🎓️ Vulnerable U | #072

Heritage Foundation Project 2025 Hack, DoJ busts Russian AI Bot Farm, Ticketmaster Hackers leak barcodes, RADIUS protocol bypassed, Microsoft Midnight Blizzard Breach update, and more!

Read Time: 7 minutes

Howdy friends!

I’ve had an unusually high number of super forward-thinking security conversations this week. This is mostly thanks to a great local network of friends in the industry. I went to a meetup on Tuesday that was for cybersecurity founders, and it was incredibly fun chatting about where we all see things going. It also helps that the crew is fantastic people.

I also got to record a few podcast episodes with friends this week and just love the ability to share and learn like this. Highly recommend you build and maintain a trusted network; it has paid dividends for me.

ICYMI

🖊️ Something I wrote: I’m feeling the build vs. buy sine wave of pain. I posed some questions and shared some thoughts on LinkedIn.

🎤 Something I said: We’re on a bit of a roll with LiquidMatrix Security Digest.

📣 Something you’ll find cool: I know I can’t stand filling out security questionnaires for vendors; Vanta is now automating that*

🔖 Something I read: Justin Gardner (aka Rhynorater) put out a “How to go Full-Time in Bug Bounty” guide. He’s one of the GOATs in the space.

*Sponsored

📣 Sponsor

To AI Customers, Trust Is Everything.

If you’re building or selling AI-powered products, demonstrating top-notch security practices and establishing trust is more important than ever.

With Vanta, you can quickly and easily demonstrate compliance with gold-standard AI frameworks like ISO 42001 and NIST AI RMF. Prove secure AI deployment, build customer trust, and accelerate your sales cycle.

Plus, with Vanta’s Questionnaire Automation, you can automate your responses to lengthy security questionnaires about your security posture and AI practices.

Ready to showcase your AI's safety and reliability? Start now.

Vulnerable News

In a contender for the best headline I’ve ever read, gay furry hacktivists came out with a bunch of politically motivated data leaks this week, mainly aimed at the Heritage Foundation, which is behind Project 2025. The chairman of Heritage then proceeded to threaten the hacking group, SiegedSec, and they promptly released that conversation as well. They then, apparently feeling the pressure, disbanded their hacking crew. Whew! A lot to unpack here.

As other people started going through the leak and analyzing it, it also appears that a portion of the people posing as legitimate US citizens were actually connecting from Asian IP addresses. Important note: Heritage’s corporate network wasn’t hacked; this was a WordPress blog’s worth of data, contributors, and comments.

VX Underground has a great summary as well: https://x.com/vxunderground/status/1811467517774397766 - (read more)

Here is a great Twitter thread breaking this one down: https://threadreaderapp.com/thread/1810720241959456883.html

In a significant operation, the U.S. Justice Department, in collaboration with international and private sector partners, has dismantled a Russian government-operated social media bot farm. This network utilized AI to create fake personas and spread disinformation, aiming to influence public opinion and sow discord in the U.S. and abroad. The FBI seized two domain names and shut down 968 social media accounts associated with this bot farm, which was reportedly developed by the Russian state-run RT news network and operated by the FSB.

The technical details of the operation are fun too. The bot farm used AI to generate realistic social media profiles that appeared to be legitimate U.S. residents. These profiles were then used to disseminate Russian government narratives on platforms like Twitter. The investigation traced the registration of these fake accounts back to email servers associated with the domains “mlrtr.com” and “otanmail.com,” controlled by Russian operatives. The FBI's investigation involved a series of subpoenas that linked these domains to Moscow-based IP addresses and eventually to individuals connected to the Russian government. (read more)

Hackers have leaked almost 39,000 print-at-home tickets for 154 upcoming events, including big names like Pearl Jam, Phish, and Foo Fighters. This is part of an ongoing extortion campaign by the threat actor group 'Sp1derHunters,' who have been targeting Ticketmaster through stolen data from their Snowflake accounts.

The breach began with the download of Snowflake databases from 165 organizations using credentials stolen by malware. In April, the group started selling data, including 560 million Ticketmaster customer records. Despite Ticketmaster’s claims that their anti-fraud technology renders stolen mobile ticket data useless by constantly refreshing barcodes, Sp1derHunters countered by leaking print-at-home tickets, which use static barcodes that can't be rotated. (read more)
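The static-versus-rotating distinction is the whole story here, so here is a constructed illustration (added for this edition; it is not Ticketmaster’s code and does not describe their actual scheme). A print-at-home barcode is modeled as a fixed value derived once per ticket; a mobile barcode is modeled as an HMAC over the current 15-second time window, the way a TOTP code works. The rotation interval, the secrets, the ticket IDs and the timestamps are all made up. One scanner object plays the venue gate, and the scenario is that both barcode kinds leaked three hours before the show.

```python
import hmac
import struct

STEP_SECONDS = 15       # assumed rotation interval (constructed; vendors pick their own)
CLOCK_SKEW_STEPS = 1    # tolerate one interval of clock drift either way


def static_barcode(ticket_id, issuer_secret):
    """Print-at-home style: one value fixed at issue time, replayable forever."""
    return hmac.new(issuer_secret, ticket_id.encode(), "sha256").hexdigest()[:16]


def rotating_barcode(ticket_id, ticket_secret, now):
    """Mobile style: an HMAC over the current time window, so a screenshot
    taken now is worthless once the window has passed."""
    window = now // STEP_SECONDS
    mac = hmac.new(ticket_secret, ticket_id.encode() + struct.pack(">Q", window), "sha256")
    return window, mac.hexdigest()[:16]


class Gate:
    """Venue scanner. Remembers which ticket IDs it has already admitted."""

    def __init__(self, issuer_secret, ticket_secrets):
        self.issuer_secret = issuer_secret
        self.ticket_secrets = ticket_secrets   # ticket_id -> per-ticket secret
        self.admitted = set()

    def _admit_once(self, ticket_id):
        if ticket_id in self.admitted:
            return "already-admitted"
        self.admitted.add(ticket_id)
        return "admitted"

    def scan_static(self, ticket_id, code):
        if not hmac.compare_digest(code, static_barcode(ticket_id, self.issuer_secret)):
            return "forged"
        return self._admit_once(ticket_id)

    def scan_rotating(self, ticket_id, window, code, now):
        if abs(now // STEP_SECONDS - window) > CLOCK_SKEW_STEPS:
            return "expired"
        _, expected = rotating_barcode(ticket_id, self.ticket_secrets[ticket_id], window * STEP_SECONDS)
        if not hmac.compare_digest(code, expected):
            return "forged"
        return self._admit_once(ticket_id)


def demo():
    """Constructed scenario: both barcode kinds leak at leak_time; doors open 3 hours later."""
    issuer_secret = b"constructed-issuer-secret"
    ticket_secrets = {"T-2002": b"constructed-per-ticket-secret-2002"}
    gate = Gate(issuer_secret, ticket_secrets)
    leak_time = 1_720_000_000
    show_time = leak_time + 3 * 3600

    stolen_static = static_barcode("T-1001", issuer_secret)
    stolen_window, stolen_rotating = rotating_barcode("T-2002", ticket_secrets["T-2002"], leak_time)

    results = {}
    # A leaked static barcode is a bearer credential: the first scan wins.
    results["attacker_static"] = gate.scan_static("T-1001", stolen_static)
    results["owner_static"] = gate.scan_static("T-1001", stolen_static)
    # A leaked rotating barcode is a stale snapshot; the owner's app makes a fresh one.
    results["attacker_rotating"] = gate.scan_rotating("T-2002", stolen_window, stolen_rotating, show_time)
    owner_window, owner_code = rotating_barcode("T-2002", ticket_secrets["T-2002"], show_time)
    results["owner_rotating"] = gate.scan_rotating("T-2002", owner_window, owner_code, show_time)
    return results


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner wants: rotation only helps if the per-ticket secret was not part of what leaked. If the attacker holds the secret, they regenerate codes exactly like the owner’s app does, and you are back to first-scan-wins.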

Let’s dive into the latest fiasco from mSpy, the spyware app that markets itself as a tool for parents and employers but often gets used for more nefarious purposes. A recent breach exposed millions of mSpy’s customer service records dating back to 2014. Attackers accessed their Zendesk-powered support system, stealing sensitive information, including personal details, emails, and attachments like personal documents. This breach is pretty big, measuring in at over 100 gigabytes of data.

The attackers exploited a misconfigured Elasticsearch database, which was left without authentication, to access mSpy’s entire support history. This included emails from high-profile users like senior-ranking U.S. military personnel and a federal judge. The dataset even revealed inquiries from U.S. law enforcement looking to use mSpy for investigations. This breach not only compromises the privacy of mSpy’s customers but also exposes the sensitive operations of its users. For a company that profits from surveillance, this level of oversight is both ironic and deeply concerning. (read more)

Blast-RADIUS combines a protocol-level weakness (CVE-2024-3596) with an MD5 chosen-prefix collision. An attacker sitting between a RADIUS client and server can turn the server’s Access-Reject into an Access-Accept, or insert arbitrary protocol attributes, without brute-forcing or stealing any credentials, which is enough to hand themselves admin access to the device the RADIUS client is guarding. The root cause is that the Response Authenticator is an unkeyed MD5 over the packet with the shared secret merely appended as a suffix, so a collision on the attacker-controlled part of the packet carries over to the secret-bearing part. EAP flows are not affected, since they already require the Message-Authenticator attribute; PAP, CHAP and MS-CHAP over plain UDP are. The fix vendors are shipping is to require Message-Authenticator (an HMAC-MD5 keyed with the shared secret) on every Access-Request and every response, and, where you can, to move RADIUS off UDP onto TLS or DTLS.

For those of us who aren’t network protocol people, RADIUS (Remote Authentication Dial-In User Service) is WIDELY used. Switches, routers, cellular infrastructure, VPN devices, and a ton more use it. I also just can’t believe MD5 keeps rearing its head. (read more)
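To make the Response Authenticator versus Message-Authenticator difference concrete, here is an added example (mine, not from the Blast-RADIUS paper or any vendor) that builds a RADIUS response the way RFC 2865 and RFC 2869 describe, then checks it the way a client should after the patch. The collision itself is not reproduced; the point is that the keyed HMAC check rejects a tampered Code byte regardless of what happens to the unkeyed MD5, and that a strict client refuses any response that lacks the attribute at all. The shared secret, identifier and reply text are constructed.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_REPLY_MESSAGE, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 18, 33, 80
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, counts the two header bytes) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def _header(code, ident, length, authenticator):
    return struct.pack("!BBH", code, ident, length) + authenticator


def build_response(code, ident, request_auth, attrs, secret, add_message_authenticator=True):
    """Server side: build Access-Accept/Reject/Challenge for the request carrying request_auth."""
    attrs = list(attrs)
    if add_message_authenticator:
        # RFC 2869 5.14: HMAC-MD5(secret) over the packet with the attribute value
        # zeroed and the Authenticator field holding the *request* authenticator.
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
        body = encode_attrs(attrs)
        mac = hmac.new(secret, _header(code, ident, HEADER_LEN + len(body), request_auth) + body, "md5")
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac.digest())
    body = encode_attrs(attrs)
    length = HEADER_LEN + len(body)
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    # The secret is only a suffix of an unkeyed MD5; that is the property Blast-RADIUS abuses.
    response_auth = hashlib.md5(_header(code, ident, length, request_auth) + body + secret).digest()
    return _header(code, ident, length, response_auth) + body


def response_authenticator_ok(pkt, request_auth, secret):
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(pkt[4:HEADER_LEN], expected)


def message_authenticator_ok(pkt, request_auth, secret):
    """True only if a Message-Authenticator attribute is present and verifies."""
    offset = HEADER_LEN
    for t, v in parse_attrs(pkt[HEADER_LEN:]):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return False
            zeroed = pkt[:4] + request_auth + pkt[HEADER_LEN:offset + 2] + bytes(16) + pkt[offset + 18:]
            return hmac.compare_digest(v, hmac.new(secret, zeroed, "md5").digest())
        offset += 2 + len(v)
    return False


def verify_response(pkt, request_auth, secret, require_message_authenticator):
    """Client side. Legacy behaviour trusts the Response Authenticator alone."""
    if not response_authenticator_ok(pkt, request_auth, secret):
        return "bad-response-authenticator"
    if require_message_authenticator and not message_authenticator_ok(pkt, request_auth, secret):
        return "missing-or-bad-message-authenticator"
    return "ok"


def demo():
    secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)           # the client's Request Authenticator
    ident, reply = 0x2A, [(ATTR_REPLY_MESSAGE, b"login ok")]
    legacy = build_response(ACCESS_ACCEPT, ident, request_auth, reply, secret, add_message_authenticator=False)
    hardened = build_response(ACCESS_ACCEPT, ident, request_auth, reply, secret)
    tampered = bytes([ACCESS_REJECT]) + hardened[1:]   # attacker flips only the Code byte
    return {
        "legacy_packet_legacy_client": verify_response(legacy, request_auth, secret, False),
        "legacy_packet_strict_client": verify_response(legacy, request_auth, secret, True),
        "hardened_packet_strict_client": verify_response(hardened, request_auth, secret, True),
        "tampered_message_authenticator_valid": message_authenticator_ok(tampered, request_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

In the real attack the collision blocks ride inside Proxy-State attributes that the server echoes back, so the attacker’s forged Accept ends up with a Response Authenticator the legacy check accepts; the HMAC check above has no such weakness because the secret keys the whole computation rather than trailing it. On the server side the matching control is to refuse Access-Requests without Message-Authenticator and to limit Proxy-State from clients that are not proxies.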

Security researchers at Assetnote have unveiled an exploit chaining together three distinct vulnerabilities to gain complete access to ServiceNow data. This trifecta of flaws includes a misconfiguration, an insecure API endpoint, and a permissions handling issue, making it a critical concern for organizations relying on ServiceNow for IT service management.

By chaining these vulnerabilities, attackers can effectively bypass authentication mechanisms, elevate their privileges, and gain unrestricted access to all data within a ServiceNow environment. (read more)

The Microsoft Midnight Blizzard drama continues. It looks like they’ve sent breach notifications to tenant admin mailboxes, which, per Microsoft’s own guidance, belong to break-glass accounts that nobody should be reading email from.

From Kevin: “The notifications aren’t in the portal, they emailed tenant admins instead. The emails can go into spam - and tenant admin accounts are supposed to be secure breakglass accounts without email. They also haven’t informed orgs via account managers.

You want to check all emails going back to June. It is widespread.” (read more)

Researchers revealed that threat actors exploited a zero-day vulnerability in Windows 10 and 11 for more than a year before Microsoft patched it. The flaw, tracked as CVE-2024-38112, allowed attackers to force Internet Explorer to open despite its having been retired, and to exploit its outdated security to run malicious code. The attackers tricked users by disguising malicious .url files as PDFs, so that Internet Explorer launched when the user opened the file, leading to potential remote code execution. (read more)

I stand with Bob Lord! Ha, I really do enjoy Bob’s realism. Bob is a long time CISO and also a proponent of making sure users aren’t scared of WiFi and are embracing FIDO auth. He also makes a great point here that we have to stop blaming users for breaches when they were just doing their jobs. You know, their daily jobs which include clicking links and downloading attachments in email. Defense in depth! Many other layers of security controls should be in place so that your entire network doesn’t crumble if someone clicks a link. (read more)

Supply chain attacks are just getting more and more frequent. The secret is out: you can get malware into lookalikes of very popular open source packages.

In the most recent example, unknown threat actors have been distributing trojanized versions of jQuery on npm, GitHub, and jsDelivr. This attack, which ran from May 26 to June 23, 2024, involved at least 68 packages with names like cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets. The attackers cleverly embedded malware within the seldom-used 'end' function of jQuery, which is called internally by the popular 'fadeTo' animation utility. (read more)
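The control that catches this class of swap is pinning the bytes you reviewed, not just the version string. Here is an added example (mine, not from jQuery, npm or jsDelivr) that computes Subresource Integrity values, the same `sha384-...` strings you put in a `<script integrity=...>` tag, and checks a vendored file against a manifest recorded at review time. The two file bodies are constructed stand-ins: a fragment shaped like jQuery’s real `end` function and the same fragment with a comment spliced in where the trojan would sit.

```python
import base64
import hashlib
import hmac


def sri_hash(data, alg="sha384"):
    """Subresource Integrity value: '<alg>-<base64 digest>' over the exact file bytes."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def verify_manifest(files, manifest):
    """Return the names whose current bytes do not match the pinned SRI value
    (a missing file counts as a mismatch, since a dropped pin is how drift starts)."""
    bad = []
    for name, pinned in manifest.items():
        data = files.get(name)
        alg = pinned.split("-", 1)[0]
        if data is None or not hmac.compare_digest(sri_hash(data, alg), pinned):
            bad.append(name)
    return sorted(bad)


# Constructed stand-ins for the real files.
OFFICIAL = b"end: function() { return this.prevObject || this.constructor(); },"
TROJANIZED = OFFICIAL.replace(b"return this.prevObject", b"/* injected */ return this.prevObject")


def demo():
    manifest = {"jquery.min.js": sri_hash(OFFICIAL)}   # recorded when the file was reviewed
    return {
        "clean": verify_manifest({"jquery.min.js": OFFICIAL}, manifest),
        "trojanized": verify_manifest({"jquery.min.js": TROJANIZED}, manifest),
        "missing": verify_manifest({}, manifest),
    }


if __name__ == "__main__":
    print(demo())
```

Run the check in CI against `node_modules` or your vendor directory; for scripts loaded straight from a CDN, the browser does the same comparison when the tag carries `integrity` and `crossorigin`, and refuses to execute the file on mismatch. A single changed byte in `end` flips the digest, which is exactly what a version number alone would not tell you.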

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay