Vulnerable U | #090
China hacking telecoms targeting government and political officials, Top 15 exploited bugs according to CISA, Palo Alto Networks, SAP, Microsoft, and Citrix bugs, and more!
Read Time: 8 minutes
Howdy friends!
I've been displaced from my house for a few weeks due to a leak forcing me to gut the bathrooms and I also got hit with some other super hard news. Throughout all of that, I've been handling it with surprisingly good mental well-being, where I usually would've spiraled.
Not really sure why, but I'm currently attributing my resilience to either A) exercise or B) someone sneakily lobotomized me. Or this will all hit me like a ton of bricks in a few weeks.
Either way, appreciate you all being here more than I can express. Let's get to it!
Ever feel like your personal goalposts keep moving? You achieve previous goals just in time for new ones to become your obsession? I wrote about The Myth of Arrival.
Success is weird, right? We all chase these big milestones thinking they'll make us feel amazing forever. But even after hitting those goals, that satisfied feeling tends to fade pretty quick.
Trust me, I keep learning this one the hard way.
Crushing your goals is still awesome and worth celebrating. But let's be real for a second - it's not some magic fix for happiness. The whole "I'll be happy when..." thing is a trap.
Coaches have coaches
Part of this post idea came when I saw someone I consider to be at the pinnacle of their career posting on LinkedIn about being in the market for a mentor.
Here is someone who has been the CISO of a major corporation, and a successful founder and CEO. They seem like someone others go to for help, and have a career that others would hold up and say, "I'd like to be them."
My first reaction: "Well, if he needs a mentor, I'm absolutely fucked."
ICYMI
Something I wrote: Canada shut down TikTok's in-country operations due to national security risks
Something I heard: Jhaddix and Daniel Miessler got together to talk shop. So of course I listened.
Something I said: A bunch of iPhones in evidence lockers just started rebooting, locking cops out.
Something I read: This post from Bob Lord on why we shouldn't be afraid of public WiFi: Attack of the Evil Baristas!
Sponsor
Want to adopt GenAI but need data privacy guardrails first?
Harmonic Security gives security teams visibility and control around GenAI and GenAI-enabled apps.
With Harmonic, you can:
✓ Track employee usage and adoption of GenAI
✓ Identify Shadow AI and GenAI tools training on your data
✓ Detect sensitive data leaving the business via GenAI apps
✓ Coach users via inline training and nudging towards safe AI use
Learn about Harmonic's unique approach to securing sensitive, unstructured data effectively, without compromising on efficiency.
Vulnerable News
The Chinese broadband provider and wiretap hacks are causing some serious waves - CFPB just told their entire staff to ditch phones for work comms and stick to Teams/WebEx. This comes after Salt Typhoon (a Chinese APT group) managed to breach AT&T, Verizon, and Lumen's networks, potentially accessing federal wiretapping systems. While CFPB claims they haven't been directly targeted, they're clearly spooked enough to go full no-phone.
Given that Salt Typhoon has been snooping around since 2020 and their buddies at Volt Typhoon are apparently camping out in U.S. critical infrastructure (according to the FBI), this phone ban might just be the tip of the iceberg. Other agencies are likely to follow suit. (read more)
In a significant follow-on to the story above, the FBI and CISA just confirmed what we've been hearing about: Chinese hackers have been running wild in U.S. telecom networks. They've managed to snag call records, target specific individuals (mostly government and political folks), and even copied data related to law enforcement requests. AT&T, Verizon, and Lumen Technologies all got hit.
Who was impacted? According to the government's statement, "a limited number of individuals who are primarily involved in government or political activity" are impacted, but we don't know more about the specific number and the roles that these individuals maintain within the government or politics.
I've got a few guesses though! (read more)
North Korea's BlueNoroff crew is back at it with a fresh Mac malware campaign targeting crypto firms. They're sliding into inboxes with some pretty convincing fake crypto news headlines ("Hidden Gems in Alt Season 2.0" and other clickbait).
Interestingly, they're using a novel persistence technique by abusing zshenv config files, which sneakily bypasses Apple's usual security notifications on macOS 13.
While most NK campaigns lately have been all about that long-game social engineering, this one's taking a more straightforward phishing approach. Still has their fingerprints all over it though - same infrastructure and malware artifacts we've seen in their previous operations. SentinelLabs is pretty confident this is the same crew behind the RustBucket campaign from earlier this year. (read more)
Heads up if you're running Palo Alto's Expedition tool - there's active exploitation happening in the wild for CVE-2024-5910. The bug is about as basic as they come - just straight up missing authentication on critical functions.
CISA just added this to their Known Exploited Vulnerabilities list, which means it's not just theoretical anymore. What's weird is this has been public since July but exploitation is only popping up now. If you're running Expedition 1.2.91 or earlier, you'll want to bump that patch priority way up. This isn't the first rodeo for Expedition either - Horizon3 dropped a bunch of similar vulns back in October. (read more)
A new report from Infoblox dropped about DNS hijacking that's worth paying attention to. They're calling these attacks "Sitting Ducks" because of how ridiculously easy they are to pull off - no need to hack registrar accounts, just exploit some basic DNS misconfigs. They found about 800k vulnerable domains out there, with 70k already compromised. The attackers are using these hijacked domains for everything from malware distribution to phishing campaigns.
The criminal groups are also working together, playing hot potato with the hijacked domains in what they're calling "rotational hijacking." One group will use it for a bit, then hand it off to another.
The main players are Vacant Viper (pushing AsyncRAT and DarkGate), Horrid Hawk (running investment scams), and a few others. They're even using sophisticated traffic filtering through something called AntiBot Cloud to maximize their success rates. (read more)
source: Taylor Lorenz
Threads is having its QAnon moment, but make it blue. Meta's Twitter alternative is drowning in election conspiracy theories from liberal users claiming everything from Starlink satellite hacks to Biden playing 5D chess by... losing elections on purpose? The platform's attempts to limit political content have backfired spectacularly, creating an info vacuum where wild theories are spreading unchecked.
What I'm eyeballing is how this mirrors the right-wing conspiracy movements we've seen before, complete with its own "Liberal Q" figure. While Russian disinfo campaigns are definitely still a thing, there's zero evidence of actual election hacking.
The real story here isn't about hacked voting machines - it's about how social media platforms keep failing at handling political content moderation, and how the collapse of trust in traditional media is creating perfect breeding grounds for conspiracy theories on both sides. (read more)
Google just dropped their latest scam report and surprise surprise - the bad guys are getting craftier with AI. They're seeing a rise in something called "cloaking" where scammers show different content to Google versus regular users, playing hide and seek with the moderation systems. Think fake shopping sites that look legit until you actually try to buy something.
The fun doesn't stop there - they're also seeing more deepfakes of public figures pushing crypto scams (because of course they are), and a rise in app cloning schemes. Google's fighting back by rolling out some new toys like live scam detection in their Phone app using their Gemini Nano AI. They've already blocked 5.5 billion sketchy ads this year alone, which is... a lot. (read more)
The big one in SAP's batch this month is a high-severity XSS bug (CVE-2024-47590) in Web Dispatcher. The good news is it only affects folks who have enabled the Admin UI, but if that's you, an unauthenticated attacker could potentially get arbitrary code running in a victim's browser through some crafty link clicking.
SAP dropped fixes for seven other flaws too, mostly medium severity stuff in NetWeaver and Host Agent. Nothing too wild - just your standard missing auth checks, info disclosure, and privilege escalation issues. No word on active exploitation, but you know how these things go. Patch if you can, or at least consider those temporary workarounds like disabling Admin UI if patches aren't feasible right now. (read more)
CISA and friends just dropped their "Most Popular Bugs of 2023" list, and it's a greatest hits album nobody wanted. The usual suspects are here - Log4Shell still partying like it's 2021, and that crusty old Microsoft Netlogon bug from 2020 refuses to retire. But the real stars of the show are the edge security devices - Cisco IOS XE, Fortinet, and Barracuda are all getting plenty of unwanted attention from attackers. (read more)
Holiday shoppers! There's a massive Chinese fraud operation running nearly 5,000 fake shopping sites right now. They're impersonating big names like North Face, IKEA, and Wayfair with steep "Black Friday" discounts. The sites look legit at first glance and even use Stripe for payments, but they're stealing card details and phone numbers (likely for future 2FA bypass attempts).
The operation, dubbed "SilkSpecter," uses Google Translate to match visitor language and various tracking tools to optimize their scam. The Chinese connection comes from their infrastructure choices and code analysis. Pro tip: stick to official brand sites and maybe think twice about those too-good-to-be-true deals popping up in your social feeds. (read more)
Patch Tuesday just dropped and Microsoft's keeping their security team busy with 92 CVEs to patch up. The spicy ones this month are two actively exploited bugs - a Task Scheduler privilege escalation flaw (CVE-2024-49039) that lets attackers run restricted RPC functions, and an NTLM hash disclosure bug (CVE-2024-43451) that can be triggered by something as simple as right-clicking a malicious file.
Microsoft's already at 949 CVEs for the year, making 2024 their second-biggest patch year ever (and December isn't even here yet). While they're being tight-lipped about the details of the exploits in the wild, these two active ones should probably jump to the top of your patch priority list. There's also some nasty RCE bugs in Kerberos and .NET that are worth keeping an eye on. (read more)
Strela Stealer is upping their phishing game. Instead of poorly written fake invoices, they're using actual stolen emails from previous victims to spread their malware. The group behind it (Hive0145) has been hitting organizations across Europe, particularly in Spain, Germany, and Ukraine, stealing Outlook and Thunderbird credentials which they then use to fuel their next round of attacks.
They've gone from occasional hits to weekly campaigns since mid-October. The malware itself isn't revolutionary, but the self-sustaining nature of using stolen legit emails to compromise more accounts is pretty effective. (read more)
New Citrix RCE just dropped for their Virtual Apps and Desktops products. The bugs (CVE-2024-8068/8069) are in the Session Recording feature, and it's looking... interesting. The first bug gets you NetworkService account privileges if you're an authenticated user in the domain, and then you can chain that with the second one for remote code execution.
The researcher who found it, Sina Kheirkhah, points out it's using the notorious BinaryFormatter for deserialization (always a fun time) and it's accessible over HTTP. Given Citrix's track record of making CISA's "most exploited" lists, you'll probably want to patch this one quick. Affects current version and several LTSRs - fixes are out as of Nov 12. (read more)
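The BinaryFormatter point is easier to see in code. The snippet below is an added illustration, not Citrix's code or anything from the researcher's write-up: a hypothetical HTTP-facing handler parsing an invented `RecordingRequest` type, first with the pattern the text describes, then with a fixed-type JSON contract that gives the caller no say in which types get instantiated.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical data contract standing in for whatever a session-recording endpoint accepts.
public sealed class RecordingRequest
{
    public string SessionId { get; set; } = "";
    public int Offset { get; set; }
}

public static class Deserializers
{
    // Risky pattern (illustration only): BinaryFormatter rebuilds whatever object graph the
    // byte stream describes, including arbitrary serializable types, before the cast to
    // RecordingRequest ever runs. On an HTTP-reachable endpoint the caller chooses the graph.
    public static RecordingRequest RiskyParse(byte[] body)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete; .NET 8+ disables it by default
        var formatter = new BinaryFormatter();
        using var ms = new MemoryStream(body);
        return (RecordingRequest)formatter.Deserialize(ms);
#pragma warning restore SYSLIB0011
    }

    // Hardened replacement: a data-only contract parsed with System.Text.Json. The target type
    // is fixed at compile time, type names inside the payload are not honoured, the input size
    // is bounded before parsing, and field values are validated after it.
    public static RecordingRequest SafeParse(byte[] body, int maxBytes = 4096)
    {
        if (body.Length > maxBytes)
            throw new InvalidDataException("request body exceeds limit");
        var opts = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
        var req = JsonSerializer.Deserialize<RecordingRequest>(body, opts)
                  ?? throw new InvalidDataException("empty request");
        if (string.IsNullOrWhiteSpace(req.SessionId) || req.Offset < 0)
            throw new InvalidDataException("invalid field values");
        return req;
    }
}
```

On .NET 8 and later, `RiskyParse` throws `NotSupportedException` unless the project explicitly re-enables BinaryFormatter, which is a useful hint for anyone auditing their own services for the same pattern.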
Miscellaneous mattjay
This made me laugh way too hard
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay