šŸŽ“ļø Vulnerable U | #082

Mentorship in Cybersecurity and Mental Health, FBI took down Chinese botnet, Microsoft Report on Russian disinfo campaign, ServiceNow vulnerability and major exposure, Europol hacks and takes down Ghost, and more!

Read Time: 7 minutes

Howdy friends!

What a week! Me and a thousand people I know are sick. Some bug is going fast and wide. Not a lot of positive Covid tests in my circles, but social media yelled at me saying I'm an idiot and that new Covid variants don't show up on tests.

I realized this week it is super hard for me to take a sick day, so I really didn't. Just took all my calls from home and apologized for my voice. Goal for 2025: Be able to take a day to recover if needed. Or I'm sure my body will force it on me soon enough.

Quick look at a blog I wrote this week:

The Importance of Mentorship in Supporting Mental Health

Challenges: Lack of guidance and support.
Successes: Benefits of mentorship programs, how to find and become a mentor.

This one is going to be quick, but worth it. I want to talk about mentorship, specifically in the tech industry, and its impact on mental health. The idea for this article came from a brief, but endearing conversation in the office this week.

Did/Do you have a mentor?

If so, and you have a sec, tell me a bit about what that has meant for you and how you found them.


ICYMI

šŸ–Šļø Something I wrote: Thread about the pager explosion and the claims about malware

šŸŽ§ļø Something I heard: Iā€™m a big puzzle fan. Found a new one called Minute Cryptic due to some of the short videos explaining how to solve them. Think: Evil crossword.

📣 Something I think you'll find cool: Understanding AI risks and best practices: Get to grips with threats like data poisoning, model theft, and adversarial attacks, plus how to mitigate them*

🎤 Something I said: I shamed Ford for a patent they filed to spy on you in your car to serve you ads while driving based on your conversations and location.

🔖 Something I read: I just picked up Smart Brevity - by the founders of Axios. It was suggested reading by my CEO. Any of you read/implement it?

*Sponsored

📣 Sponsor

GenAI Security Best Practices Cheat Sheet

The task for security teams to secure AI pipelines is no small feat.

To help, the Wiz team recently put together the GenAI Security Best Practices Cheat Sheet to provide you with the essential concepts, techniques, and mitigation strategies for improving your security.

Inside you'll find:
- The top threats to watch out for
- 7 best practices for securing AI pipeline
- Practical examples (with screenshots) using Wiz's AI-SPM

Start fortifying your organization's GenAI security posture today!

Vulnerable News

The FBI took down a massive botnet run by a group called Flax Typhoon. We're talking hundreds of thousands of hacked IoT devices - your cameras, routers, the works. We've talked a lot about Flax Typhoon here, and the FBI has been warning about all the compromised devices they had out there.

FBI Director Wray said they not only took control of the botnet but also cleaned up the infected devices. This is the kind of thing ONLY the government can do. I know some botnet researchers, and if they actually cleaned the devices up, that would also be considered illegal, as they'd be running commands on other people's machines.

The Chinese hackers didn't take it lying down though - they tried to migrate their bots and even DDoSed the FBI. This is all part of a bigger push by the U.S. to disrupt Chinese cyber ops, especially ones that could potentially cause "real-world harm" in a future conflict. (read more)

We covered the Iranian hack of the Trump campaign when it happened. Well, now we get info that the Iranian hacking group apparently sent some of the nonpublic info over to the Biden team …who ignored it.

If they're anything like me they have a filter sending all Iranian hackers straight to spam…

Idk, this just goes to show that the whole point of the hack was to sow dissent and infighting. (read more)

Microsoft's threat intel team caught two Kremlin-linked troll farms, Storm-1516 and Storm-1679, churning out fake videos to smear Kamala Harris. We're talking millions of views on bogus clips showing fake Harris supporters attacking Trump fans and made-up hit-and-run accidents. Classic disinformation playbook stuff.

Meanwhile, another Russian group called Ruza Flood (aka Doppelgänger) is still at it despite the US government seizing 32 of their domains. These guys are all about typosquatting - setting up fake news sites that look legit at first glance. Their "Good Old USA Project" makes it pretty clear they're aiming to get Trump or another Republican in the White House.

Microsoft's take? This is all coming straight from the top of the Kremlin. No surprise there, given Trump's, uh, "friendly" stance towards Putin. Looks like we're in for another wild ride of online manipulation as we head into election season. (read more)

Thousands of companies might be accidentally leaking sensitive info from their internal knowledge bases thanks to some ServiceNow widget shenanigans. Two separate research teams found that even if you set your knowledge base articles to "private," the widgets used to build those pages could still expose them to anyone who knows how to poke at them.

The researchers estimate 30-45%(?!) of ServiceNow customers might have this misconfiguration. (read more)

I'm still a cloud security nerd even though it's not my day to day focus right now, and this is cool research. Normally, when you try to connect two Transit Gateways, the destination account has to give the thumbs up. But this exploit let the source account (aka potentially anyone) force their way in if the gateways were in different regions.

You couldn't pull this off through the AWS console, but if you went straight to the API (like Terraform does), boom - unauthorized access granted. AWS fixed it pretty quick once these researchers disclosed, but it's a good reminder that even AWS has vulns.

They suggest using SCPs (Service Control Policies) to lock this down if you're worried. Basically, it's you telling AWS to only let specific accounts or your org accept these peering requests. (read more)
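Alongside the SCP, it is worth checking what peering attachments are already sitting on your gateways. The audit below is an added example, not code from the research write-up: it assumes the dict layout boto3 returns from describe_transit_gateway_peering_attachments, and every account and attachment ID in the sample is constructed.

```python
"""Audit Transit Gateway peering attachments and flag requesters that are not
on an allowlist. Added example, not from the research write-up; the dict layout
follows boto3's describe_transit_gateway_peering_attachments response, but
every account and attachment ID below is constructed."""

ALLOWED_REQUESTER_ACCOUNTS = {"111111111111"}  # constructed: the peers you expect

def _att(att_id, state, req_owner, req_region, acc_region="eu-west-1"):
    """Build one attachment record in the describe-call layout (constructed)."""
    return {
        "TransitGatewayAttachmentId": att_id,
        "State": state,
        "RequesterTgwInfo": {"OwnerId": req_owner, "Region": req_region},
        "AccepterTgwInfo": {"OwnerId": "999999999999", "Region": acc_region},
    }

# Constructed sample: an expected peer, an unknown cross-region requester still pending, an unknown one already accepted
SAMPLE_ATTACHMENTS = [
    _att("tgw-attach-0000000000000001", "pendingAcceptance", "111111111111", "eu-west-1"),
    _att("tgw-attach-0000000000000002", "pendingAcceptance", "333333333333", "us-east-1"),
    _att("tgw-attach-0000000000000003", "available", "444444444444", "ap-southeast-2"),
]

def find_suspicious_attachments(attachments, allowed_accounts):
    """Return pending or accepted attachments whose requester account is not
    allowlisted. cross_region is recorded because the bypass above only worked
    when the two gateways were in different regions."""
    findings = []
    for att in attachments:
        req, acc = att.get("RequesterTgwInfo", {}), att.get("AccepterTgwInfo", {})
        if att.get("State") not in ("pendingAcceptance", "available"):
            continue  # rejected, deleted, failed etc. need no action
        if req.get("OwnerId") in allowed_accounts:
            continue
        findings.append({
            "attachment_id": att["TransitGatewayAttachmentId"],
            "state": att["State"],
            "requester_account": req.get("OwnerId"),
            "cross_region": req.get("Region") != acc.get("Region"),
        })
    return findings

def audit_live(region_name, allowed_accounts=ALLOWED_REQUESTER_ACCOUNTS):
    """Same check against a real account (first page of results only); boto3 is
    imported lazily so the offline sample runs without it."""
    import boto3  # assumes AWS credentials are already configured
    ec2 = boto3.client("ec2", region_name=region_name)
    resp = ec2.describe_transit_gateway_peering_attachments()
    return find_suspicious_attachments(resp["TransitGatewayPeeringAttachments"], allowed_accounts)
```

Anything in state "available" from an unexpected account is the more urgent case, since the attachment has already been accepted.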

This story sucks. But here we are.

It's commonplace these days for people to live stream funeral services for loved ones who aren't local or able to make it in person. Scammers are all over this trend and are making fake Facebook groups advertising fake live streams of funerals. They don't half-ass it either: they have the correct dates/times and even photos of the deceased.

Once tricked, you get sent to a domain that looks like some event live streaming service that asks for your payment info to watch the stream. They even solicit donations in the name of the family. Just awful shit.

Stay alert for this stuff! Anyone can fall for these things, especially when emotionally compromised during a tough loss. (read more)

Lazarus Group, tied to North Korea, has been hacking crypto projects and individuals since at least 2020. This investigation tracked 25+ hacks from 2020-2023 totaling around $200 million stolen.

Their typical MO involves phishing emails to gain access to private keys or inject malware. They've hit exchanges, DeFi projects, and high-profile individuals in the crypto space.

For laundering, they've used a mix of crypto mixers like Tornado Cash and ChipMixer, as well as bridging between chains. More recently, they've been cashing out via P2P exchanges like Paxful and Noones.

The researcher was able to trace $44 million moving through specific Paxful and Noones accounts from July 2022 to November 2023. They likely converted this to fiat via bank transfers or cash. (read more)

When Magoo writes, I read. Simple.

Heā€™s got some strong opinions on how to build out a detection program without it turning into a dumpster fire. TL;DR - Don't rush into it.

He suggests starting with the basics - get your logging sorted and focus on hardening your systems before diving into fancy detections. When you do start alerting, be super picky about quality. No half-baked alerts allowed.

He's not a fan of throwing a bunch of dedicated detection engineers at the problem right away. His view is that detection work can easily spiral out of control if you don't have the right management processes in place first.

Basically, he's saying don't let detection become this isolated pet project that creates a ton of busywork. Instead, build it up slowly alongside your other security efforts, and make sure you can actually handle the workload it generates before going all-in. Solid advice for anyone looking to avoid detection burnout! (read more)

Attackers are brute-forcing their way into FOUNDATION's SQL databases through publicly exposed ports, using default credentials like they're going out of style. Once in, they're leveraging the good ol' xp_cmdshell to run system commands and poke around the network.

The Huntress team caught wind of this on September 14th when they spotted some suspicious command-line action spawning from sqlservr.exe. They found about 500 hosts running FOUNDATION, with a sample of 33 exposed to the internet with default creds still in place. (read more)
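The parent-child relationship Huntress spotted is easy to turn into a detection. The check below is an added example, not Huntress's own rule: it runs over constructed events in a Sysmon-style process-creation layout, and the host names and SQL Server install path are made up.

```python
"""Flag process-creation events where sqlservr.exe spawns a command shell, the
pattern Huntress describes for the FOUNDATION intrusions. Added example, not
Huntress's own detection; the events below are constructed in a Sysmon-style
Event ID 1 layout with made-up host names."""
import ntpath

# Children that almost never have a legitimate reason to be launched by SQL Server
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

SQL_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"  # constructed path

SAMPLE_EVENTS = [  # constructed: three shells from sqlservr.exe on two hosts, two benign events
    {"host": "ERP01", "ParentImage": SQL_BINN + r"\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "whoami"'},
    {"host": "ERP01", "ParentImage": SQL_BINN + r"\sqlservr.exe",
     "Image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
     "CommandLine": "powershell.exe -c hostname"},
    {"host": "WS07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"host": "ERP02", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": SQL_BINN + r"\sqlservr.exe", "CommandLine": "sqlservr.exe -sMSSQLSERVER"},
    {"host": "ERP02", "ParentImage": SQL_BINN + r"\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "ipconfig /all"'},
]

def _basename(path):
    """Lower-cased file name from a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()

def find_sql_spawned_shells(events):
    """Return one finding per event whose parent is sqlservr.exe and whose child
    is a shell or script host, regardless of install path or letter case."""
    findings = []
    for ev in events:
        if _basename(ev.get("ParentImage", "")) != "sqlservr.exe":
            continue
        child = _basename(ev.get("Image", ""))
        if child not in SHELL_CHILDREN:
            continue
        findings.append({"host": ev.get("host"), "child": child,
                         "command_line": ev.get("CommandLine", "")})
    return findings

def affected_hosts(findings):
    """Distinct hosts to triage, since one server usually produces many hits."""
    return sorted({f["host"] for f in findings})
```

A hit here on a server where xp_cmdshell is supposed to be disabled is a strong signal on its own; on servers that legitimately use it, baseline the expected child processes before alerting.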

Two young suspects, Malone Lam and Jeandiel Serrano (both barely old enough to drink), were nabbed by the FBI for allegedly pulling off a massive $230 million cryptocurrency heist. Those are nation-state numbers.

These guys apparently hacked their way into a victim's crypto accounts in D.C., swiping over 4,100 Bitcoin. But! They couldn't resist flaunting their ill-gotten gains. Luxury cars, designer bags, and living it up in nightclubs. Ever see that Denzel movie American Gangster? I always think of that fur coat at the boxing match scene in these situations.

A third suspect, known as "Wiz," soon to be acquired by Google for, is still at large, but he's not exactly a criminal mastermind either. Dude accidentally revealed his real name during a screen share. Crypto investigator ZachXBT helped crack the case, following the money trail as these guys tried (and failed) to cover their tracks. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay