🎓️ Vulnerable U | #077

0-Click RCE in All Windows Systems, Iranian APT Group Report, The best of Blackhat and Defcon, Kamala Harris Campaign hacking target, GitHub Vulnerability writeup, and more!

Read Time: 7 minutes

Howdy friends!

Hope you all dodged the plague if you were in Vegas last week. Posed a tabletop scenario on Twitter today: “Your entire infosec team is out with Covid from Defcon and you have a security incident, what do you do?”

I know a lot of people are squarely in “recovery” mode from last week. I appreciate you being here with me today though.

Let’s get to it.

ICYMI

🖊️ Something I wrote: The tabletop of your sick incident response team. I know it’s a bit tongue in cheek but a version of this is worth considering.

🎧️ Something I heard: Rich still slinging absolute gold free Cloud Security Labs. He’s up to Security Groups.

🎤 Something I said: Talked about this 0-click RCE on Windows

📣 Something I think you’ll dig: Separating the reality of AI from the Hype*

🔖 Something I read: Revisited part of the Ender’s Game universe. One of my favorite sci-fi epics. Have you read any of them? Which is your favorite?

*Sponsored

📣 Sponsor

How are CISOs approaching AI in security?  

In a new report by Tines, 50+ CISOs from the US, Europe, and Australia reveal their biggest challenges and opportunities with AI. 

74% of respondents believe that the benefits of faster decision-making by AI systems outweigh the risks. What are their next steps?

In CISO perspectives: separating the reality of AI from the hype, they share:
→ Their progress to date in leveraging AI
→ Their biggest blockers to AI adoption
→ Where they see the biggest opportunities
→ How they’re approaching AI technology

Vulnerable News

Things I don’t like to read all in one sentence: 0-Click RCE. That alone is scary enough. Next throw in: All Windows Systems. Great. So this week’s Patch Tuesday included a pretty spicy meatball here with a 0-click RCE that impacts all Windows boxes with IPv6 enabled. Which I’d venture to guess is almost all of them unless you specifically disabled it for some reason.

The saving grace here is that so far nobody is seeing any exploitation and I haven’t seen PoC code. But I would absolutely not wait to get this patch out.

If for some reason you can’t patch (please just patch), here is a quick one-liner to disable IPv6.
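The newsletter links to a one-liner rather than printing it, so here is an added example (mine, not the author’s) of the same stopgap in PowerShell: it audits which adapters still have IPv6 bound and, only when run with `-Disable`, unbinds it. It assumes the NetAdapter cmdlets (Windows 8 / Server 2012 and later) and an elevated session; the `-Disable` switch and the script’s messages are my own.

```powershell
# Added example: audit the IPv6 binding per adapter and optionally unbind it
# as a temporary mitigation until the Patch Tuesday update is installed.
# Assumption: NetAdapter module is available (Windows 8 / Server 2012+) and
# this runs from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [switch]$Disable   # audit only unless this switch is supplied
)

# One row per adapter: Enabled = $true means IPv6 (ms_tcpip6) is still bound.
$bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6
$bindings | Select-Object Name, ComponentID, Enabled | Format-Table -AutoSize

$exposed = @($bindings | Where-Object { $_.Enabled })
if ($exposed.Count -eq 0) {
    Write-Host "IPv6 is already unbound on every adapter."
    return
}

Write-Host ("IPv6 is bound on {0} adapter(s)." -f $exposed.Count)

if ($Disable) {
    foreach ($b in $exposed) {
        # Same effect as the usual one-liner, but per adapter so the change is logged.
        Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6
        Write-Host ("Unbound IPv6 from '{0}'." -f $b.Name)
    }
    # Verify the change took effect.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Select-Object Name, Enabled | Format-Table -AutoSize
}
else {
    Write-Host "Audit only. Re-run with -Disable to unbind IPv6 from the adapters above."
}
```

Run it once without the switch to see what would change, then with `-Disable` on hosts where you have tested that nothing depends on IPv6 (Microsoft itself does not recommend leaving IPv6 off long term). Once the patch is installed, `Enable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6` puts the binding back.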

I’m a bit confused why more people aren’t spinning up about this one. 0-Click RCE in all of Windows should be a noisy event. I’m hoping it’s just because there isn’t a PoC and not because everyone is still in Vegas recovery mode. (read more)

Does your org roll Patch Tuesday every time fast enough? Or do you need to do something special when they're this spicy?


Oh I love a Google TAG report. This is one of the best Threat Analysis Groups out there and it is always full of good data. This week it’s on an APT group out of Iran dubbed APT42. They’ve seriously picked up their phishing and are targeting Israel and the US heavily. Both major US political parties have had their campaigns targeted and/or infiltrated by this group.

APT42 uses phishing kits like GCollection and DWP, which are capable of bypassing multi-factor authentication. Their approach includes detailed reconnaissance and exploiting specific email security settings. Check the full report for IOCs and other details. It’s a great writeup. This one also broke out of our infosec echo chamber into mainstream news. (read more)

I wouldn’t call this a complete list by any means but it is a good list!

I’d say there were some other solid bits of research to come out but I liked this list a lot. (read more)

Generally we’re talking about this kind of thing when it comes to spyware. This is similar in that it is a company that sells a GPS tracker for keeping tabs on family, pets, vehicles, etc. The company’s name is Trackimo and the hacker said the whole thing was “a bit shoddy.” Broke in with an easily guessed password and was able to look up the location history of any other user’s devices. (read more)

The “could” in this headline is doing a lot of heavy lifting, but Kaspersky is linking tools and tactics of some recent hacks against the Russian government to some Chinese threat actor groups.

The attackers deployed tools like the GrewApacha RAT, PlugY backdoor, and an updated version of the CloudSorcerer malware. GrewApacha is associated with APT31, while PlugY shares characteristics with APT27’s tools.

We’re used to both of these nations attacking us, but I don’t often hear of them going after each other so this one perked my ears up. (read more)

If you’re not a long time AppSec pro, the name might not resonate with you. But one of the early purposefully vulnerable web app projects to let you practice hacking websites was called WebGoat. This is AI Goat. An environment to practice the OWASP Top ML Risks.

Some of my earliest ever blogs in my career were tutorials on how to get WebGoat and Damn Vulnerable Web App (DVWA) running so these kinds of projects are near and dear. (read more)

We covered Trump’s campaign getting hacked last week, well this week it came out Harris was also targeted. I saw some coverage also describing that campaigns are actually fairly easy targets. The lion’s share of their money goes to logistics, travel, advertising, etc. So the people and tech are a bit rag-tag, with a lot of personal devices being used. Makes sense it would be squishy.

I also don’t love that already between Trump, the voting machines at Defcon, and now this, we’re setting up whatever narrative happens come election time about hacker interference, which is actually highly unlikely even with all of this going on. Stay smart on the headlines. I know it can be hard. (read more)

I’ve been really digging these writeups from super smart research teams uncovering bot farms and social media influence networks. This one was uncovered by CyberCX and involved over 5,000 bot accounts tied to a Chinese university and AI company. So far it seems harmless? Or at least ineffective at what it’s attempting to do.

Researchers identified the network using prompt injections to force malfunctions in the AI accounts. They observed that the most frequently engaged account was the man himself, Elon Musk. I love watching these prompt injections on bot accounts and seeing them malfunction. (read more)

I’ve seen a few attacks like this over the last few years and they are generally pretty spicy. GitHub is fairly ubiquitous and can be a blind spot for some security orgs who spend a lot of time looking at the code in GitHub and not the config itself.

The vulnerability primarily involves the leakage of GitHub tokens (e.g., GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN), which could be used by malicious actors to gain unauthorized access, inject malicious code, and push it to production via CI/CD workflows. (read more)

I hadn’t read much about this one until now. But California being a hub for much of the tech industry’s innovation, I wanted to look a bit into this. The question posed by Casey in the article that caught my attention: “If an AI causes harm, should we blame the AI — or the person who used the AI?”

The bill includes provisions like legal protections for AI whistleblowers and mandates for companies to notify the government when training large AI models. It also requires AI models to have a "kill switch" to stop operations in case of danger.

Tech companies obviously pull out the age old “this could stifle innovation” argument. And also threaten to leave the state and take their company with them. Where do you land on this? (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay