So you have liability on the entity side — disclosure obligations — but zero corresponding obligation on Microsoft's side. That's a remarkable asymmetry.

Dr.: Precisely. And FedRAMP-authorized providers — per RFC-0012 on Continuous Vulnerability Management — are required to make vulnerability reports available to all necessary parties in compatible formats. A silent patch without disclosure arguably violates that requirement. Federal agencies have a material gap in their authorization evidence packages.

Halil: What do organizations do right now? Practically.

Dr.: Three things. One: immediately query Azure Activity Logs for the March through May window and preserve that audit trail. You need evidence of what happened, or didn't happen, on your infrastructure. Two: if you're an essential or important entity under NIS2, consider voluntary notification to your competent authority explaining the vendor transparency gap. That demonstrates good faith and creates a record.

Dr.: Three: SEC registrants — document the materiality assessment decision now. Why this was or wasn't considered material to the board. The process must be documented per SEC guidance, even if the conclusion is 'not material.' And then — contract review. Add specific language requiring CVE assignment and advisory publication for CVSS seven point zero and above vulnerabilities. Current standard cloud agreements have nothing on this.

Pierre: And the maximum exposure under NIS2 for getting this wrong?

Dr.: For an essential entity: fines up to ten million euros or two percent of global annual turnover, whichever is higher. I'd assess actual enforcement risk at the lower end — regulators understand that vendor opacity creates genuine compliance challenges. But the inability to demonstrate a full audit trail is the aggravating factor in any enforcement action.
07 Shai Hulud Expands: 170 Packages, Two Registries, One Trust Failure (16:21)

Halil: We covered the early Shai Hulud / TanStack mini-worm last week. What's materially new today, Tomas?

Tomas: So — the number has grown. According to JFrog and Orca Security, we're now at 170-plus npm packages and two PyPI packages — PyPI being the main Python package registry. Aggregate reach: 200 million weekly downloads. And it's jumped registries, which is the new part.

Halil: How did it jump? That's the mechanism I want to understand.

Tomas: Shared maintainer credentials. Developers who had their workstations infected via the npm packages had their PyPI publishing tokens exfiltrated in the same credential harvest. So the PyPI attack didn't require a separate intrusion — it was a cascading failure from the npm compromise. One credential theft, two registries poisoned.

Alex: That is a structural trust failure, not a one-time exploit. The registries treat npm and PyPI as separate trust domains. The attackers are treating them as one credential surface.

Tomas: Exactly. And the npm side has dual infection vectors — an optionalDependencies entry pointing to an orphan Git commit, plus an embedded 2.3 megabyte obfuscated router_init.js file. Most software composition analysis tools are looking for known malicious packages. An orphan commit reference that isn't part of the main branch? Most SCA tools won't flag that.

Halil: What's the PyPI payload doing when it executes?

Tomas: The mistralai package — version 2.4.6 — executes on import. It drops a payload disguised as a temporary transformers file. Then it harvests: GitHub tokens, AWS, GCP, Azure credentials, crypto wallets. Infrastructure theft, not just data theft.

Pierre: And the confirmed victims — OpenAI, Mistral AI, UiPath — these are organizations whose API keys and cloud credentials are extraordinarily valuable. Access to an OpenAI or Mistral AI developer environment is access to model infrastructure.

Tomas: Right. And the malware has conditional execution logic — it skips Russian systems, randomly executes destructive commands on systems it identifies as Israeli or Iranian. That's geopolitical targeting layered on top of credential theft. This is not automated opportunism — there is design intent here.

Halil: Tomas, the SBOM argument. Walk me through why that doesn't solve this.

Tomas: An SBOM — a software bill of materials, essentially a dependency inventory — shows you what packages you're running and their versions. The trust failure here happened at the registry level via stolen publish tokens, not at the source repository. Your SBOM shows 'clean source.' The code that arrived is not what the source said it was.

Tomas: What actually helps: Sigstore provenance attestation for packages from major maintainers. PyPI's attestations would have flagged unauthorized publishing. And: treat cross-registry identity as your blast radius. If a developer uses the same account for npm and PyPI, one compromise is one credential steal — and you've lost both registries.

James: Immediate action if you consumed any affected versions: rotate everything. Cloud credentials, GitHub tokens, CI/CD secrets, all of it. On any build host that touched those packages. Do not wait for forensic confirmation — rotate first, investigate second.
08 Fast16: The 2005 Malware That Corrupted Nuclear Physics (20:19)

Halil: Now we get to the item that, frankly, stopped me when I read it. Lena, SentinelOne published the initial Fast16 research last month. Symantec has now added something. What's new, and how confident are we?

Lena: So — SentinelOne's April research established the malware's architecture and the 2005 compilation timestamp. July 19, 2005. What Symantec has now added — working with the Institute for Science and International Security and David Albright — is a deeper reverse-engineering of the targeting logic.

Halil: And what does the targeting logic tell us?

Lena: Fast16 monitors uranium core density. When values approach 30 grams per cubic centimeter — just below the liquid-compression threshold where supercriticality begins — it swaps the real pressure data before it reaches the engineer's screen. The simulation shows insufficient compression. The actual calculation showed otherwise.

Dr.: Hmm.

Lena: This is not espionage. It's not exfiltration. It's decision-corruption at the physics layer. The engineers trust their simulation output, and Fast16 exploits that trust at a threshold-specific level that requires genuine domain expertise in nuclear physics.

Alex: And it predates Stuxnet by five years. Stuxnet's public timeline puts Operation Olympic Games — the US-Israeli Natanz centrifuge operation — as the acknowledged origin of cyber-physical sabotage at nation-state scale. Fast16 says that's not where it started.

Lena: The attribution evidence: the Territorial Dispute tool, leaked by the Shadow Brokers in 2017, contains a deconfliction signature for Fast16 — quote, 'NOTHING TO SEE HERE, CARRY ON.' That's NSA telling its own operators: this belongs to us or an ally, do not interfere. That's reliable but indirect attribution evidence.

Dr.: And the geopolitical timing is unambiguous. 2005 was peak US-Iran tension over Iran's nuclear program. This wasn't a theoretical capability — it was deployed.

Halil: Elena, you raised a question about deterrence theory implications. This isn't just historical.

Dr.: Correct. If Fast16 attribution and timeline are eventually confirmed — and I want to be clear, the nuclear weapons targeting details are still awaiting independent verification beyond the SentinelOne and Symantec collaboration — then the deterrence implications are serious.

Dr.: Tehran's perception of Western red lines shifts. If adversary states credibly believe that computation sabotage of nuclear programs has been ongoing since 2005, Stuxnet stops looking like an exceptional escalation and starts looking like one visible moment in a longer campaign. That erodes the normative force of 'Stuxnet was exceptional.'

Lena: On confidence levels: high confidence on the 2005 dating — the compilation timestamp is verifiable. High confidence on the simulation software targeting. Moderate confidence on the nuclear weapons specificity — the convergent analysis from SentinelOne and Symantec is strong but not independently verified by a third party yet.

Halil: And for defenders outside the nuclear sector — why does this matter to them?

Lena: Because Fast16 demonstrated that computation sabotage — not destroying data, not denying access, but corrupting the analytical output that drives physical decisions — has been a nation-state capability for twenty years. Power grid load balancing, chemical process control, structural engineering, pharmaceutical modeling. Any environment where physical consequences flow from computational output is in scope for this threat model. Most of those organizations are verifying access controls and data integrity. They are not verifying computational integrity.
09 VMware Fusion TOCTOU: The Developer Workstation Trap (24:33)

Halil: Before we close, VMware Fusion CVE-2026-41702 — this one I want to handle carefully because patch verification matters here. Priya, what do we know?

Priya: So — the vulnerability is a TOCTOU race condition. TOCTOU stands for time-of-check to time-of-use — a race condition class where the window between checking a permission and using it gets exploited. Here it's in a SETUID binary, meaning a binary that runs with elevated privileges. A local non-admin user can race that window and escalate to root.

Priya: Researchers assessed it at CVSS seven point eight — local privilege escalation, no network component. Broadcom says the patch is in Fusion 26H1, released May 14th under advisory VMSA-2026-0003. Critically: Broadcom explicitly states no workarounds exist. Upgrade is mandatory.

Halil: I want to flag for listeners: verify all of that directly with Broadcom before acting. Advisory status and workaround details can change, and we're relying on researcher reporting.

Alex: Right. But assuming the advisory holds — the real exposure here isn't individual developer laptops. It's CI/CD pipelines running on macOS with Fusion installed.

James: That's exactly my priority matrix. Developer laptops in isolation? A seven-to-fourteen-day patching window is fine. But macOS CI/CD runners? Those are crown jewels. They hold SSH keys, cloud credentials in the AWS config directory, code signing certificates, internal repository access. You get root on that machine through a TOCTOU race, you're in the supply chain.

Priya: And the Shai Hulud thread connects here directly. A low-privilege foothold from a malicious package, plus a local privilege escalation via Fusion, gives you root on a developer workstation. From there you're exfiltrating the exact credentials Tomas described.

James: Which is why the priority is: CI/CD runners patch within 48 hours. Code-signing workstations, anything with VPN or privileged network access, same window. Individual developer machines — 7 days with staging validation.

Halil: The supply chain intersection Priya just made is worth sitting with. These aren't isolated vulnerabilities — they're a chain. Malicious package gets installed on a developer machine, TOCTOU gets exploited for root, cloud credentials get exfiltrated. That's a complete kill chain starting from a poisoned dependency.
10 Synthesis: What You Do Before Tomorrow (27:27)

Halil: Let me pull the threads. Four major stories today, and they're connected in ways that matter for defenders.

Halil: Thread one: APT28 has been quietly inside NATO southeastern flank military and government infrastructure for 24 months, stealing the actual seed values behind TOTP authentication. The immediate action — audit your Roundcube webmail session logs and restrict 2FA enrollment to out-of-band channels today. The strategic action: accelerate FIDO2 hardware token migration. TOTP seeds are stealable. FIDO2 keys are not.

Lena: And treat the exposed credential sets as fully compromised. If Roundcube was in your authentication path, assume the seeds are gone. Reissue them through a channel that JavaScript cannot reach.

Halil: Thread two: Azure AKS. Backup Contributor to cluster-admin via a Confused Deputy flaw — researcher-assessed CVSS nine point nine — patched silently by Microsoft with no CVE, no advisory. Query your Azure Activity Logs for trustedAccessRoleBindings write operations between March and May. Remove Backup Contributor from any identity that doesn't strictly need it. Do not rely on CVE-based tracking — verify behavioral controls directly.

Dr.: And document your compliance posture now. NIS2-regulated entities, SEC registrants — the audit trail you build today is the evidence you'll need if a regulator asks whether you assessed this incident. Voluntary notification to your competent authority demonstrating the vendor transparency gap creates a good-faith record.

Halil: Thread three: Shai Hulud is now 170-plus npm packages and has crossed to PyPI through shared developer credentials. OpenAI, Mistral AI, UiPath are confirmed victims. Scan for malicious versions of TanStack, node-ipc versions 9.1.6, 9.2.3, 12.0.1, and mistralai 2.4.6. If any build host consumed those, rotate all credentials immediately — cloud, GitHub, CI/CD secrets. Don't wait for forensic confirmation.

Tomas: And implement Sigstore provenance attestation. Your SBOM shows a clean source. It cannot see that the published package was replaced. Attestation can.

Halil: Thread four: Fast16. I want to be precise here — Symantec's confirmation of nuclear weapons simulation targeting represents a significant convergence of evidence, but independent third-party verification is still pending. What we can say with high confidence: this is a 2005-era malware framework that corrupted decision-making in high-precision physics simulations, and it predates Stuxnet's public timeline by roughly five years.

James: The practical implication for defenders: review whether your integrity verification extends to computational outputs, not just input data and access controls. If decisions with physical consequences flow from simulation software, are you verifying the simulation is giving you true outputs? Most organizations are not.

Dr.: And for policymakers: if Fast16's attribution to US-allied intelligence holds, it changes how adversaries calculate escalation thresholds. Stuxnet may not have been a maiden voyage — it may have been a visible escalation within a campaign that started years earlier.

Halil: What we're watching tomorrow: any Microsoft communication on the Azure AKS patch timeline for affected tenants, independent verification of the Fast16 nuclear targeting claims, and whether the Shai Hulud campaign's PyPI vector expands further.

Halil: That's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.
Episode aired Sun 17 May 2026. Running time 33:01, 10 scenes.