🎓️ Vulnerable U | #068

Apple's Private Cloud Compute, Mandiant's Snowflake and Scattered Spider Reports, Warmcookie Malware analysis, Supply Chain attack on Stable Diffusion, and more!

Read Time: 9 minutes

Howdy friends!

Gearing up for any summer travel? I know I am. Staring down the barrel of a few big trips while squeezing in a lot of work.

Also I picked up rucking a few months ago. It’s just a fancy name for walking with a heavy backpack but I hate running so this felt like a good way to get my heart rate up while going for a brisk walk. And it worked! Worked so well I actually had a hard time getting my heart rate up after a few months of doing it.

Well that problem went away very quickly now that its nearly 100 degrees. I almost passed out and was absolutely soaked this week after them. This habit just got a whole lot less casual.

ICYMI

🖊️ Something I wrote: My challenge to spend more time in the cultural epicenter of wherever you live if you don’t feel connected to it.

🎧️ Something I heard: Practical AI for Bounty Hunters by @jhaddix at NahamCon. Love that Ben puts this on every year.

🎤 Something I said: If you hadn’t heard. We’ve been doing LiquidMatrix again. (If you’re new to my life, we did over 100 episodes of this podcast for a few years, and I used to write for their blog ~15 years ago).

🔖 Something I read: The Stanford Internet Observatory is being dismantled

📣 Sponsor

What is Identity-Native Infrastructure Access?

What many teams have discovered as they've grown their infrastructure is that traditional access control systems do not scale.

Not only does the risk of a breach increase with numerous credentials and standing privileges, but forcing developers to juggle hundreds of secrets to do their jobs limits productivity and encourages insecure workarounds.

This O'Reilly book explains the concept of identity-based infrastructure access and compares it with traditional methods that rely on secrets.

Vulnerable News

Apple finally said the magic word: AI. And a lot of people cringed in anticipation for what that meant. In short: I’m very impressed. They didn’t try to be first out the gate during the craze and instead are releasing a very well-thought-out set of features that will hopefully integrate into their system naturally while preserving security and privacy. (Unlike some other mega corp AI announcements…)

Here is the issue. AI takes a lot of compute power, which your phone doesn’t have. So while some of these features absolutely will take place on device, Apple decided it was time to ship some stuff off device to their “cloud,” and instead of just pretending we’d all be cool with that, they detailed exactly all they went through to do that as securely as possible. This post is fantastic and in-depth deep dive into that endeavor.

TL;DR - They are throwing everything they’ve got at it. All the secure enclave, secure boot, etc. features on your iPhone are now on their servers. They also detail some serious cryptographic solutions that mean not even Apple Admins can access our data on these machines (or put more accurately, if a 3 letter agency shows up they can’t comply with requests to pull our private data).

Matthew Green is way smarter than I’ll ever be and has a great thread about this over on Twitter. (read more)

Ok a lot of our assumptions on the Snowflake security situation got addressed by this Mandiant report, and I’m grateful for that.

The gist: This is a broad and targeted campaign against customers of Snowflake. Snowflake itself hasn’t been compromised but seemingly hundreds of their customers have been. The M.O. here all revolves around infostealer malware on their customers devices → creds that haven’t been rotated in years → no MFA → data exfiltration.

I talked with some folks who work for similar cloud database companies and they schooled me on how hard some of these things are in that space. Some of us security folks on the sideline screaming mandatory MFA, impossible geo protections, anamoly alerting, etc. - Turns out in the very normal course of business customers of these services will backup or transfer all of their data which looks very similar to a malicious exfiltration.

Hugs to the blue team over there. I know they’re getting raked over the coals on this one. I also know they’re staring at the same pile of a million priorities and limited budget and headcount like the rest of the industry. Sending good vibes on this incident response. (read more)

What do you think? Should Snowflake mandate MFA?

Login or Subscribe to participate in polls.

I thought this was the airline. Then when I found out they’re a telecom and internet provider I searched for “Frontier Fiber” to get more news on this and this was the first result:

That’s not it either. Anyway, this is a much bigger internet provider than I realized and they seem to have a corporate relationship with Verizon. The breach forums saying over 2 million customers worth of data, but Frontier came out and notified about 750k of them. The rough part here is this breach includes credit score info and social security numbers. If you got one of these notices, I’d advise freezing/locking your credit on the 3 major credit bureaus. (read more)

Boy am I a sucker for a good malware branding and extremely detailed writeup. Kudos to the team at elastic for this deep dive into malware analysis. Also yes I would love a warm cookie, thank you.

Do yourself a favor and read this whole report. It is about a malware campaign that was delivered via fake job offer emails containing malicious files. The landing pages the emails sent you do played some common psychological games to get the targets to download. Looked legitimate, a countdown on the file as a sense of urgency, even a CAPTCHA to make you think some security is involved.

Go check out the full teardown of the code, what it did once it was on your computer, and the indicators of compromise you can look out for. Great write up. (read more)

📣 Sponsor

SaaS CTO Security Checklist:
40+ items to help you secure your app

The no-nonsense checklist covers over 40 ways to harden security across your people, processes, code, infrastructure, and more. It's organized by business growth stage - bootstrap, startup, and scaleup - so you can find the security best practices relevant to your current phase.

It’s never too late or too early to get started, no matter what stage your company is at. Now get that app secured!

What a name! Sleepy Pickle exploits the Python pickle serialization format, which is known for its security flaws. This attack involves injecting malicious payloads into a pickle file containing a serialized ML model. When the model is deserialized, the payload executes and compromises the model.

Sleepy Pickle allows attackers to:

  • Spread Disinformation: By modifying models like GPT-2-XL, it can generate harmful outputs, e.g., fake medical advice.

  • Steal User Data: It can hook inference functions to capture and exfiltrate sensitive information processed by the model.

  • Phishing: Inject malicious links into summaries generated by ML-based browser apps, leading users to phishing sites. (read more)

In the least surprising news ever, in the wake of the giant $22M ransom payout at Change Healthcare, ransomware attacks on healthcare providers has reached all time highs. Recorded Future who tracks this kind of stuff is saying that in just the 1 month after the payout, we’ve seen more healthcare companies attacked than any single month that they’ve been keeping the stats. This payment was so big, the ransomware group took the cash and ran and didn’t pay out their affiliates either, so a second ransom was demanded of Change to not leak their data. To my knowledge, that one wasn’t paid. (read more)

This is a long piece. Not many of you are going to read it all and I don’t blame you. But here is what a former Microsoft employee, turned whistleblower, is alleging:

  1. Harris identified a critical security flaw in Microsoft's AD FS, which is crucial for single sign-on to cloud services.

  2. Harris warned Microsoft about the vulnerability, fearing it could be exploited to gain unauthorized access to sensitive data.

  3. The flaw, known as Golden SAML, allowed attackers to forge authentication tokens and gain extensive access without detection.

  4. Russian hackers exploited this flaw during the SolarWinds attack, affecting multiple federal agencies, including the National Nuclear Security Administration and the National Institutes of Health.

  5. Despite Harris’s repeated warnings, Microsoft allegedly prioritized business interests over addressing the vulnerability, leading to significant security lapses.

Obvioulsy grain of salt as this is one side of the story, but it is a pretty detailed and damning story at that. I know a lot of great security people at Microsoft, some of the best in the business honestly. Just seems like it is a very big company suffering from very big company issues, those just happen to have direct customer and national security concerns. Mo’ Money, Mo’ Problems. (read more)

JetBrains has flagged a bug in their IntelliJ IDEA that could expose GitHub access tokens. The issue lies in how these tokens are stored in the IDE’s config files, which could lead to unauthorized access if the files are shared or hacked. JetBrains urges users to update to the latest IntelliJ version and check their tokens for any unusual activity. They've also provided steps to secure your tokens and update the software. (read more)

Hacking in protest! Some hackers really upset with AI art tools like Stable Diffusion, so they took it out on the people using them. A popular plugin for Stable Diffusion got popped and was distributed to the AI art tool’s users for weeks. Looks like it was stealing info on the users and exfiltrating it. (read more)

I’m a bit of a Kubernetes nerd but it is definitely a complicated ecosystem. I came across this fantastic run-through of kube logging. The author seems to have made this in frustration of the SEO optimized vendor pitches while searching for solutions in this realm, so kudos! (read more)

A 28-year-old man from Kyiv was arrested by Ukrainian police and the Netherlands' Team High Tech Crime for infecting a Dutch multinational's systems with Conti ransomware. This arrest is linked to the international Operation Endgame. Anyone else kind of a fan of this government branding of big operations like this? Helps get the attention on it. (read more)

So, it turns out the ransomware attack on Synnovis, a company that handles blood tests for hospitals in south-east London, is going to keep things messy for months. Russian hackers from the Qilin gang are behind it, and they’ve basically locked up the IT systems, causing big disruptions for around 2 million patients.

Hospitals like Guy’s and St Thomas’, and King’s College are having to cancel loads of non-urgent surgeries, including cancer treatments and planned caesareans, because they can’t run as many blood tests. The NHS is still figuring out how the hackers got in and whether they can recover all the records. (read more)

It’s a bad year to be an Internet edge device. Not a great year to be Fortinet or their customer either.

Chinese hackers have exploited a major vulnerability in FortiGate systems, compromising at least 20,000 devices worldwide. The Dutch Military Intelligence and Security Service (MIVD) discovered that these attacks are much more extensive than initially thought.

  • The vulnerability (CVE-2022-42475) allowed the deployment of persistent Coathanger malware.

  • Targets include Western governments, international organizations, and defense companies.

  • The malware remains active despite system updates, providing ongoing access. (read more)

UNC3944 aka Oktapus, Scattered Spider, etc. is a very active group that has been behind many of the headline making data breaches you’ve read about in recent years. This is a fantastic and detailed report about their shifting tactics. Seems they’re moving from their traditional SIM Swapping and SMS phishing and more to a data extortion model.

They’ve become masters of social engineering, often tricking corporate help desks to gain access to privileged accounts. They do their homework, knowing personal details like Social Security numbers and birthdates to bypass security checks. Once in, they explore internal resources like SharePoint to gather information on VPNs, VDIs, and remote work tools.

Read the full awesome report to see what to watch out for. (read more)

Miscellaneous mattjay

Turns out a lot of people following me didn’t know what I did/do. So I introduced myself:

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay