- Vulnerable U
- Posts
- šļø Vulnerable U | #062
šļø Vulnerable U | #062
Verizon DBIR analysis, FCC fines major telecom $200 million, Change Healthcare hack details, Dropbox Breach, Bad passwords illegal in UK, and more!
Read Time: 8 minutes
Howdy friends!
Got to run a quick trip for a friendās birthday to Albuquerque this past weekend. It wasnāt my first time there, as Iāve driven across the country many times, but it was the first time I actually hung out there. Even did a day trip to Santa Fe. Underrated corner of the country IMO, the weather was great this time of year at elevation and it was fun to escape humidity.
Gearing up for RSA? Going to be a marathon. Iāll have some Vulnerable U stickers and shirts if you find me. And Iām hosting a party at Reddit HQ with some other content creators and journalists: https://darkreddit.splashthat.com/
ICYMI
šļø Something I wrote: An overview of GitHub and GitLab being used for malware distribution.
š§ļø Something I heard: I watched Baby Reindeer on my plane rides. It is one of the hardest shows to watch Iāve ever sat down and consumed. Iām not even sure I want to finish it. Not a feel-good, but it will haunt me if youāre into that.
š¤ Something I said: I was on Tinesā podcast recently and talked a lot about careers in infosec, AppSec, security automation, and even mental health in the field.
š Something I read: This AI Report (sorry its gated) - interesting to read how this small group of companies is using (and not using) AI.
Vulnerable News
Itās DBIR week! I say it in a lot of my newsletters: I love good reports with hard-to-compile data and great data visualizations. The DBIR is the REASON I started loving these kinds of things. Some absolute legends of the industry have run this report over the years and have gone on to become CISOs of major institutions. It is extremely high quality, meticulously prepared, and a must-read for our entire industry. Iām going to cover a larger-than-normal portion of my newsletter on this one topic this week.
The report covers data from 30,458 security incidents, of which 10,626 were confirmed breaches.
Financial motives drive ~93% of all breaches, showing a slight increase in espionage motives, up to 7% from last year. These incidents mainly affect the Public Administration sector, hinting at low overall diversity in threat motives across other sectors.
As Kelly Shortridge puts it in her great analysis - āYour threat model is still money crimesā
MOVEit vulnerabilities were implicated in 1,567 breach notifications.
The increase in breaches involving third parties is up 68% from last year.
Phishing remains a significant initial attack vector, and the median time for users to fall for phishing emails is less than 60 seconds.
The DBIR introduces a discussion on the use of GenAI in cyberattacks, finding little evidence of its adoption by attackers despite its potential capabilities. - This is a nice way of saying that a lot of the āAI is aiding attackers!ā is marketing hype.
On vulnerabilities, the DBIR reports a 180% increase in exploitation from last year, with web applications being the most affected.
Read another way, stolen creds > phishing + vulns
Ransomware made up ~62% of āaction varietiesā in financially-motivated breaches while pretexting (like business email compromise) was 24%.
BUT - 96% of ransomware incidents resulted in no direct loss
Again I point to Kelly Shortridgeās post that talks about the economics of protecting against ransomware. If 96% of these incidents result in no loss, and you have some data about what the loss might be if you fall into that 4%, you can make an informed decision on how much youād want to spend on backups, and EDR each year.
A stand-out quote for me around the major increase in vulnerabilities being used for initial access: āIf we canāt patch the vulnerabilities faster, it seems like the only logical conclusion is to have fewer of them to patch.ā - Hell, yes. Vulnerability whack-a-mole is a losing battle. Work on ways to reduce the number of vulns that make it into prod, to begin with. Secure by default!
TL;DR (but please read) -
GenAI hype is hype as far as threats go.
Vulns being exploited nearly tripled from last year. Get on top of your secure by default guardrails and vulnerability management program.
Overall, protecting against stolen creds, credential stuffing, and phishing is still your biggest bang for the buck. FIDO2/Yubikey rollout and make it mandatory.
Fun fact, in 2016 I won a challenge that was a puzzle embedded into the DBIR. It was kind of a CTF with a bunch of challenges that took me a few days. (read more)
Is this your first year reading the DBIR?Either way, tell me something you learned this year from it |
The FCC has fined AT&T, Sprint, T-Mobile, and Verizon nearly $200 million for illegally sharing customers' location data without proper consent.
Key Points:
Privacy Violations: The investigation revealed that these carriers sold access to customer location data to aggregators, who then resold it to third parties, circumventing the requirement for direct customer consent.
Carrier Reactions: All fined companies plan to appeal, arguing against the FCC's findings and citing the steps taken to address the unauthorized data access.
This comes at the same time as the FTC publishing some strong signals of impending counter ācustomer surveillanceā legislation. All of this is a backdrop to more talks of major privacy legislation, a la GDPR, but for the U.S. in the form of the American Privacy Rights Act (APRA). (read more)
Maciej Pocwierz shares a cautionary tale about how an empty, seemingly innocuous AWS S3 bucket can lead to unexpectedly high charges. After setting up a bucket for a document indexing proof of concept, Pocwierz was surprised to find a bill over $1,300 due to nearly 100 million S3 PUT requests in a single day.
Security Implications: The scenario also posed significant security risks. Pocwierz experimented by allowing public writes to the bucket, quickly amassing over 10GB of data from external sources, showcasing how easily data leaks can occur through simple configuration oversights.
Proactive Measures: To mitigate such risks, AWS users are advised to use unique, complex names for S3 buckets and explicitly specify the AWS region in requests to avoid unnecessary redirects and charges.
AWS Response: AWS has acknowledged the issue and is looking into measures to prevent such charges in the future, as noted by AWS VP Jeff Barr on Twitter. (read more)
Weāve covered this hack a lot, but now the CEO of UnitedHealth was sitting before the Senate answering about this ransomware attack that crippled the U.S. medical industry. This also included our first glimpse into āhowā this hack happened, spoiler: stolen creds (I see you, DBIR), no MFA, and a Citrix portal.
We also get this awesome screenshot of a senator holding a āHacking for Dummiesā book to roast the CEO. (read more)
Dropbox disclosed an incident around their āDropbox Signā product that was discovered 4/24. This breach involved compromised emails, usernames, phone numbers, hashed passwords, and certain authentication information including API keys and OAuth tokens.
I also love this thread by Magoo who dives into why this might be more than meets the eye and hard for Dropbox to investigate. Magoo highlights the complexity of confirming whether API keys or tokens were abused during the incident. He suggests that identifying misuse of such credentials, particularly if attackers switched infrastructure, could be exceptionally challenging. (read more)
I meanā¦ This one speaks for itself:
āFor more than five years, Marriott has defended a massive 2018 data breach by arguing that its encryption level (AES-128) was so strong that the case against it should be dismissed. But attorneys for the hotel chain admitted in an April 10 hearing that it had never used AES-128 during the time of the breach.
In fact, it hadnāt been using any encryption at all at the time but rather had been using secure hash algorithm 1 (SHA-1), which is a hashing mechanism and not encryption.ā (read more)
Bad passwords are now illegal?! Well at least for manufacturers in the UK. Some new legislation just passed requiring some minimum password strength requirements for manufacturers in the UK. Imagine if you went to jail for your crappy password? High school me wouldāve been locked up fast. (read more)
A Ukrainian national linked to the notorious REvil ransomware gang has been sentenced to more than 13 years in prison. This comes after his involvement in a 2021 attack that compromised hundreds of businesses globally, including a significant breach at Florida-based Kaseya.
Extensive Impact: Vasinskyi was implicated in over 2,500 ransomware attacks, demanding upwards of $700 million in ransoms.
Significant Legal Actions: Along with the prison term, he has been ordered to pay $16 million in restitution for the damages caused by his cybercriminal activities. (read more)
Domain Fronting is when you use a trusted domain to establish a connection and then have a different endpoint on the backend responding. CDNs are popular in this technique and many of them attempt to block it. But this paper dropped said theyāre not very successful.
āThe study revealed that domain fronting remains feasible in 22 out of 30 tested CDNs, including major providers like Akamai and Fastly. This suggests that despite efforts to curb this practice, it continues to be a significant issue within CDN infrastructure.ā (read more)
Saw this tool drop for sniffing PCAPs of 2g, 3g, 4g, and some 5g comms on Qualcomm devices:
This is the first Iāve seen of this kind of sniffer, especially for 5G signals.
QCSuper "a tool communicating with Qualcomm-based phones and modems, allowing to capture raw 2G/3G/4G(and for certain models 5G) radio frames, among other things." github.com/P1sec/QCSuper
ā KF (@d0tslash)
3:53 AM ā¢ May 1, 2024
Okta has been a favorite target in recent years. A compromised Okta account generally gets you access to a lot more behind it, as is the nature of SSO. Even so, Okta has issued a warning about a significant increase in credential stuffing attacks targeting its customers. These attacks involve cybercriminals using automated tools to try stolen username and password combinations across various platforms to gain unauthorized access.
In a shocking twist, Oktaās recommendation is to turn on more of their features! (Pay them more money) for enhanced security. The current U.S. administration has been coming down on this, saying you shouldnāt be charging more for table-stakes security features.
</soapbox> There are lots of techniques to combat this, but I just recommend prioritizing it. This is active exploit data, not theoretical security best practices. Implement that impossible geo feature youāve been wanting, go fight for Yubikey budget, just block logins from anonymizing proxy services. These 3 things will stop most of these attacks. (read more)
This is just a great set of Twitter threads about common AD vulns found during pentests (first thread) and then a quote tweet with a thread of remediation steps for those common vulns.
If youāre managing an Active Directory network, this is gold. (read more)
The U.S. Senate recently reauthorized Section 702 of the Foreign Intelligence Surveillance Act (FISA), extending it for another two years. This legislation, known as the Reforming Intelligence and Securing America Act (RISAA), faced a ton of debate but still passed. The Senate defeated several amendments aimed at curtailing the scope of warrantless surveillance activities, including a significant one that would have required federal agencies to demonstrate probable cause and obtain a warrant before accessing communications involving U.S. persons.
Proponents of the law, like FBI Director Christopher Wray, defend Section 702 as a critical tool for combating foreign threats, notably cyber attacks from entities like Chinese hacking groups. (read more)
Miscellaneous mattjay
How'd I do this edition?It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week. |
Upcoming Appearances
Check out the party Iām hosting at RSA Tuesday night. Hosted by a bunch of your favorite infosec journalists and content creators - https://darkreddit.splashthat.com/
And Iām sponsoring the Securosis recovery breakfast.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay