- Vulnerable U
- Posts
- šļø Vulnerable U | #081
šļø Vulnerable U | #081
Fortinet breached, Recorded Future acquired for over $2b, FBI's cryptocurrency fraud report, New Android Malware, Fake coding interviews, and more!
Read Time: 8 minutes
Howdy friends!
Iāve barely had a free half hour in my days this week. Who is accepting all these meetings? Oh itās me? Man, that guy is to blame for a lot of my problems.
I have one wish for all of you in the coming weeks. May your local weather make a hoodie appropriate. Cozy blessings upon all of your houses.
Letās get vulnerable:
ICYMI
šļø Something I wrote: This crazy SQLi in a critical TSA website story.
š§ļø Something I heard: What if Eminem was a one man folk band? (Why does this hit so hard?)
š¤ Something I said: I donāt have a face for this kind of camera quality, but I was on the Decipher podcast live in BlackHat and they had a pro crew there to capture it.
š Something I read: Iāve been working with a health coach the last few years, Robbie. Heās been an incredible resource for me and balancing my schedule, mental health, and still helping me lose over 50lbs and keep working out. Heās not paying me for this but I wanted to give him a shout out. Hit him up if youāre in the market for that kind of thing.
š£ Sponsor
A compromised account shouldn't compromise all accounts.
Email accounts are a fast way for attackers to gain access to a wide range of systems that result in costly data breaches.
The level and depth of accessibility from a compromised email reaches far across the enterprise, yet the typical controls are often no more than an authenticated user sessionāwhich can be hijacked or bypassed by sophisticated attackers.
Material Security limits lateral account takeovers by adding a simple authentication step to access password resets and other identity verification messages.
Detect compromised email accounts and reduce their blast radius with Material.
Vulnerable News
Oof, here we go again with Fortinet. Theyāve been having a bad time the last few years.
A hacker going by "Fortibitch" (points for creativity, I guess) claims they've snagged 440GB of Fortinet's data from their Microsoft SharePoint server. They're even sharing access to an S3 bucket where they've supposedly stashed the goods. Fortinet's confirmed a breach, but they're being pretty tight-lipped about the details.
The company says it was a "third-party cloud-based shared file drive" that got hit, and only a "limited number of files" were accessed. They're claiming it only affects a "small number" of customers, but who knows what that really means in corporate-speak.
Also. What the hell did I just read with this one:
Wild. (read more)
Billion. With a B. Thatās a huge acquisition for cybersecurity and for Mastercard, their biggest in the space yet. Here is a great writeup I saw on LinkedIn:
Congrats Recorded Future. I know fans of their fraud intel products who are watching and hoping things donāt change too much. (read more)
Looks like 2023 was a banner year for crypto scammers, with losses hitting a whopping $5.6 billion. That's a 45% jump from 2022, which is pretty wild. The FBI reports scammers getting creative with fake dating apps, bogus liquidity mining schemes, and scam blockchain games.
Investment fraud made up 71% of those losses. California got hit the hardest, racking up over a billion in losses. As for protection, the FBI's advice boils down to: be skeptical, do your homework, and don't fall for those "we can recover your stolen crypto" scams. Oh, and maybe think twice before mixing your gaming and investment wallets. (read more)
We've got a new Android malware making the rounds in Central Asia. This "Ajina.Banker" malware is spreading through Telegram channels disguised as legit banking and government apps.
The threat actors behind this are getting pretty crafty. They're localizing their approach, tailoring their bait to each region's interests. There are also signs that they've automated parts of their distribution process, which seemed interesting to me.
Once installed, Ajina.Banker goes to town, snags SIM info, and installs financial apps and SMS messages. Newer versions even throw phishing pages into the mix. Oh, and it's got some tricks to avoid uninstallation, too. (read more)
This one is fun. Green Berets from the 10th Special Forces Group carried out a mock cyber infiltration. One team hacked a buildingās WiFi, breaking into its security systems and shutting down the cameras and door locks. After that, another team did a military free fall, trekked 7 miles, and easily got into the now-unsecured building. To cover their tracks, they dropped some signal jamming equipment on their way out.
Interesting read for me on how cyber warfare can be combined with traditional special ops. And they even Rick Rolled the target network. (read more)
I covered this story last week, and weāve already had arrests. The NCA just nabbed a 17-year-old in Walsall for the cyber attack on Transport for London earlier this month. Talk about a quick turnaround - the attack happened on September 1st, and they had the kid in cuffs by the 5th.
Unrelated, but kinda related, I just saw RiskyBiz publish that the NCA is close to collapse due to underpaying and brain drain. - āA UK anti-corruption organization has published a report this week warning that the UK's top police investigative bodyāthe UK National Crime Agency (NCA)āis close to a critical collapse, describing it's current state as "on its knees." (read more)
This one piqued my interest because I know a lot of people who use Selenium grid or similar tools for various testing or web scraping.
Itās typically used for running browser tests in parallel, but apparently, its default configuration leaves you completely exposed.
The bad guys are using this to pull off two main tricks:
Proxyjacking: They're installing apps like IPRoyal Pawns and EarnFM to sell your bandwidth without you knowing. Turning your server into a proxy for who knows what.
Crypto mining: They're dropping XMRig miners to mine Monero on your dime. Classic move.
If you're running Selenium Grid, for the love of all that's holy, enable authentication. It's not on by default, which is crazy but important to realize. (read more)
Woah, I remember this one when it happened. What an awful story and data leak.
The settlement covers about 135,000 people whose info was compromised. Payouts range from $50 to $70,000, depending on how badly you were affected. They've got this tiered system:
Everyone gets at least $50 for having basic info leaked.
$1.3 million set aside for folks who had sensitive medical or employment data exposed.
$4.55 million for those who had non-nude but sensitive photos leaked.
The big one: $52 million for people who had nude images posted online.
The original "Jane Doe" plaintiff is getting $125,000 for her bravery in starting this whole thing. (read more)
Remember snow days? Well now weāve got ransomware days. 18,000 kid school district in Washington state shut down the first week of school due to them detecting āunauthorized accessā
The Highline Public Schools district had to shut down all 34 of its schools. We donāt have details but it smells like ransomware.
Meanwhile, across the pond, Charles Darwin School in England got whacked by the Black Suit ransomware gang. These guys are bragging about snagging 200GB of data, including all sorts of info on students and staff. The school's looking at three weeks of digital downtime.
I posted a video of this story and got a lot of comments and messages saying schools are a really hot target right now and are completely unprepared for these attacks. Hope they can figure out some help soon. (read more)
Hereās a fun new way people are getting hacked. Fake coding tests during fake job interviews! They message you on LinkedIn pretending to be a recruiter, the example shows they pretend to be Capital One. They instill a sense of urgency as you only have so much time to complete the coding skills assessment. They tell you to make sure the project runs on your machine before you start, aka make sure the malware runs. It is base64 encoded in the init python files which just phones home to the C2 for further instructions. Stay on your toes if youāre on the job market!
Oh side note, the researchers tied this campaign back to North Koreaās Lazarus group. Theyāre known for targeting crypto users and platforms so Iām guessing this campaign would be no different. (read more)
These are the scary reports. But a must read if youāre in charge of any sort of network security. This is a very detailed breakdown of behavior evolving for this botnet operator named after the port they target, 7777. Their targets are expanding, their techniques are getting better, and theyāre getting stealthier. (read more)
Looks like Belarus is trying to catch 'em all... conspiracy theory edition! A defense ministry official there is claiming Pokemon GO was some kind of Western spy tool. Apparently, a lot of Pokemon were hanging out near a military runway. Listen. Iām just trying to catch that rare shiny Pokemon, not your military secrets.
This isn't the first Pokemon-related paranoia. Russia, Indonesia, Kuwait, and Egypt all got their Pokeballs in a twist over the game back in the day. China still has it banned, though plenty of players have found ways around that. (read more)
Some security folks from watchTowr Labs got bored during Black Hat and decided to poke around WHOIS servers. They noticed the .mobi domain had switched its WHOIS server, so they snagged the old expired domain for 20 bucks. Turns out, that was a goldmine.
Millions of systems were still querying this old domain, including big-name security companies, government agencies, and even certificate authorities. The watchTowr team set up their own WHOIS server and started getting flooded with queries.
If they were bad guys, they could've potentially messed with TLS/SSL certificates for major domains like google.mobi or microsoft.mobi. (read more)
Miscellaneous mattjay
Thanks for your email! Unfortunately, I have filled my pockets with stones and am making my way to the sea.
ā Katie Rich (@katiemaryrich)
6:48 PM ā¢ Sep 8, 2024
OpenAI just released its new AI model, OpenAI o1 (internally known as Project Strawberry/Q*)
The wait is finally over.
Here's the model coding an entire video game from a prompt š¤Æ
The model can think before it answers and is better at math and programming challenges.
Theā¦ x.com/i/web/status/1ā¦
ā Rowan Cheung (@rowancheung)
5:20 PM ā¢ Sep 12, 2024
Founder mode.
ā Bojan Tunguz (@tunguz)
1:00 PM ā¢ Sep 12, 2024
How'd I do this edition?It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week. |
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay