Vulnerable U | #064
CISA official whistleblows on telco vulns, encrypted Apple and Proton not so encrypted, Tornado Cash crypto money laundering, Telegram vs. Signal,
Read Time: 10 minutes
Howdy friends!
Getting started late tonight because I was busy jumping up and down around my living room screaming at a hockey game (Go Rangers!)
Is everyone recovering from RSA? That was a whole lot of humaning for me. I could've used a bit of a coma this weekend, but I had some friends' kids' birthday parties to go to. So, instead of a coma, I lit up some 5-7-year-olds in laser tag. They never saw it coming.
Got to be on a panel talking about AppSec and API Security this week here in Austin with some of my friends. Got a lot of great feedback and questions.
ICYMI
Something I wrote: An RSA Observation about vendors talking so poorly about their competitors, they end up devaluing the whole space they play in.
Something worth checking out: Dive into Zero Trust security with Teleport's free ebook: straight-up useful stuff!*
Something I heard: I offered the Shared Security guys some space to record at RSA and they wound up having me stick around and talk about what we were seeing at the con. Mostly about the AI fluff and conversely, some cool AI tech I saw.
Something I said: My talk - Stress, Mindfulness, & Mental Health in Cybersecurity @ NetNoiseCon
Something I read: Slack's updated privacy policy which includes the need to manually opt out of them using your DMs, messages, and files in their new ML models. - Ironically, you can't opt out via Slack, you need to email them.
*Sponsor
Vulnerable News
This one is wild for me, but when I posted on Twitter, a lot of people seemed super familiar with some of these old vulnerabilities. The gist is that there are vulnerabilities in some backbone techs of telco networks called SS7 and Diameter. They're used when you're roaming to route your traffic appropriately.
Well, a CISA official came out and talked about how he has seen evidence of these vulnerabilities being actively exploited to track U.S. citizens. He then went on to say these flaws could also be used to deliver spyware, monitor calls and texts, and have even been seen to influence voters.
The other reason this is such big news is that this whistleblower is going against the official CISA response about these flaws, and the telecom companies are saying they have no evidence of exploitation. (Though we just saw AT&T say they have no idea how all of their customer data is for sale on the dark web either). The whistleblower also left off by saying that this is just the tip of the iceberg, so I think it is safe to assume he has evidence of our cell networks being abused by adversaries in all sorts of ways. (read more)
Ok, we know that disinformation campaigns are nothing new. But when we get a full report and details on one that is unfolding before our eyes, I'd like to use it as a teaching moment to remember that when our emotions are high, we can be easily played.
The Doppelganger network, aligned with Kremlin interests, is stirring the pot on U.S. college campuses by exploiting protests. They're pumping out fake news on both sides of the Israel-Palestine debate, mimicking legit news sites to fool people. Their clever use of bots to amplify these articles on social platforms has snagged hundreds of thousands of views. This whole setup is part of a bigger Russian playbook to mess with societal cohesion in the U.S., especially with the 2024 elections on the horizon. (read more)
Alexey Pertsev, co-developer of Tornado Cash, a crypto mixer, just got hit with over five years behind bars for laundering a whopping $1.2 billion. His tool was caught washing dirty money, including cash from North Korean hackers. Although Pertsev argued that Tornado Cash runs on auto on the Ethereum blockchain and he couldn't control its use, the court didn't buy it. They said he had enough control but chose to ignore the criminal activity. This case has sparked a big debate about the responsibility developers hold for how their software is used. (read more)
What do you think? Is the developer of a crypto mixer used for money laundering responsible for how it's used?
These bug bounty hunters are on a tear. They won a zero-day contest in 2021 that netted them a $50k bounty, and now, in the first half of this year, they've found 2 bugs.
SQL Injection bug write-up - https://blog.projectdiscovery.io/hacking-apple-with-sql-injection/
Remote Code Execution write-up - https://blog.projectdiscovery.io/hello-lucee-let-us-hack-apple-again/
Apple is a notoriously hard attack surface to find these kinds of bugs in for hunters, so these kinds of write-ups are always a great way to learn from some of the best out there doing it. If you like Bug Bounty content, make sure to check out JHaddix's newsletter/training/discord and The Critical Thinking podcast. Both are friends of Vulnerable U and putting out top notch content. (read more)
Sponsor
Get your copy of O'Reilly: Identity-Native Infrastructure Access Management
What is identity-native infrastructure access? Why should secret-based credentials be eliminated? How can you implement identity-based access for humans and machines across your entire infrastructure, eliminate the need for secret-based credentials, and manage permissions across varied computing resources?
Learn this and more in O'Reilly's "Identity-Native Infrastructure Access Management" book, in which authors Ev Kontsevoy, Sakshyam Shah and Peter Conrad break down the complexities of modern infrastructure security into manageable pieces, making it accessible to beginners and experts alike.
Interesting new Chinese Pwn2Own-like competition:
Player 2 has entered the ring.
A new Chinese pwn2own style competition is now public. The list of targets is interesting, lots of edge devices and even Kaspersky. matrixcup.net/page/race/quesâŚ
— thaddeus e. grugq (@thegrugq)
9:10 AM • May 12, 2024
Spanish police got a leg up from encrypted services like Wire, Proton, and Apple to pin down an activist involved in Catalonia's independence push. Basically, they pulled metadata like email addresses from these services, linking up the dots to identify the person behind the pseudonym.
TL;DR - Even using encrypted services won't protect you from a warrant if your personal info is in the metadata.
While the services keep the content encrypted, they do dish out metadata when legally pressed, which was key in this case. The involvement of multiple services shows how cross-platform data can be pieced together. (read more)
What is old is new again! Did it ever really go away? Opening malicious PDFs has been a favorite point of entry since forever. But this one is based on a popular JavaScript package.
Here's a fun tidbit: "If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value)" - So this is one to chase to see if you're using it in prod and make sure it is updated or ripped out. (read more)
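Since the quoted condition hinges on a single option that defaults to true, the quickest "are we exposed" check is to find every pdf.js `getDocument()` call site and see whether it explicitly turns `isEvalSupported` off. The following is an added example, not code from the newsletter or from the pdf.js project: a regex-based audit helper that flags call sites where the option is either set to true or missing (and therefore defaulting to true), plus the corrected option shape. It assumes the common `getDocument({ ... })` / `getDocument(url)` call styles; the sample sources are constructed for the demo, and a real version-based check still needs the fixed pdf.js version from the advisory, which this page does not state.

```javascript
// Added example, not code from the newsletter or from the pdf.js project.
// Scans JavaScript source text for pdf.js getDocument() calls and flags any
// call site that does not explicitly set isEvalSupported: false. Because the
// option defaults to true, a call that omits it is reported as well.
// Regex-based triage aid, not a full parser: it assumes the usual
// getDocument({ ... }) or getDocument(url) call shapes.

// Locate each getDocument( ... ) call and capture its argument text.
function findGetDocumentCalls(source) {
  const calls = [];
  const re = /getDocument\s*\(/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const start = re.lastIndex; // just past the opening paren
    let depth = 1;
    let i = start;
    // Walk forward to the paren that closes this call.
    while (i < source.length && depth > 0) {
      if (source[i] === "(") depth += 1;
      else if (source[i] === ")") depth -= 1;
      i += 1;
    }
    calls.push({ index: m.index, args: source.slice(start, i - 1) });
  }
  return calls;
}

// 1-based line number of a character offset, for readable findings.
function lineOf(source, index) {
  return source.slice(0, index).split("\n").length;
}

// Audit one file's source text; returns an array of findings (empty = clean).
function auditSource(filename, source) {
  const findings = [];
  for (const call of findGetDocumentCalls(source)) {
    if (/isEvalSupported\s*:\s*false\b/.test(call.args)) continue; // hardened
    const explicitTrue = /isEvalSupported\s*:\s*true\b/.test(call.args);
    findings.push({
      file: filename,
      line: lineOf(source, call.index),
      reason: explicitTrue
        ? "isEvalSupported is explicitly true"
        : "isEvalSupported is not set (pdf.js defaults it to true)",
    });
  }
  return findings;
}

// Audit a map of { filename: sourceText } and concatenate the findings.
function auditAll(files) {
  return Object.entries(files).flatMap(([name, src]) => auditSource(name, src));
}

// The corrected call shape: keep the caller's options (url, data, headers...)
// and force the font-program evaluator off, overriding any explicit true.
function hardenedOptions(options) {
  return { ...options, isEvalSupported: false };
}

// Constructed sample call sites (not real project code).
const SAMPLE_FILES = {
  "viewer-default.js": "const task = pdfjsLib.getDocument(url);\n",
  "viewer-explicit-true.js":
    "const task = pdfjsLib.getDocument({\n  url,\n  isEvalSupported: true,\n});\n",
  "viewer-hardened.js":
    "const task = pdfjsLib.getDocument({\n  url,\n  isEvalSupported: false,\n});\n",
};

// Print findings for the constructed samples; the hardened file stays silent.
for (const f of auditAll(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line}: ${f.reason}`);
}
```

Run it against real sources by reading each file's text into the map in place of `SAMPLE_FILES`; anything it reports is a call site to fix with the `hardenedOptions` shape and, separately, a library to update.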
Ok I saw A TON of chatter on Telegram vs. Signal this week; it seems Elon Musk was talking about it, which might have spurred some attention. Also it seems Telegram is pumping out a ton of PR against Signal.
But you know who says Signal is more secure? Literally every security expert. Telegram isn't built to be a secure messenger; it has an optional and questionable encryption feature. Signal Protocol is open source and reviewed by every cryptographer on the planet. The linked thread here is by Matthew Green, who is my go-to expert on all things crypto (not the bitcoin kind). (read more)
Dmitry Yuryevich Khoroshev, alleged leader of the LockBit ransomware group, was charged by U.S. authorities using extensive digital footprints linked to his numerous online aliases. Authorities traced his activities from early hacker forums to recent ransomware operations. They pieced together his identity through email addresses registered to domains, ICQ numbers, and other digital traces linking back to his real-life persona. The investigation highlights a decade-long evolution from forum-based malware discussions to managing a major ransomware service. (read more)
Great report detailing a scheme named Estate that enabled cybercriminals to carry out automated phone calls to trick victims into revealing one-time passcodes, thereby bypassing security features like multi-factor authentication. The operation targeted major services like Amazon and PayPal, predominantly affecting older demographics believed to be more susceptible to such scams. A security flaw exposed Estate's internal database, revealing detailed logs of attacks and the identities of involved members. So even the criminals have a hard time keeping security vulns from burning them. (read more)
Rapid7 identified a social engineering campaign where threat actors overwhelmed users with spam, then posed as IT support to facilitate remote access via legitimate tools like AnyDesk or Quick Assist. They then executed scripts to download additional payloads for credential harvesting and persistence, often disguising their actions as routine updates. This campaign, linked to the Black Basta group, involved complex methods like using SSH for reverse tunneling and deploying Cobalt Strike beacons, but no data exfiltration or ransomware deployment was observed in the incidents studied.
If you're on a DFIR team, this article has some good artifacts and indicators of compromise to look out for. (read more)
Christie's website got hacked right before a major auction week expected to rake in around $840 million. They've taken the site down for now and are hustling to fix things up. Meanwhile, they're asking folks interested in bidding to use alternative contact details provided on their temporary site message. This hiccup comes after a previous breach last year that leaked some GPS data from artwork images. Upcoming auctions include high-ticket pieces from Warhol, Picasso, and Van Gogh, expected to fetch up to $35 million. (read more)
Europol's expert platform got hit by hackers using stolen credentials, but thankfully, no sensitive operational data was compromised. The breach only affected a part of the Europol Platform for Experts (EPE), used for sharing non-sensitive info among law enforcement pros. The hackers claimed to have nabbed some classified docs, but Europol insists nothing critical was touched. We'll see who is right soon, I guess. (read more)
Monday.com had to ditch its "Share Update" feature when phishers hijacked it to send sneaky emails that looked legit. We don't often think about project management tools as a phishing risk, but here we are. The attackers crafted emails as if they were from HR, leading unsuspecting clicks to phishing sites. Monday.com pulled the plug on this feature fast, and they're letting affected users know about the potential threat. They're still deciding if the feature will ever make a comeback. (read more)
Imagine your cloud provider just let you know they accidentally deleted your... everything?
Google Cloud accidentally wiped out UniSuper's account during a "one-of-a-kind" misconfiguration mishap, cutting off over 620,000 members from their superannuation funds for a week. They've fixed the issue to prevent a repeat and managed to restore services thanks to backups UniSuper had elsewhere. Talk about a case study on off-site backups! (read more)
Apple just dropped some updates for iPhones, iPads, and Macs to patch up a bunch of security holes, including a memory bug that might've been exploited in older iOS versions. They're covering everything from potential system crashes to unauthorized data access. So, if you're running on an Apple device, it's time to hit the update button! (read more)
Oh cool! Check out new tech police are experimenting with: the Elsag EOC Plus by Leonardo. It's designed to scan for any electronic signal inside moving cars, catching everything from your smartphone and Fitbit to the RFID chip in your library books.
What could go wrong?!
While it's meant to track suspects by linking device "fingerprints" to car plates, there's a ton of concern about privacy. Do we think it could lead to mass surveillance without warrants, tracking people's movements, and gathering info about personal belongings?! (read more)
GossiTheDog is a voice I listen to in this space. And in this case, the call is coming from inside the house (Microsoft).
His real name is Kevin Beaumont, and he really digs into Microsoft's announced shift towards making cybersecurity their number one jam after getting a bit of a nudge from the US Department of Homeland Security. He chats about his time at Microsoft, sharing insights about their security setup, or the lack thereof.
Microsoft, led by CEO Satya Nadella, is now all-in on beefing up their security, setting up new rules that basically say, "Hey, when in doubt, pick security over anything else." They're restructuring to make sure security isn't just a side thought but woven into everything they do. Nadella's making it clear to the team that if it's a toss-up between rolling out new features or locking down security, security wins every time. (read more)
Poland's shaking up the spyware game! Once a hotbed for spyware abuse, Poland is now setting standards on how to clean up the mess. After booting the old government accused of misusing Pegasus spyware against foes, the new crew is cracking open the books, investigating, and even letting victims know they were targeted.
This could be a game-changer, showing other countries how to tackle their spyware skeletons. It's early days, but the move has turned heads and could inspire others to follow suit, balancing security needs with personal rights. (read more)
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay