
New Hak5 Video: Cybersecurity Updates and Anniversary of CrowdStrike Outage
In this new video from the @hak5 channel, Alli Diamond marks the first anniversary of the global outage caused by CrowdStrike and presents the latest news in cybersecurity. The video begins with a zero-day vulnerability discovered by Microsoft in its SharePoint servers, tracked as CVE-2025-53700 and rated with a CVSS score of 9.8. This vulnerability, named ToolShell, compromised more than 75 enterprise servers, including those of governments and large corporations.
The ToolShell exploit chain relies on two previous CVEs, CVE-2025-49706 and CVE-2025-49704. The first allowed users to bypass authentication through a header, a vulnerability that had been patched. However, the new CVE found a way to bypass this fix. The exploit takes advantage of how SharePoint handles deserialization and control rendering via ViewState, a mechanism used by the ASP.NET framework to store page and control values. Attackers can extract the validation key directly from memory or configuration, then use a tool called ysoserial to create signed and valid ViewState payloads. These payloads can include malicious commands and are accepted by the server as trusted input, thus completing the RCE chain without requiring credentials.
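To make the signing step concrete, the following is an added example, not code from the video, Microsoft or SharePoint: a simplified Python model of a MAC-protected state field, showing that the server's check only proves the signer held the validation key. The field layout (state bytes followed by an HMAC-SHA256, base64-encoded), the function names and all sample values are assumptions constructed for illustration, not ASP.NET's actual ViewState format.

```python
import base64
import hashlib
import hmac
import os

MAC_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to the state


def protect(state: bytes, validation_key: bytes) -> str:
    """Build the hidden-field value: base64(state || HMAC(key, state))."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def accept(field: str, validation_key: bytes):
    """Return the state bytes if the MAC verifies under the key, else None."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:
        return None
    if len(raw) < MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(mac, expected) else None


def demo() -> dict:
    server_key = os.urandom(64)  # constructed stand-in for the validation key
    genuine = protect(b"page-state:v1", server_key)
    # Modification without the key: flip one bit of the state, keep the old MAC.
    raw = bytearray(base64.b64decode(genuine))
    raw[0] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode("ascii")
    # Content the server never issued, signed by someone holding a key copy.
    foreign = protect(b"state-not-issued-by-server", server_key)
    rotated_key = os.urandom(64)  # server after replacing its key
    return {
        "genuine": accept(genuine, server_key) is not None,
        "tampered": accept(tampered, server_key) is not None,
        "signed_with_leaked_key": accept(foreign, server_key) is not None,
        "leaked_key_after_rotation": accept(foreign, rotated_key) is not None,
        "old_genuine_after_rotation": accept(genuine, rotated_key) is not None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} accepted={ok}")
```

The last two cases show why a validation key that may have been read has to be replaced: closing the entry point does not invalidate payloads signed with the old key, while rotation rejects them at the cost of also invalidating state the server issued earlier.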
This vulnerability only affects on-premises SharePoint server instances; online instances of SharePoint for Microsoft 365 are not affected. The CVE was quickly added to the KEV list by CISA, highlighting the urgency and severity of this vulnerability. Although Microsoft did not immediately provide a patch, mitigation measures and protection advice were published, followed by a security update.
The video also covers cybersecurity news in the United States. The Department of Defense has received a $1 billion allocation over four years to strengthen its offensive cybersecurity operations. However, this initiative contrasts sharply with drastic budget cuts for defensive operations, including those of CISA, raising concerns about potential cyber retaliation.
Finally, Alli Diamond discusses the ransomware group Hunters International, which recently rebranded to focus on extortion and data theft under the name World Leaks. Since January 2025, World Leaks has targeted 49 organizations, including Dell, threatening to disclose its product demo platform. Dell confirmed unauthorized access but assured that this environment is separate from customer and partner systems as well as Dell's network.
In conclusion, Alli Diamond invites viewers to meet her at DEF CON and follow her online under the name "endingwithally." She emphasizes the importance of vigilance and online security, ending with her usual slogan: "Good luck, have fun, and don't get caught."