Read Time: 7 minutes

Howdy friends!

What a week! Me and a thousand people I know are sick. Some bug is going fast and wide. Not a lot of positive Covid tests in my circles, but social media yelled at me saying I’m an idiot and that new Covid variants don’t show up on tests.

I realized this week it is super hard for me to take a sick day, so I really didn’t. Just took all my calls from home and apologized for my voice. Goal for 2025: Be able to take a day to recover if needed. Or I’m sure my body will force it on me soon enough.

Quick look at a blog I wrote this week:

ICYMI

🖊️ Something I wrote: Thread about the pager explosion and the claims about malware

🎧️ Something I heard: I’m a big puzzle fan. Found a new one called Minute Cryptic due to some of the short videos explaining how to solve them. Think: Evil crossword.

📣 Something I think you’ll find cool: Understanding AI risks and best practices: Get to grips with threats like data poisoning, model theft, and adversarial attacks, plus how to mitigate them*

🎤 Something I said: I shamed Ford for a patent they filed to spy on you in your car to serve you ads while driving based on your conversations and location.

🔖 Something I read: I just picked up Smart Brevity - by the founders of Axios. It was suggested reading by my CEO. Any of you read/impliment it?

*Sponsored

Vulnerable News

US government ‘took control’ of a botnet run by Chinese government hackers, says FBI director

The FBI took down a massive botnet run by a group called Flax Typhoon. We're talking hundreds of thousands of hacked IoT devices - your cameras, routers, the works. We’ve talked a lot about Flax Typhoon here, and the FBI has been warning about all the compromised devices they had out there.

FBI Director Wray said they not only took control of the botnet but also cleaned up the infected devices. This is the kind of the thing ONLY the government can do. I know some botnet researchers and if they actually clean the devices up, that is also considered illegal as they’d be running commands on other people’s machines.

The Chinese hackers didn't take it lying down though - they tried to migrate their bots and even DDoSed the FBI. This is all part of a bigger push by the U.S. to disrupt Chinese cyber ops, especially ones that could potentially cause "real-world harm" in a future conflict. (read more)

Iran's cyber-goons emailed stolen Trump info to Team Biden – which ignored them

We covered this Iran hacking of the Trump campaign when it happened. Well now we get info that the Iranian hacking group apparently sent some of the nonpublic info over to the Biden team …who ignored it.

If they’re anything like me they have a filter sending all Iranian hackers straight to spam…

Idk, this just goes to show that the whole point of the hack was to sow dissent and infighting. (read more)

Microsoft Threat Analysis Center (MTAC) - Russia leverages cyber proxies and Volga Flood assets in expansive influence efforts

Microsoft's threat intel team caught two Kremlin-linked troll farms, Storm-1516 and Storm-1679, churning out fake videos to smear Kamala Harris. We're talking millions of views on bogus clips showing fake Harris supporters attacking Trump fans and made-up hit-and-run accidents. Classic disinformation playbook stuff.

Meanwhile, another Russian group called Ruza Flood (aka Doppelgänger) is still at it despite the US government seizing 32 of their domains. These guys are all about typosquatting - setting up fake news sites that look legit at first glance. Their "Good Old USA Project" makes it pretty clear they're aiming to get Trump or another Republican in the White House.

Microsoft's take? This is all coming straight from the top of the Kremlin. No surprise there, given Trump's, uh, "friendly" stance towards Putin. Looks like we're in for another wild ride of online manipulation as we head into election season. (read more)

Enterprise ServiceNow Knowledge Bases at Risk: Extensive Data Exposures Uncovered

Thousands of companies might be accidentally leaking sensitive info from their internal knowledge bases thanks to some ServiceNow widget shenanigans. Two separate research teams found that even if you set your knowledge base articles to "private," the widgets used to build those pages could still expose them to anyone who knows how to poke at them.

The researchers estimate 30-45%(?!) of ServiceNow customers might have this misconfiguration. (read more)

Police Hack Into ‘Ghost’, An Encrypted Platform for Criminals

mattjayy

View more on Instagram

Security Flaw in AWS Transit Gateway Peering Attachments (Patched) 

I’m still a cloud security nerd even though it’s not my day to day focus right now, and this is cool research. Normally, when you try to connect two Transit Gateways, the destination account has to give the thumbs up. But this exploit let the source account (aka potentially anyone) force their way in if the gateways were in different regions.

You couldn't pull this off through the AWS console, but if you went straight to the API (like Terraform does), boom - unauthorized access granted. AWS fixed it pretty quick once these researchers disclosed, but it's a good reminder that even AWS has vulns.

They suggest using SCPs (Service Control Policies) to lock this down if you're worried. Basically, its you telling AWS to only let specific accounts or your org accept these peering requests. (read more)

Scam ‘Funeral Streaming’ Groups Thrive on Facebook

This story sucks. But here we are.

It’s common place these days for people to live stream some funeral services for loved ones who aren’t local or able to make it in person. Scammers are all over this trend and are making fake Facebook groups advertising fake live streams of funerals. They don’t half ass it either, they have the correct dates/times and even photos of the deceased.

Once tricked, you get sent to a domain that looks like some event live streaming service that asks for your payment info to watch the stream. They even solicit donations in the name of the family. Just awful shit.

Stay alert for this stuff! Anyone can fall for these things, especially when emotionally compromised during a tough loss. (read more)

How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023

Lazarus Group, tied to North Korea, has been hacking crypto projects and individuals since at least 2020. This investigation tracked 25+ hacks from 2020-2023 totaling around $200 million stolen.

Their typical MO involves phishing emails to gain access to private keys or inject malware. They've hit exchanges, DeFi projects, and high-profile individuals in the crypto space.

For laundering, they've used a mix of crypto mixers like Tornado Cash and ChipMixer, as well as bridging between chains. More recently, they've been cashing out via P2P exchanges like Paxful and Noones.

The researcher was able to trace $44 million moving through specific Paxful and Noones accounts from July 2022 to November 2023. They likely converted this to fiat via bank transfers or cash. (read more)

Prioritizing Detection Engineering

When Magoo writes, I read. Simple.

He’s got some strong opinions on how to build out a detection program without it turning into a dumpster fire. TL;DR - Don't rush into it.

He suggests starting with the basics - get your logging sorted and focus on hardening your systems before diving into fancy detections. When you do start alerting, be super picky about quality. No half-baked alerts allowed.

He's not a fan of throwing a bunch of dedicated detection engineers at the problem right away. His view is that detection work can easily spiral out of control if you don't have the right management processes in place first.

Basically, he's saying don't let detection become this isolated pet project that creates a ton of busywork. Instead, build it up slowly alongside your other security efforts, and make sure you can actually handle the workload it generates before going all-in. Solid advice for anyone looking to avoid detection burnout! (read more)

Cracks in the Foundation: Intrusions of FOUNDATION Accounting Software

Attackers are brute-forcing their way into FOUNDATION's SQL databases through publicly exposed ports, using default credentials like they're going out of style. Once in, they're leveraging the good ol' xp_cmdshell to run system commands and poke around the network.

The Huntress team caught wind of this on September 14th when they spotted some suspicious command-line action spawning from sqlservr.exe. They found about 500 hosts running FOUNDATION, with a sample of 33 exposed to the internet with default creds still in place. (read more)

Suspects behind $230 million cryptocurrency theft arrested in Miami

Two young suspects, Malone Lam and Jeandiel Serrano (both barely old enough to drink), were nabbed by the FBI for allegedly pulling off a massive $230 million cryptocurrency heist. Those are nation-state numbers.

These guys apparently hacked their way into a victim's crypto accounts in D.C., swiping over 4,100 Bitcoin. But! They couldn't resist flaunting their ill-gotten gains. Luxury cars, designer bags, and living it up in nightclubs. Ever see that Denzel movie American Gangster? I always think of that fur coat at the boxing match scene in these situations.

A third suspect, known as "Wiz," soon to be acquired by Google for, is still at large, but he's not exactly a criminal mastermind either. Dude accidentally revealed his real name during a screen share. Crypto investigator ZachXBT helped crack the case, following the money trail as these guys tried (and failed) to cover their tracks. (read more)

Miscellaneous mattjay

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay