🎓️ Vulnerable U | #134
Massive Microsoft Entra vulnerability with no logs, big phishing as a service takedown, North Korean usage of ChatGPT on display, npm worm, and much more!
Read Time: 9 minutes

Howdy friends!
I got to do a cool thing this week. I went with some other security founders from ATX and watched a lecture from Ryan Holiday. I’ve read a bunch of his books over the years and I enjoy the way he looks at and reframes life. I’d say my favorite of his is The Obstacle Is the Way, which I read as part of a book club years ago.
His lecture talked a lot about his favorite topic, Stoicism, and sometimes felt like he was a pastor for the church of Stoics, reading from the books of Roman and Greek thinkers from thousands of years ago.
I took away a bunch of lessons, and honestly a surprising sense of envy towards Ryan. Jealousy isn’t a common emotion for me, but he seems to have created a life, mindset, discipline, and freedom for himself that are enviable.

But I’ll leave this with 1 quote he said about interviewing George Raveling -
“He’s been doing it for decades. It’s helped him make it to 88—88 years in a world that tried to break him, that discriminated against him, that made him an orphan, that threw every obstacle it could in his way.
But here he is, every morning, putting his two feet on the ground next to the bed and saying:”
“Okay, George, you have two options today, and only two. You can be happy, or you can be very happy.”
Gonna try to remember that one. Let’s try to choose to be happy today.
Make me even happier and upgrade to VulnU Premium, because the interview dropping this week is with the legend. The GOAT. Rachel Tobac.
ICYMI
🖊️ Something I wrote: A former Tor operator is being harassed by the FBI, who, according to his wife, is basically trying to torture him into decrypting an exit node for them
🎧️ Something I heard: The Strange Math That Predicts (Almost) Anything
🎤 Something I said: I talked about child exploitation in online gaming
🔖 Something I read: Michigan lawmakers call for total VPN ban as part of a proposed 'public morals' bill - *eyeroll*
Vulnerable News
I think this was one of the most under-talked-about security stories ever. I've only really seen chatter about this among my threat intel and private chats. It didn't make nearly enough headlines.
This is probably the most impactful Entra ID bug you'll read about… ever. Researcher Dirk-jan Mollema found a way to get Global Admin access in literally ANY Entra ID tenant using Microsoft's own internal "Actor tokens." These undocumented tokens are what Microsoft uses for backend service-to-service communication, and the legacy Azure AD Graph API had a critical flaw: it didn't validate which tenant the token came from. So you could grab a token from your own lab tenant and use it to impersonate any user, including Global Admins, in any other tenant.
oh. did I forget to mention? zero logs generated. none.
Microsoft fixed it within days of the July report, but the potential impact was insane - complete access to every tenant's data, ability to modify anything, bypass Conditional Access, the works. The attack could even scale exponentially through B2B guest relationships, where reading one tenant's guest users would give you the keys to their home tenants. Microsoft says they didn't see any abuse based on their telemetry, but given the complete lack of logging, that's not super reassuring. (read more)
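To make the failure mode concrete, here is an added toy model of that missing check. This is example code, not Microsoft's implementation, and it abstracts the real flow: a service issues an HMAC-signed token bound to the tenant that asked for it, and a resource API later gets an impersonation request naming a user somewhere. The vulnerable validator only verifies the signature; the fixed one also requires the token's tenant to match the target user's home tenant. The key, tenant names and user directory are all constructed.

```python
"""Toy model of a cross-tenant token validation bug (added example, not Microsoft code)."""
import base64
import hashlib
import hmac
import json

SERVICE_KEY = b"constructed-signing-key"   # constructed for the example, not a real secret


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_actor_token(tenant_id: str, app_id: str) -> str:
    """Issue a signed service token bound to the tenant that requested it."""
    claims = {"tid": tenant_id, "appid": app_id, "typ": "actor"}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_actor_token(token: str):
    """Return the claims if the signature verifies, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))


# Constructed directory: which tenant each user lives in.
USER_TENANT = {
    "alice@lab.example": "tenant-lab",
    "ga@victim.example": "tenant-victim",
}


def authorize_vulnerable(token: str, target_user: str) -> bool:
    """Signature is valid and the user exists: that is the whole check.
    Nothing ties the token's tenant (claims["tid"]) to the target user's tenant,
    so a token minted in tenant-lab impersonates users in tenant-victim."""
    claims = parse_actor_token(token)
    if claims is None or claims.get("typ") != "actor":
        return False
    return target_user in USER_TENANT


def authorize_fixed(token: str, target_user: str) -> bool:
    """Same as above, plus: the token may only act inside its own tenant."""
    claims = parse_actor_token(token)
    if claims is None or claims.get("typ") != "actor":
        return False
    home = USER_TENANT.get(target_user)
    return home is not None and hmac.compare_digest(claims["tid"], home)


if __name__ == "__main__":
    lab_token = issue_actor_token("tenant-lab", "app-constructed")
    print("vulnerable, cross-tenant:", authorize_vulnerable(lab_token, "ga@victim.example"))
    print("fixed, cross-tenant:     ", authorize_fixed(lab_token, "ga@victim.example"))
    print("fixed, own tenant:       ", authorize_fixed(lab_token, "alice@lab.example"))
```

The point the toy makes is that signature validity says who minted a token, not where it is allowed to act; the tenant binding has to be checked explicitly at the resource, and in a multi-tenant service that check is the whole isolation boundary.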
Intruder’s security team ran an experiment: how much Shadow IT could we uncover using only public data? The answer: way too much.
From backups with live credentials to admin panels with no authentication.
If those assets never make it into your vulnerability management program, they stay invisible to you, but not to attackers. Intruder helps you discover them first and keep them secure. Read the full research to make sure your Shadow IT doesn’t make headlines.
Read more. ← Matt's note: Intruder is building something really cool, and these examples are super eye-opening on what they could see so easily.
*Sponsored
Microsoft just took down a phishing operation called RaccoonO365 that was making credential theft stupidly easy for wannabe cybercriminals. Do we call them skids in phishing land?
They seized 338 websites through a court order after tracking this "phishing-as-a-service" that let anyone with zero technical skills steal Microsoft 365 logins. Since July 2024, this thing grabbed at least 5,000 credentials from 94 countries and targeted over 2,300 US organizations, including 20+ healthcare systems. The mastermind appears to be Joshua Ogundipe from Nigeria, who built up quite the enterprise with 850+ Telegram subscribers and pulled in over $100k in crypto payments.
This really represents the democratization of cybercrime - RaccoonO365 was literally advertising new AI-powered features, just like every other f’n company on the planet. “Use our new AI powered widget to make attacks even more effective!” Microsoft is using some interesting tactics to fight back, including blockchain analysis tools to trace crypto payments and partnerships with companies like Cloudflare (whose write-up is also very good) for rapid takedowns. These operations always try to rebuild, so this is more like whack-a-mole than a permanent fix. The real takeaway is that phishing-as-a-service is exploding, and organizations better have their MFA game tight because the barrier to entry for bad actors just keeps getting lower. (read more)
FBI Director Kash Patel got grilled by Senate Democrats over cybersecurity staffing cuts during what amounted to the exact kind of shit show you’d expect this hearing to be. When two podcasters are running the FBI I don’t really expect much.
Senators are claiming the Trump administration's proposed $500 million FBI budget cut will slash cyber division personnel in half, with resources getting shifted toward immigration enforcement and oddball investigations like the Tesla task force. Dick Durbin and other Dems were basically saying "hey, maybe don't gut cyber operations while China's running wild with Salt Typhoon and Volt Typhoon."
Patel fired back with some impressive-sounding numbers - 409 arrests (up 42%) and 169 convictions - insisting the cyber mission isn't suffering. He got a bit cagey when Senator Hirono asked who's replacing departed cyber officials, saying he wouldn't name them "so you can attack them." Classic DC hearing theater, but the underlying tension about prioritizing cyber versus other law enforcement missions is real.
I can be a realist about cutting budgets and layoffs. Plenty of these things have loads of inefficiencies and can stand to lose some people. But cut in half seems a bit nuts from an outsider's perspective. Do you think our FBI cyber force felt like it was double the size it should’ve been? (read more)
DevSecOps is moving fast, and the 2025 report shows how.
Datadog analyzed data across thousands of organizations to reveal 7 key patterns, like the link between leaner builds and fewer flaws, or how faster shipping rewrites dependency risk. The details are worth a look!
Read the Report. ← a must read for the week
*Sponsored

Kimsuky (APT43) is getting down with ChatGPT (yeah you know me!), using it to forge South Korean military ID cards in their latest phishing campaign. The North Korean APT group managed to trick OpenAI's system into creating realistic-looking government IDs by framing their requests as "mock-ups" or "sample designs." I didn’t realize, though it seems obvious now, that of course GPT-generated images would be full of metadata saying that they were indeed GPT-generated. (see photo above)
This is part of a pattern we're seeing where North Korean actors are using AI tools like the rest of us. They've been using similar techniques to generate fake résumés and online personas for IT workers trying to land overseas jobs. The Kimsuky campaign embedded these fake IDs in phishing emails that looked like they came from legitimate South Korean defense agencies. (read more)
In the Play Store! Not even fake sideloaded stuff.
They were part of "SlopAds", a massive ad fraud operation generating 2.3 billion fraudulent ad requests daily. These apps, downloaded 38M times across 228 countries, would generate tons of fake clicks on ads to generate revenue.
The malware would actually work like a legitimate app if you downloaded it normally, but if you came through their ad network, it would download encrypted configs and use steganography (what year is it?!) to hide malicious code in PNG images.

They used Firebase Remote Config to deliver malware modules and had a whole infrastructure of C2 servers and 300+ promo domains ready to scale up. The "FatModule" malware they deployed would spin up hidden WebViews to generate fake ad impressions, primarily targeting users in the US (30%), India (10%), and Brazil (7%). While Google's cleaned house and updated Play Protect, HUMAN's researchers think these actors will be back with new tricks given how sophisticated their operation was. (read more)
Apple just backported a fix for CVE-2025-43300, an ImageIO vulnerability that's been getting abused in spyware attacks. This one's interesting because WhatsApp confirmed their own bug (CVE-2025-55177) was being chained with Apple's.
The unique thing here is that Apple’s patch goes not just to current iOS 18 and macOS users but is backported all the way to iOS 15 for older devices like the iPhone 6s and first-gen iPad Pro. They also dropped a massive security update bundle with 14 other CVEs covering everything from sandbox escapes to root privilege escalations. No evidence the other bugs were exploited, but when Apple backports this aggressively, you know the original flaw was being hammered pretty hard in the wild. (read more)
Getting the absolute book thrown at him. 95 years of charges.
As is the case for most of these Scattered Spider hackers that get caught, this one is a 19-year-old British kid. This time, it’s Thalha Jubair, allegedly a key player in the Scattered Spider crew that's been ransoming anyone they could. They've been pulling off social engineering attacks by just calling IT helpdesks and pretending to be employees who forgot their passwords.
The FBI seized Jubair's servers and found evidence linking him to at least 120 company breaches, with victims coughing up over $115 million in ransom payments. One fun highlight: these guys actually broke into the US Courts system (remember when we covered that a few weeks ago?) to search for information about their own sealed indictments. Jubair was sitting on about $36 million in crypto when they grabbed his servers, though he managed to move $8.4 million out as the feds were closing in. He's also facing charges in London for hitting Transport for London's systems. (read more)
CISA dropped a detailed malware analysis for some nasty stuff targeting Ivanti Endpoint Mobile Management systems. Threat actors chained together CVE-2025-4427 and CVE-2025-4428 to drop malicious listeners that basically turn your EPMM server into their server. They delivered the malware in Base64-encoded chunks through HTTP GET requests to dodge signature detection.
The malware comes in two flavors, both designed to intercept HTTP requests and execute arbitrary code. Set 1 uses a fake Apache HTTP package to hide a listener that waits for specific headers and encrypted payloads. Set 2 masquerades as a legitimate MobileIron service component. Both can dynamically load and execute new classes, giving attackers persistent access to do whatever they want. Ivanti patched these back in May 2025, but if you're still running unpatched EPMM systems, CISA's got YARA rules and IOCs ready to help you hunt for this stuff. (read more)
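The delivery trick worth having a hunt query for is the chunking: no single GET carries anything a signature would match, so detection has to reassemble per client before looking at the payload. Here is an added example of that, my code rather than CISA's YARA or anything from Ivanti. The access log lines, the `/mifs/example` path and the `format` query parameter are constructed for the demo; swap in your own log format and the parameter the real traffic used. It groups Base64-looking query values by client IP in log order, joins them, decodes, and classifies the result by magic bytes.

```python
"""Reassemble Base64 fragments spread over HTTP GETs and classify the payload (added example)."""
import base64
import binascii
import re
from collections import defaultdict

# Combined-log-style line; constructed format, adjust to your server's.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")   # long-ish Base64 alphabet only


def extract_fragments(lines, param="format"):
    """Collect ?param= values that look like Base64, grouped by client IP, in order."""
    frags = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _, _, query = m.group("path").partition("?")
        for kv in query.split("&"):
            key, _, val = kv.partition("=")
            if key == param and B64_RE.match(val):
                frags[m.group("ip")].append(val)
    return frags


def reassemble(fragments):
    """Join fragments and decode strictly; None if the joined text is not Base64."""
    try:
        return base64.b64decode("".join(fragments), validate=True)
    except binascii.Error:
        return None


def classify(payload):
    """Cheap magic-byte triage of a reassembled blob."""
    if payload is None:
        return "undecodable"
    if payload.startswith(b"\xca\xfe\xba\xbe"):
        return "java-class"
    if payload.startswith(b"PK\x03\x04"):
        return "zip/jar"
    return "other"


def hunt(lines, param="format"):
    """Map each client IP that sent fragments to what they add up to."""
    return {ip: classify(reassemble(f)) for ip, f in extract_fragments(lines, param).items()}


def build_sample_log():
    """Constructed log: one client sends a fake class file in four 16-char pieces."""
    blob = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 40   # class magic + padding
    enc = base64.b64encode(blob).decode()                        # 48 bytes -> 64 chars
    chunks = [enc[i:i + 16] for i in range(0, len(enc), 16)]
    lines = [
        f'203.0.113.7 - - [17/Sep/2025:10:00:0{i} +0000] "GET /mifs/example?format={c} HTTP/1.1" 200'
        for i, c in enumerate(chunks)
    ]
    lines.append('198.51.100.9 - - [17/Sep/2025:10:00:05 +0000] "GET /mifs/login?lang=en HTTP/1.1" 200')
    return lines


if __name__ == "__main__":
    print(hunt(build_sample_log()))
```

Grouping by source IP is the weak point of this approach: an actor rotating exits between fragments defeats it, so on real data key on session cookie or a request-ordering field if you have one, and keep the raw fragments so you can retry the join after dropping noise.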
Don’t ignore that browser update this week!
“[NA] High CVE-2025-10585: Type Confusion in V8. Reported by Google Threat Analysis Group on 2025-09-16
[$15000] High CVE-2025-10500: Use after free in Dawn. Reported by Giunash (Gyujeong Jin) on 2025-08-03
[$10000] High CVE-2025-10501: Use after free in WebRTC. Reported by sherkito on 2025-08-23
[TBD] High CVE-2025-10502: Heap buffer overflow in ANGLE. Reported by Google Big Sleep on 2025-08-12
Google is aware that an exploit for CVE-2025-10585 exists in the wild.” (read more)
Miscellaneous mattjay



How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay

