šŸŽ“ļø Vulnerable U | #131

Letter from Wyden to the Supreme Court calling its cybersecurity incompetent, Google Threat Intel drops lots of info on China and the Salesforce breach, CISA releases the playbook to combat Salt Typhoon, and much more!

Read Time: 10 minutes


Howdy friends!

Actually got to go to the movies this week. Like with adult friends. Wild! (parents get it) - We saw Weapons, and it was fantastic. Perfect balance of scary, creepy, and campy.

If you saw it, did you also immediately think of this? Or am I too chronically online?

Got some more feedback on VulnU Premium this week that some of my paying subs wanted a breakdown of what I saw in Vegas that was worth digging into, so I’ll work on that this weekend for the next edition to go out. We also just did the next mental health interview, but our first one with RSnake, which is already out, is going to be hard to beat for a while. Check it out if you haven’t!

And thank you to everyone who has upgraded so far. Putting a lot of elbow grease into making it worth your time and dollars. It really helps support what we’re doing around here. Thank you!

ICYMI

šŸ–Šļø Something I wrote: I wrote a bunch of code recently. I’m working on documenting what I’m working on but until then check out Daniel’s post about his AI stack that has been inspiring me to work on what I’m working on.

šŸŽ§ļø Something I heard: Hank Green - Don't Follow Your Dreams, Follow Your Tools

🎤 Something I said: most major password managers vulnerable to 0-day clickjacking attack

🔖 Something I read: Been rattling around my head since I read it. “There is no such thing as Shadow IT or Shadow AI” - Chris Hoff

Vulnerable News

The federal judiciary’s current approach to information technology is a severe threat to our national security.

…you continue to refuse to require the federal courts to meet mandatory cybersecurity requirements and allow them to routinely ignore basic cybersecurity best practices

Senator Wyden

Ron Wyden is absolutely torching the federal judiciary's cybersecurity game right now. The Oregon senator’s letter to Chief Justice John Roberts is a must read. This comes after news broke that Russian hackers breached federal district courts and made off with sealed case data - exploiting vulnerabilities that apparently sat unfixed for five years. Wyden's calling out "incompetence" and accusing the courts of "covering up negligence" when it comes to protecting some seriously sensitive stuff like national security documents and sealed criminal cases.

Wyden's particularly annoyed that they're still using weak multifactor authentication while everyone else moved on to better solutions ages ago. He’s calling for the National Academy of Sciences to come in for an independent review because the judiciary keeps stonewalling congressional oversight. This thing is insane: if you wanted to do business with the feds, you’d have to follow MUCH more stringent rules than the courts are following themselves.

I couldn’t stop reading this one line. The rest of the government mandated MFA in 2015, then realized it wasn’t good enough and moved to phishing-resistant FIDO2 in 2022. The courts are JUST NOW getting to MFA by the end of 2025 (yet to be seen), and it’s not even the phishing-resistant kind. Rules for thee and not for me. (read more)

Forget hackers and malware; your biggest vulnerability is human. Mimecast’s State of Human Risk 2025 report reveals 94% of organizations fell victim to social engineering attacks last year. Why? Attackers are leveraging AI, deepfakes, and timing to exploit human nature.

The solution? Human-centric strategies like just-in-time training, real-time simulations, and fostering psychological safety. Ready to tackle the real challenge?

*Sponsored

Microsoft's threat intel team tracked how the ransomware group it profiles evolved from the typical "encrypt files, demand payment" approach to full-blown cloud-based extortion. Instead of deploying malware to lock up endpoints, they're now pivoting from compromised on-prem Active Directory environments into Azure, escalating privileges to Global Admin level, then rapidly exfiltrating massive amounts of data before nuking storage accounts and backups. Think less "your files are encrypted" and more "we stole everything and deleted your backups."

The attack chain is pretty cool - they compromise Entra Connect servers, use tools like AzureHound for recon, and exploit trust relationships between domains to hop between tenants. Once they hit Global Admin privileges, they create federated domain backdoors for persistence, expose storage accounts to the internet, vacuum up data with AzCopy, then systematically delete Azure resources including snapshots, restore points, and recovery vaults. They even tried encrypting remaining data with customer-managed keys before deleting the keys. Microsoft's packed this report with detection queries and mitigation guidance. (read more)
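The sequence above (Global Admin grant, federated domain added, storage account opened up, snapshots and vaults deleted, customer-managed keys destroyed) is very visible in Entra and Azure activity logs if you look for the whole chain rather than any one event. Here is an added triage example in Python, not code from Microsoft's report: it walks a batch of constructed audit events, flags each high-signal operation, and treats a burst of destructive operations by one caller inside a short window as backup destruction rather than housekeeping. The operation names are modelled on Entra audit and Azure resource-provider names and the events, callers and thresholds are all made up; check the names against your own tenant's logs before relying on them.

```python
"""Added example: triage Entra / Azure activity-log style events for the
cloud-extortion sequence described above (Global Admin grant, federated
domain added, storage exposed, backups deleted, keys destroyed).

All events below are constructed sample data.  Operation names are modelled on
Entra audit-log activity names and Azure resource-provider operation names;
check them against your own tenant's logs before using this for real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Resource-provider operations that, in a burst, look like backup destruction.
DESTRUCTIVE_OPS = {
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/restorePointCollections/delete",
    "Microsoft.RecoveryServices/vaults/delete",
    "Microsoft.Storage/storageAccounts/delete",
}

SAMPLE_EVENTS = [  # constructed sample data
    {"time": "2025-08-19T09:00:00Z", "caller": "backupadmin@contoso.example",
     "op": "Microsoft.Compute/snapshots/delete", "props": {}},   # routine, single
    {"time": "2025-08-20T02:00:00Z", "caller": "svc_sync@contoso.example",
     "op": "Add member to role", "props": {"role": "Global Administrator"}},
    {"time": "2025-08-20T02:05:00Z", "caller": "svc_sync@contoso.example",
     "op": "Set federation settings on domain",
     "props": {"domain": "attacker-idp.example"}},
    {"time": "2025-08-20T02:10:00Z", "caller": "svc_sync@contoso.example",
     "op": "Microsoft.Storage/storageAccounts/write",
     "props": {"allowBlobPublicAccess": True}},
    {"time": "2025-08-20T02:11:00Z", "caller": "backupadmin@contoso.example",
     "op": "Microsoft.Storage/storageAccounts/write",
     "props": {"allowBlobPublicAccess": False}},                  # benign change
    {"time": "2025-08-20T03:00:00Z", "caller": "svc_sync@contoso.example",
     "op": "Microsoft.KeyVault/vaults/keys/delete", "props": {"key": "cmk-prod"}},
] + [
    # six destructive operations by the same caller within twelve minutes
    {"time": f"2025-08-20T03:{minute:02d}:00Z", "caller": "svc_sync@contoso.example",
     "op": op, "props": {}}
    for minute, op in zip(range(10, 22, 2), [
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/restorePointCollections/delete",
        "Microsoft.RecoveryServices/vaults/delete",
        "Microsoft.RecoveryServices/vaults/delete",
        "Microsoft.Storage/storageAccounts/delete",
    ])
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def triage(events, window_minutes=30, burst=5):
    """Return (time, caller, description) findings in chronological order."""
    findings = []
    deletions = defaultdict(list)          # caller -> timestamps of destructive ops
    for ev in sorted(events, key=lambda e: e["time"]):
        op, props, caller, when = ev["op"], ev["props"], ev["caller"], ev["time"]
        if op == "Add member to role" and props.get("role") == "Global Administrator":
            findings.append((when, caller, "Global Administrator role granted"))
        elif op == "Set federation settings on domain":
            findings.append((when, caller, f"federation configured for {props.get('domain')}"))
        elif op == "Microsoft.Storage/storageAccounts/write" and (
                props.get("allowBlobPublicAccess") is True
                or props.get("publicNetworkAccess") == "Enabled"):
            findings.append((when, caller, "storage account opened to the internet"))
        elif op == "Microsoft.KeyVault/vaults/keys/delete":
            findings.append((when, caller, f"customer-managed key deleted: {props.get('key')}"))
        if op in DESTRUCTIVE_OPS:
            deletions[caller].append(parse_time(when))

    # Sliding window: `burst` or more destructive operations by one caller
    # inside `window_minutes` is reported once, as backup destruction.
    for caller, stamps in deletions.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > timedelta(minutes=window_minutes):
                start += 1
            if end - start + 1 >= burst:
                findings.append((stamps[start].strftime("%Y-%m-%dT%H:%M:%SZ"), caller,
                                 f"{end - start + 1} backup/snapshot deletions within {window_minutes} min"))
                break
    return findings


if __name__ == "__main__":
    for when, who, what in triage(SAMPLE_EVENTS):
        print(when, who, what)
```

Run against the constructed batch, the script reports five findings, all for the same synced service account: the role grant, the federation change, the storage exposure, the key deletion and the deletion burst. The lone snapshot deletion by the backup admin and the storage write that does not open public access stay quiet, which is the point: one of these events is noise, the whole sequence from one identity is an incident.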

Google's Threat Intelligence team uncovered a Chinese espionage campaign targeting diplomats in Southeast Asia. The attackers (UNC6384) are using a captive portal hijack - you know those annoying hotel/airport WiFi login pages? They're intercepting those redirects to deliver malware disguised as an Adobe plugin update. The malware chain uses legit code signing certs from a Chinese company (either compromised or complicit) and some evasion techniques involving Windows message queues and Thread Local Storage to deploy their SOGU.SEC backdoor.

They're chaining together multiple techniques - from social engineering with HTTPS certificates to make the fake update page look legit, to abusing Windows features like callback functions to hide their code execution. Google's tied this to previous campaigns they've seen using the same infrastructure and tools. (read more)

I’m seeing a lot of chatter about this one. I think the impact is broader than we’re hearing about publicly so far.

A major data theft campaign hit Salesforce customers through compromised Salesloft Drift OAuth tokens. The attacker (UNC6395) pulled data from corporate Salesforce instances between Aug 8 and 18, hunting for AWS keys, Snowflake tokens, and other juicy creds. They were thorough enough to clean up their tracks by deleting query jobs, but logs still caught them running systematic queries across Accounts, Users, Cases, and Opportunities.

In response, both Google and Salesforce have killed the compromised tokens and yanked Drift from the AppExchange. If you're using Salesloft Drift integrations anywhere, assume compromise - you'll want to review all connected apps, rotate those credentials, and dig through logs looking for the Tor exit nodes and sketchy user agents they've helpfully listed in the IOCs. Salesloft brought in Mandiant to help clean up this mess. (read more)
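The log review is the part people skip, so here is an added example in Python (not code from Google, Salesforce or Salesloft) of what it looks like in practice: group Salesforce API event rows by the user and connected app that made them, flag rows whose source IP or User-Agent matches an IOC list, and separately flag any single actor that sweeps three or more of the Account/User/Case/Opportunity objects, since that pattern is suspicious even when the indicators change. The log rows, column names, user IDs and both IOC sets are constructed placeholders; substitute your exported EventLogFile data and the published indicators.

```python
"""Added example: triage Salesforce EventLogFile-style API rows for the Drift
token-abuse pattern described above.  The log text, column layout, user IDs
and IOC sets are constructed placeholders, not the published indicators."""
import csv
import io
import re
from collections import defaultdict

# Placeholder IOC sets (constructed; replace with the indicators from the advisories).
TOR_EXIT_IPS = {"198.51.100.23", "198.51.100.77"}
SUSPECT_USER_AGENTS = {"example-bulk-fetcher/1.0", "python-requests/0.0-constructed"}
# Objects the campaign queried systematically.
TARGET_OBJECTS = {"Account", "User", "Case", "Opportunity"}
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z_]+)", re.IGNORECASE)

# Constructed rows: one API call per row, attributed to the user the OAuth
# connected app was acting as.
SAMPLE_LOG = """TIMESTAMP,USER_ID,CONNECTED_APP,CLIENT_IP,USER_AGENT,QUERY
2025-08-09T01:02:03Z,005EXAMPLE0001,Drift,198.51.100.23,example-bulk-fetcher/1.0,"SELECT Id, Name FROM Account"
2025-08-09T01:02:09Z,005EXAMPLE0001,Drift,198.51.100.23,example-bulk-fetcher/1.0,"SELECT Id, Email FROM User"
2025-08-09T01:02:15Z,005EXAMPLE0001,Drift,198.51.100.77,example-bulk-fetcher/1.0,"SELECT Id, Description FROM Case"
2025-08-09T01:02:20Z,005EXAMPLE0001,Drift,198.51.100.77,example-bulk-fetcher/1.0,"SELECT Id, Amount FROM Opportunity"
2025-08-09T08:15:00Z,005EXAMPLE0002,Drift,10.20.30.40,Mozilla/5.0 (Drift Chat),"SELECT Id FROM Account WHERE Id = '001x'"
2025-08-09T08:16:00Z,005EXAMPLE0003,Salesforce for Outlook,10.20.30.41,Mozilla/5.0 (Outlook),"SELECT Id, Name FROM Contact"
"""


def parse_log(text):
    """Parse CSV text (quoted SOQL may contain commas) into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """Group rows by (user, connected app) and return actors that look like the
    campaign: an IOC hit, or one actor sweeping 3+ of the target objects."""
    actors = defaultdict(lambda: {"reasons": set(), "objects": set(), "ips": set(), "rows": 0})
    for row in rows:
        actor = actors[(row["USER_ID"], row["CONNECTED_APP"])]
        actor["rows"] += 1
        actor["ips"].add(row["CLIENT_IP"])
        if row["CLIENT_IP"] in TOR_EXIT_IPS:
            actor["reasons"].add("source is a Tor exit node")
        if row["USER_AGENT"] in SUSPECT_USER_AGENTS:
            actor["reasons"].add("IOC user agent")
        match = FROM_RE.search(row["QUERY"])
        if match and match.group(1) in TARGET_OBJECTS:
            actor["objects"].add(match.group(1))

    flagged = {}
    for key, actor in actors.items():
        # Behavioural rule: indicator-independent, catches the sweep itself.
        if len(actor["objects"]) >= 3:
            actor["reasons"].add("systematic pull across " + ", ".join(sorted(actor["objects"])))
        if actor["reasons"]:
            flagged[key] = actor
    return flagged


if __name__ == "__main__":
    for (user, app), actor in triage(parse_log(SAMPLE_LOG)).items():
        print(user, app, sorted(actor["ips"]), sorted(actor["reasons"]))
```

Only the first actor is flagged, for all three reasons; the ordinary Drift chat lookup and the Outlook user are left alone. Every (user, connected app) pair that comes out of `triage` is a credential-rotation item: the OAuth token for that app, plus anything that was sitting in the Cases and Opportunities it read.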

Deepfakes and voice clones are common tools used in credential-based attacks targeting the workforce. The FIDO standard points the way to delivering phishing-resistant, passwordless access using biometrics, but what about AI-powered deepfakes? This whitepaper breaks down the FIDO2 specification and discusses how to harden your passwordless deployment against the threats of deepfakes. What you'll learn:

  • How verified biometrics enable secure login and recovery

  • How FIDO2 fits into a modern workforce authentication strategy

  • Why liveness detection is critical to stopping deepfake attacks

*Sponsored

FortiGuard Labs spotted a phishing campaign that's been doubling in size every two weeks. The attackers are sending fake voicemail notifications and purchase orders that contain HTML attachments. These redirect victims to personalized phishing pages that actually grab the target company's logo and display their domain to make everything look legit.

Once victims download the malicious ZIP, it kicks off a multi-stage attack using UpCrypter. The malware's got all the bells and whistles - anti-VM checks, process scanning for analysis tools, steganography to hide payloads in images, and registry persistence. End goal is deploying RATs like PureHVNC, DCRat, and Babylon RAT for full remote control. The campaign's hitting manufacturing, tech, healthcare, and other sectors globally, so definitely one to watch out for. (read more)

Russia's mulling a ban on Google Meet after the service had some hiccups last week that left over 2,300 users complaining about frozen calls and missing audio. Deputy IT committee chairman Andrei Svintsov is floating the usual line about Western apps being potential spying tools, though Russia's internet regulator says they didn't actually restrict Meet this time around. The outages might've just been caused by everyone jumping to Meet after Russia blocked voice and video calls on WhatsApp and Telegram earlier this month.

This is all part of Russia's broader push to get people off foreign apps and onto their homegrown stuff. Starting in September, they're forcing all new smartphones to come pre-loaded with Max, their state-backed messaging app that's basically trying to be Russia's answer to WeChat. WhatsApp's calling it what it is - an attempt to push Russians toward "less secure services to enable government surveillance." Authoritarian playbook: create problems with secure foreign apps, then offer your own surveillance-friendly alternatives as the solution. (read more)

Greynoise spotted something interesting.

On August 21, nearly 2,000 malicious IPs suddenly started hammering Microsoft RDP services, which is a massive jump from the usual 3-5 per day. <oxyclean>But wait! There’s more!</oxyclean> Hours after they published this, they spotted an even bigger wave with over 30,000 IPs doing the same thing. About 92% of these IPs were already flagged as malicious, mostly coming from Brazil but exclusively targeting US systems.

Their hypothesis is that we’re right in the middle of back-to-school season when universities and schools are spinning up RDP labs and onboarding thousands of new accounts with predictable usernames. These scanners aren't just knocking on ports - they're specifically testing for timing flaws that leak valid usernames, setting up the perfect foundation for credential stuffing attacks. What's particularly noteworthy is that GreyNoise research shows these kinds of scanning spikes often precede new vulnerabilities by about six weeks. Time to double-check those RDP configurations. (read more)
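If the scanners are enumerating valid usernames ahead of a credential-stuffing run, the follow-on attempts show up in your own failed-logon telemetry as one source trying many different usernames in a short span. Here is an added detection example in Python, not code from GreyNoise: it takes constructed Windows 4625-style failed-logon records, keeps the logon types relevant to RDP, and reports any source that tries at least five distinct usernames inside a five-minute sliding window, while a single user fat-fingering their own password stays quiet. Field names are simplified and the records, IPs and the sequential student-style usernames are made up.

```python
"""Added example: spot RDP username-enumeration / credential-stuffing sources
in failed-logon telemetry (Windows Security event 4625-style records).
Records below are constructed; field names are simplified, not the raw schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# 10 = RemoteInteractive (RDP).  Failed NLA/CredSSP handshakes are commonly
# recorded as network logons (type 3), so both are kept.
RDP_LOGON_TYPES = {10, 3}

SAMPLE_FAILURES = [  # (timestamp, source_ip, target_username, logon_type) -- constructed
    (f"2025-08-21T10:00:{i:02d}Z", "203.0.113.5", f"student{25000 + i}", 3)
    for i in range(8)                          # one source, eight usernames, eight seconds
] + [
    ("2025-08-21T10:05:00Z", "10.1.2.3", "alice", 10),   # one user mistyping a password
    ("2025-08-21T10:05:20Z", "10.1.2.3", "alice", 10),
    ("2025-08-21T10:05:40Z", "10.1.2.3", "alice", 10),
    ("2025-08-21T10:06:00Z", "10.1.2.9", "svc_backup", 4),  # batch logon, not RDP: ignored
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def enumeration_sources(records, window_minutes=5, min_distinct_users=5):
    """Return {source_ip: sorted distinct usernames} for every source that tried
    at least `min_distinct_users` different usernames within `window_minutes`."""
    by_src = defaultdict(list)
    for stamp, src, user, ltype in records:
        if ltype in RDP_LOGON_TYPES:
            by_src[src].append((parse_time(stamp), user))

    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        in_window = defaultdict(int)           # username -> occurrences inside the window
        for end, (when, user) in enumerate(attempts):
            in_window[user] += 1
            # Slide the left edge forward until the window spans <= window_minutes.
            while when - attempts[start][0] > timedelta(minutes=window_minutes):
                old = attempts[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_distinct_users:
                hits[src] = sorted({u for _, u in attempts})
                break
    return hits


if __name__ == "__main__":
    for src, users in enumeration_sources(SAMPLE_FAILURES).items():
        print(src, len(users), "distinct usernames, e.g.", users[:3])
```

The same function, pointed at a real export, gives you a blocklist candidate per source and the list of usernames that were probed, which tells you which accounts to check for weak or default passwords before the stuffing wave arrives. Note that a pure pre-authentication timing probe may never reach the Windows event log at all, which is one more reason not to leave RDP listening on the open internet.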

Nope. Not the same Citrix RCE zero-days I talked about recently. These are brand new ones! Yay! There's a critical RCE flaw in NetScaler ADC and Gateway devices that's already being exploited in the wild. CVE-2025-7775 is a memory overflow bug that lets attackers execute code remotely without authentication, and Citrix confirmed they've seen active exploitation happening.

Oh, and in a follow-up: 28,000 devices are still exposed on the internet and vulnerable.

There are zero mitigations for this one. Citrix is basically saying "patch or pray," and given their track record with Citrix Bleed and Citrix Bleed 2, that's not exactly reassuring. The researchers who found this (shout out to Horizon3.ai and crew) probably saved a lot of people from much worse. If you're running NetScaler in any of the vulnerable configurations, time to hit that update button and maybe grab some coffee and assume compromise. (read more)

Check Point's discovered a phishing campaign called "ZipLine" that's targeting U.S. manufacturing companies. Instead of cold emailing victims, the attackers are using companies' own "Contact Us" forms to start conversations. They pose as potential business partners, spend weeks building trust through email exchanges about NDAs and partnerships, then eventually send malicious ZIP files hosted on Heroku.

The whole social engineering angle is fun since the victim company naturally responds to what looks like a legitimate business inquiry. The payload they're dropping is called MixShell, a custom implant that uses DNS TXT tunneling for command and control with HTTP fallback. (read more)
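DNS TXT tunnelling is popular with implants because TXT lookups leave most perimeters unmolested, but it has a tell: a single domain receiving many unique, long, high-entropy subdomain labels in TXT queries. Here is an added detection example in Python (not code from Check Point or from the MixShell analysis) that scores DNS query logs per registered domain on exactly that. The query records, the client IPs and the `c2-example.test` domain are constructed; the thresholds are starting points to tune, not published values, and the registered-domain split is the naive last-two-labels version, so use a public-suffix list in production.

```python
"""Added example: flag DNS TXT-record tunnelling of the kind MixShell is
described as using for C2.  Query records below are constructed, and
`c2-example.test` stands in for an attacker-controlled domain."""
import math
import statistics
from collections import Counter, defaultdict

SAMPLE_QUERIES = [  # (client_ip, qtype, qname) -- constructed
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "TXT", "example.com"),                        # SPF lookup
    ("10.0.0.5", "TXT", "_dmarc.example.com"),                 # DMARC policy
    ("10.0.0.5", "TXT", "selector1._domainkey.example.com"),   # DKIM key
] + [
    ("10.0.0.21", "TXT", f"{label}.c2-example.test")           # encoded beacons
    for label in ("6xq2v9kd3mz8rt4b", "p0lw5yhn7jgc1fse", "zk8rd2vm6x3tq9ya",
                  "hb4nf7cs1wpg5lj0", "u3mt9xk6zq2vd8rc", "e7gy1sl4pjw0nhf5")
]


def entropy(text):
    """Shannon entropy in bits per character (0.0 for a single repeated char)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive 'last two labels' split; use a public-suffix list in production."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def suspicious_domains(queries, min_unique=5, min_entropy=3.0, min_len=12):
    """Return [(domain, unique_long_labels, mean_entropy)] for domains whose TXT
    queries carry at least `min_unique` distinct leftmost labels that are both
    long (>= min_len) and high-entropy (mean >= min_entropy)."""
    per_domain = defaultdict(lambda: {"labels": set(), "clients": set()})
    for client, qtype, qname in queries:
        if qtype != "TXT":
            continue
        rec = per_domain[registered_domain(qname)]
        rec["labels"].add(qname.split(".")[0])
        rec["clients"].add(client)

    flagged = []
    for domain, rec in per_domain.items():
        long_labels = [l for l in rec["labels"] if len(l) >= min_len]
        if len(long_labels) < min_unique:
            continue
        mean_h = statistics.mean(entropy(l) for l in long_labels)
        if mean_h >= min_entropy:
            flagged.append((domain, len(long_labels), mean_h))
    return sorted(flagged)


if __name__ == "__main__":
    for domain, n_labels, mean_h in suspicious_domains(SAMPLE_QUERIES):
        print(f"{domain}: {n_labels} unique long TXT labels, mean entropy {mean_h:.2f} bits")
```

The legitimate mail-related TXT lookups for example.com never trip it: `_dmarc`, `selector1` and the bare apex are short, repeated labels. The six beacon labels under `c2-example.test` are each 16 distinct characters (4.0 bits per character), so the domain is reported. For an HTTP fallback channel like the one the text mentions you would want a separate check on request cadence, which this block does not attempt.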

Woah. How cool? Anthropic’s first threat intelligence report. It's a wild ride through how criminals are abusing Claude for everything from "vibe hacking" to romance scams. The standout case involves a cybercriminal who used Claude Code to automate entire data extortion campaigns. Reconnaissance, credential harvesting, network penetration, and even crafting psychologically targeted ransom notes. We’ve finally moved beyond AI just giving advice to hackers. Now it’s actively executing operations across 17+ organizations, including government and healthcare targets.

North Korean IT workers are using AI to fake their way through technical interviews and maintain remote jobs at Fortune 500 companies, all while being completely dependent on Claude to write code or even communicate professionally.

There's a thriving ransomware-as-a-service market where UK-based actors are selling AI-generated malware for $400-$1,200, complete with advanced evasion techniques they couldn't implement themselves. Anthropic's being transparent about these incidents - they're banning accounts, sharing intel with authorities, and building better detection systems. But Pandora's box is clearly open on AI-powered cybercrime. (read more)

Salt Typhoon's been busy. The Chinese APT group has reportedly breached 600 organizations across 80 countries since at least 2019, with a particular focus on telecoms, government, and critical infrastructure. They're exploiting known vulns in Cisco, Ivanti, and Palo Alto edge devices to get initial access, then pivoting through networks like they own the place. Once they're in, they're modifying router configs, setting up GRE tunnels for persistence, and capturing TACACS+ traffic to steal admin creds. (read more)

I’m going to have to make a really long video about this one, aren’t I? A ton of government agencies just released a joint “how to protect against China” playbook, and it’s massive.

The advisory covers Chinese state-sponsored hackers (you might know them as Salt Typhoon) who've been having a field day with global telecom and network infrastructure since 2021. They're going after the backbone stuff, compromising routers and switches at ISPs and telecoms to build what's essentially a global espionage dragnet.

The advisory reads like a masterclass in living off the land - these actors know network infrastructure inside and out. The document includes a treasure trove of IOCs, custom SFTP tools they use for data staging, and some pretty specific hunting guidance. If you're running network infrastructure, especially in telecom, this one's worth the read - all 37 pages of it. (read more)

TransUnion just disclosed a major breach affecting 4.4M customers through a compromised third-party app. They're being pretty vague about which app was hit, but we know the exposed data includes SSNs. Worth noting that while Equifax paid out $700M for their 2017 breach, TransUnion hasn't mentioned any compensation plans yet.

They're offering the usual "free credit monitoring" - because apparently the best solution to a credit bureau losing your data is... more credit bureau services. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay