- Vulnerable U
- Posts
- đď¸ Vulnerable U | #070
đď¸ Vulnerable U | #070
US bans Kaspersky, LockBit Federal Reserve Saga, CDK Global ongoing auto dealer outage, LLMs for Vulnerability Research, and more!
Read Time: 8 minutes
Howdy friends!
Writing to you from Scotland today! My family is out tracking down some Highland cows so I stayed behind for a few hours to get this out to you this week. Been a lovely few days in the UK, thanks for all of you who noticed I was here on Instagram and reached out with recommendations or offers to buy me a drink.
I can see myself spending some more time in Edinburgh in the future; what a lovely slice of the Earth. Future destination to escape Texas summer heat.
ICYMI
đď¸ Something I wrote: A look down memory lane from the last time I was in London.
âď¸ Something I think youâll like: I get a lot of messages from you all asking for help with your companyâs SOC2 compliance. I always point you to Vanta. Theyâve got a great checklist to get you going.*
đ¤ Something I said: Did you see that weâre doing LiquidMatrix Security Digest again? Catch us wherever you do podcasts, but hereâs the YouTube link.
đ Something I read: Rsnake has been on a mission this week digging into some reports of CISOs effectively taking bribes to purchase certain vendors.
*Sponsored
đŁ Sponsor
Free SOC 2 Compliance Checklist from Vanta
Are you building a business? Achieving SOC 2 compliance can help you win bigger deals, enter new markets and deepen trust with your customers â but it can also cost you real time and money.
Vanta automates up to 90% of the work for SOC 2 (along with other in-demand frameworks like ISO 27001, ISO 42001, and NIST AI RMF), getting you audit-ready in weeks instead of months and saving you up to 85% of associated costs.
And Vanta scales with your business, helping you continuously monitor compliance, unify risk management, and streamline security reviews.
Download the free checklist to learn more about the SOC 2 compliance process and the road ahead.
Vulnerable News
Alright, let's break this down. The US government just slammed the door on Kaspersky antivirus software, citing serious national security concerns. The feds are saying Kaspersky has ties with Russian intelligenceâbig surprise there. Starting late July, Kaspersky is banned from selling to US customers, and come September 29, all operations have to stop. No more sales, no more updates, nada. Current users, you've now got a seriously ticking clock to find an alternative.
The Commerce Department even slapped three Kaspersky entities on the Entity List for cozying up with Russian military and intelligence. And letâs not forget, the Treasury Department sanctioned a bunch of Kasperskyâs top brassâthough mysteriously, Eugene Kaspersky himself dodged that bullet.
This isnât just a knee-jerk reaction. This move caps off years of suspicion and mounting evidence. Back in 2017, we learned that Russian hackers used Kaspersky to swipe NSA documents, which led to the initial ban from US government networks.
Bottom line: if you're still using Kaspersky, switch to something else before September rolls around, or youâre going to be left holding the bag. (read more)
Lot of back and forth this week about if the Federal Reserve was hacked. LockBit, clearly desperate to stay relevant, recently claimed theyâd hit the Federal Reserve and swiped 33 terabytes of sensitive American banking info. Bold, right? Except, turns out, they didnât breach the Fed at allâthey hit Evolve Bank & Trust, a much smaller target. Some experts are saying this whole stunt was a blatant attempt to drum up some drama and remind the world they still exist. - Personally I think it is more of a shot across the bow of the Fed since theyâre in a long standing tug of war over the FBI taking down their domains and making it harder for them to operate. (read more)
What do you think? |
This one has been wild. Apparently, the whole auto dealership industry is run off of a handful of SaaS tools. And one of the biggest, CDK Global, got absolutely owned and has been hard down for weeks now. Dealerships and service centers were breaking out manual workaround pen-and-paper methods to try to stay in business.
Bleeping Computer reported they were knocked offline by a BlackSuit ransomware group that is demanding 10s of millions of dollars.
Iâve been updating my social media as I see info on this one and Iâve gotten dozens of DMs of folks working for companies impacted. I also heard from at least 3 individuals who have worked for tech teams associated with CDK and reported that it is a nightmare tech stack there. They told me CDK requires their customers to use Internet Explorer and an old version of Flash to even use the tool. And that internally their tech was even worse. I obviously canât confirm this part but I found it very interesting that multiple people told me this. (read more)
Googleâs Project Zero named this Project Naptime since they want to go take a nap while an AI bot does their job for them. I find that naming delightful.
Theyâve been evaluating the capabilities of LLMs for vulnerability research. So far their bots arenât great at replacing them but the data is interesting. Hereâs some details:
Principles for LLM Effectiveness:
Allowing LLMs to engage in detailed reasoning processes yields better results.
Models must interact with the environment to refine their outputs, mirroring software development practices.
Access to tools like debuggers and scripting environments is crucial for mimicking human researchers' workflows.
Automated, unambiguous verification of solutions ensures reliability and reproducibility.
Effective exploration of multiple hypotheses through independent trajectories rather than a single path.
Project Naptime Framework:
Architecture: Combines tools like a code browser, Python interpreter, and debugger to enable dynamic analysis and automatic verification.
Performance: Demonstrated up to a 20x improvement on CyberSecEval 2 benchmarks, especially in tasks like buffer overflow and advanced memory corruption.
Challenges: LLMs still struggle with real-world complexity and require more realistic benchmarks to fully gauge their capabilities.
Project Naptime's findings highlight the potential and limitations of using AI in cybersecurity, pointing towards a future where LLMs could significantly augment human efforts in vulnerability discovery. (read more)
NEW: sprawling #ChatGPT-powered pro-#Rwanda propaganda operation on @X.
More than half a million posts this year.
Used #AI / #LLM- drafted posts to propagandize, attack truth tellers & bury negative stories under inauthentic content. 1/
By @ClemsonHub
tigerprints.clemson.edu/cgi/viewcontenâŚâ John Scott-Railton (@jsrailton)
4:11 PM ⢠Jun 22, 2024
Great thread on AI-powered propaganda campaigns. This isnât an isolated incident and will only get more prevalent. Clemson University's report uncovers a sophisticated AI-powered influence campaign by pro-Kagame/RPF actors. Using over 460 accounts and issuing 650,000+ messages, the campaign leverages AI for text generation and imagery, targeting critics and promoting Kagame's regime. (read more)
Weâve got another chapter in the wild world of crypto scams. The FBI is sounding the alarm about cybercriminals posing as law firms and lawyers, promising to recover your lost cryptocurrency. Instead of helping, these fraudsters are double-dipping into victims' pockets.
Hereâs the scam: These fake law firms claim theyâre working with the FBI and the Consumer Financial Protection Bureau (CFPB). They drop names of real financial institutions and money exchanges to seem legit. Theyâll ask for your personal info, banking details, and even upfront fees, all under the guise of helping you get your money back. They might also tell you to pay "back taxes" or other bogus fees to release your funds. The FBI reports that from February 2023 to February 2024, victims lost over $9 million to these secondary scams.
Remember, legitimate authorities wonât charge you to recover stolen crypto, and they wonât ask for personal information out of the blue. If youâre ever in doubt, research the company thoroughly online and report any suspicious activity to the FBI's Internet Crime Complaint Center (IC3). (read more)
There's a fresh bug in MOVEit Transfer thatâs making waves. Weâre talking about CVE-2024-5806, an improper authentication vulnerability in the SFTP module that allows attackers to bypass security controls. This bug affects versions from 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2. Essentially, if youâre running any of these versions, youâre a sitting duck.
This isnât the first time MOVEit has been in the crosshairs. Remember the Clop ransomware gang? They exploited a different MOVEit vulnerability not too long ago, causing chaos and leading to massive data breaches. Millions of people affected and huge ransoms paid.
The FBI and CISA are all over this, providing guidance and urging swift action. Their message is clear: if youâre using MOVEit, update your systems immediately. This vulnerability is already under attack, and the longer you wait, the bigger the risk. (read more)
I love nerding out about detection engineering tactics. This post came across my feed and is super useful for any of you in Okta shops. SnapAttackâs latest blog post breaks down how to tackle Okta attacks using Dorothy and Splunk. The Okta System Log is your best friend here, providing real-time visibility into user activities. By leveraging Dorothy, a tool designed to simulate attacks, you can create realistic scenarios to identify potential vulnerabilities.
Splunk comes into play by analyzing these logs, making it easier to spot suspicious behavior and fine-tune your detection strategies. (read more)
Breakdown of a TikTok account with millions of views a month every day takes random military videos and posts text saying the US is starting an attack on Russia or an American ship sunk or NATO is losing
â SwiftOnSecurity (@SwiftOnSecurity)
1:22 PM ⢠Jun 25, 2024
People just playing the algorithm and rage bait for views. Side effect: undermining our critical thinking skills and reality. (read more)
The Biden administration is digging into China Mobile, China Telecom, and China Unicom. Why? They're worried these firms could be funneling American data straight to Beijing through their U.S. cloud and internet operations. The Commerce Departmentâs on the case, having subpoenaed these state-backed companies. Even after getting booted from providing certain services, these firms still sneak in via cloud services and internet traffic routing. (read more)
CISA just confirmed that hackers mightâve snooped on sensitive info from U.S. chemical facilities during a January cyberattack. The hackers exploited a flaw in Ivanti IT products, targeting the Chemical Security Assessment Tool (CSAT) between January 23-26. While all data was encrypted and no evidence of data theft was found, thereâs a chance the hackers got unauthorized access to critical site security plans and assessments. CISA is urging all involved to reset passwords and stay alert. (read more)
This is a fun one. Some thieves just texted a transporter posing as employees of the dealership and got them to deliver to a new destination. They then texted the dealer, showing theyâd removed the GPS trackers to gloat. Social Engineering apparently on easy mode, the driver never verified anything with the thieves. (read more)
Miscellaneous mattjay
How'd I do this edition?It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week. |
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay