🎓️ Vulnerable U | #122

Double Cisco CVSS 10 vulns, CitrixBleed2 Electric Bungaloo, North Koreans hiding malware in npm, Detection Engineering Field Manual, and much more!

Read Time: 9 minutes


Howdy friends!

Back at home after parading around the entire lower 48. I realized I spent at least 2 nights in all 4 time zones in the last few weeks. Had a very restorative trip to Colorado celebrating my favorite person with a bunch of friends and family. Couldn't have been a cooler trip. I think you mountain people are on to something during the summer; it was nice to need a fire and a hoodie (he writes from Texas with a mean mug on).

If I made a premium version of the newsletter, would you sign up?


ICYMI

🖊️ Something I wrote: Data Brokers and the 2025 Minnesota Lawmaker Shooting

🎧️ Something I heard: Daniel Miessler and Marcus Hutchins couldn’t have more different opinions about AI - and they sat down to talk about it for a while!

🎤 Something I said: Did an AI actually just become the #1 bug bounty hunter in the US?

🔖 Something I read: Famous indie hacker Pieter Levels outlined a phishing campaign pretending to be a TechCrunch journalist he is experiencing.

Vulnerable News

Hi. These are bad. Double vulns, both CVSS 10. Like go drop everything and patch kind of things.

Two critical flaws in Cisco Identity Services Engine (ISE). We're talking unauthenticated remote code execution with root privileges through API flaws. The first lets attackers execute arbitrary OS commands through a poorly validated API, while the second enables arbitrary file uploads to privileged directories. Both are prime paths to full system compromise.

ISE sits at the heart of enterprise network access control for major organizations, so this is a big deal. Cisco says there's no active exploitation yet, but patches are out now for versions 3.3 and 3.4. They also disclosed a medium-severity auth bypass via SAML SSO that could let authenticated users mess with system settings. (read more)

I know it's a sponsor, but you know how much I love these kinds of reports, right? If enough of you grab this one, maybe I should do a video about it? (Also, Datadog is just awesome.)

Datadog analyzed data from tens of thousands of orgs to uncover 7 key insights on modern DevSecOps practices and application security risks.

Key Insights:

  • Why smaller container images lead to fewer vulnerabilities

  • How runtime context helps you prioritize the most critical vulnerabilities

  • The link between deploy frequency and outdated dependencies

Plus, learn about proven strategies to implement infrastructure as code, automated cloud deploys, and short-lived CI/CD credentials.

*Sponsored

Not sponsored, just a coincidence that he works at Datadog, today's sponsor: my homie Zack Allen, who happens to run one of my favorite newsletters, Detection Engineering Weekly, is starting a new series I'm going to read every release of.

So you've probably heard "Detection Engineer" thrown around lately and wondered what the hell that actually means. Turns out it's basically the new fancy name for the blue team folks who specialize in catching bad guys after they've already gotten into your network.

Zack runs a team of about 50 detection engineers and has some solid advice for anyone looking to break into the field. You need to be comfortable with code (at least basic scripting), have deep expertise in at least one security area, and actually want to work with people to solve problems. The core principle is simple: "no detection without telemetry" - if you can't see what's happening on your systems, you can't detect when something's wrong. It's all about understanding your assets, knowing what normal looks like, and building the right alerts when things go sideways. (read more)

Recon SOC spotted a phishing campaign that's abusing Zoom Events infrastructure to send convincing phishing emails from legitimate noreply-zoomevents@zoom[.]us addresses. These messages pass all the usual email authentication checks (SPF, DKIM, DMARC), making them incredibly difficult for security filters to catch. The attackers are using a "ChainLink Phishing" technique where victims click through docs.zoom[.]us links before getting redirected to either credential harvesting sites or downloading malicious ScreenConnect executables disguised as legitimate software.

What makes this particularly frustrating is Zoom's response when researchers reported it. Their first support case got closed with a dismissive "just enforce DMARC" despite clear evidence that DMARC was passing on these malicious emails. It appears the attackers have compromised legitimate Zoom Events accounts to send these campaigns, impersonating everything from the Social Security Administration to investment firms. The campaign targets both credential theft and malware delivery, so organizations need to warn users about unexpected Zoom Events emails and verify anything suspicious through independent channels. (read more)

This report floored me. Talk about cyber meeting real-world consequences. These people get so wrapped up in crypto investment scams and pig butchering that they wind up stuck in a human trafficking compound. Then they are so financially burdened that they get recruited to help the scam keep tricking people.

Amnesty International interviewed 58 survivors and reviewed testimony from hundreds more, and they found that 53 compounds are still running strong despite the Cambodian government's supposed crackdowns. We're talking about prison-like facilities with razor wire and guards carrying electric batons, where trafficked workers are forced to run pig butchering scams and other cyber fraud operations. The whole industry pulls in around $40 billion annually according to the UN, so there's clearly serious money keeping this machine running. (read more)

Remember IntelBroker? That prolific data thief who's hit major companies like Nokia, HPE, and even the US Army? Well, the FBI just unmasked him as 25-year-old Kai West from the UK. They got him through some pretty classic OPSEC failures - he used his personal email address for both his Ramp and Coinbase crypto accounts, then tied those same wallets to his illegal activities. Even better, he was using that same personal email to watch YouTube videos about himself and his victims, then posting those videos to BreachForums.

The FBI's investigation reads like a textbook case of how blockchain analysis can burn you. They bought a stolen API key from him, traced the Bitcoin payment back to his wallet, then connected that wallet to his real identity through KYC records. West allegedly caused over $25 million in damages across 40+ victims and was apparently a BreachForums admin too. He got nabbed in France along with four other site admins, and the US is pushing for extradition. (read more)

The NHS just confirmed what we've all been dreading - a ransomware attack actually killed someone. Qilin's hit on pathology provider Synnovis last year led to one patient's death, with delayed blood test results being a contributing factor. The attack caused chaos across multiple London NHS trusts, leading to thousands of cancelled appointments and 170 patients suffering various levels of harm. King's College Hospital confirmed the death after conducting a detailed safety investigation and meeting with the victim's family. (read more)

Microsoft 365's "Direct Send" feature is getting weaponized in a pretty clever phishing campaign. This little-known feature lets devices send emails through your company's smart host without authentication - great for printers and scanners, terrible for security. Attackers are exploiting this to send internal-looking emails from external IPs, completely bypassing SPF, DKIM, and DMARC protections because the emails appear to come from inside the organization.

The campaign is hitting 70+ organizations (mostly US-based) with fake voicemail and fax notifications. Instead of malicious links, they're embedding QR codes in PDFs that victims scan with their phones to reach credential-stealing sites. Varonis found attackers using PowerShell commands to send these emails through company smart hosts from Ukrainian and other foreign IP addresses. Microsoft finally added a "Reject Direct Send" setting in April 2025, so if you're not using this feature for legitimate purposes, now's a good time to flip that switch. (read more)
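The detection angle on Direct Send abuse is that the spoofed messages carry an internal sender address but arrive from an external, unauthenticated host. Below is an added example (written for this post, not from Varonis or Microsoft) that triages a simplified, constructed set of message-trace records: it flags messages whose sender domain is the tenant's own domain but whose connecting IP is neither an authenticated client nor a device on an assumed allow-list of printers and scanners. The tenant domain, the allow-listed network, the record shape and the sample messages are all assumptions for the example.

```python
"""Triage candidate Direct Send abuse from simplified message-trace records.

Added example with constructed data; the record layout is a simplification, not
Exchange Online's actual message-trace schema.
"""
import ipaddress
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumed accepted domain of the tenant

# Assumed allow-list of on-prem devices that legitimately use Direct Send
# (multifunction printers, scanners). Anything else should be authenticating.
KNOWN_DEVICE_NETS = [ipaddress.ip_network("203.0.113.0/28")]

# Lure themes named in the campaign write-up above.
SUSPICIOUS_SUBJECT_WORDS = ("voicemail", "fax")


@dataclass
class TraceRecord:
    """One simplified message-trace record (constructed shape)."""
    message_id: str
    sender: str
    recipient: str
    connecting_ip: str
    authenticated: bool      # True if the submitting client authenticated
    subject: str
    has_pdf_attachment: bool


def is_known_device(ip: str) -> bool:
    """True if the connecting IP belongs to an allow-listed device network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_DEVICE_NETS)


def triage_direct_send(records):
    """Return {message_id: [reasons]} for messages that look like spoofed internal mail."""
    findings = {}
    for r in records:
        domain = r.sender.rsplit("@", 1)[-1].lower()
        if domain != ORG_DOMAIN:
            continue  # external senders are already subject to SPF/DKIM/DMARC
        if r.authenticated or is_known_device(r.connecting_ip):
            continue  # legitimate internal submission paths
        reasons = [f"internal sender from unknown unauthenticated host {r.connecting_ip}"]
        if any(w in r.subject.lower() for w in SUSPICIOUS_SUBJECT_WORDS):
            reasons.append("subject matches voicemail/fax lure")
        if r.has_pdf_attachment:
            reasons.append("PDF attachment (QR-code lure carrier)")
        findings[r.message_id] = reasons
    return findings


# Constructed sample records: one printer, one authenticated user, one spoof, one external.
SAMPLE_RECORDS = [
    TraceRecord("m1", "printer@example.com", "alice@example.com", "203.0.113.5", False, "Scan from MFP-2", True),
    TraceRecord("m2", "bob@example.com", "alice@example.com", "198.51.100.20", True, "Lunch?", False),
    TraceRecord("m3", "alice@example.com", "alice@example.com", "192.0.2.77", False, "New Voicemail Message", True),
    TraceRecord("m4", "news@vendor.example", "alice@example.com", "198.51.100.9", False, "Newsletter", False),
]

if __name__ == "__main__":
    for mid, reasons in triage_direct_send(SAMPLE_RECORDS).items():
        print(mid, "->", "; ".join(reasons))
```

Only m3 is flagged: it claims an internal sender, arrives unauthenticated from an address outside the device allow-list, and carries both the voicemail lure and a PDF. The allow-list is the part that needs maintaining; if you can empty it, the cleaner fix is the tenant-wide "Reject Direct Send" switch the post mentions, which in Exchange Online PowerShell is `Set-OrganizationConfig -RejectDirectSend $true`.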

ClickFix attacks just had a massive year, jumping 517% between late 2024 and early 2025. For those keeping score, these are the fake CAPTCHA tricks that get people to copy-paste malicious scripts into Windows Run or macOS Terminal.

But wait, there's more - security researcher mrd0x just dropped a proof-of-concept for "FileFix," which is basically a ClickFix cousin. Instead of fake CAPTCHAs, it tricks users into pasting what looks like a file path into Windows File Explorer's address bar. A PowerShell command sits at the beginning of the "path," followed by a run of spaces and a pound sign, so the fake path that follows is treated as a comment. So when you think you're opening "C:\path\to\file\decoy.doc", you're actually running "Powershell.exe -c ping example.com" instead. (read more)
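From the blue-team side, the FileFix pattern leaves a distinctive process-creation trail: a shell spawned by explorer.exe whose command line contains a pound sign followed by a Windows path. The following is an added example (not mrd0x's code, and not a vendor rule) that classifies constructed, simplified process-creation events; the event field names mirror the common ParentImage/Image/CommandLine layout but are an assumption, as are the sample events.

```python
"""Classify process-creation events for the FileFix pattern described above.

Added example over constructed events; field names (ParentImage, Image,
CommandLine) are an assumed, simplified layout.
"""
import re

# Shells a FileFix lure would realistically launch from the Explorer address bar.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# The tell: a '#' followed by a Windows path (drive letter or UNC share). The real
# command precedes it; the path is what the user believed they were opening.
FAKE_PATH_RE = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)[^\s\"]*")


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return 'filefix', 'shell-from-explorer' or None for one event."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    if parent != "explorer.exe" or image not in SHELLS:
        return None
    if FAKE_PATH_RE.search(event.get("CommandLine", "")):
        return "filefix"
    # A shell launched from Explorer without the comment trick is common for
    # power users, so it is worth a look but not an alert on its own.
    return "shell-from-explorer"


def triage(events):
    """Return [(index, verdict)] for every event that classify() does not ignore."""
    results = []
    for i, event in enumerate(events):
        verdict = classify(event)
        if verdict:
            results.append((i, verdict))
    return results


# Constructed sample events. Event 0 reproduces the layout from the write-up:
# command, padding spaces, '#', then the decoy path the user thought they opened.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "Powershell.exe -c ping example.com" + " " * 40 + r"# C:\path\to\file\decoy.doc"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"ParentImage": r"C:\Program Files\WindowsApps\Terminal\wt.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for index, verdict in triage(SAMPLE_EVENTS):
        print(index, verdict, "->", SAMPLE_EVENTS[index]["CommandLine"].strip())
```

Event 0 is the FileFix case, event 3 is a plain shell from Explorer (triage, not alert), and the other two are ignored because either the parent or the child does not fit. In a real pipeline the same two conditions translate directly into a process-creation rule keyed on parent image and command line.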

CitrixBleed is back for round two with CVE-2025-5777, and it's basically the same nightmare as before - dump memory with a simple HTTP request to grab session tokens. This time Citrix tried to downplay it initially by saying it only affected the "Management Interface" (which you shouldn't expose anyway), but then quietly updated the CVE description last night to remove that limitation. Turns out it affects Netscaler boxes configured as Gateway or AAA virtual servers, which is how pretty much every large org runs their remote access.

Kevin Beaumont's not buying Citrix's "no evidence of exploitation yet" line, especially since they said the exact same thing about the original CitrixBleed before it got hammered in the wild. The fix is the usual drill - patch your internet-facing Netscaler boxes and kill all active sessions afterward. If you're running Citrix infrastructure, time to dust off those Shodan searches and see what you've got exposed. Beaumont even called this one coming last week, so props for the crystal ball. (read more)

Everyone I’m talking to on the blue team side has a “North Korean in the recruiting pipeline” incident running right now. It is crazy how prevalent this is.

But they’re playing both sides of it. Not just trying to get hired, but also running a fake recruiter scam. Socket just caught 35 new malicious npm packages tied to the "Contagious Interview" campaign, with six still live on the registry (thankfully being removed). The attackers are posing as LinkedIn recruiters, offering remote jobs paying $200k+ to lure developers into running "coding assignments" that contain their malware.

The technical evolution here is interesting - they've moved from embedding malware directly in packages to using a new "HexEval" loader that fetches the actual BeaverTail infostealer on demand. Smart move to evade static analysis. They pressure victims during fake video interviews to disable Docker and run the code natively while screen sharing. If you're job hunting and someone sends you a coding test with dependencies like "react-plaid-sdk" or "vite-plugin-next-refresh," maybe give it a second look. The campaign is still active, so expect more packages to surface. (read more)

I was live streaming today and some people in chat asked “How the hell do we get a hold on all the MCP servers my devs are running with?” Their security team was really worried and not even sure what to do. Then I kept scrolling through the news and boom, validation for them to be scared.

Researchers at Backslash Security found hundreds of Model Context Protocol (MCP) servers - the connectors that let AI models access private data - are wide open to attacks. Out of roughly 15,000 MCPs in existence, about 7,000 are exposed on the web, and several hundred allow completely unauthenticated connections. Around 70 of these have serious vulnerabilities like command injection that could let attackers run arbitrary code. (read more)

GreyNoise spotted something interesting happening with MOVEit Transfer scanning activity. Starting May 27th, they saw a massive spike from the usual under-10 IPs per day to over 100, then 319 the next day, and it's been consistently hovering around 200-300 daily since then. That's a pretty significant deviation from baseline, and these patterns often precede new vulnerability disclosures by a few weeks. What's telling is that 44% of the 682 scanner IPs are coming from Tencent Cloud, with the rest spread across Cloudflare, Amazon, and Google - that kind of infrastructure concentration screams organized, deliberate activity rather than random internet noise.

They also caught some low-volume exploitation attempts on June 12th targeting older MOVEit CVEs (CVE-2023-34362 and CVE-2023-36934), which could be threat actors validating targets or testing exploits. No widespread exploitation yet, but the writing's on the wall. Time to audit your MOVEit exposure, patch those known vulns, and maybe start blocking those suspicious IPs GreyNoise is tracking. This feels like the calm before the storm, especially given MOVEit's history of being a high-value target for ransomware groups. (read more)
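The two signals GreyNoise leaned on, a jump well above a daily baseline and an unusual concentration of sources in one hosting provider, are easy to reproduce against your own scanner telemetry. Below is an added example (my own code, not GreyNoise's, run on constructed numbers) that flags days whose unique-IP count exceeds a multiple of a robust baseline, keeps that baseline from being dragged upward by the spike days themselves so a sustained plateau keeps alerting, and reports the share of scanner IPs attributed to the largest provider. The daily series and the provider counts are constructed to echo the figures in the write-up (a sub-10 baseline, then 103 and 319, with 300 of 682 IPs in one provider) and are not GreyNoise's data.

```python
"""Baseline-deviation and source-concentration checks for scanner telemetry.

Added example on constructed data shaped like the GreyNoise numbers above.
"""
from collections import Counter
from statistics import median

# Constructed: (day, unique scanner IPs seen hitting MOVEit-style paths that day).
DAILY_UNIQUE_IPS = [
    ("2025-05-20", 4), ("2025-05-21", 7), ("2025-05-22", 5), ("2025-05-23", 9),
    ("2025-05-24", 6), ("2025-05-25", 8), ("2025-05-26", 5),
    ("2025-05-27", 103), ("2025-05-28", 319), ("2025-05-29", 240),
    ("2025-05-30", 275), ("2025-05-31", 210),
]

# Constructed: one provider label per scanner IP (300 + 150 + 132 + 100 = 682).
PROVIDER_PER_IP = (["Tencent Cloud"] * 300 + ["Cloudflare"] * 150
                   + ["Amazon"] * 132 + ["Google"] * 100)


def detect_spikes(series, window=7, multiplier=5, min_count=20):
    """Return a list of {day, count, baseline} for days far above the recent baseline.

    The baseline is the median of the last `window` days judged normal; alerted days
    are excluded, so a plateau after the spike keeps firing instead of becoming the
    new normal. `min_count` suppresses alerts on tiny absolute numbers.
    """
    normals = []   # counts of days judged normal, feeding the baseline
    alerts = []
    for day, count in series:
        if len(normals) < window:
            normals.append(count)          # warm-up period seeds the baseline
            continue
        baseline = median(normals[-window:])
        if count >= min_count and count > multiplier * baseline:
            alerts.append({"day": day, "count": count, "baseline": baseline})
        else:
            normals.append(count)
    return alerts


def source_concentration(provider_labels, threshold=0.40):
    """Return (top_provider, share, flagged) for the most common provider.

    Random background noise spreads across many networks; a single provider owning
    a large share of the sources is the 'organized, deliberate' signal.
    """
    counts = Counter(provider_labels)
    total = sum(counts.values())
    provider, n = counts.most_common(1)[0]
    share = n / total
    return provider, share, share >= threshold


if __name__ == "__main__":
    for a in detect_spikes(DAILY_UNIQUE_IPS):
        print(f"{a['day']}: {a['count']} unique IPs vs baseline {a['baseline']}")
    top, share, flagged = source_concentration(PROVIDER_PER_IP)
    print(f"{top}: {share:.0%} of scanner IPs, concentrated={flagged}")
```

With these inputs every day from May 27th onward alerts against a baseline of 6, because the spike days never feed back into the baseline, and the provider check reports 44% in one provider. The multiplier and threshold are knobs to tune against your own noise floor; the point of the median baseline is that a single odd day does not move it.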

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay