🎓️ Vulnerable U | #085

Government Wiretaps, AI Girlfriends getting hacked, Microsoft, Firefox, Palo Alto Networks, and Qualcomm vulns, and more!


Howdy friends!

Writing to you from a mile high in Denver airport on my way home. This city has really changed vibes since I was last here pre-Covid. Actually! Now that I think of it, it was JUST pre-Covid. I was on a business trip here when shutdown rumors were starting and we all cut short and got home ASAP because we thought flights would be grounded.

Anyway, Colorado, your state is beautiful, thanks for having me. A lot has happened while I was here so I was sneaking into empty conference rooms in a random WeWork to make videos about it all. (You might notice my audio sounded a bit more echoey, those empty glass boxes aren’t great acoustics.)

Let’s get into it all!

ICYMI

🖊️ Something I wrote: This thread about the government wiretap story below. Caught a …bit of attention.

🎧️ Something I heard: I like this YouTube channel. Kurzgesagt – A.I. Humanity’s Final Invention?

🎤 Something I said: Fake recruiter coding tests delivering malware

🔖 Something I read: Turn the Ship Around! For a leadership off-site.

📣 Sponsor

Find and fix risky sharing in Google Drive

The risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing.

However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.

Material Security’s Data Protection for Google Drive helps control sensitive data sprawl with intuitive search and bulk remediation.

Gain control over the complex and vast data repository without getting in the way of daily use – security without impacting productivity.

Vulnerable News

It shouldn’t be news that the U.S. government requires all of its broadband providers to build in a wiretap capability, but when I talked about this on socials that seemed surprising to some people. If a 3 letter agency with a warrant shows up to AT&T and Verizon, they have to be able to let them collect the info they want.

The news here is that China has been abusing this wiretap system and taking advantage of these law enforcement requests.

The other crazy part is that they sat undetected for months. Wiretapped the wiretap... I must’ve missed this episode of The Wire. Someone at HBO get on this, bring back the old cast, and go after cybercrime. (read more)

This one is insane. Some AI girlfriend generator got popped and the data leak includes all the prompts users used to create their chatbots. This includes a ton of illegal, underage, and generally disgusting requests. The other part is that a lot of people signed up with their real email accounts so you can really dig through and find out who these sickos are.

Read Troy Hunt’s thread as he dives around this data. It’s sick stuff. (read more)

Chaining bugs is always fun for me. It was something I really specialized in when I was doing more hands on web app hacking. Here we’ve got some researchers who saw a CVE come out for Palo Alto that let an attacker reset the admin password with a simple unauthenticated HTTP request.

They looked at that and thought, hmmm if that is so easy I bet there is more we could do there. And there was! They found 3 more bugs they could chain together including OS Command Injection, SQL Injection, and topped it off with cleartext sensitive info. Good write-up of their thought process and findings. (read more)

📣 Sponsor

Stay on top of AI governance!

Nudge Security discovers all genAI accounts ever created by anyone in your org, as well as the OAuth grants that link them to other apps. With Nudge Security, you have visibility of all apps, users, authentication methods and OAuth grants, and can vet unfamiliar tools with security profiles for each provider.

This is an ol’ fashioned web defacement. We used to have culture in hacks before ransomware. Here we’ve got a JavaScript pop-up alert box that says they’re hacked and to expect to see all the info in Have I Been Pwned soon.

The Wayback Machine is considered sacred ground by many in our field. Modern-day Library of Alexandria. It’s a lot of work cataloging and keeping a copy of …the Internet. Don’t have a lot of details on this one yet but I’m keeping an eye on the who, how, why. (read more)

Love a good transparency report. OpenAI coming out with details of how they’ve been disrupting disinformation campaigns using their ChatGPT platform. They've taken down over 20 operations this year alone, which is pretty wild when you think about it. With all the elections coming up, they're clearly on high alert for any state-sponsored shenanigans or covert influence campaigns trying to weaponize their tech.

The cool part is they're not just swatting these threats away - they're studying them to figure out how bad actors might use AI for nefarious purposes. OpenAI's dropping a threat intel report to share what they've learned.

The report details several case studies of cyber operations and influence campaigns that were disrupted, including:

  • SweetSpecter: A suspected China-based group targeting OpenAI employees with spear phishing

  • CyberAv3ngers: An Iranian group researching vulnerabilities in industrial control systems

  • STORM-0817: An Iranian actor developing malware and social media scraping tools.

Overall, there isn’t data showing that AI has led to any major breakthroughs in malware creation or audience building for threat actors. (read more)

I don’t really understand this one yet. Breach notification from Fidelity went out to 77k people. But it’s light on details. It also says “a third party accessed and obtained certain information without authorization using two customer accounts” - Huh? Two customer accounts were able to then access 77k other users’ info? But it also says the info doesn’t include access to your Fidelity account(s). I’m unclear about how all that lines up, but they’re doing the normal credit monitoring thing for everyone impacted. (read more)

TL;DR - PATCH! - Mozilla just dropped a patch for a nasty vuln (CVE-2024-9680) that's already being exploited in the wild. As we see a lot in browser vulns, it is a use-after-free issue. This time in the Animation timelines feature.

This thing's rated a whopping 9.8 out of 10 on the CVSS scale. Low complexity, no user interaction needed, and high impact across the board. If you're running Firefox, you'll want to upgrade to version 131.0.2 ASAP. (read more)

“Actively Exploited” and “Microsoft” - should perk your ears up.

This month's Patch Tuesday is serving up fixes for two actively exploited bugs, and they're doozies. One's just a platform-spoofing issue, but the other? Remote code execution with system-level privileges. Yikes.

These bugs are in components attackers love to target, like the Microsoft Management Console and MSHTML. And now that the patches are out, you can bet other bad actors are already reverse-engineering them to cook up their own exploits. (read more)

We’ve covered water systems being targeted a few times in the last year here on VulnU. FBI and CISA have come out to say that it will continue to be a target for other state-sponsored hacking campaigns. This time the victim is American Water.

You know what else I learned through this? That the water industry is consolidating. American Water is publicly traded, 6,500 employees, and handles 14 states’ worth of water and wastewater operations. So them getting popped is taking off 14 states’ worth of water digital services. They’re saying the actual industrial control systems controlling the water are not impacted, but they’ve taken down all their customer portals, billing, etc.

Smells like ransomware to me but I’m hearing mumblings that we haven’t heard all the details here publicly yet. I’ll keep you up to date as I can confirm any more details. (read more)

GitLab just dropped a bunch of security updates, with the headliner being a critical flaw that could let unauthorized users run CI/CD pipelines on any branch they want.

The bug's got a CVSS score of 9.6, which generally translates to "fix this yesterday." GitLab's putting out patches covering versions all the way back to 12.5. They're also tackling a handful of other high-severity issues, including one that lets attackers impersonate other users. (read more)

Qualcomm just disclosed a pretty nasty bug in their DSP service that's already being exploited in the wild. Google's TAG team and Amnesty International caught wind of it, which tells me it's serious business. We're talking potential memory corruption here.

This impacts a whole slew of Qualcomm chips, from FastConnect to the Snapdragon lineup. Qualcomm's playing it cool, telling users to bug their device manufacturers for patches. But with Google TAG hinting at "limited, targeted exploitation," you've gotta wonder who's in the crosshairs. Activists and journalists might want to keep an extra eye out, given the usual suspects in these targeted attacks. (read more)

Wow, this is a wild one. Looks like hackers are getting creative and hijacking AI models to power their own sketchy chatbots. Here's the gist:

Attackers are targeting AWS Bedrock to steal access to AI models like Claude. They're using exposed AWS keys to check for model availability, request access, and then start pumping out prompts - mostly for some pretty NSFW roleplaying chatbots. The Permiso team caught one attacker sending over 75,000 prompts in just two days, almost all sexual in nature. They're using jailbreak techniques to bypass content filters and even venturing into some seriously dark territory.

While they couldn't pin down the exact service behind it, there's a good chance it's linked to sites like Chub.ai that host AI roleplaying bots. AWS and Anthropic are aware and working on patches. For now, the key takeaway is to lock down those AWS keys and keep a close eye on any Bedrock usage in your accounts. This LLM hijacking trend is only going to heat up from here. (read more)
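
One way to "keep a close eye on any Bedrock usage" is to review CloudTrail records per access key and flag keys that probe model access and then start sending prompts. This is an added example, not code from this newsletter or from Permiso's report; the event-name sets, the allowlist of expected keys, and every sample record and key ID are assumptions constructed for illustration.

```python
from collections import defaultdict

# Event names treated as "probing or enabling model access" vs. "sending prompts".
# Assumption for this example: adjust both sets to what your trail records.
PROBE = {"ListFoundationModels", "GetFoundationModelAvailability",
         "PutUseCaseForModelAccess", "PutFoundationModelEntitlement"}
INVOKE = {"InvokeModel", "InvokeModelWithResponseStream"}

def flag_bedrock_keys(records, allowlist, min_invokes=3):
    """Map access key ID -> reasons its Bedrock activity deserves a look."""
    stats = defaultdict(lambda: {"probes": set(), "invokes": 0, "denied": 0})
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if rec.get("eventSource") != "bedrock.amazonaws.com" or not key:
            continue
        s, name = stats[key], rec["eventName"]
        if rec.get("errorCode", "").startswith("AccessDenied"):
            s["denied"] += 1          # failed call: count it, but not as usage
        elif name in PROBE:
            s["probes"].add(name)
        elif name in INVOKE and s["probes"]:
            s["invokes"] += 1         # only prompts sent after probing
    findings = {}
    for key, s in stats.items():
        reasons = []
        if key not in allowlist:
            reasons.append("key not on Bedrock allowlist")
        if s["probes"] and s["invokes"] >= min_invokes:
            reasons.append("model-access probing followed by invocations")
        if s["denied"]:
            reasons.append(f"{s['denied']} denied Bedrock call(s)")
        if reasons:
            findings[key] = reasons
    return findings

def _rec(t, key, name, err=None):  # builds one constructed CloudTrail-style record
    rec = {"eventTime": f"2024-10-01T11:{t:02d}:00Z", "eventSource": "bedrock.amazonaws.com",
           "eventName": name, "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    return {**rec, "errorCode": err} if err else rec

APP, LEAKED = "AKIAEXAMPLEAPP000001", "AKIAEXAMPLELEAKED001"   # constructed key IDs
SAMPLE = [_rec(0, APP, "InvokeModel"), _rec(1, LEAKED, "ListFoundationModels"),
          _rec(2, LEAKED, "GetFoundationModelAvailability"),
          _rec(3, LEAKED, "InvokeModel", "AccessDenied"),
          _rec(4, LEAKED, "PutUseCaseForModelAccess"),
          *[_rec(m, LEAKED, "InvokeModel") for m in (5, 6, 7)], _rec(8, APP, "InvokeModel")]

if __name__ == "__main__":
    for key, reasons in flag_bedrock_keys(SAMPLE, allowlist={APP}).items():
        print(key, "->", "; ".join(reasons))
```

The allowlisted application key that only invokes models stays quiet, while the second key is flagged on all three signals.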

Looks like we've got a new player in the ransomware game, and they're not messing around. This unnamed group has been quietly wreaking havoc for about two years, hitting around 200 organizations a month with a MedusaLocker variant called BabyLockerKZ. They're mostly targeting Europe and South America, but the US isn't off the hook either.

What's interesting is their mix of off-the-shelf and custom tools. They're using some standard stuff like Mimikatz, but they've also got this fancy GUI tool called Checker that makes lateral movement a breeze. The BabyLockerKZ ransomware itself is pretty similar to its parent, MedusaLocker, but with a few tweaks here and there. (read more)

Miscellaneous mattjay

If you caught this reference, you’re cool:

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay