🎓️ Vulnerable U | #113
Verizon Data Breach report, Blue Cross self inflicted data breach, FBI cyber crime report stats, new Android malware targeting Russian military, and more!
Read Time: 9 minutes

Howdy friends!
I wish infosec spring break was more like college spring break. The lobby bar at the W in SF just isn’t giving Cabo MTV House 1996.
My calendar is already crazy with some days starting at 7am coffee meetings and some late night after dinner stuff booked as well. Marathon not a sprint. - Going or not, let me know if you’re excited about anything coming out of RSA week.
ICYMI
🖊️ Something I wrote: This thread on the DOGE whistleblower got …uh… a little attention.
🎧️ Something I heard: NSA Says Fast Flux Is A National Security Threat, But What Is It?
🎤 Something I said: The FBI Became a Dark Web Banker?
🔖 Something I read: Ok ok i’ll stop saying Dungeon Crawler Carl here, even though yes I finished the 6th book already. - I also read this from 404: The Man Who Wants AI to Help You ‘Cheat on Everything’
Vulnerable News
One of my favorite security reports of the year. Many of my good friends have done their time on the team that creates this report. They bust their ass on this thing. They collect all sorts of data both public and privately through data sharing agreements on data breaches and security incidents throughout the year. Then they do DATA SCIENCE. Lab coats and shit.
It turns out we're collectively terrible at patching our VPNs and edge devices. Only 54% of zero-days in perimeter gear got fully patched last year, with a leisurely median fix time of 32 days. No wonder vulnerability exploitation shot up 34% year-over-year! Those Ivanti, Fortinet, SonicWall and Citrix boxes sitting at your network edge have become prime targets, jumping from 3% to 22% of all exploitation cases. (!!!)
Ransomware continues its reign of terror, appearing in 44% of breaches (up 37%), though there's a silver lining - more victims are telling attackers to pound sand, with 64% refusing to pay. Small businesses are getting hammered the hardest, with ransomware involved in 88% of their breaches compared to 39% for large enterprises.
And nation-state hackers are moonlighting for cash in 28% of cases, which tracks with what we've been hearing. 60% of breaches still involve someone clicking something they shouldn't or reusing passwords. - I hate this last part. Clicking things is what the Internet is built for, we have to do better security so people can keep clicking. “Don’t click shit” is dumb and doesn’t work. Here are the stats in two thousand and twenty-five to prove it!
The data also shows stolen credentials are still king (why bother with 0-days when you can just use someone's password?), and even state-sponsored hackers are hitting basic web apps because that's where the data lives now. I consider this a must-read every year if you’re in the industry. (read more)
Looks like we've got some DOGE drama, this time it backs up the whistleblower story we covered last week. An NLRB security architect claims Musk's DOGE team got admin access to the labor board's systems and helped themselves to 10GB of sensitive case data. The whistleblower, Daniel Berulis, says he caught DOGE accounts downloading suspicious code libraries from GitHub - including one that's nearly identical to code published by DOGE employee Marko Elez (who's apparently bounced between various Musk companies).
This code is designed for IP rotation to facilitate web scraping and brute force attacks - not exactly standard government business. What makes this especially sketchy is the timing - Trump recently fired enough NLRB board members to leave the agency without a quorum, and both Amazon and SpaceX are currently battling the NLRB over labor disputes. Berulis is concerned this data could be used to identify and target union organizers. After the article was published, Elez's code repo mysteriously disappeared from GitHub. Funny timing, that. (read more)
The official XRP Ledger npm package just got backdoored… Security researchers at Aikido caught five suspicious new versions of the xrpl package pushing code that steals your private keys and wallet credentials. The malicious code was added to the package on April 21st. Any private keys or seeds processed by this code were being quietly shipped off to a sketchy domain (0x9c[.]xyz) that was registered just for this attack.
With 140,000+ weekly downloads, this is a potentially massive supply chain attack on the crypto ecosystem. If you've been using xrpl versions 4.2.1-4.2.4 or 2.14.2 in the last few days, you should assume your keys are compromised and move your assets ASAP. The xrpl team has since released clean versions (4.2.5 and 2.14.3) to override the malicious packages. (read more)
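One practical follow-up to the item above is to check whether any copy of `xrpl` in your dependency tree, including transitive copies nested under other packages, is one of the versions the article lists. The script below is an added example, not code from the newsletter or from the xrpl project; the lockfile it scans is constructed inline, and the version lists are taken from the article. It handles both the `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1, and compares versions numerically so that a hypothetical 4.2.10 is not mistaken for an older release.

```javascript
// Added example (not code from the newsletter or from the xrpl project):
// scan an npm lockfile for every installed copy of `xrpl` and flag the
// versions the article reports as backdoored.

// Versions the article lists as carrying the key-stealing code.
const COMPROMISED_XRPL_VERSIONS = new Set(['4.2.1', '4.2.2', '4.2.3', '4.2.4', '2.14.2']);
// First clean release per major line, as reported in the article.
const CLEAN_XRPL_RELEASE = { 4: '4.2.5', 2: '2.14.3' };

// Parse "major.minor.patch" into numbers; any pre-release/build suffix is dropped.
function parseSemver(version) {
  const core = String(version).split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  return parts;
}

// Numeric comparison, so 4.2.10 sorts after 4.2.5 (a string compare would not).
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of `name`, including copies nested under
// other packages. lockfileVersion 2/3 keeps a flat "packages" map keyed by
// install path; lockfileVersion 1 keeps a nested "dependencies" tree.
function findPackageInstalls(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [depName, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// 'compromised' = listed as malicious; 'fixed' = at or above the clean
// release for that major line; 'not-listed' = older than the affected range
// or a major line the article does not cover (treat as "not cleared", not "safe").
function classifyXrplVersion(version) {
  if (COMPROMISED_XRPL_VERSIONS.has(version)) return 'compromised';
  const [major] = parseSemver(version);
  const clean = CLEAN_XRPL_RELEASE[major];
  if (clean && compareSemver(version, clean) >= 0) return 'fixed';
  return 'not-listed';
}

function assessXrplInstalls(lock) {
  return findPackageInstalls(lock, 'xrpl').map(({ path, version }) => ({
    path,
    version,
    status: classifyXrplVersion(version),
  }));
}

// Constructed lockfile for this example: a top-level xrpl 4.2.3 (in the
// backdoored range) and a transitive copy at 2.14.3 (the clean 2.x release).
const SAMPLE_LOCK = {
  name: 'example-wallet-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-wallet-app', version: '1.0.0', dependencies: { xrpl: '^4.2.0', 'some-lib': '^1.0.0' } },
    'node_modules/xrpl': { version: '4.2.3', resolved: 'https://registry.npmjs.org/xrpl/-/xrpl-4.2.3.tgz' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { xrpl: '^2.14.0' } },
    'node_modules/some-lib/node_modules/xrpl': { version: '2.14.3' },
  },
};

for (const r of assessXrplInstalls(SAMPLE_LOCK)) {
  console.log(`${r.path}@${r.version}: ${r.status}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The lockfile can lag what is actually on disk, so pair this with a look at `node_modules/**/xrpl/package.json`, and a `compromised` hit means treating keys handled by that build as exposed, exactly as the article advises, not just bumping the version.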
CISA's threat hunting division is feeling the budget squeeze, with the agency cutting access to two key tools used to track down cyber baddies. According to an internal email sent to over 500 staff, they're ditching Google-owned VirusTotal on April 20 and have already dropped Censys, a cyber threat intelligence service. The agency claims they're "actively exploring alternative tools," but this is happening alongside broader contractor cuts - Nightwing and Peraton folks had to turn in their company phones yesterday.
These moves come amid what appears to be a significant downsizing at CISA under the current administration. Secretary Noem has been vocal about wanting the agency to be "smaller, more nimble," particularly pulling back from disinformation efforts that some claim targeted conservatives. Just last week, we saw the chaos around the CVE Program contract, which was initially reported as being terminated before CISA hastily extended it by 11 months.
Simultaneously we got news about some big CISA departures: Two top cyber officials resign from CISA - Bob Lord and Lauren Zabierek are both huge losses and CISA is worse off without them. I’m grateful for their service for the time they were there advising. (read more)
Security teams are navigating a complex landscape of threats, innovation, and regulations. IDC recently surveyed 900+ security leaders to learn more about what’s fueling (or hindering) success across people, processes, and technology.
Watch this webinar on the full survey findings and walk away with actionable takeaways to improve team efficiency and organizational resilience.
*Sponsored
A new Android malware campaign is targeting Russian soldiers by hiding in cracked versions of Alpine Quest Pro, a mapping app reportedly used for battlefield planning. Russian cybersecurity firm Doctor Web found that these trojanized apps are being distributed through Telegram channels and Russian app catalogs as "free" versions of the premium app. Pretty clever social engineering, considering soldiers in the field might be looking for offline mapping capabilities without paying.
The malware is malwaring - it monitors real-time location changes, exfiltrates contacts, phone numbers, and steals confidential files, especially from Telegram and WhatsApp. It even specifically looks for location history logs. This mimics the exact same tactics that Russian APT groups have been using against Ukrainian forces since 2022. Google says Play Protect should catch known versions of this malware, but that won't help if you're side-loading "cracked" apps from Telegram. (read more)
The FBI's Internet Crime Complaint Center just published their 2024 numbers, and they're fun! They logged nearly 860,000 complaints with losses topping $16.6 billion - both record highs since they started counting in 2000. Reports jumped 33% from last year, with phishing scams leading the pack at 193,407 complaints. Ransomware remains the biggest headache for critical infrastructure, with attacks up 9% from 2023.
The FBI admits these numbers are "absolutely underreported" since many victims never come forward. They're attributing the spike to both our increasingly digital lives and more people knowing they should report to the FBI. On the bright side, their work against groups like LockBit and distributing decryption keys has apparently saved victims over $800 million in ransom payments since 2022. The bureau is now calling fraud a "national threat priority" and has "surged resources" to combat it, though they're tight-lipped about specifics. Full Report: here

One of the most interesting graphics to me: the number of complaints and losses by age group, just for 2024. People over 60 lost a combined $4.8 BILLION WITH A B dollars to scams and fraud, and that’s just what was reported. (read more)
Fresh vulnerability intel from VulnCheck, and Q1 2025 had 159 new exploited CVEs in the wild. If you want real stats on speed between vuln drop and exploitation: 28.3% of these vulnerabilities were exploited within just 24 hours of disclosure. That's basically zero-day territory. The usual suspects are getting hammered: CMS platforms (35), network edge devices (29), and operating systems (24), with Microsoft Windows leading the pack at 15 vulnerabilities.
The data shows exploitation reports coming from a wide range of sources (50 different organizations), with Shadow Server and GreyNoise doing the heaviest lifting. Also sort of interesting is the lag in official analysis - over 25% of these actively exploited vulnerabilities are still awaiting or undergoing analysis by NIST NVD. And if you're relying on EPSS scores to prioritize, you might want to reconsider - the report suggests it's largely a trailing indicator rather than a predictive tool for emerging threats. (read more)
Symantec just caught this Chinese APT group (also known by their hipster aliases Lotus Panda and Bronze Elgin) hitting multiple high-profile targets in a single Southeast Asian country. The victims list reads like a national security nightmare - government ministry, air traffic control, telecoms, and a construction company. These folks have been at it since at least 2009, so they're not exactly rookies.
They’re using a mix of custom credential stealers and backdoors, plus some living-off-the-land techniques. They even used tools to modify file timestamps to throw off investigators, which is pretty standard tradecraft these days. Previously, Billbug pulled off a particularly clever move by compromising a digital certificate authority in an Asian country, letting them sign malware that would slip past security tools. This is all part of China's broader cyber operations supporting their territorial claims in the South China Sea region. (read more)
The UN just dropped a report showing how Chinese and Southeast Asian crime syndicates that were raking in billions through investment, crypto, and romance scams are now expanding globally. They've moved beyond their traditional strongholds in Myanmar, Cambodia, and Laos to set up shop across South America, Africa, Europe, and even some Pacific islands.
What's wild is the scale - massive compounds housing thousands of trafficked workers forced to run these scams. East and Southeast Asia lost around $37 billion to these operations in 2023 alone, with the US taking a $5.6 billion hit. Despite some crackdowns (including one in Myanmar that freed about 7,000 workers), the syndicates are just relocating to more remote areas. The UN is basically saying we're at a "critical inflection point" - either the international community steps up now, or this becomes an even bigger global nightmare. (read more)
North Korean hackers are having a field day in the crypto world, with Mandiant reporting they swiped $137 million from TRON users in just one day. These state-backed actors (tracked as UNC1069, UNC4899, UNC5342, and UNC3782) are developing custom malware in Go, C++, and Rust that works across Windows, Linux, and macOS. Their primary targets are Web3 projects and cryptocurrency platforms, using everything from fake investor profiles on Telegram to bogus job offers that deliver malware through "coding assignments."
They're also running a massive operation where thousands of their IT workers apply for legitimate remote jobs at companies across the US, Europe, and Asia. These folks are using deepfakes for job interviews, creating entirely synthetic personas, and sometimes even competing against each other for the same positions. Once hired, they funnel their salaries back to Pyongyang while potentially setting up long-term access for future attacks. In one case, Mandiant found four suspected North Korean workers employed at the same company within a 12-month period. (read more)
Miscellaneous mattjay
On the job market? Here are some tips for landing that dream job, from a team with a proven track record of consistent placements!
— thaddeus e. grugq (@thegrugq)
10:15 AM • Apr 22, 2025
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay