🎓️ Vulnerable U | #092
Exxon hack-for-hire, Russia using Firefox and Windows 0days, Microsoft threat intel report on North Korean capabilities, Meta nuking 2 million scam accounts, and more!
Read Time: 7 minutes
Howdy friends!
Happy Thanksgiving for my U.S. readers! I’m writing this stuffed with dinner and pumpkin pie. I hope you got to spend the holiday with whoever you wished: family, born or chosen. And I also hope the people at your table respected each other and you all felt warm and welcome.
2024 was a slight uptick in my life from the past few years, but the bar was low and I’ve still been through a lot recently. All of that said, I’m thankful for you all because I’d be much worse off without you.
ICYMI
🖊️ Something I wrote: For those of you checking it out, I’m active on BlueSky
🎧️ Something I heard: Marcus Hutchins talk about Bypassing App-Bound Encryption To Dump Browser Credentials - Goes through why malware can break into browser password managers.
🎤 Something I said: This crazy incident involving hopping remotely between networks that are geographically close to avoid Internet protections.
🔖 Something I read: I finished the Mistborn Trilogy recently and really really enjoyed it.
Vulnerable News
Well this is wild - Exxon apparently went full cybercrime syndicate on climate activists. They allegedly built this elaborate hack-for-hire operation through multiple cutouts (PR firm -> Israeli PI -> Indian hackers) to maintain plausible deniability while targeting over 500 activists and journalists. The operation, dubbed "Fox Hunt," used sophisticated phishing campaigns that lined up perfectly with key moments in climate litigation against Exxon.
For about $10M a year (pocket change for Exxon), they potentially derailed multiple state-level lawsuits and gained massive tactical advantages in court by weaponizing the stolen data. It's like they took the nation-state cyber playbook and productized it for corporate use. (read more)
RomCom's been busy with some fresh zero-days. They managed to chain together bugs in Firefox and Windows for a pretty slick drive-by download attack that doesn't need any user interaction. They've apparently been running this since October, targeting companies and government agencies worldwide with their backdoor.
Mozilla and Microsoft have both patched these up (CVE-2024-9680 and CVE-2024-49039 respectively), but it's interesting to see RomCom either doing their own vuln research or having access to someone who does. If you're running Firefox, might want to hit that update button - CISA's already added both bugs to their "Known Exploited Vulnerabilities" list. (read more)
Earth Estries, a Chinese APT group, has been busy cooking up some new tricks. Trend Micro caught them using a fresh backdoor called GhostSpider in attacks on telecom companies across Southeast Asia. This thing is even modular, meaning they can swap in new capabilities whenever they want, making it a pain to detect and analyze.
They've hit over 20 organizations across different sectors and regions, with some victims compromised for years thanks to their DEMODEX rootkit. While there's some overlap with other known groups like Salt Typhoon (yeah, the ones who recently nabbed U.S. gov data), Trend Micro isn't ready to connect those dots just yet. But they're calling Earth Estries one of the most aggressive Chinese APTs out there, so that's... fun. (read more)
Well this is dystopian. A new report from Cracked Labs details how modern offices have basically turned into giant tracking devices. Companies like Cisco are using WiFi access points and other networking gear to monitor employee movements, create "behavioral profiles," and track where everyone goes.
The pushback has already started - students at Northeastern University threw a fit when they found motion sensors under their desks (rightfully so). While vendors try to justify this with buzzwords like "workspace optimization" and "energy efficiency," the report's author Wolfie Christl points out there's nothing stopping employers from misusing this data. Europe at least has some protections against this through GDPR, but US workers are pretty much at the mercy of their surveillance-happy overlords. (read more)
Buckle up for this one - a Russian spy ring in the UK just got busted with some serious honeytrap drama. Two Bulgarian dudes have already pleaded guilty, and they were running ops with two women who were apparently both dating the same spy (awkward). The group was targeting journalists and dissidents across Europe, with a particular focus on the reporter who exposed the Salisbury poisoning links.
The spies were kitted out like a Radio Shack - 221 phones, 495 SIM cards, plus all the spy gadgets you'd expect (drones, bugs, hacking tools). One of the women ran a beauty salon called "Pretty Woman" (you can't make this stuff up), while they were planning surveillance ops across London, Vienna, Valencia, and Stuttgart. They even discussed kidnapping a journalist and hauling him to Moscow. (read more)
Microsoft dropped some fresh intel at CYBERWARCON about North Korean hackers, and wow, they're getting …dare I say the word… sophisticated. These folks are running a triple threat - stealing crypto, infiltrating aerospace/defense companies, and deploying an army of IT workers who pose as legitimate developers. These fake devs are using AI to create convincing profiles, swapping faces in photos, and even experimenting with voice-changing tech for interviews.
The money angle is pretty wild - one group of NK IT workers made $370k through their schemes, while another crew (Sapphire Sleet) managed to swipe over $10 million in crypto in just six months. They're pulling this off by posing as venture capitalists or recruiters, then hitting targets with malware when they try to join fake video meetings or take skills assessments. (read more)
GEICO and Travelers are learning the hard way that skimping on security comes with a hefty price tag. NY just slapped them with $11.3M in fines after some pretty basic security fails led to 120k New Yorkers having their data exposed. The attackers then used those driver's licenses and other info to file fake unemployment claims during COVID.
Both companies had been warned about these kinds of attacks but didn't do much about it. GEICO got hit through their agent's quoting tool and didn't bother doing a full security review after, while Travelers didn't even have MFA enabled on their portal and took seven months to notice they'd been breached. Now they're both being forced to actually implement some basic security measures - wild that it took millions in fines to get there. (read more)
Meta's flexing their moderation muscles, claiming they've nuked over 2 million accounts this year tied to those nasty pig butchering scams. If you're unfamiliar with the term "pig butchering," it's where scammers pose as attractive singles or big shots, then slowly rope victims into fake investment schemes. Most of these accounts were running out of the usual suspects: Myanmar, Laos, UAE, Philippines, and Cambodia.
The FBI's numbers show why this matters - investment fraud jumped 38% to $4.57 billion in 2023. Meta's trying to get ahead of it with some fancy detection systems and law enforcement partnerships, but let's be real - as long as there are people willing to believe they've found true love with a crypto millionaire who slides into their DMs, these scams aren't going anywhere. (read more)
Threat actors are now abusing Godot Engine (a popular open-source game dev platform) to spread malware across different operating systems. They've already hit 17,000 systems since June by exploiting Godot's ability to run custom scripts - and the scary part is most antivirus engines aren't catching it.
The attackers got creative with this one, setting up around 200 fake GitHub repos with 225+ bogus accounts to make their malicious code look legit. Once installed, the malware (dubbed GodLoader) can drop nasties like RedLine Stealer and crypto miners. While it's mainly targeting Windows now, the researchers say it wouldn't take much to adapt it for Mac and Linux. (read more)
Another NHS trust has fallen victim to what's looking suspiciously like ransomware. Wirral University Teaching Hospital NHS Trust has had to break out the old pen and paper after detecting "suspicious activity" and isolating their systems. They're being pretty cagey about calling it ransomware, but when you hear about systems being pulled offline and reverting to paper processes, well... you know how these stories usually end.
The impact is pretty significant - they're having to postpone procedures and are warning about longer wait times in A&E. Maternity services were initially said to be running normally, but interestingly that statement has since been removed from their updates. The trust oversees several hospitals in the area, including Arrowe Park and Clatterbridge, so this is affecting a decent chunk of Northwest England's healthcare system. (read more)
Miscellaneous mattjay
time to update a resource!
that’s right! POST request
time to delete a resource
that’s right! POST request
— the Rich (@Duderichy)
3:25 PM • Nov 25, 2024
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay