Read Time: 8 minutes

Howdy friends!

Got absolutely whacked the past week and have been really down for the count. Take your mental health seriously y’all, or it’ll force you to. I luckily had some solid incident response and am back on the rails. My lesson learned: be more proactive, less reactive.

Just in time for the hottest days of 2024 here in Texas, we’re getting absolutely cooked. Heat index 115, it’s like Vegas but with humidity for all who just got home from there. I’m still catching up on talks and research that came out that week, so much good stuff. Hope you all are recovering and can remember what you do for a living.

Anyone else get back from a week off, sit at your computer, and just forget what the hell to do with your hands? Yeah me either.

ICYMI

🖊️ Something I wrote: Was talking about the loneliness epidemic on a podcast the other day, resurfacing some thoughts I wrote about it.

🎧️ Something I heard: Heard how Samy Kamkar used a laser to listen to keystrokes

🎤 Something I said: Gave a summary of a Defcon talk where a researcher hacked some scammers back and is exposing them.

📣 Something you’ll find cool: I love Tines. I made a video showing how they enable a layered defense to phishing. Also check out this webinar with me where they’ll go over some automations with Cribl and Elastic.

🔖 Something I read: Some thoughts from my homie Keith Hoodlet on staying technical while getting into leadership.

Vulnerable News

Hardware backdoors found in Chinese key cards

I’m not sure why this one hasn’t been a bigger story. Turns out millions of RFID cards have a backdoor in them.

Quarkslab researcher Philippe Teuwen found that cards made by Shanghai Fudan Microelectronics (a big Chinese chip maker) can be cloned instantly if you know the trick.

This isn't just a China problem - these cards are used all over the US, Europe, and India. “Many are probably unaware that the MIFARE Classic cards they obtained from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we found these cards in numerous hotels across the US, Europe, and India.” (read more)

Hackers steal banking creds from iOS, Android users via PWA apps

Here’s a nasty new technique. Progressive Web Apps (PWA) are a kind of middle ground between App Store and mobile browser site. You’ve probably interacted with a few of these without knowing. They get some native app permissions and capability without all the App Store scrutiny and work cross platform between iOS and Android.

Wait. Permissions? Without scrutiny? I’m shocked scammers have latched onto this. So they’re making banking apps that look a whole lot like the real thing and the hard part is just getting people to install their PWA. They’ve been doing this by social engineering or malvertising offering a fake monetary reward as a promotion for users to download the new version of their banking app. They then of course steal the creds and also can monitor a lot of other information on device. Article has way more screenshots of the attack chain that are super interesting, but hope your Polish good. (read more)

Oil Giant Halliburton Confirms Cyber Incident, Details Scarce

I heard mumblings of this one but I’m glad some news went public before I sent this week’s letter. If little ol’ me heard mumblings, I’m assuming this one is going to be rather large. Smells like ransomware, but that is speculation. Reuters is reporting some localized office issues as well as some global connectivity. We’ll see but keep an eye on this one! If it is ransom, I expect the demand will be rather large. (read more)

National Public Data Published Its Own Passwords

Remember the 14 Trillion SSNs that got breached last week? (Don’t quote me on that number, but its directionally correct) - Well it seems that an NPD record broker just left all their passwords out in the open. “Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and password for the site’s administrator.”

“The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.”

I get that companies this small don’t have big security teams or budgets, but it’s hard not to pass a bit of judgment when you’re handling that much data that is THAT sensitive. (read more)

US Lawmakers Want Investigation Into TP-Link Over Chinese Hacking Fears

Looks like TP-Link is the latest Chinese tech company in the crosshairs of US lawmakers. Representatives from both sides of the aisle call on the Commerce Department to investigate potential security risks in TP-Link routers. Their main concern is that these devices could be an easy target for Chinese state-sponsored hackers to infiltrate US systems.

The lawmakers are citing the recent Volt Typhoon attacks as an example, even though those primarily targeted Cisco and Netgear routers, not TP-Link. They also point to a Check Point report about a Chinese APT creating malicious firmware for TP-Link routers. Interestingly, TP-Link recently split into two entities, with TP-Link Corporation now based in Singapore and the US. But given the US's history of banning Chinese tech over security concerns (looking at you, Huawei), this could be the start of a lot of troubles for TP-Link in the American market. (read more)

SolarWinds left critical hardcoded credentials in its Web Help Desk product

SolarWinds is back in the news, and not in a good way. They left hardcoded credentials in their Web Help Desk product, potentially allowing unauthenticated remote attackers to log in, access internal functionality, and modify sensitive data. This critical flaw (CVE-2024-28987) affects all versions up to 12.8.3 HF1 and scored a 9.1 on the CVSS scale.

Given SolarWinds' customer base in government and enterprise sectors, this is a big deal. They've released a hotfix (12.8.3 HF2), but it requires manual installation. If you're using WHD, you might want to prioritize this patch before we have another... well, SolarWinds situation. Oh, and while you're at it, there's another critical WHD flaw (CVE-2024-28986) that CISA added to its Known Exploited Vulnerabilities list last week. (read more)

Man Who U.S. Says Faked Death to Avoid Child Support Gets 81 Months in Prison

I saw some articles calling this guy a hacker so I was interested. It seems he just stole some doctor’s creds, so not exactly going to be wearing a Guy Fawkes mask but still a crazy story.

“According to federal prosecutors, the man, Jesse Kipf, 39, of Somerset, Ky., hacked into the Hawaii Death Registry System in January 2023 with the username and password of a doctor living in another state to create and certify his own death certificate.”

They also found searches for “California child support arrears father died” and “Remove California child support for deceased” on his laptop. Turns out you should just pay your child support. (read more)

How the ransomware attack at Change Healthcare went down: A timeline

We covered this hack extensively when it happened here on the newsletter. If you missed all that, it is one of the largest ransomware attacks of all time and it took down the payments backbone of an enormous percentage of the healthcare industry.

This is a great post with a lot more information now that we’re on the other side of most of it and it breaks it down into a full timeline of events. (read more)

Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control

Looks like Velvet Ant, one of our friendly neighborhood Chinese hacker groups, found a shiny new toy to play with. They've been exploiting a zero-day in Cisco switches (CVE-2024-20399) to gain system control and drop some custom malware. Cisco patched it up last month, but after some active exploitation in the wild.

These guys are getting craftier - they're moving from Windows systems to legacy servers and network devices to stay off the radar. Their latest trick? Breaking into Cisco switches, doing some recon, and then deploying their VELVETSHELL backdoor. It's a mashup of open-source tools that lets them run commands, transfer files, and proxy traffic. (read more)

Microsoft’s Recall AI feature won’t be available for Windows testers until October

Oh did you think Recall was going away forever? If you don’t remember, this is the feature Microsoft announced on new Copilot machines that will record everything you do on your screen at all times and make it recallable by an AI chat interface. “Hey what did Jill ask me to do in that Slack DM last week?” kind of functionality.

Well it also would grab all sorts of sensitive information and store it in a local database that upon breach could be easily snagged instead of having to bring your own keylogger or anything like that. So privacy and security folks got up in arms about it. This forced them to push back release from June until October, but I’m excited to see first look at it. I think Microsoft will have thrown a lot of effort after the massive PR nightmare and might’ve come up with some interesting solutions to this one. But I may be too optimistic. (read more)

CrowdStrike hits out at rivals’ ‘shady’ attacks after global IT outage

Oh boy was there a lot of ambulance chasing on CrowdStrike after their incident. I saw a lot of their competitors on LinkedIn basically saying it would never happen with them. I personally hate that kind of thing and I saw some other people in the industry having conversations about the incident without kicking CS while they were down. Also respect the CS leaders for still heading to Vegas and getting on stage in front of the community, I think it really helped their perception. Not sure many would’ve been brave enough to do the same while feeling al that heat. (read more)

‘No warning, no heads up’: Hundreds of Subway employees blindsided, left without final paychecks after sudden closures

It’s not often hacks actually cause a company to close up shop. In this case, a franchise owner of 23 Subways was hacked, their bank account drained, which forced them to shut their stores. Over 200 people showed up for work one day and the businesses were just no longer operating. The owner said she couldn’t order food from the supplier. This just sucks. Seems hacks aren’t FDIC insured and this was a complete draining so there was just no backup account to keep things going. (read more)

Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild

When they say “actively exploited in the wild” I listen. And I think you should too. All we got on details is: "Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page" - Thats enough for me! Run them updates folks. (read more)

Miscellaneous mattjay

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay