Read Time: 5 minutes

Howdy friends!

Slow news week eh? Weakness of a weekly newsletter, sometimes breaking news feels like an eternity ago. Can you believe CrowdStrike happened since the last Vulnerable U? I barely want to cover it in this one since it has been covered to death.

I spent a bunch of time setting up a new home for Vulnerable U btw, so if you’re reading this on the web you’ll notice it has a shiny new domain. This is the first week of VulnU.com - I plan to structure the site a bit differently since this has really taken off way more than my blog on mattjay.com and become it’s own thing.

Stay tuned for some more launches and announcements in that vein soon. We’ve got some more stuff coming to bring the "Mental Health in Tech” content back to the newsletter that has been lacking for a few months.

ICYMI

🖊️ Something I wrote: I’ve been talking to some younger folks about their careers lately so wanted to resurface this piece I wrote about Finding Your Moat.

🎧️ Something I heard: My buddy John Hammond was on CNN! Love seeing the homies succeed. Go John go!

🎤 Something I said: Got to talk to Brian over at Impart about the future of AppSec and API Security. Was a really good one going through history of WAFs and where we see it all going. Check it out!

🔖 Something I read: This piece on Age Gating social media for kids mental health. A line: “If we want the platforms to make their products safe for children, we need to change the incentives — force them to bear the cost of their damage.”

Vulnerable News

Anyone can Access Deleted and Private Repository Data on GitHub

I held a meetup a few months ago where Dylan, the founder of Truffle, came and gave an off the books talk on this one - and now it’s public. TL;DR - Nothing is ever deleted on GitHub.

Accidentally pushed an API key or some other secrets? Thought you deleted it and wrote over the commit history so it wouldn’t show up? Too bad, it is accessible. He has found some even worse stuff than API secrets in there while looking. Like certain AI companies training data sets they accidentally pushed. Anyway, Truffle does awesome stuff and go dive down this crazy rabbit hole, especially if you use GitHub. (read more)

Exploiting CheckPoint security appliances (CVE-2024-24919)

Gosh I love the hacker community. So CheckPoint puts out a CVE but with no real bug details. Just says hey you gotta patch because this is under active exploitation. So what do the researchers do? A reverse engineering patch diff!

The patch is on the right. In the comments it mentions path traversal. So guess what they went and found?

By manipulating the file paths in HTTP requests, attackers can read arbitrary files on the system, including critical ones like the shadow password file. This means any attacker could potentially access highly sensitive data, which is far more severe than Check Point’s advisory suggests. (read more)

KnowBe4 Hired a North Korean spy without knowing it

mattjayy

View more on Instagram

This is a wild one. Glad they caught it so fast and were transparent with us about it all. (read more)

CrowdStrike offers a $10 apology gift card to say sorry for outage

I honestly thought this was fake when I read it so I didn’t repost it anywhere. Then I noticed it was Lorenzo at TechCrunch who reported and though hmm that seems legit. Then I talked to some customers who got the email. This is just a bad look.

Contrast this with the actually legitimately awesome apology by their CSO Shawn Henry - https://www.linkedin.com/posts/shawn-henry-372bb74b_on-friday-we-failed-you-and-for-that-im-activity-7220983915421806592-VhPP/ Some highlights:

“On Friday we failed you, and for that I'm deeply sorry. I’ve been in my professional life for almost 40 years, and my North Star has always been to “protect good people from bad things.” …

But this pales in comparison to the pain we've caused our customers and our partners. We let down the very people we committed to protect, and to say we’re devastated is a huge understatement. …

I, and the entire company, take that personally. Thousands of our team members have been working 24/7 to get our customer systems fully restored. The days have been long and the nights have been short, and that will continue for the immediate future. But that is part of the promise we made to all of you when you put your trust and protection in our hands.”

This coming in the wake of what I’m reading is going to be billions in damages. Reuters: Fortune 500 firms to see $5.4 bln in CrowdStrike losses, says insurer Parametrix - and they added: “financial losses globally from the outage could total around $15 billion”

It’s usually cool when genpop is talking about cybersecurity, it wasn’t that cool this week was it? (read more)

APT45: North Korea’s Digital Military Machine

Mandiant dropping a new report on APT45 out of North Korea. Some seriously concerning things in this report about shifting of tactics. NK has long been focused on espionage mostly against South Korea. It seems they’re becoming more financially motivated and even getting more brazen against critical infrastructure. They share an example of a hack of a nuclear power plant in India.

Some quotes that stand out is that there is no ethics considerations here, if dictator says he wants blueprints for missiles, somebody goes and gets them. Now they’re becoming more financially motivated and even targeting hospitals, this will be a growing concern. NK backed ransomware will be a thing if this all is right, and no 3 letter agency will be able to go impact that at all. (read more)

Walsall teenager arrested in joint West Midlands Police and FBI operation

Another alleged Scattered Spider member went down for the string of hacks last year, culminating in the MGM and Caesars ransomware. The kid is 17 years old. The arrest follows the apprehension of a 22-year-old member in Spain. Ransomware groups proving to be filled with young European men. (read more)

Data breach exposes US spyware maker behind Windows, Mac, Android and Chromebook malware

Stalkerware gets hacked again. I’d say it couldn’t happen to better companies but the real victims are the folks that were being spied on. Because now not just the people spying on them have that info, so do these hackers. Also the CEO found out about the breach when the reporters at TechCrunch reached out to him for comment… Woof. (read more)

Meta Removes 63,000 Accounts Linked to Sextortion Scammers (Trigger alert: self harm)

That is a lot of bots. Tens of thousands accounts taken down traced back to a Nigerian scam group. They were busy tricking men that they were young girls and hitting on them. There were scripts that they followed to get the men to send them explicit pictures. Once they got them they’d flip the script and threaten to share all of those photos with the victim’s family and friends if they didn’t pay them. This caused many of them to commit suicide or otherwise self harm, which I’m sure raised the stakes for Meta to thwart this operation. Kudos on the takedown. (read more)

New Chrome Feature Scans Password-Protected Files for Malicious Content

Cool feature Google. Scanning encrypted and password protected files. (read more)

Critical ServiceNow RCE flaws actively exploited to steal credentials

Threat actors are exploiting critical RCE flaws in ServiceNow to steal credentials from government and private organizations. Discovered by Assetnote, these flaws (CVE-2024-4879, CVE-2024-5178, CVE-2024-5217) allow attackers to chain vulnerabilities for full database access, with exploits quickly surfacing on GitHub. ServiceNow released hotfixes on July 10, 2024, but many systems remain vulnerable. (read more)

French police push PlugX malware self-destruct payload to clean PCs

I always love the ol’ good guy hack. This can really only be done by governments or law enforcement since any hacking is illegal, but here is an operation where French officials used a malware payload to kill a malicious malware infection. I remember some botnet researchers back in the day needing to jump through crazy hoops to not actually hack a botnet to take it down and had to cleverly sinkhole it since they couldn’t do what the police did here. Always fun to read about. (read more)

Simple ‘FrostyGoop’ malware responsible for turning off Ukrainians’ heat in January attack

A newly discovered malware named FrostyGoop has been identified as responsible for a cyberattack that cut off heat to 600 buildings in Lviv, Ukraine, during a severe winter freeze. The malware manipulated temperature readings in the heating utility's control systems. This attack marks the first confirmed instance of malware directly sabotaging a heating utility. The hackers had infiltrated the network months earlier via a MikroTik router vulnerability. (read more)

Network of 3,000 GitHub Accounts Used for Malware Distribution

GitHub deals with the misuse of their platform a lot for people either distributing malware or using it as a C2 (Command and control of botnets). This case was fairly sophisticated, though, as there were over 3,000 GitHub accounts that were working on hundreds of repos in order to increase their legitimacy. They starred, forked, contributed to, and otherwise interacted with the repos so that the victims would land on them and they would seem legit.

They then used these legit seeming repos to very successfully fool lots of people to download malware. So successful that they started selling access to this distribution mechanism, Distribution as a Service. Basically, having other malware authors pay them to deliver their payloads very convincingly. (read more)

Miscellaneous mattjay

Honestly, is Zuck wrong?

Hope everyone printed some overtime from all of this.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay