🎓️ Vulnerable U | #117
Microsoft massive malware takedown, Russia hacking Ukraine logistics targets, 100s of fake Chrome extensions, and much more!
Read Time: 8 minutes
Howdy friends!
What a week for graduations. Caps, gowns, and proud parents everywhere you look. Seeing college grads strutting around town and high school families getting misty-eyed really drives home how fast time moves, no matter how hard you try to slow it down. Hats off to everyone going through it this week. Well earned, by students and parents alike.
ICYMI
🖊️ Something I wrote: The best leaders in cybersecurity don’t just manage, they advocate for their team members.
🎧️ Something I heard: It’s important to stay on top of all the major AI releases as best we can in our industry. Claude 4 dropped. Google I/O was packed with updates.
🎤 Something I said: OpenAI user privacy nuked in court
🔖 Something I read: I like it when people do these "this is what piqued my interest this week" posts. More of you do this, please. Stephan has been doing them lately and I've really appreciated it.
Vulnerable News
Win for the good guys this week as Microsoft and friends took down Lumma Stealer, the largest infostealer operation out there. They seized 2,300 domains and cut off nearly 400,000 infected Windows machines from phoning home. Microsoft is now sinkholing traffic from those infected devices, which gives defenders valuable telemetry (you can find out which of your hosts were calling home) while starving the criminal affiliates of their precious stolen credentials.
Don't pop the champagne just yet. Lumma's operators are pros at infrastructure resilience. They've been using EtherHiding to stash payloads in Binance Smart Chain contracts, and their delivery mechanisms span everything from fake CAPTCHAs to malvertising. The bad guys will be back with fresh infrastructure, but this buys everyone some breathing room. If you see sinkhole traffic from your network, treat it as a confirmed infection and rotate every credential that was saved in that machine's browsers and apps. (read more)
Tired of slow, noisy vulnerability scans that leave you guessing? NightVision’s API-first security platform delivers continuous, proof-based testing so your team can find and fix real vulnerabilities before they hit production. With their visionary combination of SAST and DAST they can find APIs you never knew existed.
Instant Results: See actionable findings in minutes, not days
Context-Rich Proofs: Eliminate false positives with request-level evidence
Seamless Integration: Plug into any CI/CD pipeline or workflow
Discover how NightVision can shrink your attack surface and accelerate releases. Check out their demo today.
*Sponsored
Remember that whole drama about the US pausing cyber ops against Russia? Turns out it was just a one-day timeout, according to House Armed Services cyber subcommittee chair Don Bacon. The DOD's "rapid response" social media account straight up denied any pause happened, which Rep. Vindman called "an outright lie."
The Pentagon's cyber policy lead Laurie Buckhout wouldn't comment on specifics but confirmed they're keeping "a number of elements on the table" for both offensive and defensive operations against Moscow. I don't know what the hell is going on, but this feels mismanaged, both operationally and in public relations. (read more)
The UK's Legal Aid Agency got hit with a data breach that's particularly nasty. It exposed sensitive info of domestic abuse survivors who've applied for legal aid since 2010: addresses, contact details, and financial data of potentially 2M+ people. The British government is taking its usual stance of not paying ransoms, so it may only be a matter of time before this data hits the dark web.
Some of the data could reveal locations of women's refuges, which are kept strictly confidential for obvious safety reasons. The Ministry of Justice is scrambling to identify high-risk individuals (abuse survivors, asylum seekers) before the data drops, but reaching everyone affected will be tough. While they've got a legal injunction against sharing the data, we all know how effective those are against anonymous threat actors operating from hostile jurisdictions. (read more)
APT28 (aka Fancy Bear) has been running a massive cyber espionage campaign targeting companies involved in Ukraine aid logistics since 2022. The GRU-linked group is hitting organizations across NATO states and Ukraine, particularly those in defense, transportation, and IT services. Basically anyone helping coordinate and deliver aid to Ukraine.
They're getting in through password spraying and phishing, and by exploiting vulnerabilities in Roundcube, Exchange, and VPN appliances. Once inside, they're particularly interested in mailbox access, using backdoors like HeadLace and MASEPIE to maintain persistence while hunting for info about aid shipments. They've even compromised IP cameras at Ukrainian border crossings to track aid deliveries in real time. (read more)
A nasty privilege escalation bug in Windows Server 2025's new delegated Managed Service Account (dMSA) feature lets attackers take over any Active Directory account, even if you've never created a dMSA. All it takes is one Windows Server 2025 domain controller in the domain. Akamai's researchers found that the "BadSuccessor" technique abuses how permissions are carried over during account migrations, letting an attacker who can merely create objects in any OU (a right Akamai found is handed out far more often than you'd think) elevate to domain admin.
The attack works by creating a dMSA and pointing a single attribute, msDS-ManagedAccountPrecededByLink, at the victim account. The Key Distribution Center treats the new dMSA as that account's legitimate successor and stuffs the victim's SIDs into the dMSA's ticket, so the attacker inherits every permission of whichever user they targeted. While Microsoft works on a fix, the main defense is locking down who can create dMSAs (CreateChild on OUs and containers) and auditing any changes to that attribute. Akamai released a PowerShell script to help identify who holds these dangerous permissions in your domain. (read more)
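If you want a quick look at your own domain before you run Akamai's script, here is an added PowerShell audit of my own (it is not Akamai's script and not code from the original newsletter) that lists every non-default principal with rights to create objects in any OU, which is the precondition BadSuccessor needs. It assumes the RSAT ActiveDirectory module on a domain-joined host, and the allowlist of "expected" principals is an assumption you should adjust for your environment. It only walks OUs; dMSAs can also live in containers, so check those separately.

```powershell
# Added example, not Akamai's script: find who can create child objects (and
# therefore dMSAs) in each OU. Assumes RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the dMSA class from the schema rather than
# hardcoding it; if the class is missing, the forest has no 2025 schema yet.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'dMSA schema class not found; no Server 2025 schema in this forest.' }
$dmsaGuid = [guid]::new([byte[]]$dmsaClass.schemaIDGUID)

# Assumed allowlist: principals you expect to hold these rights. Adjust as needed.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

$R = [System.DirectoryServices.ActiveDirectoryRights]

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # CreateChild for all classes (empty ObjectType) or scoped to the dMSA class.
        $createChild = $rights.HasFlag($R::CreateChild) -and
            ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $dmsaGuid)

        # GenericAll, WriteDacl or WriteOwner let the holder grant themselves CreateChild.
        $indirect = $rights.HasFlag($R::GenericAll) -or
                    $rights.HasFlag($R::WriteDacl)  -or
                    $rights.HasFlag($R::WriteOwner)

        if (($createChild -or $indirect) -and ($expected -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Anything this prints that isn't a tier-0 group deserves a look. Groups are reported by name only, so resolve their membership before deciding a finding is benign, and remember that WriteDacl or WriteOwner on an OU is as good as CreateChild for an attacker who is willing to edit the ACL first.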
The legal battle between Delta and CrowdStrike over last July's massive outage continues! A judge just greenlit Delta's lawsuit, though dropped the fraud claims while keeping negligence and computer trespass on the table. CrowdStrike's lawyers are playing it cool, saying worst case they're looking at "single-digit millions" in damages due to contract limits.
Delta's facing a separate class action from passengers: 7,000 canceled flights, $500M in estimated costs, and 3,000+ passenger complaints.
While other airlines recovered in 3 days, Delta took 5, leading to some awkward questions from the DOT. CrowdStrike claims Delta rejected their help, Delta says the offer came too late, and Microsoft's over here saying Delta ghosted their support calls entirely. The class action adds another layer, alleging Delta tried to sneakily get passengers to waive their legal rights with partial refunds. This one's going to be interesting to watch. (read more)
Over 100 malicious Chrome extensions are masquerading as legit tools like VPNs, AI assistants, and crypto utilities. DomainTools caught these fake extensions connecting to attacker infrastructure to steal cookies and run remote scripts. They're even impersonating big names like Fortinet, YouTube, and DeepSeek AI through convincing fake domains.
The extensions actually provide some of the advertised functionality while quietly doing their malicious work in the background. The "fortivpn" extension, for example, acts as a proxy and can run arbitrary JavaScript fetched from remote servers, so its behavior can change whenever the operators want. While Google has removed many of these, some are still lurking in the Chrome Web Store. Given that stolen session cookies can be replayed against the VPN portals and corporate web apps those sessions belong to, this is more than just your typical cookie theft campaign. (read more)
A malvertising campaign is impersonating Kling AI (that new Chinese image gen tool with 22M users) through Facebook ads, leading victims to fake sites like klingaimedia[.]com. Instead of getting cool AI-generated content, users get served a nasty RAT payload: a ZIP containing an executable whose filename uses Unicode filler characters to make it look like an image file. The malware checks for analysis tools, sets up persistence, and ultimately drops PureHVNC, a RAT targeting crypto wallets and banking sessions.
Check Point tracked 70+ promoted posts from these fake pages, with evidence pointing to Vietnamese actors (who seem to love Facebook malvertising lately). I talked about it a few weeks ago, but we saw similar Vietnamese groups pushing the Noodlophile stealer through fake AI tools. Meta's having a rough time with scams in general, especially from Southeast Asian operators running everything from romance schemes to trafficking rings. (read more)
Major carriers AT&T, T-Mobile, and Verizon have been failing to notify senators about government surveillance requests on their phones, despite being contractually required to do so. Sen. Wyden's investigation found that one unnamed carrier even handed over Senate data to law enforcement without any heads up. This hits particularly hard given the 2021 revelation that the Trump admin secretly obtained call/text logs of 43 congressional staffers and 2 House lawmakers in 2017-2018.
The carriers claim they're now following notification requirements, but smaller players like Google Fi, US Mobile, and Cape have been doing it right all along. They notify customers about government demands whenever legally permitted. While Senate-issued phones now have some protection through updated contracts, personal and campaign phones remain vulnerable. The bigger concern here is how this surveillance undermines the separation of powers. If law enforcement can secretly track senators' locations and communications, it directly impacts their ability to do their jobs independently. (read more)
The Coinbase hacker is trolling blockchain sleuth ZachXBT, sending an on-chain "L bozo" message complete with an NBA player meme after swapping a casual $42.5M from Bitcoin to Ethereum via THORChain. This is the same crew behind December's Coinbase data breach that compromised personal info of nearly 70,000 users. Since being called out, they've continued moving funds around, converting ETH to roughly $45M in DAI stablecoins. Coinbase refused their $20M ransom demand and instead put a $20M bounty on their heads.
Meanwhile, THORChain is catching heat as the money-moving platform of choice for crypto criminals. The protocol's swap volume exploded after the $1.4B Bybit hack (likely North Korea's Lazarus Group), generating $5M in revenue from processing $5.4B in swaps. Drama hit when a THORChain developer quit after the community voted against blocking Lazarus-linked transactions. Between the lawsuits piling up against Coinbase and their estimated $180-400M in breach-related costs, this is far from over. (read more)
Turkish intelligence just busted what they're calling one of the most sophisticated spy rings they've ever seen. Seven Chinese operatives were caught red-handed using IMSI-catchers (fake cell towers) to eavesdrop on Uyghurs and Turkish officials. The operation had apparently been running for five years, with the ringleader setting up legitimate-looking shell companies as cover.
IMSI-catchers trick nearby phones into connecting to them instead of real cell towers, letting the operators vacuum up calls, texts, and location data from devices within about 50 meters.
To smuggle the devices around, they broke them into components, with different couriers bringing antennas, batteries, and other parts separately to avoid detection. The gang was self-funding by hacking Turkish bank accounts and sending the intelligence directly back to a handler in China they called the "big boss." Turkish officials noted this operation was much more sophisticated than other foreign spy rings they've caught, which typically relied on more traditional surveillance methods like GPS trackers or visual monitoring. (read more)
Miscellaneous mattjay
My keynote at @offensive_con 2025, "How Offensive Security Made Me Better at Defense":
Video: youtu.be/60BcjiChncE
Slides:
— Dino A. Dai Zovi (@dinodaizovi)
1:29 PM • May 20, 2025
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay