🎓️ Vulnerable U | #073

AT&T Breach and the Snowflake saga, CloudFlare state of AppSec Report, Apple Spyware warning, How to Tell if you've been hacked guide, and more!

Read Time: 5 minutes

Howdy friends!

Took a quick trip to NYC this week. So many folks I ran into thanked me for all the Vulnerable U content. I can’t tell you how much this kind of thing means to me. It is hard to do something for 73 weeks straight and hearing this makes it worth it.

Are you all gearing up for BlackHat/DEFCON? I’m already exhausted thinking about it.

It really is a beautiful city

ICYMI

🎧️ Something I heard: Ryan Naraine and Dave Aitel debate on nation-state hacking responsibilities

📣 Something I think you’ll like: We talk a lot about AI security here, I’m excited for this fireside chat on how AI companies are fighting the trust stigma of their industry.*

🎤 Something I said: Ran through a new malvertising campaign that is happening on Facebook, Linkedin, and YouTube.

🔖 Something I read: Started reading Deep Work by Cal Newport. Any of you read this one yet?

*Sponsored

📣 Sponsor

Join the Fireside Chat: the State of Trust in AI

AI is rapidly transforming industries, so building trust with potential buyers and sellers has become crucial. Here’s your opportunity to learn how AI companies can demonstrate trust and ensure their security practices are robust, secure, and aligned with the highest standards.

Join Vanta on August 13 at 10 PST for a fireside chat with three leading AI companies - Factory, avoMD, and Stravito, where leaders will discuss:

  • How their organizations currently leverage security best-practices and build trust in AI practices

  • The importance of compliance with AI frameworks such as ISO 42001 and NIST AI Risk Management Framework (RMF)

Vulnerable News

AT&T Breach and the ongoing Snowflake Saga

I swear I hit send on last week’s newsletter just a few hours before the AT&T news broke. Feels like an eternity ago in the news cycle here. (Follow my socials for more real-time shenanigans)

TL;DR - AT&T stored some crown-jewel level data of theirs in Snowflake. As we’ve been seeing a lot the last few months, any Snowflake customers without MFA are getting popped left and right. This data included all call and text logs for AT&T customers as well as location data.

Some run-downs and follow-on stories:

The original SEC filing: Link

Did the hacker actually delete the AT&T Data?


Long-time readers know this, but I LOVE a good report put out by companies with large and/or unique piles of data. Bonus points if there are lots of good data visualizations.

Cloudflare did just that this week with their State of Application Security report. Some key takeaways for me: a timeline of a JetBrains vulnerability showing that only 22 minutes passed between the PoC dropping and Cloudflare first seeing exploit traffic. They go on to claim that the only way defenders are going to get ahead of this is to use AI, which I think is a big claim.

The other big one for me here is that nearly 7% of Internet traffic is DDoS-related, and that about a third of all Internet traffic is bots. It's always wild for me to hear these stats. (read more)

Zscaler's ThreatLabz recently took a deep dive into APT41's latest tricks, uncovering a new malware loader called DodgeBox. This malware uses clever tactics like DLL sideloading and call stack spoofing to slip past security defenses. DodgeBox's job is to deploy a backdoor named MoonWalk, which sneakily uses Google Drive for command-and-control communications. (read more)

Apple is ringing the alarm bells again with a new warning about spyware attacks targeting iPhone users in 98 countries. This is the second time in a few months they've sent out such an alert. Users in India have already reported getting these warnings.

The spyware is nasty stuff—it can sneak into your iPhone and access everything from your encrypted messages to your audio and video, often through zero-click attacks that don’t even require you to do anything, like clicking a link. Apple's recommending Lockdown Mode to stop these attacks, but it does make your iPhone a bit clunkier to use. If you think your iPhone might be infected, turning it off and on again can help temporarily. And if you're in a high-risk group, like journalists or activists, you might want to consider getting a new phone. For most people, the risk is low, but it’s always a good idea to stay on top of software updates and be careful with what apps you download.

If you get one of these alerts, take it seriously! (read more)

TIL that CISA runs red teams against random federal agencies - and then tells us about the results! I actually didn’t know this and it is very interesting. They highlight the success of this particular red team exercise in great detail. But I have to share this quote directly from the linked article as it's too good:

For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity.

Detection issues were suspected earlier in the proceedings. The RAT, which was injected in the Solaris phase of the exercise, caused 8GB of network traffic to flow through its C2 seemingly without alerting anyone at the agency, for example.

After CISA eventually put the agency out of its misery, weekly meetings were held with its security team and sysadmins which led to "measurable improvements in response times for known techniques and behavior-based detections that uncovered previously unknown tradecraft."

I chuckled at “eventually put the agency out of its misery,” followed by weekly meetings that I imagine weren't much fun to be on the receiving end of. (read more)

Supply chain hackers are back at it, slipping about 60 new malicious packages into the NuGet package manager. The campaign, which started in August 2023, uses a technique called IL weaving to hide bad code inside .NET binaries. They even used look-alike characters to make fake packages that look just like popular ones, tricking developers into downloading them. (read more)

What a fantastic guide put out by TechCrunch. I get questions like this a lot so this is an instant share. The guide goes through a bunch of popular web apps like Gmail, Facebook, Outlook, Apple, etc. and tells you exactly how to check who has been accessing your account. (read more)

My bug bounty friends got really excited about this one. XSS is always everywhere and a great source of income for bounty hunters. Filter bypass techniques are very valuable!

Stefan Schiller from Sonar explains why specifying charset information in HTTP responses is crucial to avoid Cross-Site Scripting (XSS) vulnerabilities. He shows how the lack of a charset attribute can allow attackers to inject malicious JavaScript by manipulating the character encoding a browser assumes. (read more)
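The defender-side check that follows from that post, as an added example (not Sonar's code or anything from the original newsletter): a small Node.js function that parses a response's Content-Type header and flags text responses that leave the browser to guess the encoding, next to the hardened header value. The sample headers are constructed for the example.

```javascript
// Added example, not from the newsletter or the Sonar post.
// Flags text/* responses that do not pin their charset in the
// Content-Type header, which is what lets a browser guess the encoding.

// Parse "type/subtype; key=value; ..." into a media type and its parameters.
function parseContentType(value) {
  if (!value) return { type: '', params: {} };
  const [type, ...rest] = value.split(';');
  const params = {};
  for (const part of rest) {
    const idx = part.indexOf('=');
    if (idx === -1) continue; // tolerate a trailing ";" or junk parameter
    const k = part.slice(0, idx).trim().toLowerCase();
    const v = part.slice(idx + 1).trim().replace(/^"|"$/g, '').toLowerCase();
    params[k] = v;
  }
  return { type: type.trim().toLowerCase(), params };
}

// Returns a finding string, or null when the response declares its charset.
// Only text/* responses are examined; the first 1024 bytes of the body are
// scanned because that is the window browsers use for a <meta charset>.
function checkCharset(headers, body = '') {
  const raw = headers['content-type'];
  if (!raw) return 'no Content-Type header; browser will sniff type and encoding';
  const ct = parseContentType(raw);
  if (!ct.type.startsWith('text/')) return null;
  if (ct.params.charset) return null;
  if (/<meta[^>]+charset=/i.test(body.slice(0, 1024))) {
    return 'charset only in <meta>, not in the Content-Type header';
  }
  return 'text response has no charset; browser will guess the encoding';
}

// Constructed sample headers: the weak value beside the corrected one.
const weakHeaders = { 'content-type': 'text/html' };
const hardenedHeaders = { 'content-type': 'text/html; charset=utf-8' };

// Run the check over both to see which one a review should flag.
function auditSamples() {
  return {
    weak: checkCharset(weakHeaders),
    hardened: checkCharset(hardenedHeaders),
  };
}
```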

Had a friend say that this training would be a great place for anyone who is looking to get into hardware hacking to get started. It is at BlackHat so it costs some coin but I trust the friend who recommended it! (read more)

Researchers have spotted a new version of the BeaverTail macOS malware, crafted by North Korean hackers. It poses as a legit browser-based video call app, MiroTalk, but it's designed to steal your information once it gets on your machine. This latest variant is embedded in a macOS disk image and looks just like the real MiroTalk site, which makes it even trickier to spot. (read more)

Jeez.

Would be their largest acquisition ever. Says a lot about how the market is valuing cybersecurity. Heard some folks in the finance space saying things like “what would be more valuable in the future than cybersecurity” citing the AT&T hack as evidence why it would be worth so much.

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay