🎓️ Vulnerable U | #069

Microsoft before Congress, New details on Snowflake Saga, CDK Auto Dealership Hack, Mandiant's APT Writeups, Biden to ban Kaspersky, and more!

Author

Matt Johansen
June 20, 2024

Read Time: 6 minutes

Hey friends

Was planning on writing this from the plane last night, but the laws of physics were not on my side. My vote to whatever politician mandates airplane seats be large enough to open a laptop.

Have you ever played a game where you all tried to come up with the most mediocre superpowers you’d want to have? Dumb bonfire things I did growing up. Well, one of mine is the ability to fall asleep on planes on command. I can’t sleep at all on them so the 10 hours to London last night is really hitting me about now.

Here’s a pic of me the last time I was here. In a glass case of emotions:

I’m over here playing tourist with 9 of my family members being the stereotypical loud Americans trying to get a big table in small cafes.

ICYMI

🖊️ Something I wrote: Avoiding Security Obstructionism - been thinking about this one lately

🎧️ Something I heard: Latest Pivot podcast episode which touched on the Stanford Internet Observatory potentially being shut down. Talked about Alex Stamos and crew and what they’re doing over there to combat Internet Disinformation.

🎤 Something I said: Did you notice we’ve been doing the LiquidMatrix podcast again? (Our episode numbering is in Hex so if you’re new here, we’ve done over 100 of them years ago).

🔖 Something I read: This thread and article on CISOs being financially tied to vendors they wind up purchasing. popcorn.gif

PARTNERING WITH VANTA

Join the Live Session: Automating SOC 2 and ISO 27001 Compliance

Whether you’re starting or scaling your company’s security program, demonstrating top-notch security practices and establishing trust is more important than ever.

Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money — while helping you build customer trust.

And, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Join Vanta’s 45-minute live session on July 9th at 12 pm PST to see the platform in action and ask your questions.

Vulnerable News

Congress is calling out Microsoft for ignoring security warnings, which led to major cyberattacks, including the infamous SolarWinds hack by Russian hackers. An investigation revealed that Microsoft dismissed an engineer's alerts about a product flaw in 2017, impacting millions, including federal employees. Now, Microsoft President Brad Smith admits past failures and promises a security culture overhaul.

One interesting idea I heard come out of this was Smith saying he’d tie bonuses to cybersecurity performance. (read more)

What do you think?

How do you view tying bonuses to cybersecurity performance?

Login or Subscribe to participate in polls.

Here's the latest drama on the Snowflake saga: Hackers from ShinyHunters claim they snagged Ticketmaster data by breaking into Snowflake accounts via a third-party contractor, EPAM Systems. They got in by compromising an EPAM employee's computer in Ukraine with malware, grabbing unencrypted credentials stored on the machine. With no MFA in place, those credentials opened the door to Snowflake accounts. Ticketmaster wasn't the only target—Santander and others got hit too. EPAM denies any role, but the hackers shared some pretty convincing evidence. It's a wild ride, and it seems like the story's still unfolding. (read more)

Turns out pressure works. The whole security community yelling about this feature first made it turned off by default, and now they seem to have Recalled Recall. I’m bullish on AI, and I think features like this will have a future, but needs to be done right. In contrast, look at how Apple just announced its massive AI integrations. (read more)

This one is wild and I’m seeing lots of coverage from non-security sources. I’ve also seen some of those sources claim that 50% of American car dealerships are down from this attack. The news sources aren’t claiming that from what I can see. So I’m a bit confused about the overall impact, but either way, it seems like a very large amount of car dealerships are down and unable to do business for a few days. I’ll keep following this one to see what new details we get. (read more)

This is awesome. I get asked a lot on social media how to get into cybersecurity. I’m not saying this is a perfect roadmap guaranteed to land you a six figure salary. But this gist is amazing.

If you’re here from my IG and looking to get into the industry here is my actual advice based on this link. Make your own version of this gist and just catalog everything you’re learning as you learn it. Write about what you learn and share the roadmap. You’ll do a few things with this: you’ll retain more by teaching as you learn, you’ll pay it forward for anyone else trying to figure out their own path, and you’ll get a feedback loop faster for any experienced people following along telling you you’re spending your time well or poorly. (read more)

This write-up dives into how Fickle Stealer is spreading through multiple attack chains. This malware is all over the place, using spear-phishing emails with malicious attachments, drive-by downloads from compromised sites, and even sneaky malicious ads. The attackers are getting crafty with social engineering to trick users into running the payload, which then swipes sensitive info from their systems. With so many ways to spread, Fickle Stealer is proving to be a real headache, easily adapting to different security setups and dodging traditional defenses. Definitely worth checking out! (read more)

This one was fun. Kraken is a crypto exchange, and they got a bug bounty report from a security research company. The bug is fun in its own right, attackers can initiate a deposit, and before the deposit actually takes they can withdraw money. Turning it into a fake money printer, not actually stealing from other users. But the researchers then did this with $3million worth of crypto and didn’t give it back. Instead, asked the CISO of Kraken to talk to their sales team. (read more)

Mandiant is on fire with great reports on threat actor groups. This is no exception. Must read.

UNC3886, a suspected China-linked actor, has been up to some attacks with gnarly tactics, targeting global organizations. After initially exploiting vulnerabilities in FortiOS and VMware, they moved on to deploying custom malware and rootkits like REPTILE and MEDUSA for persistent access. They even used tools like LOOKOVER to sniff out TACACS+ credentials. Mandiant's deep dive covers everything from their use of zero-day exploits to their complex persistence mechanisms across network devices and VMs. For those in the trenches, this is a goldmine of intel. (read more)

Biden to ban US sales of Kaspersky software over Russia ties, source says

The Biden administration just announced a ban on U.S. sales of Kaspersky software, citing concerns over the company's ties to Russia. This move affects major U.S. customers like critical infrastructure providers and state and local governments. Commerce Secretary Gina Raimondo highlighted the risks, noting that Moscow's influence over Kaspersky poses a significant threat to national security.

The ban, set to kick in on September 29, extends to downloads, updates, and even resales of Kaspersky products. This follows years of scrutiny over Kaspersky's alleged connections to Russian intelligence, with prior bans on federal networks. With tensions high due to the Ukraine conflict, the U.S. is doubling down on minimizing potential cyber threats from Russia. (read more)

Eclypsium just dropped some serious intel on a new vulnerability in Phoenix SecureCore UEFI firmware, affecting multiple Intel Core processors. The flaw, tagged CVE-2024-0762 with a CVSS score of 7.5, lies in the TPM configuration and can lead to a buffer overflow and code execution. Discovered initially on Lenovo ThinkPad and Yoga models, this issue extends to various Intel families like AlderLake, CoffeeLake, and more, potentially impacting hundreds of PC products.

This vuln allows local attackers to gain persistent access at the UEFI level, bypassing OS-level protections. Phoenix and Lenovo have rolled out updates, but it’s crucial for everyone using affected devices to patch up. (read more)

The ransomware gang Qilin has claimed responsibility for the severe disruption at London hospitals, targeting Synnovis, a pathology provider. This attack, which they say was deliberate, aimed to create a healthcare crisis. Qilin's spokesperson admitted they knew the consequences, stating the attack was politically motivated, though experts question this claim, noting Qilin typically targets sectors for financial gain.

The gang demanded a $50 million ransom but cut off negotiations when Synnovis stalled. They've threatened to leak over a terabyte of stolen data. Qilin claimed they exploited a zero-day vulnerability but didn't provide specifics, leaving room for speculation about their actual methods. This attack has resulted in over 1,500 canceled operations and appointments, with severe impacts on patient care in London. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay