🎓️ Vulnerable U | #054

Google Eng stole AI secrets for China, Giant US Healthcare Payment System still down weeks later from ransomware, ALPHV took the money and ran, TikTok close to being banned, Cyber pros are turning to crime and giving up on CISA, Predator Spyware Report and sanctions, and more!

Read Time: 9 minutes

Howdy friends!

I hope the Spring Break season is going well. The only wet T-shirt contest I’ve got going on is how regularly I immediately spill my coffee on myself if I wear white. I swear the lighter the shirt, the more magnetized it is to my drinks. Newton’s 5th law had something to do with if I wore white, Mom cooked spaghetti.

Anyway, if you’re going somewhere fun, send me pictures so I can live vicariously.

You may have noticed I’ve started attracting some newsletter sponsors. It would mean the world to me if you’d check them out, as they help support all this work I put in every week. This week’s sponsor, Prowler, has over 9k stars on GitHub and seems like a great tool for you AWS security heads out there!

ICYMI

🖊️ Something I wrote: It is ironic, but I constantly have to remind myself to practice mindfulness. It's so easy to fall out of it. I come back to my guide on it often.

🎧️ Something I heard: Luxury isn’t about price. It’s about getting exactly what you want. One of my favorite lines in the conversation between Sam Parr and Shaan Puri. This particular episode of My First Million was too good not to share.

🎤 Something I said: The comment section on this video, where I discuss the Change Healthcare ransomware, is full of real-life people who have been impacted by it.

🔖 Something I read: This article on how you can be tracked via ad networks on many mobile apps is insane. You need to read this. It’s incredibly important to understanding your privacy. It is also an entire book that just came out, and I’m looking forward to getting into it.

📣 Sponsor

Open Cloud Security with Prowler SaaS CSPM

Break free from expensive, complex, and closed security solutions. 

With Prowler SaaS, enjoy the freedom and transparency of an open-source core with an easy-to-use and powerful CSPM SaaS solution.

Try Prowler SaaS for free and join thousands of engineers in the Open Cloud Security Movement.

Vulnerable News

This one should raise eyebrows for those of us working for high-profile companies. I shared this article and found some statistics that estimate that 1 in 500 tech employees is compromised. It wasn’t immediately clear to me in this case if Google found them or if .gov spotted it first, but some folks with better reading comprehension than me spotted in the indictment that it was Google who caught the data leakage.

The investigation found that the spy stole info on chip designs and AI systems. This was all discovered after his resignation, and that’s when the FBI got involved. He was already working as a CTO of an AI company in China. (read more)

We’ve covered this for a few weeks now. It just keeps getting worse. Who the hell knew this company was so load-bearing on all health care payments? At first, it seemed like the hardest hit was folks trying to get their drugs from pharmacies.

Now, I’ve made a few videos on this that got quite a bit of attention, and the comments section is full of ripple effects I hadn’t considered. MANY small practice therapists or family medicine pros who are close to having to go out of business since they haven’t been paid in weeks.

Folks who work in any medical care billing department are writing me in nothing short of a depressed panic that this has been the hardest time in their career. A lot of people have strong feelings about money when it comes to healthcare, especially in the U.S., but all of those aside, this seems to have absolutely crippled the system.

One ransomware attack on a company many had never heard of shouldn’t bring this much healthcare infrastructure to its knees. Hug Ops to all those responding to this incident and any healthcare workers on the front lines trying to navigate. I also hope anyone who hasn’t been able to get their necessary meds has been able to figure out a workaround. (read more)

This one also got bananas because ALPHV/Blackcat took this $22 mil from someone, presumably Change Healthcare, and ran. At first, they said, "Everything is off, we decide," and "GG." Then, they put up an FBI seizure page that was found to be fake. vx-underground has a great summary:

The money trail is interesting on this one! (read more)

It looks like this time might be a bit more real? Casey at Platformer gives us 3 reasons why he thinks this time is different: the unprecedented speed with which the bill passed out of the House Energy and Commerce Committee, the bipartisan support it has garnered along with active cooperation from the Biden administration, and TikTok's own significant concern and lobbying efforts against the bill, indicating the company perceives a real and substantial threat to its operation in the U.S.

I can go either way on this one. I’m a fan of the app, but obviously if there are things ByteDance has done counter to the U.S. agenda in favor of China, I’d understand the reaction. Based on the data I’ve seen, an outright ban seems a bit much. Google has been caught doing similar things, but not for another nation.

There are also some major First Amendment concerns about suppressing speech on an entire platform.

Where do you stand on this ban? Reply to this email or write me on Twitter. (read more)

“Disgruntled cybersecurity workers, including code developers and AI experts, are offering their services on the dark web for extra cash. On top of that, other professions whose work may have been jeopardized by machine learning are also hiring themselves out to criminals.”

This used to be a hot topic when bug bounty programs were fairly new. I’d hear it all the time that we had to offer the hackers enough money to make the trade-off of doing the illegal thing with the vuln not worth it. If the 0day could fetch 7 or 8 figures on the dark web, we have to offer a fair rate, not a T-shirt, sticker, and a high five.

Well, it seems like economics is at it again. Between layoffs, the escalating value of cyberattacks, and the AI wave, folks are seeking extra income for their skills.

This one got me: “I’m a voice actor,” reads one. “I can help with jobs that require making calls, I can act like a loan applicant to get loans secured, I can also act like an employee of a bank, phone company, etc and [...] conduct social engineering ops.”

The actor adds: “Legit voice acting work has slowed down for me, and I need to raise capital urgently. Let’s work. I have an American accent.” (read more)

CISA has been working to collaborate with the private sector for a few years now. It seems those of us on the private side don’t feel like we’re getting much out of it, and if anything, a bigger target is being painted on us because of it. CISA also got caught up in a ton of the Trump 2020 election fraud claims, which attracted some more extreme types who were drooling for people to attack and blame.

“We absolutely need this type of collaboration,” said a senior threat analyst at a half-billion-dollar security firm, who like others interviewed for this story was granted anonymity as a condition of speaking candidly on the matter. “But right now, CISA, JCDC, is a dumpster fire.”

It goes on…

“Three Stanford University researchers who helped CISA address disinformation have faced legal challenges and online harassment. In December, the CTI-League’s founders, including Rogers, received death threats after media reports claimed they helped hone CISA’s alleged censorship strategy — a charge the group denies.” (read more)

A sophisticated phishing campaign dubbed "CryptoChameleon" is making headlines for its targeted attacks against FCC employees and prominent cryptocurrency platforms, including Binance, Coinbase, Kraken, and Gemini. These cybercriminals leverage a highly convincing phishing kit to orchestrate a multi-faceted social engineering assault that mimics official communication channels to deceive victims into surrendering sensitive information.

These kits are getting scary good and easier to deploy. They’re indistinguishable from legit sign-on pages like Okta and Google. They even interact with the victim in real time, so even after taking the credentials, they’ll give an MFA prompt and the legitimate destination post login, making it harder for victims to even realize they were just phished.

Researchers at Lookout have evidence suggesting over 100 victims in this campaign. Roll your YubiKeys, sports fans. (read more)
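The reason a hardware key beats a real-time relay kit like the one described above is origin binding: the browser puts the page origin and the server's challenge into clientDataJSON, and the authenticator signs over it, so a credential captured on a look-alike page is rejected by the real site. The following is an added illustration of those relying-party checks (not code from Lookout or the original post); the RP ID, origin, and sample values are constructed.

```python
import base64
import hashlib
import json

# Assumed relying-party settings for this illustration (constructed).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: str) -> str:
    """Checks a relying party applies to a WebAuthn assertion before signature
    verification. The signature covers authenticator_data || sha256(client_data_json),
    so none of these fields can be rewritten by a proxy sitting between victim and site."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return "reject: wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return "reject: challenge mismatch (replay)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return "reject: origin mismatch (phishing relay)"
    # First 32 bytes of authenticatorData are sha256(rpId).
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    return "accept"


def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed sample of what the browser produces for the page it is on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def demo() -> dict:
    challenge = b64url(b"constructed-random-challenge-bytes")
    # rpIdHash + flags byte + 4-byte sign counter (constructed).
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x07"
    legit = check_assertion(make_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge)
    # A victim on a look-alike page: the browser records that page's origin, not ours.
    relayed = check_assertion(make_client_data("https://login-example.com.invalid", challenge),
                              auth_data, challenge)
    replay = check_assertion(make_client_data(EXPECTED_ORIGIN, b64url(b"old")), auth_data, challenge)
    return {"legit": legit, "relayed": relayed, "replay": replay}
```

Contrast this with a TOTP code or push approval, which carries no origin at all and so relays cleanly through the kit.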

The whole PDF of this report is worth the read - https://go.recordedfuture.com/hubfs/reports/cta-2024-0301.pdf

If you’ve read for a while, you know I’m a sucker for a good “unique pile of data” meets “detailed report and data visualization.” It’s the peanut butter and chocolate of infosec reading for me. This one dives into some hard data about the Predator Spyware Ops, including counterterrorism efforts but also targeting civil society.

If you’ve followed the Citizen Lab stuff on Pegasus, this will also be of interest for you. (read more)

We can’t be this easy to trick. This is rough. In the same week that the other Air Force member leaked Top Secret info in his gaming Discord channel, we have someone else falling for some very fake people on a dating site convincing him to send state secrets. (read more)

We are Passkey fans here at Vuln U, and this post does a fantastic job breaking down what they are and introducing implementation considerations to make sure you get it done right. It also breaks down the tradeoffs you make for passkeys vs. hardware tokens, and the great leap you make from passwords. (read more)

I’m still a cloud security nerd at heart even as my day job has moved a bit away from it. This goes through all the major cloud providers and techniques that have been seen in the wild for lateral movement. Oftentimes we hyperfixate on indicators of compromise and initial access points, which I understand, BUT once an attacker is in, they don’t get an invisibility cloak. Watching for lateral movement and intelligently alerting is key.

A friend of mine once told me something that stuck: “Any sufficiently sophisticated attacker will be indistinguishable from a privileged insider.” Plan accordingly. (read more)

How can you not love a blog that includes a section called: Executing code and pwning pipelines

And sums up with a line like this: “By adding a few lines to a Terraform state file, you can take over a deployment pipeline. In most environments, that’s worse than modifying code because it’s silent but has the same implications. If an attacker can modify the Terraform state file it’s game over and bad times ahead.”

Pipeline attacks are sneaky and a good thing to learn about. Check it out! (read more)

Great conference put on by great people, most of whom are personal friends of mine. It also happens to be in Hawaii if you’re looking for an excuse to get out there. They’re actively looking for talks, so go submit one!

The LinkedIn post here is good but their report is also worth the read - https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence

TTPs, Vuln details, attribution, and more! I’m a sucker for a good threat actor report. (read more)

Miscellaneous mattjay

I love this so much, being a Northeasterner.

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay