🎓️ Vulnerable U | #084

Cloudflare thwarts the largest DDoS ever seen, Mandiant chases a hacker who faked his death, LockBit and Evil Corp law enforcement info, adult AI sites are a front for Russian hackers, and more!

Read Time: 9 minutes

Howdy friends!

Busy week! If you haven’t noticed, we’re more than a newsletter now and are writing original news stories over on vulnu.com. It has been a lot of fun getting some new writers onboarded and working on building out a newsroom. Add us to your RSS reader, share around, all that jazz as we work on getting our site’s traffic and reputation up. Appreciate all the support!

I threw a party at my house this week and when the dust settled it seemed like a rave had just left. I don’t think I’ll ever be done cleaning. But a good time was had by all! Hope you all got to connect with people you love this week, as it is the best thing keeping me going right now.

ICYMI

🖊️ Something I wrote: This thread on an AppSec bug letting researchers hack any Kia

🎧️ Something I heard: This demo for OpenAI’s new Canvas feature which is going to make a lot of the AI coding helpers like Cursor squirm a bit

🎤 Something I said: How Mandiant tracked a hacker who faked his own death to avoid paying child support

🔖 Something I read: A leadership book my team is going through - Turn the Ship Around!

📣 Sponsor

Your Remote Workforce is a Ticking Time Bomb!

Hybrid and remote work expand your company's attack surface beyond the corporate firewall when:

  • Employees introduce shadow IT to their devices.

  • Devices with company data connect to home networks with default settings.

  • Public Wi-Fi vulnerabilities are exploited when remote employees roam.

  • You need to develop a strategy to secure your remote workforce.

Learn how to take your first steps with a free copy of ThreatLocker®'s latest eBook on how to secure remote workforces.

Vulnerable News

I saw the reports of this attack come through and was super excited for their write-up. It is a bit sparse on details that I would’ve hoped to read, like who the target was, but alas! The attack was two-pronged, aiming to exhaust both CPU resources and bandwidth.

The devices used in the attack included ASUS routers compromised via a recent CVE, DVRs, and other home IoT devices. This attack was massive but got absorbed by Cloudflare’s Anycast network. Read my summary and the full write-up for more details. (read more)

The UK's National Crime Agency just dropped a bombshell, linking LockBit's big shot Aleksandr Ryzhenko (aka Beverley) to the infamous Evil Corp. Turns out, this guy's not just a random hacker - he's supposedly the second-in-command of Evil Corp.

The NCA's Operation Cronos is really stirring the pot, showing how these Russian hacker groups are more tangled up than we thought. They even brought LockBit's dark web leak site back from the dead for a hot minute to prove their point. Ryzhenko's apparently besties with Evil Corp's head honcho, Maksim Yakubets, who's got his own fan club in the U.S. government (and not in a good way). (read more)

CISA's vulnerability disclosure platform is blowing up, with twice as many critical bugs reported last year compared to 2022. Turns out, hackers are pretty stoked about poking around government systems (legally, of course).

The feds might've been fashionably late to the VDP party, but they're making up for lost time. With 51 agencies now on board and over 3,200 researchers submitting reports, it's like a nerd's playground out there. NASA's even saying researchers are "very excited" to engage with them. Who knew hacking the government could be so... wholesome? As more agencies jump on the bandwagon, expect to see even more bugs squashed in the coming months/years. (read more)

📣 Sponsor

Stay on top of AI governance!

Nudge Security discovers all genAI accounts ever created by anyone in your org, as well as the OAuth grants that link them to other apps. With Nudge Security, you have visibility of all apps, users, authentication methods and OAuth grants, and can vet unfamiliar tools with security profiles for each provider.

Looks like Microsoft's Digital Crimes Unit is playing whack-a-mole with some Russians. They just took down a bunch of domains used by a group they're calling "Star Blizzard." These guys have been busy, targeting NGOs, journalists, and think tanks. With the U.S. election looming, Microsoft is touting this as a disruption at a critical point in time.

Microsoft teamed up with the DOJ to seize over 100 websites. They're hoping this will slow Star Blizzard down, especially with all the election shenanigans we're worried about. But the group will pop up somewhere else soon, as they’re always rolling new infrastructure. At least Microsoft's getting some good intel out of this too. Good job to the crew working on this one. (read more)

Interpol's been busy, nabbing eight suspects in Côte d'Ivoire who were running a rather large phishing operation. These guys were all about those QR code scams, tricking Swiss folks into handing over their personal info on fake payment sites. They managed to swipe over $1.4 million before getting caught.

But it's not just about the money - this bust is part of a bigger operation called Contender 2.0, which has been cracking down on all sorts of cyber baddies in Africa since 2021. BEC schemes, romance scams, you name it. It's like whack-a-mole. And while they've caught these guys, the hunt's still on for more victims and stolen cash. (read more)

Wow, North Korea's really upping their phishing game, huh? This time they've set their sights on Diehl Defence, a German company that's been selling missiles to South Korea. NK doesn’t love that they do that.

The Kimsuky crew (aka APT43 for the cool kids) went all out with this one, crafting some pretty convincing fake job offers from US arms companies. They even did their homework on German work conditions to make it look legit. It's not just Diehl Defence in the crosshairs; the BSI says other German orgs are getting hit too. Seems like North Korea's trying to fund their military the old-fashioned way: by stealing crypto and corporate secrets. (read more)

Wow, looks like the pig butchering scammers are getting even craftier. They've managed to sneak fake trading apps onto both the Apple App Store and Google Play, targeting folks across Asia-Pacific, Europe, and the Middle East. These apps, part of what Group-IB is calling UniShadowTrade, are built using the UniApp framework to work on both iOS and Android.

I’m used to seeing this stuff in the Google Play store, but getting an app approved by Apple is much harder, so I wanted to look into it. This is sneaky!

Before displaying the login page, the iOS application performs several checks. It checks the device model, as the application is only designed to run on mobile phones. First, it checks the current date and time. If the date is earlier than 22 July 2024, 00:00:00, the application launches a fake activity with formulas and graphics. We assume that this condition must bypass Apple’s checks before being published to the store. As we can see, this simple trick allows cybercriminals to upload their fraudulent application to the Apple Store.

Group-IB

The scam's pretty slick - they lure victims through dating apps, get them to install these legit-looking trading apps, and then slowly bleed them dry. The apps even support multiple languages to cast a wider net. (read more)

Alright, let's break this down. Looks like WatchGuard has a pretty gnarly bug in their SSO Client and Authentication Gateway.

The fun part? This bug's been out there since June. They're promising a patch by the end of October, but until then, you’re on your own. Their workaround? "Just don't use SSO, bro." Real helpful, guys. If you're stuck with this setup, you might want to get cozy with Windows Firewall rules to at least put up some kind of barrier. (read more)

These are the Iranians that started the whole JD Vance dossier thing. They hacked the Trump campaign’s personal devices and started trying to pitch the stolen info to reporters, none of whom took the bait at the time.

While these dudes are probably never gonna see the inside of a U.S. courtroom, the feds are making it clear they're onto their game. The $10 million bounty on their heads is just the cherry on top. (read more)

The Irish Data Protection Commission just slapped Meta with a €91 million fine for storing millions of Facebook and Instagram passwords in plaintext. I thought this headline was wrong when I read it. Plaintext?!

This mess-up dates back to 2019, and some of these plaintext passwords had apparently been sitting in their systems since 2012. Meta claims they took "immediate action" to fix it, but c'mon, storing passwords in plaintext in 2019? (read more)
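For contrast, here is what a credential store should hold instead of the password itself. This is an added illustration, not Meta's code or anything from the DPC decision: it uses Python's standard-library scrypt with a per-user random salt, a self-describing record format and a constant-time comparison on verify. The cost parameters and the `scrypt$N$r$p$salt$key` record layout are my own choices for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Illustrative scrypt cost parameters (RFC 7914). Tune so one hash takes tens
# of milliseconds on your hardware, and raise them as hardware gets faster.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt key and return a record that carries its own
    parameters, so they can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_BYTES,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the parameters stored in the record and compare
    in constant time. The plaintext password is never stored anywhere."""
    scheme, n, r, p, salt_b64, key_b64 = record.split("$")
    if scheme != "scrypt":
        raise ValueError(f"unsupported scheme {scheme!r}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=int(n),
        r=int(r),
        p=int(p),
        dklen=len(expected),
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def record_leaks_password(password: str, record: str) -> bool:
    """Sanity check for the anti-pattern: does the stored record contain the
    password verbatim? For a hashed record this must always be False."""
    return password in record


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("wrong pw :", verify_password("wrong password", rec))
    print("leaks    :", record_leaks_password("correct horse battery staple", rec))
```

Two properties worth noticing: hashing the same password twice yields different records because the salt is random, so an attacker who dumps the table cannot spot shared passwords or use one precomputed table against every row; and the record stores the parameters it was created with, so you can raise `SCRYPT_N` for new users without invalidating existing logins.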

Heads up, Zimbra users - time to patch your mail servers ASAP. There's a nasty remote code execution bug (CVE-2024-45519) that's already being exploited in the wild. The flaw is in the postjournal service and lets unauthenticated attackers run commands because of sloppy input sanitization. Zimbra dropped fixes last week, but the bad guys didn't waste any time - exploitation attempts kicked off just a day after a proof-of-concept was published.

If you're running Zimbra, grab the latest update for your version pronto. The attackers are trying to set up webshells on vulnerable servers, which is bad news bears. Oh, and if you're not using the postjournal service, maybe consider turning it off entirely. (read more)
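The bug class the advisory describes, unsanitized input reaching a command interpreter, in miniature. This is an added illustration in Python and is not Zimbra's code or the actual CVE-2024-45519 path; the "journal" command, the address field and the allow-list regex are constructed for the example. It shows the vulnerable shape (string interpolation into a shell) next to two hardening layers: an allow-list on the input, and passing arguments as an argv list so the shell never sees them.

```python
import re
import subprocess

# Constructed allow-list. Real RFC 5321 addresses are richer than this, but a
# server-side hook only needs to accept what the deployment actually uses.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}$")


def vulnerable_journal(address: str) -> str:
    """ANTI-PATTERN: the attacker-controlled address is interpolated into a
    shell command line. /bin/sh expands $(...), backticks and ';' before the
    intended program runs, so the address becomes a command."""
    cmd = f"echo journaled {address}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_address(address: str) -> bool:
    """Allow-list check: anything outside the expected alphabet is rejected,
    which includes every shell metacharacter."""
    return _ADDRESS_RE.fullmatch(address) is not None


def hardened_journal(address: str) -> str:
    """Validate first, then run with an argv list and shell=False. The second
    layer means metacharacters stay inert even if validation is ever loosened."""
    if not is_valid_address(address):
        raise ValueError(f"rejected address: {address!r}")
    argv = ["echo", "journaled", address]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


def argv_only_journal(address: str) -> str:
    """Same argv approach with no validation at all, to isolate what shell=False
    buys you: the address is passed to echo verbatim, nothing is expanded."""
    argv = ["echo", "journaled", address]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed malicious input: a command substitution smuggled into the
    # local part of an address.
    evil = "x$(echo PWNED)@example.com"
    print("vulnerable :", vulnerable_journal(evil).rstrip())
    print("argv only  :", argv_only_journal(evil).rstrip())
    print("hardened   :", hardened_journal("alice@example.com").rstrip())
    print("valid?     :", is_valid_address(evil))
```

When reviewing code for this class of bug, grep for `shell=True`, `os.system`, `popen` and their equivalents in other languages, and treat any call where part of the command string comes from a network request as exploitable until proven otherwise. Disabling a service you do not use, as the advice above for postjournal says, removes the whole question.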

These two guys were up to no good. First, they hacked some email accounts. Then they used the info in there to perpetrate some scams. Example: they found out about a major construction project going on at a university in North Carolina, set up a domain that looked similar enough to one of the contractors', and tricked the accounts payable department into sending them millions instead of the legitimate contractor. The FBI brought the hammer down on this one, and they’re going to be doing some time. (read more)

T-Mobile's getting a slap on the wrist for their data breach shenanigans. The FCC's hitting them with a $15.75 million fine and some new security homework, like network segmentation and MFA. Not exactly chump change, but for a company raking in billions, it's more like a stern talking-to than a real punishment.

This isn't T-Mobile's first rodeo either - they've had breaches in 2021, 2022, and 2023, spilling sensitive customer data like social security numbers. The FCC's been on a bit of a telecom crackdown lately, with AT&T and TracFone also getting similar fines. But let's be real, these penalties are like parking tickets for these giants. Maybe it'll make them tighten up their security game, but don't hold your breath for a complete overhaul. (read more)

Miscellaneous mattjay

I need to do this but put a Crowdstrike logo somewhere

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay