🎓️ Vulnerable U | #089

AI finding zero days, Canada kicks out TikTok, Okta lets you in without a password, and much more!

Author

Matt Johansen
November 08, 2024

Read Time: 9 minutes

Howdy friends!

This isn’t a politics newsletter. So in that, I’d like this to be a respite for you in the sea of news this week. That said, if I pretended everything was normal, that’d be pretty tone-deaf. I know many of you aren’t in the U.S., but those of you who are, please take the time you need to take care of yourself this weekend.

I’m a big proponent of the Boy Scout’s motto of “leave it better than you found it”

So, no matter what side of the coin you landed on this week, I implore us all just to wake up, dust ourselves off, and leave the world a bit better than you found it.

Today, I picked up a bunch of trash in my coffee shop parking lot instead of just walking past it. No matter how small, it felt like something in my control and made me feel a bit better. I also noticed a few people watch me do it, I wonder if the ripple effects are out there today.

ICYMI

🖊️ Something I wrote: I wrote about how to protect your sanity during the election turmoil. Please affix your own oxygen mask before helping others.

🎧️ Something I heard: The CEO of Vanta was on the My First Million podcast talking about how she started the company. Rarely hear this kind of stuff about security companies, worth a listen.

🎤 Something I said: An AI girlfriend generator got hacked, the prompts and identities of its users were leaked.

🔖 Something I read: Paul Graham’s “How to Do Great Work

📣 Sponsor

Do You Know What Software Is Running in Your Environment?

ThreatLocker® is offering a free I.T. security health report to help you monitor and visualize your environment, covering:

→ Information about executables, scripts, and libraries.

→ Files that have been accessed, changed, or deleted.

→ All network activity, including source and destination IP addresses, port numbers, users, and processes.

→ Identify and prevent installed software from communicating with entities in Russia, China, or other threat actors.

Request your software report today!

Vulnerable News

Google’s Project Zero seems to have found an 0-day with some of their internal LLM tooling.

This is a pretty wild milestone - they've got an AI that found its first zero-day vulnerability all by itself. Their "Big Sleep" AI agent (cool name, btw) discovered a previously unknown bug in SQLite, which is basically everywhere. The SQLite team patched it same day, so no harm no foul, but this is kind of a big deal since it's the first time an AI has found a real-world zero-day.

…at least that we know about publicly.

The team seems pretty stoked about what this means for the future of security research. While right now Big Sleep is only as good as existing fuzzing tools (those things that throw random data at code to find bugs), they're hoping AI could eventually help catch vulnerabilities before software even ships.

Though let's be real - while we're celebrating AI finding bugs, the flip side is the attackers can use these tactics too. Not that that’s not true of existing security tools, just important to remember when we read about these breakthroughs. (read more)

Well this was a fun one. Okta just patched a wild authentication bug where if you had a username longer than 52 characters, ANY password would work. The bug was related to how they were using Bcrypt to generate cache keys, and only kicked in when their AD/LDAP agent was down or under heavy load.

Before you panic - this was pretty limited in scope. Most orgs don't have usernames that long, and it only worked under specific conditions with their Delegated Authentication feature. Still, it was live from July to October, so if you're running Okta and have any suspiciously long usernames in your environment, might be worth checking those logs. They've switched to PBKDF256 now and patched it up. (read more)

Heads up NAS owners - particularly if you're running Synology gear. Dutch researchers just dropped details on a zero-click vulnerability in the default SynologyPhotos app that could give attackers full root access to your device. No authentication needed, and it works whether you're directly connected to the internet or using Synology's QuickConnect service. The researchers found hundreds of thousands of vulnerable devices online, with potential exposure in the millions.

The timing's interesting since ransomware crews have been hitting NAS devices hard since 2019. Synology has patched it (advisory dropped Oct 25), but since these devices don't auto-update, there are probably still plenty of vulnerable boxes out there. And now that the patch is public, it's basically a roadmap for attackers to figure out the exploit. (read more)

Those annoying "click all the traffic lights" CAPTCHAs just got cracked wide open. Researchers at ETH Zurich built a bot using the YOLO image recognition model that can nail these challenges 100% of the time. They even went the extra mile with VPNs and fake mouse movements to really sell the "I'm totally human guys, trust me" act.

Google's been trying to phase these out since 2018 with their "invisible" reCAPTCHA v3, but millions of sites still use the old version. And when v3 isn't sure you're human, it falls back to... you guessed it, the same breakable image challenges. We're entering an era where telling humans from bots is going to be a MAJOR pain in the ass. As the researchers put it, it's like trying to design a trash can that's too tough for bears but easy enough for humans - there's more overlap than you'd think. (read more)

Canada has kicked out TikTok citing national security concerns.

This headline made me laugh.

Apple might have quietly dropped a security feature in iOS 18 that's driving law enforcement nuts. Apparently, iPhones in evidence lockers are rebooting themselves after being off cellular networks for a while, which kicks them into a more secure state that's way harder to crack. Even phones in Faraday boxes aren't safe from whatever's causing this.

The cops think it might be some new feature where iOS 18 devices are telling other nearby iPhones to reboot if they've been offline too long. Matthew Green seems skeptical of that specific theory but calls the idea of phones auto-rebooting after extended network disconnection "brilliant."

Either way, forensics labs are freaking out and scrambling to isolate their evidence phones before they all go into lockdown mode. Absolutely awesome move if Apple did this intentionally. (read more)

Quick PSA: Someone is attacking Tor right now and has been for a few weeks.

There is a clever attack hitting Tor right now. Someone's spoofing Tor Exit and Directory node IPs to blast SSH port scans, triggering a flood of abuse complaints that's getting legit Tor infrastructure blocked by hosting providers. The attacker, who goes by "r00t", came out to claim responsibility after Andrew posted his findings.

If you're a hosting provider, you might want to ignore those SSH scanning complaints coming from the IPs listed here: https://pastebin.com/idKU0agt. The Tor team is working to track down the actual source of this traffic to shut it down. Pretty creative way to disrupt Tor infrastructure without actually having to break the crypto.

Also fun convo in this twitter thread about the modern state of IP spoofing. (read more)

Apache just patched a spicy RCE in Lucene.NET (CVE-2024-43383). The bug affects their 4.8 beta versions and stems from a deserialization flaw that could let attackers execute arbitrary code. They need to either intercept traffic between replication client/server or control the target replication node URL.

If you're running any version between 4.8.0-beta00005 and beta00016, time to bump up to beta00017. Pretty straightforward fix for what could be a nasty vulnerability in this popular search engine library. Props to Apache for the quick turnaround on this one. (read more)

Google Cloud is finally joining the MFA party - they're making it mandatory for all users in 2025. About time, considering 70% of Google users already use some form of MFA. The rollout will be phased, starting with new users early next year and extending to federated users by the end of 2025.

Interesting timing given all the credential-based attacks we've seen lately. Microsoft and AWS have already made similar moves, so Google's playing a bit of catch-up here. They're at least being pretty chill about it - giving plenty of heads up and resources to help with the transition. If you're feeling proactive, you can enable it now at security.google.com under the 2-Step Verification settings. (read more)

Google just dropped patches for two actively exploited Android vulnerabilities. One's in the core Android framework (CVE-2024-43093) letting attackers elevate privileges, while the other's a use-after-free bug in Qualcomm's kernel code (CVE-2024-43047).

What makes this a bit more interesting is that Google's TAG team and Amnesty International found these being used in targeted attacks. When those folks spot something in the wild, it's usually nation-state level stuff. Time to mash that update button if you haven't already - though we all know how Android updates go in practice. Pour one out for all those folks still running Android 11. (read more)

Interpol's been busy this summer with Operation Synergia II, taking down a massive network of cyber baddies. We're talking 22,000 malicious IPs and hundreds of servers linked to phishing, ransomware, and infostealers. The operation nabbed 41 arrests across 95 countries, with another 65 folks sweating it out under investigation.

What's cool here is seeing the public-private partnership in action - Group-IB, Trend Micro, Kaspersky, and Team Cymru all pitched in to help identify the bad infrastructure. Different countries got different pieces of the action too - Mongolia went ham with 21 house searches while Hong Kong took down over 1,000 sketchy servers. This follows up on their smaller operation from late 2023, showing Interpol's really ramping up their takedown game. (read more)

Another day, another phishing tactic. This time using DocuSign. The attackers are actually paying for legit DocuSign accounts and using the Envelopes API to mass-send fake invoices that look like they're from Norton or PayPal. Since these are coming from docusign.net, they're sailing right past email security.

The scam is pretty slick - they keep the invoice amounts realistic and try to get targets to e-sign, which they can then use to authorize payments. DocuSign knows about it but seems to be struggling with the fact that these are paying customers abusing legitimate features. Their response was basically "trust us, we're working on it" - which is about as reassuring as it sounds. (read more)

Side note: My friends at Sublime Security are also seeing some DocuSign tactics in the wild. Check out their new research here - Living Off the Land: Callback Phishing via Docusign comment

Interlock Ransomware Emerging as a New Force

We've got a fresh face in the ransomware scene - Interlock is making waves by targeting some big fish across manufacturing, tech, healthcare, and government sectors. They’re patient too… Hanging out in networks for weeks before dropping the payloads. For the initial compromise, they're using fake Chrome updates hosted on legitimate news sites to deploy a RAT that brings along some friends (keylogger and credential stealer).

There is also a potential connection to Rhysida ransomware - Cisco Talos spotted some code overlap and similar TTPs between the two. They're running a double-extortion playbook with both Windows and Linux variants, complete with the obligatory shame-and-leak site. The technical details (like the ".Interlock" extension and their persistence methods) suggest these aren't amateurs, and the Rhysida connection might explain why they hit the ground running. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay