Attacks & Vulnerabilities

EchoGram Flaw Bypasses Guardrails in Major LLMs (2 minute read)
EchoGram is a technique that exploits training data gaps in LLM guardrails by injecting "flip tokens" (nonsensical strings, such as "=coffee") that cause both false positives and bypasses of safety controls in GPT-5.1, Claude, and Gemini. The attack is effective against both LLM-as-judge and classification-based guardrails. Researchers estimate that attackers can replicate the method within three months. Security teams face dual threats - malicious prompts that bypass defenses and legitimate requests being falsely flagged - leading to alert fatigue in critical sectors such as finance and healthcare.

Surveillance Tech Provider Protei Was Hacked (2 minute read)
Protei, a Russian telecom company that develops technology to enable phone and internet companies to conduct web surveillance and censorship, was hacked. The attackers defaced its website and stole 182GB of data, including confidential emails. The threat actor defaced the website with the message "another DPI/SORM provider bites the dust," referring to the company's sales of deep packet inspection and other internet filtering technologies developed for the Russian lawful intercept system.

Princeton University Data Breach Impacts Alumni, Students, Employees (2 minute read)
Princeton University disclosed a data breach after a hacker accessed a database with personal details of alumni, donors, faculty, students, and parents. The attack, traced to a phishing call, compromised information like names, addresses, emails, and donation records, but not passwords or financial data.

How I Overlooked the Problem and Shot Myself in the Foot (4 minute read)
This author disabled and deleted Identity & Access Management (IAM) users before updating associated Terraform state and key policies while migrating from legacy IAM users to SSO in an AWS environment, inadvertently locking access to an AWS KMS key. Terraform applied changes but masked the fact that the EKS cluster continued to use the orphaned key, causing permission failures and locking out key management until AWS Support intervened. Security teams should ensure IAM and key-policy transitions are sequenced and validated, maintain Terraform state accuracy, and treat KMS keys as high-risk break-glass resources during cloud IAM migrations.

The realities of CISO burnout and exhaustion (4 minute read)
CISOs are facing a surge in burnout driven by accelerating threats, shrinking budgets, and increasing executive accountability for breaches. The evolving role now spans governance, risk, crisis management, and business strategy, creating sustained cognitive load and operational fatigue that raises organizational and even national-security risk. Security leaders should prioritize realistic resourcing, delegation, mental-health sustainability, and board-level alignment to ensure that essential defensive capabilities do not degrade under chronic pressure.

Stealing Microsoft Teams Access Tokens in 2025 (4 minute read)
Microsoft Teams stores its auth_cookie in a DPAPI-encrypted value in the Cookie database of the embedded Chromium browser used by Teams. The key used to encrypt the cookie can be retrieved from the Local State file in the Teams cache and used in conjunction with the nonce to decrypt the auth_cookie using AES-256-GCM. This auth_cookie can then be used with GraphSpy to retrieve and send messages on Teams.

SAMDump (GitHub Repo)
This tool extracts offline Windows SAM, SYSTEM, and SECURITY registry hives and parses them to extract hashed credentials for analysis. It's intended for use by red-team or forensic practitioners to recover NTLM/LM hashes for further brute force or audit activities. Infosec professionals should treat any accessible hives as a high-risk indicator, ensure live system backup integrity, enforce privilege separation for hive access, and validate detection around unusual hive reads or exfiltration.

Nudge Security (Product Launch)
Nudge Security helps organizations secure SaaS and AI usage by providing real-time visibility, risk detection, and automated policy enforcement. It uncovers risky integrations, monitors AI/data access, and addresses identity security gaps across apps and users.

90DaysOfCyberSecurity (GitHub Repo)
This repository contains a 90-day cybersecurity study plan, along with resources and materials for learning various cybersecurity concepts and technologies. The plan is organized into daily tasks and covers topics such as Network+, Security+, Linux, Python, Traffic Analysis, Git, ELK, AWS, Azure, and Hacking.

Iranian Hackers Target Defense and Government Officials in Ongoing Campaign (4 minute read)
APT42 (aka SpearSpecter) targets senior defense/government officials through social engineering, extending attacks to victims' family members to increase pressure. The campaign deploys TameCat malware, a PowerShell backdoor using Telegram/Discord for C&C that performs reconnaissance, credential theft, and data exfiltration while evading detection through in-memory execution and obfuscation.

CISA, Eyeing China, Plans Hiring Spree to Rebuild its Depleted Ranks (3 minute read)
Given a 40% vacancy rate in pivotal areas, CISA has announced plans to increase hiring in 2026 to replace its depleted workforce and remain competitive. CISA will prioritize hiring liaisons between CISA and critical infrastructure, as well as utilize the DHS's Cyber Talent Management system. CISA will also offer exemptions to its return-to-office policy and strengthen partnerships with colleges and universities to attract top talent.

Thanks for reading, Prasanna Gautam, Eric Fernandez & Sammy Tbeile