Read Time: 8 minutes

Howdy friends!

I’ve barely had a free half hour in my days this week. Who is accepting all these meetings? Oh it’s me? Man, that guy is to blame for a lot of my problems.

I have one wish for all of you in the coming weeks. May your local weather make a hoodie appropriate. Cozy blessings upon all of your houses.

Let’s get vulnerable:

ICYMI

🖊️ Something I wrote: This crazy SQLi in a critical TSA website story.

🎧️ Something I heard: What if Eminem was a one man folk band? (Why does this hit so hard?)

🎤 Something I said: I don’t have a face for this kind of camera quality, but I was on the Decipher podcast live in BlackHat and they had a pro crew there to capture it.

🔖 Something I read: I’ve been working with a health coach the last few years, Robbie. He’s been an incredible resource for me and balancing my schedule, mental health, and still helping me lose over 50lbs and keep working out. He’s not paying me for this but I wanted to give him a shout out. Hit him up if you’re in the market for that kind of thing.

Vulnerable News

Fortinet confirms data breach after hacker claims to steal 440GB of files

Oof, here we go again with Fortinet. They’ve been having a bad time the last few years.

A hacker going by "Fortibitch" (points for creativity, I guess) claims they've snagged 440GB of Fortinet's data from their Microsoft SharePoint server. They're even sharing access to an S3 bucket where they've supposedly stashed the goods. Fortinet's confirmed a breach, but they're being pretty tight-lipped about the details.

The company says it was a "third-party cloud-based shared file drive" that got hit, and only a "limited number of files" were accessed. They're claiming it only affects a "small number" of customers, but who knows what that really means in corporate-speak.

Also. What the hell did I just read with this one:

Wild. (read more)

Mastercard to Acquire Threat Intelligence Firm Recorded Future for $2.6 Billion

Billion. With a B. That’s a huge acquisition for cybersecurity and for Mastercard, their biggest in the space yet. Here is a great writeup I saw on LinkedIn:

Congrats Recorded Future. I know fans of their fraud intel products who are watching and hoping things don’t change too much. (read more)

FBI 2023 Cryptocurrency Fraud Report

Looks like 2023 was a banner year for crypto scammers, with losses hitting a whopping $5.6 billion. That's a 45% jump from 2022, which is pretty wild. The FBI reports scammers getting creative with fake dating apps, bogus liquidity mining schemes, and scam blockchain games.

Investment fraud made up 71% of those losses. California got hit the hardest, racking up over a billion in losses. As for protection, the FBI's advice boils down to: be skeptical, do your homework, and don't fall for those "we can recover your stolen crypto" scams. Oh, and maybe think twice before mixing your gaming and investment wallets. (read more)

New Android Malware 'Ajina.Banker' Steals Financial Data and Bypasses 2FA via Telegram

We've got a new Android malware making the rounds in Central Asia. This "Ajina.Banker" malware is spreading through Telegram channels disguised as legit banking and government apps.

The threat actors behind this are getting pretty crafty. They're localizing their approach, tailoring their bait to each region's interests. There are also signs that they've automated parts of their distribution process, which seemed interesting to me.

Once installed, Ajina.Banker goes to town, snags SIM info, and installs financial apps and SMS messages. Newer versions even throw phishing pages into the mix. Oh, and it's got some tricks to avoid uninstallation, too. (read more)

Green Berets Hijacked WiFi To Control Home Security System Then Vanish In Mock Raid

This one is fun. Green Berets from the 10th Special Forces Group carried out a mock cyber infiltration. One team hacked a building’s WiFi, breaking into its security systems and shutting down the cameras and door locks. After that, another team did a military free fall, trekked 7 miles, and easily got into the now-unsecured building. To cover their tracks, they dropped some signal jamming equipment on their way out.

Interesting read for me on how cyber warfare can be combined with traditional special ops. And they even Rick Rolled the target network. (read more)

Arrest made in NCA investigation into Transport for London cyber attack

I covered this story last week, and we’ve already had arrests. The NCA just nabbed a 17-year-old in Walsall for the cyber attack on Transport for London earlier this month. Talk about a quick turnaround - the attack happened on September 1st, and they had the kid in cuffs by the 5th.

Unrelated, but kinda related, I just saw RiskyBiz publish that the NCA is close to collapse due to underpaying and brain drain. - “A UK anti-corruption organization has published a report this week warning that the UK's top police investigative body—the UK National Crime Agency (NCA)—is close to a critical collapse, describing it's current state as "on its knees." (read more)

From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking

This one piqued my interest because I know a lot of people who use Selenium grid or similar tools for various testing or web scraping.

It’s typically used for running browser tests in parallel, but apparently, its default configuration leaves you completely exposed.

The bad guys are using this to pull off two main tricks:

• Proxyjacking: They're installing apps like IPRoyal Pawns and EarnFM to sell your bandwidth without you knowing. Turning your server into a proxy for who knows what.

• Crypto mining: They're dropping XMRig miners to mine Monero on your dime. Classic move.

If you're running Selenium Grid, for the love of all that's holy, enable authentication. It's not on by default, which is crazy but important to realize. (read more)

LVHN to pay $65 million over data breach that led to cancer patient photos being posted online

Woah, I remember this one when it happened. What an awful story and data leak.

The settlement covers about 135,000 people whose info was compromised. Payouts range from $50 to $70,000, depending on how badly you were affected. They've got this tiered system:

• Everyone gets at least $50 for having basic info leaked.

• $1.3 million set aside for folks who had sensitive medical or employment data exposed.

• $4.55 million for those who had non-nude but sensitive photos leaked.

• The big one: $52 million for people who had nude images posted online.

The original "Jane Doe" plaintiff is getting $125,000 for her bravery in starting this whole thing. (read more)

Cyber crooks shut down UK, US schools, thousands of kids affected

Remember snow days? Well now we’ve got ransomware days. 18,000 kid school district in Washington state shut down the first week of school due to them detecting “unauthorized access”

The Highline Public Schools district had to shut down all 34 of its schools. We don’t have details but it smells like ransomware.

Meanwhile, across the pond, Charles Darwin School in England got whacked by the Black Suit ransomware gang. These guys are bragging about snagging 200GB of data, including all sorts of info on students and staff. The school's looking at three weeks of digital downtime.

I posted a video of this story and got a lot of comments and messages saying schools are a really hot target right now and are completely unprepared for these attacks. Hope they can figure out some help soon. (read more)

Fake recruiter coding tests target devs with malicious Python packages

Here’s a fun new way people are getting hacked. Fake coding tests during fake job interviews! They message you on LinkedIn pretending to be a recruiter, the example shows they pretend to be Capital One. They instill a sense of urgency as you only have so much time to complete the coding skills assessment. They tell you to make sure the project runs on your machine before you start, aka make sure the malware runs. It is base64 encoded in the init python files which just phones home to the C2 for further instructions. Stay on your toes if you’re on the job market!

Oh side note, the researchers tied this campaign back to North Korea’s Lazarus group. They’re known for targeting crypto users and platforms so I’m guessing this campaign would be no different. (read more)

A glimpse into the Quad7 operators’ next moves and associated botnets

These are the scary reports. But a must read if you’re in charge of any sort of network security. This is a very detailed breakdown of behavior evolving for this botnet operator named after the port they target, 7777. Their targets are expanding, their techniques are getting better, and they’re getting stealthier. (read more)

Pokémon GO was an intelligence tool, claims Belarus military official

Looks like Belarus is trying to catch 'em all... conspiracy theory edition! A defense ministry official there is claiming Pokemon GO was some kind of Western spy tool. Apparently, a lot of Pokemon were hanging out near a military runway. Listen. I’m just trying to catch that rare shiny Pokemon, not your military secrets.

This isn't the first Pokemon-related paranoia. Russia, Indonesia, Kuwait, and Egypt all got their Pokeballs in a twist over the game back in the day. China still has it banned, though plenty of players have found ways around that. (read more)

How $20 and a lapsed domain allowed security pros to undermine internet integrity

Some security folks from watchTowr Labs got bored during Black Hat and decided to poke around WHOIS servers. They noticed the .mobi domain had switched its WHOIS server, so they snagged the old expired domain for 20 bucks. Turns out, that was a goldmine.

Millions of systems were still querying this old domain, including big-name security companies, government agencies, and even certificate authorities. The watchTowr team set up their own WHOIS server and started getting flooded with queries.

If they were bad guys, they could've potentially messed with TLS/SSL certificates for major domains like google.mobi or microsoft.mobi. (read more)

Miscellaneous mattjay

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay