šŸŽ“ļø Vulnerable U | #127

Russian ISP hacked, Spilled Tea, New Ransomware data, A ton of scamming gaming sites, and much more!

Read Time: 8 minutes

Brought to you by:

Howdy friends!

It's time, folks. Gearing up for summer camp. I ordered some new portable camera/audio toys to hopefully grab some good content while there. I’ve got the talks I’m going to picked out. I’ve got the meetups and parties I’m going to on the calendar. Let’s have some fun; I'm looking forward to meeting some of you IRL! Please say hi if you see me.

I dropped a big wad of cash to reserve a cabana for us on Thursday so come on down to the pool for a lunch meetup. I’ll be down there from about 11:30-3.

And thank you so much to those of you who have upgraded to the paid version of Vulnerable U. I’ve got the team over here hard at work making the premium content something that will be worth the upgrade. For you early adopters, THANK YOU.

ICYMI

šŸŽ§ļø Something I heard: This great video by Theo about creating your own luck

🎤 Something I said: Run through of the CitrixBleed2 situation, which I think is one of the crazier vulns of 2025.

📣 Something I think you’ll dig: Email security’s EDR moment is here*

🔖 Something I read: Thread: Facebook once bought a VPN app for $120M and turned it into a surveillance tool that spied on 33M+ users' entire phones for years.

*Sponsor

Vulnerable News

Great report out of Microsoft's threat intel team about Secret Blizzard (aka Russian FSB Center 16, Turla, and a bunch of other names). They've been targeting foreign embassies in Moscow using adversary-in-the-middle attacks at the ISP level - basically sitting on Russian internet infrastructure and intercepting diplomatic traffic. The attack starts with a captive portal redirect that tricks targets into downloading ApolloShadow malware disguised as a Kaspersky certificate installer.

It looks like they're leveraging Russia's SORM surveillance system to pull this off at scale. Once ApolloShadow is installed, it does all the persistence tricks: installs root certificates to bypass TLS, modifies firewall rules, sets networks to private mode, and drops a backdoor admin account called "UpdatusUser." The obvious defense is routing all traffic through encrypted tunnels or satellite connections, but if you're a diplomat working in Moscow using local internet, you're basically screwed. First time we've seen confirmed evidence of this actor operating at the ISP level, which is a pretty significant escalation. (read more)
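If you have Windows endpoints that used Russian ISP connections, the persistence behaviors described above are all cheap to hunt for. The following is an added triage script, not from the Microsoft report; it assumes an elevated PowerShell session with the LocalAccounts, PKI and NetSecurity modules, and the 30-day lookback and Security event IDs (4720 account created, 4946 firewall rule added) are my choices, not indicators from the report.

```powershell
# Added triage script (not from the Microsoft report): look for the ApolloShadow
# persistence artifacts described in the newsletter item. Run elevated; review by hand.
$LookbackDays   = 30                      # assumption: how far back to look
$Since          = (Get-Date).AddDays(-$LookbackDays)
$SuspectAccount = 'UpdatusUser'           # account name reported by Microsoft

# 1. Backdoor local admin account. Caveat: older NVIDIA driver packages also created an
#    account with this name, so confirm creation time and group membership before acting.
$user = Get-LocalUser -Name $SuspectAccount -ErrorAction SilentlyContinue
if ($user) {
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                      Where-Object { $_.Name -like "*\$SuspectAccount" })
    Write-Warning "Local account '$SuspectAccount' exists (Enabled=$($user.Enabled), Admin=$isAdmin)"
}

# 2. Machine-wide root CAs issued recently. A rogue root is what lets the adversary
#    terminate TLS in the middle; anything you did not ship deserves a look.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotBefore -gt $Since } |
    ForEach-Object { Write-Warning "Recent root CA: $($_.Subject) [$($_.Thumbprint)] valid from $($_.NotBefore)" }

# 3. Network profiles flipped to Private (relaxes the host firewall profile in use).
Get-NetConnectionProfile |
    Where-Object { $_.NetworkCategory -eq 'Private' } |
    ForEach-Object { Write-Warning "Interface '$($_.InterfaceAlias)' is on Private network '$($_.Name)'" }

# 4. Security log evidence: 4720 = user account created, 4946 = firewall rule added.
#    Get-WinEvent throws when nothing matches, hence the try/catch.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4946; StartTime = $Since } -ErrorAction Stop |
        ForEach-Object { '{0}  EventID={1}  {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0] }
} catch {
    Write-Verbose "No matching Security events since $Since ($_)"
}
```

Treat every hit as a lead, not a verdict: a freshly enrolled corporate root CA or a laptop on a home network will show up here too, so pair the output with the host's build date and known-good baselines.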

New data from Harmonic Security reveals that 22% of files and 4.37% of prompts submitted to GenAI tools contain sensitive content like source code, credentials, and PII. This research analyzed 1 million prompts between April and June 2025.

In Q2 alone, the average enterprise saw 23 new GenAI tools in use…including hidden AI features in common SaaS apps.

With much of this usage occurring via personal accounts, enterprises need visibility, data monitoring, and context-aware controls to prevent leaks.

*Sponsored

The Tea Situation

Well, a lot happened with this ‘Tea’ app last week. If you missed it all: it’s a women-only “dating” app which boils down to Yelp for men. Billed as an app to help women stay safe from crappy men they might be dating. Think of those “are we dating the same guy?” Facebook groups, but as its own app. Well, this thing didn’t exactly have a security review, and it stored way too much sensitive info. Here are some videos on it: Original Breach - 2nd Breach - LowLevel did a good one too:

Microsoft's investigating whether their early warning system for cybersecurity companies got leaked to Chinese hackers, who then used that intel to exploit SharePoint vulnerabilities before patches were even released. Attacks started hitting SharePoint servers on July 7, literally the day before Microsoft released their patch publicly. Over 400 organizations got hit, including the US National Nuclear Security Administration.

Microsoft's MAPP program includes at least a dozen Chinese companies who get advance notice of vulnerabilities. Chinese law also requires these companies to report any security flaws to their government within 48 hours. So you've got Chinese firms with legitimate access to Microsoft's vulnerability info, but they're also legally obligated to share with Beijing. Microsoft's basically stuck between wanting to help the good guys patch faster and potentially feeding intel to state-sponsored hackers. Tough spot to be in. (read more)

Ransomware gangs are getting more aggressive with their extortion tactics - 40% of victims now report receiving physical threats against employees and their families. Beyond the usual system lockouts and data destruction threats, attackers are tracking executives' internet activity, finding their homes, and identifying where their kids go to school.

While attacks dropped slightly (78% of orgs hit vs 83% last year), recovery times are getting longer - only 23% bounced back within a day compared to 39% in 2023. Multiple attacks are becoming the norm, with 73% of victims getting hit more than once. And paying doesn't guarantee safety - 15% of those who paid never got working decryption keys, and 3% had their data leaked anyway. Good to keep an eye on all these stats and trends. (read more)

Attackers don’t need your passwords anymore. With deepfakes and social engineering, they strike during employee onboarding, account recovery, and device changes. That’s why forward‑thinking companies are adding adaptive identity checks with Persona’s Know Your Employee. It’s the easiest way to stop imposters without slowing down your team. Protect your workforce today (better late than breached).

*Sponsored

This is dumb. Political theater getting in the way of A) our actual cybersecurity talent and B) someone’s career. They’re trying to get Jen Easterly removed from her position at West Point. A thinly veiled attack on a non-loyalist in the guise of “her work to counter misinformation about elections and the COVID-19 pandemic amounted to censorship”. There was no censorship. I especially like the closing two lines in juxtaposition:

She'd barely been announced as a Distinguished Chair in the social sciences department when Army Secretary Dan Driscoll ordered the academy to terminate her agreement. The whole thing got started when Laura Loomer (yes, that Laura Loomer) complained on social media about "Biden holdovers" undermining Trump's administration. (read more)

UK Ruining The Internet?

This is getting a bit out of hand. Now the UK is banning VPNs since they’re being used, in the most obvious turn of events ever, to get around all the Internet restrictions the government has put in place. I’m firmly in the camp that if the government is saying “Save the children!”, it is bullshit and there is something else at play. It’s just like the war on encryption. Here is a great run-through video:

UNC2891 is back at it with ATM fraud, but this time they're getting creative with Raspberry Pis. They physically planted a 4G-enabled Pi into a bank's network switch, giving themselves a backdoor into the ATM infrastructure. The goal was to deploy their CAKETAP rootkit (which spoofs card verification messages) for unauthorized cash withdrawals, but they got caught before pulling it off.

I really homed in on how they maintained persistence even after the Pi was discovered: they had a backup backdoor running on the mail server. (read more)

Chinese military researchers are concerned about Starlink's potential role in US military operations across nuclear, space, and cyber domains. While the details are light in this report, it's worth tracking given China's ongoing push to develop anti-satellite capabilities and the growing militarization of space. This follows their 2022 complaints to the UN about Starlink's close encounters with their space station. (read more)

China's internet watchdog (CAC) just dragged Nvidia in for questioning over alleged backdoors in their H20 AI chips - specifically calling out "tracking and positioning" and "remote shutdown" capabilities. This comes right after the US quietly gave Nvidia the green light to resume H20 sales to China, and suspiciously close to the new Chip Security Act requiring GPS-style tracking in exported AI chips.

China's getting paranoid about foreign silicon right as $1B worth of restricted Nvidia chips (B200, H10, H200) showed up on their black market. The H20 was Nvidia's attempt to thread the needle between US export controls and Chinese market demands by deliberately hobbling their Hopper architecture. Nvidia flatly denies having any backdoors, but this escalation shows how messy the US-China semiconductor chess game is getting. (read more)

Here's a fun one - scammers have built an empire of over 1,200 fake gaming sites all pretending to partner with Mr. Beast and other influencers. They try to hook you by saying if you sign up you get $2,500 in free credits to play their surprisingly polished games. But when you try to cash out your "winnings," surprise! You need to make a $100 cryptocurrency "verification deposit" first. Of course, that money disappears and your winnings were fake all along.

A 17-year-old Discord user called Thereallo got fed up with the spam and did some detective work, discovering all these sites share the same chatbot API and are clearly one massive operation. It's like pig butchering's faster, cheaper cousin - instead of weeks of romance scamming for big payouts, they're grabbing smaller amounts from tons of people with way less effort. (read more)

Allianz Life just joined the growing club of insurance companies getting pwned this month. Hackers social-engineered their way into the company's customer relationship database on July 16, making off with SSNs, names, addresses, and birth dates for the "majority" of their 1.4 million customers. Familiar helpdesk social engineering we’ve been seeing lately - someone probably called pretending to be a locked-out employee and talked their way into the system. (read more)

Orange, the French telecom giant, just disclosed they caught hackers in their network on July 25. Their cyberdefense team isolated the compromised system, but the containment efforts caused some service disruptions for business and consumer customers, mainly in France. So far it doesn’t look like any data was stolen.

Certainly smells like Salt Typhoon to me. They’re the ones behind the attacks we've been seeing hit telecom companies worldwide - you know, the Chinese state hackers who've been having a field day with AT&T, Verizon, and others. Orange isn't pointing fingers yet, but the timing and target profile fit the pattern. With 294 million customers across Europe, Africa, and the Middle East, Orange is definitely a juicy target. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay