This week’s Department of Know is hosted by Rich Stroffolino with guests Nick Ryan, former CISO, and Chris Ray, Field CTO, GigaOm
Missed the live show? Check it out on YouTube
The Department of Know is live every Monday at 4:00 p.m. ET. Join us each week by registering for the open discussion at CISOSeries.com
React Native Metro bug impacts thousands of servers
Researchers at JFrog found that threat actors are exploiting a flaw in Metro, the JavaScript bundler used by React Native projects. By default, Metro can expose development-only HTTP endpoints, intended for local use, on external network interfaces. On Windows, the bug allows arbitrary OS commands to be executed through POST requests, while on macOS and Linux it allows limited control over the parameters passed to arbitrary executables. JFrog disclosed the vulnerability in November and observed exploitation beginning on December 21st. There are currently about 3,500 exposed React Native Metro servers online.
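The exposure described above is a dev server listening on a non-loopback address. The following is an added example, not JFrog's tooling or anything from the original item: it parses `ss -ltnp` output (a constructed sample is embedded) and flags listeners on Metro's default port 8081 that are bound to anything other than loopback, which is the condition a defender wants to catch on developer hosts.

```python
import re

# Metro's default dev-server port (React Native); pass another port to
# check a different dev server.
METRO_DEFAULT_PORT = 8081

# Local-address spellings `ss` prints for "all interfaces" and for loopback.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}
PID_RE = re.compile(r"pid=(\d+)")

# Constructed sample of `ss -ltnp` output for illustration (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:8081        0.0.0.0:*          users:(("node",pid=4242,fd=21))
LISTEN  0       511     127.0.0.1:8081      0.0.0.0:*          users:(("node",pid=4243,fd=21))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=801,fd=3))
LISTEN  0       511     [::]:8081           [::]:*             users:(("node",pid=4244,fd=21))
"""

def split_local_address(local):
    """Split 'addr:port' on the LAST colon so '[::]:8081' parses correctly."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)

def find_exposed_dev_servers(ss_output, port=METRO_DEFAULT_PORT):
    """Return listeners on `port` bound to anything other than loopback.

    A dev server bound to 127.0.0.1 answers only the host itself; one bound
    to 0.0.0.0 / [::] (or a LAN address) answers any network neighbour.
    """
    findings = []
    for line in ss_output.splitlines():
        if not line.startswith("LISTEN"):
            continue  # skip the header and non-listening rows
        fields = line.split()
        addr, lport = split_local_address(fields[3])
        if lport != port or addr in LOOPBACK_ADDRS:
            continue
        m = PID_RE.search(fields[5]) if len(fields) > 5 else None
        findings.append({
            "addr": addr,
            "port": lport,
            "pid": int(m.group(1)) if m else None,
            "wildcard": addr in WILDCARD_ADDRS,
        })
    return findings
```

Any hit is a Metro instance reachable from the network and should be rebound to loopback or blocked at the host firewall until the patched version is installed.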
Moltbook shows the dangers of vibe coding
Moltbook, a Reddit-like forum designed for use by AI agents, was vibe coded into existence by Matt Schlicht just a few days ago. It quickly saw a bunch of agents join up, boasting over a million members. But security researchers from Wiz and 404 Media found that the platform had a misconfigured Supabase database that allowed read and write access to its entire production database. This leaked data on account holders, authentication tokens, and private messages between agents, and allowed anyone to delete or edit any and all site content. It also showed that about 17,000 human owners were behind the swarm of bots, and that the platform had no mechanism to verify whether a user was an agent or a human.
CISA is silently updating vulnerability notices
CISA’s Known Exploited Vulnerabilities catalog has become an industry mainstay for patching and for providing guidance on patching timelines for government agencies. However, GreyNoise researcher Glenn Thorpe noted that the agency gives no notice when it changes an entry’s “known ransomware use” indicator from “unknown” to “known.” He argues this represents “a material change in your risk posture” that changes organizational priorities. In an analysis, Thorpe identified 59 flipped vulnerabilities affecting Microsoft, Ivanti, Fortinet, and Zimbra. Of the entries confirmed in 2025 as used in ransomware campaigns, 39% had been added to the catalog before 2023.
APT28 attackers abuse Microsoft Office zero-day
CERT-UA says Russia-linked APT28, also known as Fancy Bear, is already exploiting a newly disclosed Microsoft Office zero-day to target Ukrainian government agencies and organizations across the EU. The bug went from disclosure to active exploitation in days, with phishing emails delivering malicious Word documents that quietly pull down malware and deploy the COVENANT post-exploitation framework. Microsoft has released patches, but CERT-UA warns attacks are likely to increase as many users delay or are unable to update. (The Register)
Huge thanks to our episode sponsor, ThreatLocker

GSA embeds CMMC-like cybersecurity requirements into civilian contracts
The General Services Administration is expanding the use of mandatory cybersecurity maturity language across civilian federal contracts, including IT and professional services vehicles. While not branded as CMMC, the requirements mirror CMMC principles by enforcing NIST 800-171 alignment, system security plans, incident reporting, and supplier accountability as contractual obligations rather than guidance. This effectively broadens CMMC-style enforcement beyond DoD contractors to a much wider civilian vendor base, many of whom do not view themselves as “federal cybersecurity regulated.” (Washington Technology)
CISA gives federal agencies one year to rip out end-of-life devices
The operational directive, issued on Thursday, is a response to ongoing and widespread exploitation campaigns by sophisticated hackers. End-of-life devices such as load balancers, firewalls, routers, IoT edge devices and many more remain vulnerable, especially to attackers with ties to nation-states, said CISA Executive Assistant Director for Cybersecurity Nick Andersen. He clarified that the directive is not a response to any one incident or compromise.
AWS intruder becomes admin in under 10 minutes with AI assistance
A digital intruder “broke into an AWS cloud environment and in just under 10 minutes went from initial access to administrative privileges, thanks to an AI speed assist.” This is according to a research team from Sysdig Threat Research who observed the break-in on November 28, and noted it stood out “not only for its speed, but also for the multiple indicators suggesting the criminals used large language models to automate most phases of the attack, from reconnaissance and privilege escalation to lateral movement, malicious code writing, and LLMjacking – using a compromised cloud account to access cloud-hosted LLMs.” The attackers initially gained access by stealing valid test credentials from public Amazon S3 buckets.