🎓️ Vulnerable U | #086

Hacker behind National Public Data hack arrested, Fake North Korean IT workers are now extorting employers, Google TAG report on zero-day usage being up YoY, Russia and Iran active exploitation campaign details, and more!

Read Time: 8 minutes

Howdy friends!

Hello from 38,000 feet. On the road again, to the dismay of my family, so I tried to make this one quick. Less than 24 hours in SF to host SnooSec tonight. I look forward to these, and getting the security community together for some talks and networking feels good. The feedback I get when running these meetups is that it feels reminiscent of the infosec industry of a decade ago.

This will hit your inbox after I have already hosted the event, but I hope to see some of you there.

ICYMI

🖊️ Something I wrote: Government Wiretaps in U.S. Internet Providers Infiltrated by Chinese Hackers

🎧️ Something I heard: I get to talk to Dan more often than most, but it was cool to hear him publicly talk about how all his projects fit together and his vision for all of this. Fabric is a tool a bunch of friends and I use often for prompt management.

🎤 Something I said: I was on Paul Asadoorian’s new podcast - Below The Surface - to talk about the Chinese wiretap story and a lot more. Should be published soon here.

🔖 Something I read: I did it. I’m finished with all the released books of Brandon Sanderson’s Stormlight Archive. Excited for the 5th book to come out in a few months.

📣 Sponsor

Stop wasting time on vulnerabilities that don’t matter!

Most appsec tools produce lots of noise, lots of work, and not a lot of confidence.

It’s time to focus on true reachability, and find vulnerabilities where they actually matter - in runtime.

Oligo’s deep visibility into running applications allows precise, real-time understanding of application risk.

The result?

  • 90%+ noise reduction

  • Container-to-code visibility

  • Instant zero-day response

  • Third-party application insight

Deployed in minutes, results day one. No theoretical modeling, code instrumentation, or painful integrations.

Vulnerable News

Hey remember that breach where nearly all SSNs were stolen last month? Well that company, National Public Data, has filed for bankruptcy this week. AND the Brazilian authorities have arrested the hacker behind the breach who goes by USDoD.

This wasn’t his only breach; he was also behind a CrowdStrike breach recently, where he leaked a lot of their internal threat actor data and IOCs. Shockingly, CrowdStrike has people on staff with the skills to figure out who hacked them, and they built a report on USDoD and allegedly leaked the report anonymously to Brazilian law enforcement. USDoD basically confirmed the report on his identity by saying “Thanks for doxing me!” - and now he’s been arrested. (read more)

We’ve covered a few of these stories, like KnowBe4 and a few others who hired people and mailed them laptops, unknowingly shipping them to a laptop farm where those laptops were set up to serve as remote access for a North Korean spy.

Well, looks like those North Korean IT workers are upping their game from just stealing jobs to full-on extortion. Secureworks is reporting that these fake employees are now demanding ransom after they've been fired for "poor performance."

The scam's pretty slick - they get hired using stolen identities, insist on using their own laptops, and then start siphoning off company data. Once they're booted, they hit the company with ransom demands, complete with proof of the stolen goods. (read more)

The feds finally caught up with those Anonymous Sudan folks. Two Sudanese dudes are in hot water for running a DDoS ring that targeted some pretty big fish - we're talking FBI, DoD, and even some hospitals.

These guys weren't just script kiddies either. They had some serious tools with cool names like "Godzilla Botnet" and "SkyNet." And because cybercrime is all about that side hustle, they were also selling access to their attack tools. But here's a pro tip: if you're gonna do cybercrime, maybe don't go after U.S. government agencies and hospitals. (read more)

Google's Mandiant team dropped some eye-opening stats about 2023's vulnerability landscape. The headline maker - A whopping 70% of exploited flaws were zero-days. That's a major shift from the usual 60/40 split we've been seeing in recent years.

But wait, there's more! The time-to-exploit has plummeted to just 5 days on average. Remember when we had a comfy 63 days to patch things up back in 2018? Those were the days. Now it's a mad scramble to lock things down before the bad guys come knocking. It’s why detection engineering is getting more important. Get those incident response chops tested and automate what you can. (read more)

Iran's back at it. CISA just dropped a new advisory warning that Iranian hackers are going after U.S. critical infrastructure with some good old-fashioned brute force attacks. They're hitting everything from healthcare to energy sectors, trying to guess passwords and spam MFA prompts until someone slips up and lets them in.

Once they're in, these actors are snooping around for more credentials and selling access to other cybercriminals. CISA's advice? Use strong passwords (duh) and actually turn on that second factor authentication. (read more)
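As an added illustration of what that advice looks like on the detection side (example code, not from CISA's advisory or this newsletter), here is a small Python detector run over constructed sign-in events: it flags a single source failing logins across many accounts (password spraying) and a user receiving a burst of MFA push denials, recording whether an approval followed. The event names, log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs): time, user, event, source IP
SAMPLE_LOG = """\
2024-10-14T02:00:01Z alice login_failed 203.0.113.7
2024-10-14T02:00:03Z bob login_failed 203.0.113.7
2024-10-14T02:00:05Z carol login_failed 203.0.113.7
2024-10-14T02:00:07Z dave login_failed 203.0.113.7
2024-10-14T02:00:09Z erin login_failed 203.0.113.7
2024-10-14T02:10:02Z alice mfa_push_denied 203.0.113.7
2024-10-14T02:10:30Z alice mfa_push_denied 203.0.113.7
2024-10-14T02:11:00Z alice mfa_push_denied 203.0.113.7
2024-10-14T02:12:00Z alice mfa_push_approved 203.0.113.7
2024-10-14T09:00:00Z bob login_success 198.51.100.9
"""

def parse(text):
    """Each line -> (timestamp, user, event, source)."""
    rows = (line.split() for line in text.splitlines())
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), u, e, s) for ts, u, e, s in rows]

def windows(items, window):
    """Yield, for each item, the values from it up to `window` later (sliding window)."""
    items = sorted(items)
    for i, (start, _) in enumerate(items):
        yield [v for t, v in items[i:] if t - start <= window]

def spray_sources(events, window=timedelta(minutes=5), min_users=5):
    """Sources whose failed logins hit >= min_users distinct accounts inside `window`."""
    by_src = defaultdict(list)
    for ts, user, event, src in events:
        if event == "login_failed":
            by_src[src].append((ts, user))
    return {src for src, fails in by_src.items()
            if any(len(set(w)) >= min_users for w in windows(fails, window))}

def mfa_fatigue_users(events, window=timedelta(minutes=10), min_denials=3):
    """Users with >= min_denials push denials in `window`; value = an approval landed in that window."""
    by_user = defaultdict(list)
    for ts, user, event, _ in events:
        if event in ("mfa_push_denied", "mfa_push_approved"):
            by_user[user].append((ts, event))
    flagged = {}
    for user, pushes in by_user.items():
        for w in windows(pushes, window):
            if w.count("mfa_push_denied") >= min_denials:
                flagged[user] = "mfa_push_approved" in w
                break
    return flagged
```

A `True` value from `mfa_fatigue_users` is the case the advisory warns about: repeated prompts until someone approves one, which should page a responder rather than just log.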

Nvidia's NeMo framework flagged a pretty gnarly security flaw that could let bad actors execute code and mess with data on systems using the platform. It's all about a path traversal issue in the SaveRestoreConnector - basically, if you're not careful with your .tar files, you might be toast.

Not exactly end-of-the-world stuff, but definitely something you want to patch ASAP if you're running NeMo. They've pushed out a fix on GitHub, so if you're using this gen-AI framework for your LLMs or other AI fun and games, you'll want to upgrade to version r2.0.0rc0 or later. (read more)
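To make the bug class concrete, here is an added Python example (not NeMo's code and not its actual fix) of vetting tar members before extraction so a checkpoint archive cannot write outside its destination directory; the archive contents are constructed, with one benign file and one traversal entry.

```python
import io
import os
import tarfile
import tempfile

def is_safe_member(member: tarfile.TarInfo, dest: str) -> bool:
    """True only if extracting `member` cannot write outside `dest`.
    Rejects '..' traversal and absolute names via a realpath check, and
    rejects links, since a link can redirect a later write out of `dest`."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    inside = os.path.commonpath([dest_real, target]) == dest_real
    return inside and not (member.issym() or member.islnk())

def safe_extract(archive_bytes: bytes, dest: str) -> list:
    """Extract vetted members only; return the names that were refused."""
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if is_safe_member(member, dest):
                tar.extract(member, path=dest)
            else:
                rejected.append(member.name)
    return rejected

def build_demo_archive() -> bytes:
    """Constructed sample: a benign checkpoint file plus a traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [("model_config.yaml", b"name: demo\n"),
                              ("../../outside.txt", b"escaped\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def demo():
    """Extract the constructed archive into a fresh temp dir; return (rejected, extracted)."""
    dest = tempfile.mkdtemp()
    rejected = safe_extract(build_demo_archive(), dest)
    return rejected, sorted(os.listdir(dest))
```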

The (now-patched) Microsoft flaw was being exploited by North Korean threat actors earlier this year, according to a new alert.

Speaking of North Korean hackers, this time they’re exploiting a Microsoft Scripting Engine flaw to push malware through ads. They compromised an ad agency's server to inject their malicious code into toast ads - you know, those annoying pop-up notifications on your desktop. And get this - it was a zero-click attack, meaning users didn't even need to interact with the ad to get infected.

The funny part for me while reading this is that this vulnerability was in Internet Explorer, which Microsoft officially killed off in 2022. But apparently, some ad programs are still using IE-based components. Insert “What year is it?!” memes. (read more)

While we’re asking what year it is, SolarWinds is back in the hot seat. Remember that whole supply chain fiasco from a few years back? Well, they've got a new headache with their Web Help Desk product. Turns out there was a critical hardcoded credential just sitting there, waiting to be exploited. And wouldn't you know it, the bad guys found it and are having a field day.

CISA's added this to their Known Exploited Vulnerabilities list already. SolarWinds says they've patched it up, but with over 800 instances still exposed online as of last month, it's a safe bet not everyone got the memo. If you're running Web Help Desk, might want to double-check you've got that 12.8.3 HF2 update installed. (read more)

This meme made me laugh.

CVE-2024-23113 is a format string vulnerability allowing remote code execution without authentication. As the meme says, these kinds of bugs are just not seen these days. Not a good look for Fortinet. The Shadowserver Foundation has identified more than 87,000 Fortinet devices that are still vulnerable to this flaw. (read more)

Hit that update button Firefox users. Your tabs will be ok. And if they’re not, consider it a fresh start.

Looks like there's a nasty bug (CVE-2024-9680) that's already being exploited in the wild. Mozilla pushed out patches for Firefox and Thunderbird for this use-after-free vulnerability in the Animation timeline component.

The Tor Project's also in on the action, patching up their browser too. While they initially thought Tor users might be targeted, they've since backpedaled on that claim. Still, CISA has added this to their "Known Exploited Vulnerabilities" list. Props to Mozilla for their quick response though - 25 hours from alert to fix is pretty impressive. (read more)

The Russian SVR is getting fancy with some Bluetooth exploits. The FBI, NSA, and their UK buddies are now reporting about their investigation here. They're spilling the tea on specific vulnerabilities and tactics the SVR is using, which is pretty rare for these agencies.

What's really wild is the range of targets these guys are going after - from government agencies to critical infrastructure and even random companies that catch their eye. They're not just sticking to the usual suspects. The SVR's got some serious skills, including the ability to do their own vulnerability research and exploit development. And they've been exploiting Bluetooth flaws that can be triggered over the air. (read more)

Friend of VulnU, Mike over at Return On Security, wrote up a great look at AI and security as it comes to the shared responsibility model. The gist is that as AI becomes more ubiquitous, we need a clear framework for who's responsible for what when it comes to keeping these systems secure. It's not just on the service providers or just on the users - it's a team effort.

The article breaks down different AI deployment models, from public SaaS offerings like ChatGPT to on-premises setups, and outlines the security responsibilities for each. It's a bit like a "you build it, you run it" approach, but for AI security. The key takeaway for me is the more control you have over your AI setup, the more security responsibility falls on your shoulders. So if you're thinking of running your own AI models in-house, be prepared to up your security game across the board. (read more)

I love all the content coming out on detection engineering this year. It’s a topic I’m growing more passionate about and I think it is one of the better ROI areas a security team can focus on these days.

So, you're trying to figure out what makes a "good" detection, huh? It's tricky, mixing objective metrics with a whole lot of "it depends." The Shannon Signal Score is trying to wrangle this chaos into something measurable. It looks at stuff like how well the detection aligns with actual threats, how robust and precise it is, what kind of operational headache it might cause, and whether it's actually useful in your specific environment.

The idea is to give you a way to say, "Yeah, this detection is worth our time" or "Nah, let's focus elsewhere."

The cool thing about this framework is it's flexible - you can tweak it based on what matters most to your org. Maybe you're all about minimizing false positives, or perhaps you're more concerned with catching every possible threat, even if it means more noise. And they're even throwing LLMs into the mix to help evaluate some of the trickier, more subjective parts. At the end of the day, it's about finding that sweet spot between coverage, cost, and actually being able to do something with the alerts you get. It's not perfect, but it's a solid start for putting some method to the madness of detection evaluation. Worth a read. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay