🎓️ Vulnerable U | #091

Palo Alto Networks, Apple, and VMware active exploitation, Scattered Spider members arrested, certified pre-pwned port cranes from China, and more!

Read Time: 7 minutes

Howdy friends!

Had a great time seeing some of you out at the Hacker Hoedown this week. Thanks to Pedram Amini from InQuest/OPSWAT for hosting. It’s always fun when people come up to me and say they appreciate Vulnerable U, and it happened more than a few times last night.

I noticed something else. This was at a bar on dirty 6th Street, and for those of you who don't know, I'm 2 years sober. I used to be a frequent visitor to 6th Street bars. It's a weird, almost otherworldly nostalgia walking around there sober, looking in those windows.

I felt like Matthew McConaughey looking through the bookcase in Interstellar. Into another dimension or a very different timeline had I not changed course. Hard to explain.

Hacker Hoedown

ICYMI

🖊️ Something I wrote: Talked last week about The Myth of Arrival - Feeling Incomplete Despite Achieving Success

🎧️ Something I heard: The Absolute AppSec podcast had a buddy of mine, Kinnaird, on.

🎤 Something I said: FBI stated that the telecoms hacked by China impacted some government officials

🔖 Something I read: Spelunking in Comments and Documentation for Security Footguns

📣 Sponsor

Do You Know What Apps Are Running in Your Environment?

Organizations have on average 129 shadow apps. These apps are usually connected to core business apps, putting your data at risk.

Reco has published The State of SaaS Security 2024 report that provides insights for securing your organization's expanding SaaS footprint.

Our comprehensive analysis of >6,600 SaaS environments reveals:

  • 26% of apps fly under the radar of Security teams.

  • 1 in 10 accounts do not have MFA.

  • >90% of Salesforce implementations have the same critical misconfiguration.

And more... Find out the most common SaaS security risks and what you can do to mitigate them.

Vulnerable News

We wrote about this PAN bug before it even had a CVE last week, but since then it’s been actively exploited. Palo Alto dropped the news on Friday that attackers are using this unauthenticated RCE bug against Next Generation Firewalls in what they're calling Operation Lunar Peek.

Shadowserver originally found over 8,700 exposed management interfaces out there, and today reported that 2,000 of those are already compromised. If you're running PAN-OS, you'll want to restrict management interface access to trusted IPs ASAP. Not surprising to see edge devices getting hit - CISA just dropped a report showing these were among last year's most exploited targets. (read more)

Those vCenter Server bugs from the Matrix Cup competition are now being actively exploited in the wild. Two nasty ones: a heap-overflow with a 9.8 CVSS score that can lead to remote code execution, and a privilege escalation flaw sitting at 7.5. Both just need network access to work.

VMware's first patch attempt in September didn't quite stick the landing for the RCE bug, requiring a do-over in October. Now that these are being actively exploited, it's probably time to stop procrastinating on those updates. No workarounds available either - you'll need to bite the bullet and patch. Check the advisory for the fixed versions and maybe don't wait for the weekend on this one. (read more)

Microsoft's throwing cash at hackers again, this time with a focus on their AI and cloud stuff. They're calling it Zero Day Quest (cool name, I guess) and they're not being stingy - $4 million in bonus money on top of their regular bounties. The real juice is they're doubling all AI-related bounties permanently and adding a 50% bonus for critical bugs in specific scenarios.

They're also planning an exclusive live hacking event in Redmond next year. Top performers from the public challenge get invited to hang with Microsoft's AI red team and engineers. It's pretty clear Microsoft's sweating about AI security, which makes sense given how much they've bet on it lately. The whole thing runs until January 2025, so get to hacking! (read more)

A Russian ransomware admin got scooped up in South Korea and extradited to the U.S. Evgenii Ptitsyn, allegedly one of the masterminds behind Phobos ransomware, is now facing some serious charges that could land him in prison for decades.

Ptitsyn (aka "derxan" and "zimmermanx") was apparently running the show since 2020, managing affiliate relationships and controlling the crypto wallet where victims paid up. Phobos itself has been quite the menace, hitting over 1,000 organizations and raking in $16M in ransoms. Now Ptitsyn gets to explain all about it to a Maryland court. (read more)

Don't ignore those Mac updates this time, people. Apple just dropped some emergency patches for two zero-days being actively exploited on Intel Macs. One's in JavaScriptCore (their JavaScript engine), letting attackers run arbitrary code, while the other's a WebKit cookie management issue leading to cross-site scripting. Both were found by Google's TAG team, which usually means something is going down.

If you're running macOS Sequoia, iOS/iPadOS 18/17, visionOS, or Safari - time to hit that update button. Apple's being typically tight-lipped about the details, but when TAG finds bugs being actively exploited, it's usually worth paying attention to. Plus, WebKit flaws have a history of being abused in the wild, so probably don't sit on this one. (read more)

Finastra, which handles software for 45 of the top 50 banks globally, just discovered someone made off with 400GB of their data. The attacker, going by "abyss0", tried selling it on BreachForums for a surprisingly modest $20k (later dropped to $10k). What's interesting is that Finastra only caught wind of this on Nov 7th, but the timeline suggests the attacker had access for at least a week before being detected.

Here's where it gets weird - right after Finastra went public about the breach, abyss0 completely vanished. Their Telegram account? Gone. BreachForums presence? Poof. Either they found a buyer and rode off into the sunset, or something spooked them enough to nuke their entire online presence. And this isn't Finastra's first rodeo - they got hit with ransomware back in 2020 but managed to recover without paying up. (read more)

Well this is terrifying. And fantastic reporting. A joint investigation by WIRED and others found that anyone can buy location data that tracks US military and intelligence personnel in Germany - right down to their visits to nuclear weapon storage sites and (awkwardly) brothels.

They got their hands on 3.6 billion location coordinates from a Florida data broker that revealed the movements of thousands of devices at sensitive military installations, including NSA facilities and bases where Ukrainian troops were being trained.

The Pentagon has known about this risk since at least 2016 but seems powerless to stop it. The data comes from regular old advertising trackers in apps, which then gets sold by data brokers. While Congress is trying to pass some privacy bills to address this, progress is slow. In the meantime, foreign adversaries can map out US military operations and potentially blackmail personnel for a bargain price of... whatever data brokers are charging these days. (read more)

Scattered Spider's crew just got a bit smaller. The feds nabbed five members of the group that's been causing chaos since 2022, including that massive MGM Resorts hit last year. Four Americans and one Brit are facing charges for SMS phishing campaigns that led to some pretty impressive heists, in the tens of millions in stolen data and crypto.

Their playbook was pretty straightforward but effective - blast out phishing texts to employees claiming they needed to "keep their account active," then use those harvested creds to crawl through networks. They heavily targeted Okta customers, phishing the SSO creds, which then gave them access to hundreds of SaaS apps.

While three of the suspects are in custody, researchers think this isn't the whole gang, so we probably haven't seen the last of Scattered Spider. (read more)

Well this is concerning. Looks like those massive cranes moving our shipping containers around (80% of them!) are basically Chinese remote controls waiting to happen. The Coast Guard just dropped a warning that these ZPMC-made cranes come with built-in backdoors that could let someone take control from afar.

The timing's interesting - this follows a February executive order beefing up maritime cybersecurity. But these remote control features are actually crucial for port operations, so it's not like we can just disable them. And with only 36% of port operators even bothering to use the Coast Guard's cybersecurity resources, we might have a perfect storm brewing here. Critical infrastructure with pre-installed vulnerabilities is not an ideal situation. (read more)

BlackSuit ransomware (formerly Royal) is ramping up operations in 2024. Unit 42 has tracked at least 93 victims globally since their May 2023 rebrand, with construction and manufacturing taking the biggest hits. Despite claiming they ask for "quite a small compensation," their average ransom demand is about 1.6% of annual revenue - not exactly pocket change when the median victim revenue is $19.5M.

The group, tracked as Ignoble Scorpius, has an impressive bag of tricks, including supply chain attacks, credential theft tools like Mimikatz, and both Windows and Linux variants targeting VMware ESXi servers. They're particularly fond of using Rclone for data exfil and Cobalt Strike for post-exploitation. Most victims are US-based, and they're running a classic leak site extortion operation. Unit 42 dropped some nice detection rules if you're running their stack. (read more)

If the word "hacker" is in a New York Times headline, I get a lot of DMs. So I had to cover this one. However, there are virtually no details about the hack or the hacker. They even state that the hacker isn't the one who leaked the data, but then don't say who actually did leak it.

I think "hacker" is doing some heavy lifting here, but some data from an ongoing lawsuit was stolen via a file share link. It contains testimony and evidence against Matt Gaetz, who at the time was the nominee for US Attorney General; he has since stepped down. This lawsuit is unrelated to the ethics investigation going on in Congress; it stems from a defamation case brought by a friend of Gaetz's who is tied up in all of this as well. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay