🎓️ Vulnerable U | #093
Big Vulnerable U Announcement, US Telcos still owned by China, Scattered Spider arrests, Crypto Supply Chain attacks, and much more!
Read Time: 8 minutes
Howdy friends,
Hope you all had a great Thanksgiving (if you celebrate) and are leaning into this wonderfully fake, time-isn’t-real month of December. We're in FULL "circle back next year" mode. Calories? Don’t count. KPIs? What are those?
Big news: Vulnerable U is now my full-time gig! 🎉 After years of your incredible support, I’m beyond excited to take this leap. You made this possible—thank you from the bottom of my heart. The sponsor calendar for Q1 is already filling up, and I can’t wait to see what we accomplish together.
Even bigger news: Vulnerable U is growing! I’ve launched Vulnerable Media, an agency focused on technical marketing for cybersecurity companies. We’re already working with amazing clients to help them:
Tell their stories like an insider (because we’ve bought these products too).
Craft campaigns that resonate with the infosec community.
Deliver killer writing, blogs, social media, and SEO strategies to stand out.
Imagine your ideal customer in your Slack channel helping shape your strategy—and also delivering technical content without having to explain it to the writer. That’s us.
If your team could use a marketing partner who actually knows how to spell Kubernetes (and pronounce it), hit me up.
Thanks for letting me share this milestone with you all. A more official launch is in the works.
P.S. This week’s blog is about how cultivating meaningful in-person relationships has saved my sanity lately—timely advice for anyone feeling the same way. Check it out:
Quick stats: Smoking a pack a day increases your mortality risk by 83%. Being lonely? That'll kill you 90% faster. Yet we have warning labels on cigarettes and celebration posts for "grinding alone." Make it make sense. [Source]
I wrote about the loneliness epidemic a year ago, and holy shit, did that strike a nerve. My inbox looked like a confessional booth. CTOs, junior analysts, and everyone in between sharing stories that boiled down to: "I thought it was just me."
Plot twist: It's not just you. It's not just the rich CEO (though yeah, they're lonely too – cue the tiny violin). It's all of us.
We've optimized ourselves into isolation. We've A/B tested our way to efficiency and automated our connections right out of existence. Slack has replaced water cooler talk. Zoom has replaced lunch breaks. And Twitter/X/whatever-the-hell-it's-called-now has replaced meaningful discourse.
The Math Doesn't Math
- 2-3 close friends in 1990
- 0.9 close friends in 2023
- Infinite LinkedIn connections
Something's broken here, folks.
ICYMI
🖊️ Something I wrote: Inside ExxonMobil's Alleged Hack-for-Hire Campaign Targeting Climate Activists
🎧️ Something I heard: According to Spotify Wrapped I heard a lot of Blink-182’s new album. But I’m shocked Hot Mulligan wasn’t number 1.
🎤 Something I said: Someone hit me up on LinkedIn this week and said they thought my interview on Tines’ podcast was super insightful. Always cool to hear that things resonate.
🔖 Something I read: My homies rez0 and Rhynorater launched an AI hacking assistant that I’m super hyped about.
📣 Sponsor
Practical Guide to Cloud Detection & Response
Cloud attacks are evolving, and so is detection and response.
For modern security teams, the cloud presents both a blessing and a curse. Abundant telemetry allows for unparalleled visibility and control, but traditional security tools (like SIEM and EDR) fall short in addressing the complexities and scale of cloud infrastructure.
That’s why a new category of tools is emerging – Cloud Detection and Response (CDR).
This practical guide covers:
→ What is Cloud Detection and Response (CDR)
→ Why you need a CDR solution (and how other tools fall short)
→ Key benefits & capabilities of CDR tools
Vulnerable News
Whoa, this is a big deal. The FBI - yes, the same folks who've been fighting against encryption for years - is now telling Americans to use encrypted messaging apps. Why? Because Chinese hackers (Salt Typhoon crew) have apparently been having a field day with at least eight U.S. telecom networks, potentially snooping on private calls and texts of government officials.
The scope of this thing is wild - we're talking dozens of countries affected, and these hackers are still in the networks, and the telecoms can't seem to kick them out. When the FBI does a complete 180° on encryption, you know things are serious. It's like they finally had to admit "okay fine, maybe those crypto nerds were right all along about needing strong encryption by default." (read more)
Interpol just dropped some impressive numbers from their latest cybercrime crackdown - 5,500 arrests across 40 countries and $400M in seized assets. Operation HAECHI V (July to November) was targeting the less glamorous side of cybercrime - your romance scams, voice phishing, and BEC attacks. While these might not get the same attention as ransomware gangs, they're actually causing massive damage globally.
The highlight reel includes taking down a Beijing voice phishing operation that had racked up $1.1B in losses, and a pretty slick save where they recovered almost all of a $42.3M BEC hit on a Singapore company. They're also flexing a new tool called I-GRIP that helps them freeze stolen funds before they vanish into the crypto void. Not bad for a few months' work. (read more)
Here's a wild one - remember that Russian influencer who was always flexing expensive watches and running Moscow hotels? Turns out Ekaterina Zhdanova was allegedly running one of the biggest crypto money laundering operations Western law enforcement has ever seen. The NCA and FBI say she was the mastermind behind the "Smart Group" network that helped Russian oligarchs, ransomware gangs, and other criminals clean their dirty crypto.
The scheme was pretty clever - they'd take crypto from Russians needing to dodge sanctions, then coordinate with drug gangs across Europe to swap it for cash. We're talking billions moving through this system annually. Zhdanova's currently in French custody, and authorities just dropped sanctions on a second network called TGR Group that worked with her operation. Quite the fall from grace for someone who told fashion magazines she was "probably a chameleon" - turns out that was more accurate than they knew. (read more)
Heads up Zabbix users - time to patch those servers. A nasty SQL injection vulnerability just dropped (CVE-2024-42327) that's scoring a spicy 9.9 CVSS. The bug lets non-admin users with API access potentially take over the whole server through the user.get endpoint. With 83,000 internet-exposed instances out there, this one's worth paying attention to.
Zabbix dropped fixes in versions 6.0.32rc1, 6.4.17rc1 and 7.0.1rc1. They also disclosed a few other high-severity issues including arbitrary code execution and some auth bypass shenanigans. Given Zabbix's widespread use in banking, healthcare and government, this is one you'll want to patch sooner rather than later. (read more)
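A quick "am I affected?" check is the thing most teams want first. This is an added example, not Zabbix's code or anything from the newsletter: it parses Zabbix version strings (including the `rc1` builds named above) and compares them against the fixed versions. The affected ranges are an assumption derived from the fix list (every build on the 6.0, 6.4 and 7.0 branches below the fix is treated as vulnerable; other branches return `None` rather than a guess). The JSON-RPC body uses Zabbix's unauthenticated `apiinfo.version` method, so an inventory script can ask each server without credentials; the sample response is constructed, not captured from a real host.

```python
import json
import re

# Fixed builds from the advisory text above. Assumption: on each branch,
# every build below the fix is affected; branches not listed are unknown.
FIXED_BY_BRANCH = {
    (6, 0): 32,   # fixed in 6.0.32rc1
    (6, 4): 17,   # fixed in 6.4.17rc1
    (7, 0): 1,    # fixed in 7.0.1rc1
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(rc|alpha|beta)(\d+))?$")


def parse_version(text):
    """Split '6.0.32rc1' into (major, minor, patch, pre) where pre is ('rc', 1) or None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = (m.group(4), int(m.group(5))) if m.group(4) else None
    return major, minor, patch, pre


def is_vulnerable(version):
    """True if the build is older than the first fixed build on its branch.

    Returns None when the branch is not in the advisory's fix list, so the
    caller can flag it for manual review instead of silently passing it.
    """
    major, minor, patch, _pre = parse_version(version)
    fixed_patch = FIXED_BY_BRANCH.get((major, minor))
    if fixed_patch is None:
        return None
    # The fix shipped in an rc build of `fixed_patch`, so any build with that
    # patch number or higher (rc or GA) already carries it.
    return patch < fixed_patch


def apiinfo_request():
    """JSON-RPC body for Zabbix's apiinfo.version call (POST to /api_jsonrpc.php, no auth)."""
    return json.dumps({"jsonrpc": "2.0", "method": "apiinfo.version", "params": [], "id": 1})


def assess_response(body):
    """Parse an apiinfo.version response and return (version, vulnerable-or-None)."""
    version = json.loads(body)["result"]
    return version, is_vulnerable(version)


# Constructed sample response in the shape the server returns; not from a real host.
SAMPLE_RESPONSE = '{"jsonrpc":"2.0","result":"6.4.16","id":1}'

if __name__ == "__main__":
    version, vuln = assess_response(SAMPLE_RESPONSE)
    status = {True: "VULNERABLE", False: "fixed", None: "branch not in advisory, review manually"}[vuln]
    print(f"Zabbix {version}: {status}")
```

This only reads the version; it does not touch `user.get` or exercise the bug. While the patch window is open, it is also worth reviewing which user roles have API access enabled, since the text above notes the bug is reachable by non-admin accounts that have it.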
The FTC just dropped the hammer on some data brokers who've been playing fast and loose with our location data. Gravy Analytics and Mobilewalla got busted for tracking and selling sensitive location info - we're talking visits to medical facilities, religious spots, and even people's private homes. Between 2018 and 2020, Mobilewalla alone collected over 500 million unique advertising IDs paired with precise location data.
The FTC's not messing around here - both companies are now banned from selling this kind of sensitive data (except for some narrow national security cases), and they've got to delete all their historic location data. Plus, they need to make sure anyone they sold this data to in the last three years deletes it too. This is part of a broader FTC crackdown on data brokers, with similar actions against InMarket and X-Mode earlier this year. (read more)
Another Scattered Spider member got nabbed - this time it's 19-year-old Remington Ogletree who allegedly pulled off some major telecom hacks. The kid managed to breach two telcos and a financial institution, using the access to blast out 8.5 million phishing texts posing as crypto exchanges and gaming companies. This led to about $4 million in stolen crypto.
This is part of a bigger crackdown on Scattered Spider (you might remember them from the MGM and Caesars hacks). Five other members were charged last month, and they previously grabbed a 17-year-old in the UK. The timing's interesting too - coming right as US officials are warning about Chinese state hackers targeting phone companies to spy on Trump and other political figures. Seems like telecoms are having a rough time lately. (read more)
A decade-old Cisco ASA WebVPN bug from 2014 is getting some fresh attention. The Androxgh0st botnet has been poking at this ancient XSS vulnerability (CVE-2014-2120), enough to get CISA to add it to their "actively exploited" list. While the bug itself isn't particularly spicy (CVSS 4.3), the fact that it's still finding targets 10 years later is pretty wild.
The real story here isn't the vulnerability - it's the fact that there are still unpatched ASA boxes out there from 2014. If you're running one of these dinosaurs, maybe it's time to dust off that change management process and get patching. Having your security appliance compromised via a bug old enough to be in middle school is not the kind of thing you want to explain to the board. (read more)
While all you crypto folks celebrate Bitcoin hitting $100k - Solana's Web3.js library just had a nasty supply chain attack. Two compromised versions (1.95.6 and 1.95.7) were slipped onto npm after someone got access to a publish account. The malicious code was designed to steal private keys and drain wallets, which is about as bad as it gets for a crypto library that sees 350k+ weekly downloads.
Good news is they caught it pretty quick (window was only about 5 hours on Dec 2nd) and the bad versions have been yanked. But if you were unlucky enough to have grabbed those versions, GitHub's saying to treat any machine that ran them as completely owned - time to rotate ALL the keys from a clean system. Regular users with non-custodial wallets should be fine, but developers and bot operators might want to check their dependencies ASAP and upgrade to 1.95.8. (read more)
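"Check their dependencies" in practice means checking lockfiles, not just `package.json`, because a caret range like `^1.95.0` can resolve to a bad release without the manifest ever changing. The script below is an added example (not from the newsletter, GitHub's advisory, or the Solana project): it walks an npm `package-lock.json` in both the v2/v3 `packages` layout and the older v1 `dependencies` tree and reports every install of `@solana/web3.js` at a compromised version, including copies nested under other packages. The sample lockfile is constructed for illustration.

```python
import json

# The two releases named above; 1.95.8 is the clean upgrade target.
COMPROMISED = {("@solana/web3.js", "1.95.6"), ("@solana/web3.js", "1.95.7")}


def find_compromised(lockfile_text):
    """Return lockfile paths of every @solana/web3.js install at a compromised version."""
    lock = json.loads(lockfile_text)
    hits = []

    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path, e.g.
        # "node_modules/foo/node_modules/@solana/web3.js". The root project is "".
        for path, meta in lock["packages"].items():
            if not path:
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if (name, meta.get("version")) in COMPROMISED:
                hits.append(path)
    else:
        # lockfileVersion 1: nested "dependencies" tree; rebuild the install path.
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if (name, meta.get("version")) in COMPROMISED:
                    hits.append(path)
                walk(meta.get("dependencies", {}), path + "/")

        walk(lock.get("dependencies", {}), "")

    return sorted(hits)


# Constructed sample: the app pins a caret range that resolved to 1.95.7, while a
# transitive copy under another package stayed on an unaffected version.
SAMPLE_LOCK = json.dumps({
    "name": "trading-bot",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "version": "0.1.0",
             "dependencies": {"@solana/web3.js": "^1.95.0", "some-sdk": "2.0.0"}},
        "node_modules/@solana/web3.js": {"version": "1.95.7"},
        "node_modules/some-sdk": {"version": "2.0.0",
                                  "dependencies": {"@solana/web3.js": "1.95.5"}},
        "node_modules/some-sdk/node_modules/@solana/web3.js": {"version": "1.95.5"},
    },
})

if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_LOCK):
        print(f"compromised install: {hit}")
```

Run it against every checkout and CI cache you have, and cross-check with `npm ls @solana/web3.js`, which shows the resolved tree for installed `node_modules`. Yarn and pnpm lockfiles use different formats and are not parsed here. Any hit means the machine that ran `npm install` or executed the code should be treated as compromised, as the text above says: rotate every key it could reach, from a clean system, before upgrading to 1.95.8.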
Researchers found a way to hijack SSO logins without even touching your main identity provider. They create accounts on other IdPs (like Apple or Google) that match your company's domain and then use those to log into your downstream apps. One 15-year-old researcher managed to pull this off against hundreds of companies through Zendesk, getting access to everything from support tickets to connected Slack workspaces.
The gnarly part is that this bypasses all your fancy security controls on your main IdP. You can have the most locked-down Okta instance in the world with hardware keys and everything, but if an attacker can create a matching account on another IdP your apps trust, game over. About 60% of apps don't even check if you're legit when adding new SSO login methods. Time to start watching those IdP activation emails like a hawk and lock down those domain verifications where you can. (read more)
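The failure mode is easiest to see in the relying party's account-matching logic, so here is an added example (mine, not from the researchers or any vendor) that models it with plain Python objects standing in for an OIDC ID token or SAML assertion. The tenant config, issuer URLs and user list are hypothetical. `weak_login` does what the text says most apps do: it matches an account by email domain and accepts any IdP it knows how to talk to. `hardened_login` binds each domain to the single IdP the customer verified, requires a verified email, and refuses to mint a session for a user who was not already provisioned in the tenant, so an attacker-created Apple or Google account with a matching domain gets nothing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    """Minimal view of an identity assertion: who issued it and the email it vouches for."""
    issuer: str
    email: str
    email_verified: bool


# Hypothetical relying-party config: each corporate domain is bound to the one
# IdP the customer actually verified it with, plus the users provisioned there.
TENANTS = {
    "example.com": {
        "issuer": "https://example.okta.com",
        "users": {"alice@example.com"},
    },
}

# Public IdPs that will issue an assertion for any mailbox a user can prove they receive mail at.
PUBLIC_ISSUERS = {"https://appleid.apple.com", "https://accounts.google.com"}


def _domain(email):
    return email.rsplit("@", 1)[-1].lower()


def weak_login(a):
    """The pattern described above: any trusted IdP plus a matching email domain is enough."""
    domain = _domain(a.email)
    tenant = TENANTS.get(domain)
    if tenant and (a.issuer == tenant["issuer"] or a.issuer in PUBLIC_ISSUERS):
        return f"session for {a.email} in tenant {domain}"
    return None


def hardened_login(a):
    """Only the IdP bound to the domain, only a verified email, only a pre-existing user."""
    domain = _domain(a.email)
    tenant = TENANTS.get(domain)
    if tenant is None or a.issuer != tenant["issuer"]:
        return None                      # wrong IdP for this domain: no silent account linking
    if not a.email_verified or a.email not in tenant["users"]:
        return None                      # unknown or unverified user: provision via the IdP first
    return f"session for {a.email} in tenant {domain}"


# Constructed assertions: an attacker-made Apple ID on a mailbox in the victim's
# domain, and a legitimate login through the tenant's own IdP.
ATTACKER = Assertion("https://appleid.apple.com", "support@example.com", True)
LEGIT = Assertion("https://example.okta.com", "alice@example.com", True)

if __name__ == "__main__":
    for label, fn in (("weak", weak_login), ("hardened", hardened_login)):
        print(f"{label:9} attacker -> {fn(ATTACKER)}")
        print(f"{label:9} legit    -> {fn(LEGIT)}")
```

If a product genuinely wants to offer social login alongside enterprise SSO for the same domain, the safe shape is an explicit link made from an already-authenticated session (or by an admin), never an automatic match on the email claim. On the customer side, the activation emails the text mentions are the tell: an IdP welcome or verification message landing in a shared mailbox such as support@ is exactly how these accounts get created.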
Miscellaneous mattjay
Me reverse engineering: Haha fuck yeah!!! Yes!!
Me engineering: Well this fucking sucks. What the fuck.
— Battle Programmer Yuu (@netspooky)
6:59 PM • Dec 3, 2024
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay