🎓️ Vulnerable U | #066

Operation Endgame! Cyber Force, North Korean spies, Chrome Zero Days, and more!

Author

Matt Johansen
May 30, 2024

Read Time: 9 minutes

Howdy friends!

Busy week! Flew back from the West Coast on Memorial Day weekend after watching my niece graduate. Well… watched what I could through snot and tears since I was a blubbering mess while she gave the commencement speech she didn’t tell anyone she got picked to give. I remember this kid in diapers! Super proud of her.

Time is a funny thing.

Lot’s of news this week, let’s get into it!

ICYMI

🖊️ Something I wrote: I wrote a long thread about North Korean spies infiltrating over 300 US companies via identity theft and some help from a woman in Arizona.

🎧️ Something I heard: A fantastic walkthrough of my buddy Dan Miessler’s AI project called Fabric. The very popular YouTuber, NetworkChuck, showcased it to his millions of subs so I guess the secret is out.

🎤 Something I said: A rundown of a CISA official talking about weaknesses in telco’s being exploited to track and spy on Americans.

🔖 Something I read: The great Clint Gibler of TL;DRsec’s latest edition had a great section on Entrepreneurship featuring some of my favorite people. Zane Lackey (Signal Sciences), Jon Oberheide (Duo), Haroon Meer (Thinkst Canary), and more. All great reads!

Vulnerable News

Are you picturing a Thanos snap? How about a bunch of mugshots with Matrix backgrounds? Well apparently you’re in good company with global government law enforcement officials…

Law enforcement agencies in the US and Europe launched Operation Endgame, targeting cybercrime platforms like IcedID, Smokeloader, and Trickbot. Touted as the largest operation against botnets, it aims to disrupt the infrastructure supporting malware "droppers" and "loaders," crucial components in cybercrime for installing malware.

  • Scope and Scale: The operation, involving Europol and multiple countries, arrested four suspects and took down over 100 servers across 10 countries.

  • Takedown Targets: Over 2,000 domain names used for dropper infrastructure were seized.

  • High-Profile Arrests: Suspects in Armenia and Ukraine were arrested, and eight fugitives were added to Europol's "Most Wanted" list.

  • Financial Impact: One suspect reportedly earned EUR 69 million in cryptocurrency from criminal activities.

  • Strategic PsyOps: Authorities are now using psychological tactics to disrupt cybercriminal trust networks, inspired by previous successes like the LockBit ransomware takedown.

Operation Endgame promises ongoing actions and updates via their dedicated website, operation-endgame.com, with an absolutely ominous countdown upfront there. Methinks they’re trying to scare up some other hackers. (read more)

“But the limitations of the current structure — with cyber officers and enlisted personnel spread across the Army, Navy, Air Force, and Marine Corps — are more apparent and the implications are more dangerous than ever before.”

The House Armed Services Committee just approved a new amendment for a study on creating a U.S. Cyber Force. This came just before they passed the massive defense bill for 2025. Rep. Morgan Luttrell and others pushed for this, aiming to fix the issue of Cyber Command not getting enough skilled cyber pros from the current military branches.

Despite some pushback from Democrats like Rep. Adam Smith, the amendment made it through. Now, it’s headed to the full House for a vote.

Next up, the Senate will take a look. If all goes well, we could see a new branch of the military focused entirely on cyber threats.

Keep an eye out for more updates as this bill moves through Congress. (read more)

Do you think there should be a new branch to the US military focused on Cyber Threats?

Cyber Force and Space Force certainly feel like silly SciFi names, but I do see the logic in both of their creation.

Login or Subscribe to participate in polls.

Is there any pharma patient’s data left to be stolen after the Change Healthcare breach?

Pharma giant Cencora (formerly AmerisourceBergen) is notifying people that their sensitive medical information was stolen in a cyberattack earlier this year. The breach included names, addresses, birth dates, health diagnoses, and medication details.

Cencora got this data through its partnerships with big-name drug makers like AbbVie, Acadia, Bayer, Novartis, and Regeneron. The cyberattack started on February 21 but wasn’t publicly disclosed until a week later.

So far, Cencora has informed about half a million individuals, but the actual number affected could be much higher, considering the company serves millions of patients. They posted a notice on their website for those they couldn’t directly contact. (read more)

Chrome is getting absolutely blasted this year. I know those of you with forced update windows while trying to login to work are getting sick of having to restart while you’re running late for a meeting.

I also invite all of my readers to look in the top right of your browser right now and click that update button if it is red. I do a good job of shaming anyone who screenshares with me with a red update button. Browser and OS updates are critical!

These aren’t just updates, they’re updates tied to active exploitation in the wild. Just do it! (read more)

Spyware app pcTattletale got hacked, and its website was defaced with its own internal data. The hacker, who claimed responsibility, posted links to the stolen files on the site briefly.

Security researcher Eric Daigle recently found a flaw in pcTattletale that leaks screenshots from infected devices, but the company ignored his warnings. The hacker, however, used a different method to get in, tricking the servers into handing over private keys for their Amazon Web Services account.

pcTattletale is a "stalkerware" app that lets users secretly spy on Android and Windows devices. It’s supposed to run invisibly, making it hard to detect and remove.

We just covered on VulnU last week that pcTattletale was used to compromise check-in systems at several Wyndham hotels, leaking guest info. This hack adds pcTattletale to the growing list of spyware companies that have lost control of sensitive data. (read more)

Kaspersky has found a new twist on ransomware that uses BitLocker, Windows' own encryption tool, to lock up your data. Here's how it works:

Attackers use a VBScript to take over the system. First, the script checks if the system's suitable. If it is, it starts resizing and partitioning local drives using Windows tools like WMI and diskpart. The script also messes with the registry to disable RDP, enforce smart card use, and configure BitLocker without TPM.

Next, the script deletes the current BitLocker protectors and sets up a new encryption key that only the attackers control. They use PowerShell to enable BitLocker with this new key. The key is a random mix of numbers, letters, and special characters, created using system-specific info. This info is then sent to the attacker through a hidden web address.

After encrypting the drives, the script cleans up by deleting itself and any logs that might reveal its actions, turns on the firewall, deletes all firewall rules, and shuts down the system. When the victim tries to access their system, they're faced with a BitLocker screen asking for the decryption key. (read more)

Alexander Yuk Ching Ma, a 71-year-old former CIA officer from Honolulu, has pleaded guilty to conspiring to deliver national defense information to China. Ma, along with his relative and co-conspirator, both held top-secret clearances during their time with the CIA.

  • The Espionage Plot: In 2001, after leaving the CIA, Ma and his relative met with Chinese intelligence officers in Hong Kong. Over three days, they handed over classified U.S. defense information and received $50,000 in return. They also agreed to continue assisting Chinese intelligence.

  • FBI Sting Operation: In 2003, Ma applied for a job with the FBI in Honolulu. The FBI, aware of his Chinese connections, hired him to monitor his activities. From 2004 to 2012, Ma worked under surveillance.

  • More Espionage: In 2006, while still monitored by the FBI, Ma got his relative to identify two individuals in photos provided by Chinese intelligence. This info was classified U.S. national defense material. (read more)

Chirag Tomar, an Indian national, confessed to stealing over $37 million in crypto by creating a fake Coinbase Pro site. He and his crew set up a lookalike site in June 2021 to trick people into entering their login details and 2FA codes. Victims were then directed to call fake Coinbase reps, who used remote access to take over their accounts.

Tomar transferred the stolen crypto to his own wallets, quickly converting and moving it around. He spent the money on luxury items and extravagant trips. He was arrested at Atlanta airport in December 2023 and now faces up to 20 years in prison and a $250,000 fine. The sentencing date hasn't been set yet. (read more)

A proof-of-concept exploit for a vulnerability in Fortinet's FortiSIEM has been released by security researchers. This vulnerability, CVE-2024-23108, allows remote command execution as root without needing authentication. Discovered by Horizon3’s Zach Hanley, it affects FortiSIEM versions 6.4.0 and above and was patched in February.

The flaw is a command injection vulnerability that can be exploited via crafted API requests. Initially, Fortinet denied the severity of the flaw, but later confirmed it as a variant of a previous issue, CVE-2023-34992.

Three months after the patch, Horizon3 published the PoC, highlighting that attempts to exploit this vulnerability will leave logs showing failed commands with datastore.py. The PoC can execute commands as root on any exposed and unpatched FortiSIEM devices.

Fortinet’s vulnerabilities are often targeted by ransomware and cyber espionage groups. In recent incidents, Chinese hackers exploited other Fortinet flaws to deploy malware in corporate and government networks.

If you’re using FortiSIEM, make sure to patch! (read more)

The U.S. Treasury just sanctioned three Chinese nationals for running the 911 S5 proxy botnet. This service hijacked Windows computers to route internet traffic through infected PCs, making it a favorite among cybercriminals from 2015 to 2022.

Yunhe Wang, one of the main operators, was arrested and charged with facilitating billions in fraud, including pandemic relief scams. His partners, Jingping Liu and Yanni Zheng, were also sanctioned for laundering the stolen money through real estate purchases.

911 S5 initially shut down after a 2022 data breach but rebranded as Cloud Router, continuing operations with a new name. Recently, Cloud Router went offline, marking the end of its operations. (read more)

Microsoft has spotted a new North Korean hacker group called Moonstone Sleet (formerly Storm-1789). These guys are mixing old-school tactics with new tricks to steal money and spy on companies.

Moonstone Sleet is setting up fake companies and job offers to bait their victims. They use trojanized versions of legit tools, have created a malicious game, and even developed custom ransomware. They’ve been caught using a trojanized version of PuTTY, sneaky npm packages, and a fake tank game called DeTankWar to spread their malware.

Initially, they had some overlap with another North Korean group, Diamond Sleet, but now they’re doing their own thing with unique methods. They’ve been using social media and freelancing platforms to distribute their malware.

In early 2024, they created fake companies like StarGlow Ventures and C.C. Waterfall to fool potential victims. They even sent out phishing emails to build relationships with organizations for future attacks. (read more)

Just got eyeballs on this one

Credentials Leaking with Subdomain Takeover

I was reading this cool vulnerability research about stealing API keys out of localstorage via subdomain takeover by Truffle Security

They buried the lede! Truffle squatted all vulnerable subdomains (that they could find) themselves so hackers couldn't...

An app called ReadMe lets folks test some stuff out in browser by pasting their API key in. This gets stowed in localstorage. If an attacker registers the subdomain associated with their ReadMe instance, they can potentially trick the user into leaking the API key. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay