Read Time: 9 minutes

Howdy friends!

I feel like the year is condensing. I’m already having conversations about plans and meetings that I have to turn down in late August. Isn’t it barely summer? How is this possible?!

I did a fairly long AMA on my Instagram this week. I got so many DMs saying how grateful people were for it and asking me to do more of them. Keep an eye on my profile if you want to participate in the next one. I’ll keep the responses in my story highlights for a bit, too.

Also want to give a shout to my sponsors over the next few weeks. Checking them out is the best way to support the work I do here. Thank you in advance. It means more to me than you know!

Let’s get vulnerable.

ICYMI

🖊️ Something I wrote: This one made the rounds on LinkedIn again this week even though I wrote it back in February. “I stopped resisting things I thought were 'wrong' about me and here is what happened”

🎧️ Something I heard: I somehow ended up on the “Dirt Man” side of the algorithm and this D&D spin-off cracked me up. Unhinged.

🎤 Something I said: There is “fake news” and then there is really fake news. Ran through a report about NewsBreak, it’s foreign investors, and it’s AI generated, completely fabricated and false news stories.

🔖 Something I read: This brilliant thread: “Your fundamentals are your greatest shield. Your efforts actually matter. That is what actually prevents failure. I know. I see.”

Vulnerable News

Snowflake Saga

There are too many links on this one topic that I want to share so we’re creating an umbrella header here.

TL;DR - After a few data leaks caught attention and were rumored to be connected to a service provider, people got curious. Then it was reported Snowflake was the common thread and that they must’ve been breached. Well they themselves were technically not breached, but it seems a bunch of their customers were. Let’s dig into what we know:

This GossiTheDog thread was my first hint of something going on. But I had no idea it was related to any data breaches. THREAD: Very big cyber incident playing out at Snowflake, who describe themselves as “AI Data Cloud”. They have a free trial where anybody can sign up and upload data… and they have.

Then it started to come out that the Santander and Ticketmaster breaches were linked to Snowflake: Snowflake account hacks linked to Santander, Ticketmaster breaches

A post by a security vendor, Hudson Rock, came out detailing a Telegram conversation they seemingly had with the threat actors responsible. This conversation said that Snowflake was hacked and 400 other customers were impacted. This post caught a lot of attention obviously, but then was quickly removed.

Snowflake pointed to the fact that the post was removed as evidence it was false. They neglected to mention it was actually removed because their lawyers forced it down.

Snowflake put out a statement that they had retained Mandiant and Crowdstrike to confirm they were not breached.

However, we’ve not seen the last of their customer impact. Hundreds of Snowflake customer passwords found online are linked to info-stealing malware

And one more thread with a grain of salt as it is anecdotal. But they are saying 5 more customers impacted and not thrilled as the hacks also spiked their usage bills during the attacks. So they lost data and owed Snowflake for the privilege.

Hacking Millions of Modems (and Investigating Who Hacked My Modem)

Sam Curry puts out a ton of great research. This one is funny to me because I saw the national news coverage of Cox routers before I saw this. I got to meet Sam in SF a few weeks ago and you should absolutely follow him on socials and his blog.

This blog is a masterclass in AppSec and API testing. Sam walks you step by step what put him on the trail of this vulnerability and then how he proked and prodded until he exploited it. I’ll give you the start and the end and you’ll absolutely want to read the whole thing.

Start:

That one mysterious request led to him discovering his modem was hacked. He then found a way to hack any Cox modem.

To prove it, he used an admin API on Cox’s business portal to change his own home SSID and it worked. Absolutely wild. (read more)

This Hacker Tool Extracts All the Data Collected by Windows’ New Recall AI

If you’ve not been following the Microsoft Recall story, long and short is that they launched a new feature that takes screenshots of your screen every few seconds to feed to a local AI that you can ask questions. “Who emailed me this week asking for that report?” - but then yes any malware on your device would have a full record of everything you did or read for the last few months.

Microsoft put out info saying you’d need to physically have access to the device, that isn’t true. They also said this:

Shot:

Chaser:

Here is a great FAQ from Kevin Beaumont on everything going on with Recall: https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e

And this Wired article goes into a lot of Microsoft’s claims and what researchers are finding. (read more)

Hackers steal $305M from DMM Bitcoin crypto exchange

Japanese crypto exchange DMM Bitcoin just got hit with a massive hack, losing 4,502.9 bitcoin—that's about $305 million, making it the eighth biggest crypto theft ever. Despite this, DMM Bitcoin is reassuring customers that their Bitcoin deposits are safe and will be fully covered with help from their partner companies. (read more)

Hacked, leaked, exposed: Why you should never use stalkerware apps

Besides being ethically shitty, stalkerware apps have been historically insecure. So they go and collect a bunch of spy data on unsuspecting victims, store it, and then get hacked.

Last week, hackers broke into pcTattletale, a U.S.-based stalkerware company, and leaked its data. This is the 20th stalkerware company hacked since 2017. These apps, used to spy on partners, are not only creepy and illegal but also poorly secured, putting user data at risk. Hackers often target these companies to expose their unethical practices. (read more)

THREAD: Just received a phone call from the Hillsborough County Sheriff's Office this afternoon. Officer reads off his badge number & proceeds to ask if this is [my name] located at [my address] w/ SSN# [reads last 4 of my social]. Fuck. Was walking through Costco as I took the call.

Read this thread! This person fell for but then recognized a scam as it was going on. Super believable and tugging on your emotions and sense of urgency while pretending to be law enforcement and having a lot of data about you. (read more)

Hacker Allegedly Wanted to Become the Tech Arm of ISIS

Ummmm. What?

Jibreel Pratt, a hacker from Detroit, bought stolen credentials from Genesis Market and allegedly planned to join ISIS. He told FBI informants he wanted to help ISIS with tech and cyber attacks, and shared plans for suicide drones, remote-controlled cars with explosives, and sent cryptocurrency to support ISIS. The FBI linked him to nearly 14,000 stolen credentials and arrested him on cybercrime charges. (read more)

Thinking back to that time when some JP Morgan analysts uncovered a massive startup fraud because the data science professor who fabricated their customer data hit the Microsoft Excel row limit and just rolled with it.

Always love when normies get confused by something being capped at 256. This reminded me of that. Also this reply is gold:

Massacre of WiFi routers leaves 600,000 American families offline

A massive attack last year turned 600,000 WiFi routers into useless bricks, cutting off the internet for many rural American families. The routers were hit by "Chalubo" malware, which infected devices and wiped out their firmware, requiring replacements. Researchers believe weak credentials or exposed admin interfaces allowed the attack. (read more)

THREAD: Creating an ad network that abets fraud on a technical level is somehow legal as long as the ad network owner claims that advertisers are abusing their system. This empowers scammers and intelligence agencies to deploy malware onto unsuspecting people's computers.

I’ve long talked about the dangers of ad networks being abused. I gave a Blackhat talk way back in 2013 about it. These networks at scale have very limited capability to ensure that the ads they are serving aren’t malicious in nature. This Twitter thread shows tons of examples of malicious ads being served up by reputable ad networks. (read more)

Google Leak Reveals Thousands of Privacy Incidents

An internal Google database obtained by 404 Media reveals thousands of privacy incidents over six years, including Google accidentally recording children’s voices, leaking carpool users' trips and home addresses, and making YouTube recommendations based on deleted watch history.

I also just saw the news that they axed their Chief Privacy Officer and will not be replacing them. They’re retiring from the role altogether. (read more)

Sisense - More on the April 2024 Security Incident

What in the hell is this? This is a lesson in how not to communicate a security incident. Completely lackluster update that doesn’t say anything. I honestly think this is virtually untouched ChatGPT output. No details about how or what happened. Very vague details about what they did about it besides rotating creds and bringing in experts. This just smells weird to me. Am I crazy? (read more)

Major London hospitals disrupted by Synnovis ransomware attack

A ransomware attack hit Synnovis, a key pathology and diagnostics provider, disrupting major London hospitals like Guy's and St Thomas', King's College Hospital, and others. The attack began on June 3 and has severely impacted healthcare services, especially blood transfusions, leading to canceled or redirected procedures. Emergency care has also been affected due to the unavailability of quick-turnaround blood test results. (read more)

FBI warns of fake remote work ads used for cryptocurrency fraud

The FBI is warning about scammers posting fake remote job ads to steal crypto from job seekers. These scams involve posing as legit recruiters, offering easy tasks, and then requiring victims to make crypto payments to earn more. The FBI suggests being cautious with unsolicited job offers, never sending money or personal info, and reporting any sketchy activities to the FBI Internet Crime Complaint Center. (read more)

Keeping GenAI technologies secure is a shared responsibility

Mozilla is launching a bug bounty program specifically for LLM models (not the underlying tech) to help keep GenAI secure, and they say it's everyone's job to pitch in. They talk about the evolution of bug bounty programs and introduce their own next-gen program, 0Din. They're also hiring for several AI security roles if you’re on the market. (read more)

Operation Crimson Palace: A Technical Deep Dive

Sophos just dropped a detailed look at "Operation Crimson Palace." This big cyber-attack campaign targets Southeast Asia and is all about espionage. Hackers used phishing emails with malicious attachments to break into networks. Once inside, they used a mix of custom tools and existing malware to swipe sensitive data. The report digs into their tactics, tools, and how they got around security measures. Love a good deep dive like this one that gives you that full look behind the curtain. (read more)

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay