🎓️ Vulnerable U | #076

3 Billion person data breach, 0.0.0.0 Day Exploiting Localhost APIs, 1Password vulnerability, $10 Million Reward for Iranian Hackers, KnowBe4 North Korean laptop farm arrest, and more!

Read Time: 6 minutes

Howdy friends!

Coming to you straight from the purgatory between BlackHat and Defcon that is Thursday. I had 3 different events between 6 and 9pm tonight I was trying to hit but I’m straight up running out of social battery and needed to get this week’s newsletter out to you all so I tapped out.

Weird, who’d’ve thunk that on day 5 of 14+ hour days on my feet I’d be petering out a bit? Oh, it’s me, I knew that.

I’m here until Sunday still if you’d like to track me down at Defcon. I may even have a few T-Shirts for folks that show me they’re subbed. Also catch me at the Bug Bounty and Adversary Villages for some fireside chats.

Let’s get vulnerable.

ICYMI

🖊️ Something I wrote: A thread about eBPF and the comments are filled with learning resources about the topic.

🎧️ Something I heard: I always love Kurzgesagt’s videos. Most recent one is on topic for us here: A.I. ‐ Humanity's Final Invention?

🎤 Something I said: Did you see we’ve been doing the LiquidMatrix podcast again?

🔖 Something I read: The CrowdStrike Root Cause Analysis - and then this thread that helps break it down.

📣 Sponsor

Worried About Security for Microsoft Copilot?

Imagine a world where SQL injection attacks can be performed in natural language AND on the most powerful apps we’ve ever seen.

As demonstrated at Black Hat 2024 by our CTO Michael Bargury, hackers can easily perform RAG poisoning & indirect prompt injection leading to remote copilot execution (RCE) attacks to fully control Microsoft Copilot; leaving security teams with four distinct challenges:

  • AI gains sweeping access to your data & uses it at its discretion

  • Legacy AppSec tools can’t secure the new attack surface that AI introduces

  • Prompt injection can trick copilots into giving up control

  • Copilot Studio enables anyone to build their own copilots

Zenity manages these risks across both enterprise copilots & AI apps, preventing data leakage, RAG poisoning, and prompt injection attacks.

Vulnerable News

Billion? With a B? This is exhausting.

We also have virtually no info here. But the company that seemingly got hacked is called National Public Data. They’re a background check company that allegedly exposed the personal info of nearly 3 billion people in an April breach.

The part that seems a bit crazy is that they still haven’t told anyone. A cybercriminal group called USDoD (not to be confused with the actual DoD) posted the data for sale on the dark web for a cool $3.5 million. We're talking SSNs, addresses going back decades, family info - the works.

National Public Data apparently scrapes this info from non-public sources, so most people didn't even know they were in the database. Now there's a class action lawsuit demanding they encrypt future data, whatever good that’ll do. If they’re hacked, encryption at rest actually doesn’t protect from much of this.

Pro tip: Maybe don't build a massive database of people's personal info if you can't keep it safe? Just a thought. (read more)

Well, here's a win for the good guys! Interpol just pulled off a major heist recovery, snagging $41 million from a Business Email Compromise (BEC) scam targeting a Singapore company. The attackers used a "new bank account" trick, spoofing a supplier's email with a slight spelling difference. The victim fell for it and wired $42.3 million to the fraudsters. But thanks to Interpol's Global Rapid Intervention of Payments (I-GRIP) system, they managed to claw back most of the cash.

This case is a textbook example of how BEC scams work and why they're so effective. It's also a rare success story in fund recovery, which is usually a lost cause in these situations. The arrest of seven suspects is icing on the cake. (read more)

This is a fun bug. Got to meet with some of the team who found this one today in Vegas. They’re giving a talk at Defcon about it. The gist: by using the 0.0.0.0 IP address and some clever browser abuse, they’ve shown a way for a website to interact with applications hosted on your local machine. Some examples they showed were Selenium Grid and PyTorch TorchServe, which listen on 0.0.0.0. It seems this bug has been around for almost two decades and works on all major browsers on macOS and Linux. Windows luckily blocks this IP. (read more)
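As an added example (not code from the researchers, Selenium, or TorchServe), here is the kind of Host/Origin check a loopback-only local service can apply so that requests a browser routes via 0.0.0.0, or that originate from a public page, are refused; the header dicts are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def host_is_loopback(host_header):
    """True only when a Host header (or Origin netloc) names the loopback interface.

    Handles an optional port and bracketed IPv6 literals, and rejects 0.0.0.0,
    which macOS/Linux browsers route to localhost but which is not loopback.
    """
    if not host_header:
        return False
    try:
        parsed = urlsplit("//" + host_header.strip())  # reuse stdlib host:port parsing
        hostname = parsed.hostname
        parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if not hostname:
        return False
    if hostname == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return False  # some other DNS name, e.g. a rebinding domain
    return addr.is_loopback  # 127.0.0.0/8 and ::1 only


def should_serve(headers):
    """Decide whether a local-only service should answer; returns (ok, reason)."""
    host = headers.get("Host", "")
    if not host_is_loopback(host):
        return False, "rejected: Host %r is not loopback" % host
    origin = headers.get("Origin")
    if origin:  # browser-initiated cross-site request carries a public Origin
        o = urlsplit(origin)
        if o.scheme not in ("http", "https") or not host_is_loopback(o.netloc):
            return False, "rejected: cross-site Origin %r" % origin
    return True, "ok"


def bind_address_is_safe(addr):
    """A dev/internal service should bind 127.0.0.1 or ::1, never 0.0.0.0 or ::."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


SAMPLE_REQUESTS = {  # constructed headers, not captured traffic
    "local cli": {"Host": "127.0.0.1:8000"},
    "local browser tab": {"Host": "localhost:8000", "Origin": "http://localhost:8000"},
    "0.0.0.0 from public site": {"Host": "0.0.0.0:8000", "Origin": "https://example.com"},
    "rebinding name": {"Host": "attacker-controlled.example:8000"},
}


def audit(requests=SAMPLE_REQUESTS):
    """Map each sample request to whether the service would serve it."""
    return {name: should_serve(h)[0] for name, h in requests.items()}
```

Binding to 127.0.0.1 instead of 0.0.0.0 is the first fix; the Host/Origin check covers the case where the bind address cannot be changed.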

New CVE dropped for 1Password. Ears always perk up when you read about this kind of thing in such a sensitive application. Don’t sweat this one too much though as local access is required and if there is already malware on your box you’re pretty much hosed anyway. Anyway good idea to not ignore that update button if you’re a Mac 1Pass user. (read more)

US officials are dangling a cool $10 million for intel on six Iranian hackers linked to the IRGC's Cyber-Electronic Command. These guys are supposedly the brains behind Cyber Av3ngers, the group that had a field day with some poorly secured PLCs at U.S. water utilities last fall. Remember that Aliquippa, Pennsylvania water authority hack? Yep, that was them.

Now, the State Department's calling their bluff on the whole "hacktivist" shtick, pegging them as Iranian government operatives. It's part of a broader trend - we've seen similar bounties for BlackCat ransomware baddies and North Korean APT45 members recently. (read more)

Vangelis Stykas, the CTO at Atropos.ai, just dropped some juicy details at Black Hat about how he managed to turn the tables on some cybercriminals.

Some of the bugs include the Everest ransomware gang using a default password for its back-end SQL databases and exposing its file directories, and exposed API endpoints that revealed the targets of the BlackCat ransomware gang’s attacks while they were in progress.

Stykas said he also used one bug, known as an insecure direct object reference, or IDOR, to cycle through all of the chat messages of a Mallox ransomware administrator, which contained two decryption keys that Stykas then shared with the affected companies.

He even managed to snag decryption keys for two companies and tipped off four others before they got hit. (read more)

Remember that KnowBe4 North Korean spy that used AI to deepfake video calls and get hired? Well, it seems we nabbed the guy who was hosting the laptops for the North Koreans to let them onto the corporate networks. They took down Matthew Isaac Knoot in Nashville for running the farm, helping NK IT workers pose as good ol' American tech bros.

You may also remember that I covered the first American we took down for this same scheme, which was a woman in Arizona. There's a whole initiative now targeting these "domestic enablers."

Just say no to hosting North Korean malware out of your house, mmkay? (read more)

Looks like Windows Update just got a nasty surprise at Black Hat. SafeBreach Labs' Alon Leviev dropped a bombshell with his "Downdate" vulnerability, showing how attackers could potentially downgrade Windows to older, more vulnerable versions. This isn't just theoretical - it's inspired by real-world attacks like last year's BlackLotus UEFI bootkit.

The exploit targets a flaw in the Windows Update process, specifically in how it handles the "pending.xml" action list. By manipulating a key called "PoqexecCmdlinem", Leviev found a way to hijack the update process without raising any red flags. (read more)

If CISA says it’s being actively exploited, I listen. And when it says “Apache” I know it’s probably widespread, so I should share this.

CISA's sounding the alarm on CVE-2024-32113, a path traversal vulnerability they've added to their Known Exploited Vulnerability Catalog. This nasty little bug affects versions before 18.12.13 and could let attackers run arbitrary commands on your servers. The feds are giving agencies until August 28 to patch up or ditch the product. (read more)

I’m a big MITRE ATT&CK fan but I also have a hard time arguing with the point this BlackHat talk out of AppOmni is making here. In tons of recent attacks, the attack chain is irrelevant - stolen creds + SSO is a gateway to hundreds of SaaS apps. Literal smash and grab.

Perhaps the biggest single revelation from the analysis is that the MITRE ATT&CK kill chain is barely relevant – or at least heavily abbreviated – for most SaaS security incidents. Many attacks are simple smash and grab incursions. “They log in, download stuff, and are gone,” explained Brandon Levene, principal product manager at AppOmni. “Takes at most 30 minutes to an hour.”

I have first-hand experience with this and have tracked these kinds of attacks across a number of organizations in threat intel-sharing groups - This summary and timeline are accurate. (read more)

Remember that Royal ransomware gang we've been tracking? Well, they've gone and got themselves a fancy new suit - BlackSuit, (see what I did there?). FBI and CISA just dropped an update confirming the rebrand and boy have they been busy. We're talking over $500 million in ransom demands since they first popped up.

These guys have been wild to track. Started as Quantum, morphed into Royal, and now they're strutting around as BlackSuit. They've hit over 350 organizations, with demands ranging from $1 million to a whopping $60 million in a single case.

Remember that massive CDK Global outage that had car dealerships scrambling for pen and paper? Yep, that was them. Looks like they're not just after healthcare anymore - they're branching out. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay