🎓️ Vulnerable U | #087

Alert fatigue, government tracking via your phone, Fortinet bad times, SharePoint active exploitation, and more!

Read Time: 8 minutes

Howdy friends!

I've got a pretty awesome Halloween costume planned. I'll share pictures next week but you all will get a kick out of it.

My blog of the week is about Alert Fatigue. Some stats on the reality, the impact, and how to combat.

At some point in my career, I found myself staring at my monitor at 3 AM, having just been woken up by an alert that paged my phone. It turned out to be bullshit. This happened every time I was on call. Each notification demanded attention, screaming its urgency through my bleary eyes. Was this the real threat among the false positives? Or was I about to ignore something critical while my tired brain struggled to focus?

Sound familiar?

Alert fatigue in cybersecurity isn't just a technical problem – it's a mental health crisis waiting to happen. We've built incredible detection systems that are slowly burning out the very people they're meant to help. It's like being the boy who cried wolf, except now we have machines crying wolf thousands of times per day, and we're still expected to catch the real wolf when it shows up.

ICYMI

🖊️ Something I wrote: The U.S. wiretap system got wiretapped by China.

🎧️ Something I heard: Any of you also space nerds? I went down the rabbit hole for the probe we're about to send to Jupiter's moon Europa. This deep dive into the engineering behind all of the instruments on board and the complex mission is awesome.

🎤 Something I said: I got to be on Paul Asadoorian's podcast “Below the Surface”

🔖 Something I read: Boy, 14, fell in love with ‘Game of Thrones’ chatbot — then killed himself after AI app told him to ‘come home’ to ‘her’ - A lot to think about here in what we're building and how minors will interact with it.

📣 Sponsor

Are genAI tools integrated with your other apps?

Nudge Security discovers all genAI accounts ever created by anyone in your org, as well as the OAuth grants that enable data-sharing across apps. With Nudge Security, you can:

  • Discover all genAI tools ever used in your org

  • See all users, authentication methods, and OAuth grants

  • Surface and revoke risky OAuth grants

  • Get alerted of new genAI tools or integrations

  • Vet unfamiliar tools with security profiles for each provider

Get your free genAI inventory in minutes.

Vulnerable News

Yes this headline is meant to invoke emotion and no this tool isn't new. But I support the goal of this post in trying to break through the “I have nothing to hide” crowd.

Babel Street's Locate X tool is basically a stalker's dream come true, and US law enforcement agencies (and apparently anyone who asks for it and just says they're with the government) are buying it up. Privacy researchers got their hands on the tool and showed how it can track people visiting abortion clinics, including following one person's entire journey from Alabama (where abortion is illegal) to a Florida clinic. The tracking is so precise it can show exactly where someone lives, works, and everywhere they stop along the way.

The wild part is this all happens without a warrant - agencies just buy the data like they're shopping on Amazon. The location info comes from regular apps and mobile ads on people's phones, and while Apple and Google have tried to limit this kind of tracking, the data is still flowing freely through brokers and ending up in tools like Locate X. At $28k a pop, it's giving law enforcement a pretty convenient way to bypass those pesky warrant requirements. (read more)

Anthropic just dropped an update to Claude that lets it directly control computers. The AI can now type, move the mouse, take screenshots, and even run bash commands. While this sounds cool for automation, security folks are already sweating about the implications. Rachel Tobac points out how criminals could use this to scale up malware distribution.

It also does this by taking real-time screenshots of your computer and sending them back to Anthropic's API. Remember the Microsoft Recall debacle? It's that, but it can also click things.

Anthropic's own documentation warns that Claude might ignore user instructions and follow random commands it finds on websites or in images instead. They're basically admitting their AI could fall for prompt injection attacks against itself. But hey, they recommend taking "relevant precautions" to minimize risks. This is going to be a hard one to guardrail appropriately. (read more)

This is a great report put out by Microsoft's Threat Intelligence on the growing trend of healthcare institutes getting hammered by ransomware. They put a lot of production value into this one with good videos and infographics. Worth a look.

Healthcare is getting absolutely hammered by ransomware, and the ripple effects are worse than you might think. When hospitals get hit, it's not just about stolen data - nearby hospitals get overwhelmed with redirected patients, leading to some scary stats. We're talking about stroke survival rates dropping from 40% to 4.5% at "unaffected" hospitals during attacks, and emergency room wait times shooting through the roof.

Healthcare also makes a juicy target because providers are known for actually paying the ransoms (53% paid up in 2024, averaging $4.4M per payment). Combine that with typically understaffed IT teams, legacy systems that are a pain to update, and the fact that rural hospitals often have just one IT generalist handling everything from printer jams to cybersecurity - it's a mess. (read more)

Lazarus group is back at it with some Chrome zero-days. They set up a fake NFT tank game site (complete with social media presence) to lure in crypto folks, then used a type confusion bug in Chrome's V8 engine to break out of the sandbox and steal crypto. Pretty sophisticated stuff - they even tried to get crypto influencers to promote the fake game.

What's wild is they based it on a legit game, copying the logo and design (probably from stolen source code). The real game devs noticed $20k in crypto mysteriously vanishing from their wallet right after this fake site launched. Kaspersky found and reported the zero-day (CVE-2024-5274), which Google patched in Chrome 125. Just another day in North Korea's billion-dollar crypto heist operation. (read more)

Samsung's latest flagship phone got pwned at Pwn2Own Ireland this week. Ken Gannon from NCC Group chained together 5 vulns to get shell access and install an app, netting himself a cool $50k. Pretty impressive considering this is their newest device.

Interestingly, no one took up the challenge to hack the Pixel 8 or iPhone 15, despite bigger bounties of up to $250k on the table. The event's been pretty lucrative overall though - hackers have already earned nearly $850k in just two days, with everything from smart home hubs to NAS devices getting popped. (read more)

Akira ransomware is getting a makeover. After spending early 2024 just stealing data for ransom, they're back to their old double-extortion tricks with a shiny new C++ encryptor for both Windows and Linux. They've downgraded from ChaCha20 to ChaCha8 - probably trying to speed things up at the cost of some security margin.

These folks have been pretty successful since early 2023, making tens of millions by exploiting Cisco VPN and VMware ESXi vulns. They're particularly fond of targeting ESXi environments since it lets them encrypt a ton of stuff without much lateral movement. (read more)

Grandoreiro is a banking malware that goes all the way back to 2016, and it's back with some new tricks. Despite law enforcement nabbing some of the gang members, the remaining crew is still out there evolving their code. They've added fancy new features like domain generation for C2, and mouse tracking to fool anti-fraud systems.

What's particularly interesting is how they're distributing this thing - massive 390MB files pretending to be AMD drivers to dodge sandboxes, plus they're using CAPTCHA to mess with automated analysis. The malware's gotten pretty sophisticated with self-updates, keylogging, and even Outlook monitoring. (read more)

Fortinet is just a punching bag lately. There's a new nasty one in the wild targeting FortiManager. The bug (CVE-2024-47575) lets unauthenticated attackers remotely execute code, but the interesting part is they need a valid Fortinet cert extracted from a device or VM to pull it off. It's being actively exploited to steal device credentials and configurations from managed devices.

The timing here is a bit sus - seems like Fortinet knew about this for weeks before dropping the public advisory yesterday. Kevin Beaumont's been tracking this and suggests nation-state actors are using it to pivot through MSP networks. Fortinet says they haven't seen any malware or backdoors installed yet, just config theft. If you're running FortiManager, grab those patches ASAP - affected versions include pretty much everything from 6.2 through 7.6. (read more)

The SEC is throwing the book at companies who played it coy with their SolarWinds breach disclosures. Unisys, Avaya, Check Point, and Mimecast are all getting hit with fines ranging from $990k to $4M for being too vague or downplaying what actually happened. The biggest offender is Unisys, who knew they'd been hit twice with data exfiltration but described it in their annual report like it was some hypothetical scenario.

The SEC's message is pretty clear - if you get popped, you better tell your investors exactly what happened. No more of this "limited number of email messages" nonsense when you know 145 files got nabbed (looking at you, Avaya). This follows their new rule from last year requiring companies to spill the beans on material cyber incidents within four days. Guess the days of playing cyber incident PR games are over. (read more)

Symantec researchers found a bunch of popular mobile apps just casually leaving their AWS, Azure, and Twilio credentials hanging out in their code. We're talking apps like Pic Stitch (5M+ users) and several others that basically left their keys to the kingdom sitting in plain text.

The fix is pretty simple - use AWS Secrets Manager or Azure Key Vault instead of hardcoding credentials like it's 2010. (read more)
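To make the "stop hardcoding it" advice concrete, here is an added example in Python (mine, not Symantec's and not from any of the apps named above). It does two things: a small scanner that flags credential-shaped strings in source text, run over a constructed Java config snippet that uses the AWS documentation placeholder keys plus made-up Twilio and Azure values, and a loader that pulls a credential from the process environment at runtime with no baked-in fallback. The regexes, the `Finding` type, `load_credential` and `SAMPLE_SOURCE` are all assumptions for illustration; pulling the value from AWS Secrets Manager or Azure Key Vault would go through their SDKs, which is not shown.

```python
"""Added example: spot hard-coded cloud credentials in source, and load them at runtime instead."""
import os
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    kind: str       # which credential format matched
    line: int       # 1-based line number in the scanned text
    redacted: str   # matched value with all but the first 4 characters masked


# Credential formats with a recognisable shape. These are assumptions for
# illustration; a real scanner carries many more patterns plus entropy checks.
#  - AWS access key IDs: 20 chars, prefix AKIA (long-term) or ASIA (temporary)
#  - AWS secret keys: 40 base64-ish chars, usually near the words "aws"/"secret"
#  - Twilio Account SIDs: "AC" followed by 32 hex characters
#  - Azure storage connection strings: an "AccountKey=" base64 blob
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}secret.{0,20}['\"]([A-Za-z0-9/+=]{40})['\"]"
    ),
    "twilio_account_sid": re.compile(r"(?<![A-Za-z0-9])AC[0-9a-fA-F]{32}(?![A-Za-z0-9])"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
}


def redact(secret: str) -> str:
    """Keep a short prefix for triage; never echo the whole secret into a report or log."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per credential-shaped match, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group report only the secret, not the surrounding text.
                value = m.group(m.lastindex or 0)
                findings.append(Finding(kind, lineno, redact(value)))
    return findings


def load_credential(name: str, env: Optional[dict] = None) -> str:
    """The hardened pattern: read the credential at runtime instead of baking it in.

    `env` defaults to the real process environment. In production the value is
    injected there by AWS Secrets Manager / Azure Key Vault tooling (or fetched
    through their SDKs, not shown here). There is deliberately no default value:
    a missing credential is a deployment error, not something to paper over.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"credential {name!r} not provided to the process")
    return value


# Constructed sample of a leaky mobile-app config. The AWS values are the
# placeholders from AWS's own documentation; the Twilio and Azure values are made up.
SAMPLE_SOURCE = """\
// Constructed sample config with placeholder values, not real keys
public class CloudConfig {
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String TWILIO_SID = "AC0123456789abcdef0123456789abcdef";
    static final String AZURE_CONN = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqr==;EndpointSuffix=core.windows.net";
    static final String BUILD_TAG = "ACME_RELEASE_2024";  // "AC" prefix that must not fire
}
"""


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} -> {f.redacted}")
    # The hardened path: the key arrives from the environment, never from the source file.
    print(load_credential("AWS_SECRET_ACCESS_KEY", {"AWS_SECRET_ACCESS_KEY": "injected-at-deploy-time"}))
```

Run it as a pre-commit hook over the files you ship and the findings come back with the secrets masked, so the report itself doesn't become the next leak. The loader raises instead of defaulting because a silent fallback is exactly how a "temporary" test key ends up in a production build.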

Heads up SharePoint admins - that July patch you might have skipped? Yeah, time to roll that out ASAP. Microsoft's CVE-2024-38094 is now being actively exploited in the wild, and CISA just added it to their "Known Exploited Vulnerabilities" list.

The bug requires Site Owner permissions to exploit, but once an attacker has those, they can inject and execute arbitrary code on your SharePoint server. While that might sound like a high bar for entry, remember that Site Owner isn't exactly rare in enterprise deployments. Microsoft originally dropped this patch in July saying exploitation was "likely" - turns out they were right. No word yet on who's behind the attacks. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay