🎓️ Vulnerable U | #094

Massive Cleo File Transfer Vulnerability, Sen. Wyden's demands in wake of Salt Typhoon telecom hack, AI Security Agent Market Overview, Yahoo Paranoids laid off, and much more!

Read Time: 7 minutes

Howdy friends!

I just got back from speaking at a conference in Philly, which I haven’t been to since I was a kid. It was a quick trip, so I didn’t get to explore much, but I stayed in the heart of downtown and really enjoyed myself and had some great food.

Loved some of the food so much I made a video about it and went semi-viral on TikTok where I subsequently got dragged by half of Philadelphia for calling one of their landmarks (Reading Terminal) a “cute little market.” I can only assume this would be like me going to Times Square and calling it an adorable little part of town. I made my penance by replying to comments saying, “I’m so sorry. Go Birds! 🦅”

Preview of my blog this week on the industry latching on to our mental health issues and addictions:

Profitable Misery

Quick stats to ruin your day:

- 58% of U.S. adults consider themselves lonely
- Mental health startup funding hit $5.5 billion in 2021
- Sports betting apps grew 44.5% in 2023
- AI companion apps are now a $196.6B market

Welcome to the Loneliness Economy, where your isolation is someone else's quarterly earnings.

Here's the thing about loneliness - it's really fucking profitable. Just ask the VCs pouring billions into AI therapists, digital girlfriends, and algorithm-driven dopamine dealers. We've created a perfect storm where technology simultaneously isolates people and sells them the cure for isolation.

ICYMI

🖊️ Something I wrote: Inside ExxonMobil's Alleged Hack-for-Hire Campaign Targeting Climate Activists

🎧️ Something I heard: The Daily did a really good job covering the Salt Typhoon telecom hacks.

🎤 Something I said: I dug into what some people are saying about SMS scams and number-warming

🔖 Something I read: I was at the bookstore when it opened for the Wind and Truth release. I’m about 300 pages in (out of 1300!)

📣 Sponsor

Stop Breaches Before They Start with Intruder

Attackers move fast—you need to be faster. Intruder provides real-time discovery and prioritization of attack surface weaknesses so you can focus on the fixes that matter most.

Key Features:

  • Attack Surface Management: Discover unknown assets like subdomains, APIs, logins, and more.

  • Vulnerability Management: Automatically scan newly discovered services for vulnerabilities.

  • Exposure Management: Find 1000+ attack surface issues other scanners miss.

  • Advanced Prioritization: Leverage the latest threat intelligence to address critical issues first.

Try Intruder for free or get a demo today!

Vulnerable News

Heads up if you're running Cleo's file transfer tools: CVE-2024-50623 is being actively exploited right now. The patch Cleo initially pushed (v5.8.0.21) is still vulnerable. Oops. They've released a proper fix in v5.8.0.24, but not before at least 10 businesses got popped, with researchers seeing attacks targeting consumer products, food, trucking, and shipping companies.

In my favorite testimonial yet: I shared this hack on Instagram, and someone DM’d me saying their company used this software. A few hours later they came back and said they had been popped and had found it because of my post. 💪

If you're running Harmony, VLTrader, or LexiCom, you'll want to grab that new patch ASAP. Until then, get those servers behind a firewall and maybe disable the Autorun directory that the attackers are abusing. This is just the latest in a string of file transfer tool compromises we've seen lately - remember MOVEit? Seems like these tools are becoming threat actors' favorite new playground. (read more)
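A patch-gate check against the Cleo versions mentioned above, added here as an example (not code from the newsletter or from Cleo): it flags hosts still on the incomplete v5.8.0.21 patch separately from hosts that never patched at all. The inventory, host names and non-Cleo product in it are constructed.

```python
"""Patch-gate triage for the Cleo CVE-2024-50623 advisory described above."""

# Versions from the newsletter: 5.8.0.21 was the incomplete first patch,
# 5.8.0.24 is the release described as the proper fix.
INCOMPLETE_PATCH = "5.8.0.21"
FIXED_VERSION = "5.8.0.24"
AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so it compares numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(product: str, version: str) -> str:
    """Return 'not-affected', 'patched', 'incomplete-patch' or 'unpatched'."""
    if product not in AFFECTED_PRODUCTS:
        return "not-affected"
    v = parse_version(version)
    if v >= parse_version(FIXED_VERSION):
        return "patched"
    if v == parse_version(INCOMPLETE_PATCH):
        return "incomplete-patch"  # took the first patch, still exploitable
    return "unpatched"


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Group host names by status so the ones needing v5.8.0.24 are obvious."""
    out = {"unpatched": [], "incomplete-patch": [], "patched": [], "not-affected": []}
    for host in inventory:
        out[classify(host["product"], host["version"])].append(host["host"])
    return out


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    {"host": "mft-01.example.internal", "product": "Harmony", "version": "5.8.0.24"},
    {"host": "mft-02.example.internal", "product": "VLTrader", "version": "5.8.0.21"},
    {"host": "mft-03.example.internal", "product": "LexiCom", "version": "5.7.0.9"},
    {"host": "web-01.example.internal", "product": "nginx", "version": "1.26.0"},
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:17s} {', '.join(hosts) or '-'}")
```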


Looks like the Salt Typhoon hack is finally forcing some action in DC. Sen. Wyden's dropping a new bill that would make the FCC actually do its job and set some real security rules for telecoms. About time, considering Chinese hackers are still camping in the networks of AT&T, Verizon, T-Mobile, and others - to the point where the feds are telling Americans to stick to encrypted messaging apps.

The proposed Secure American Communications Act would require telecoms to check if their systems can be tapped without authorization (wild that this isn't already required) and get third-party security audits. Wyden's not mincing words either, basically calling out both the telecoms and FCC for letting foreign spies in. Given AT&T's had three separate security incidents this year alone, maybe some mandatory security requirements aren't such a bad idea. (read more)

Russian APT Secret Blizzard has been playing Grand Theft Infrastructure with other nation-state hacking groups. Microsoft caught them hijacking the command and control servers of six different APT teams, including Pakistan's Transparent Tribe. They're basically setting up shop in someone else's house and using their tools to spy on targets in South Asia.

The really interesting part is how they're doing it. Once they take over another group's server, they drop their own tool called Arsenal (built on QtFramework) and sometimes the TinyTurla backdoor. They've even been piggybacking on Transparent Tribe's CrimsonRAT deployments. Pretty clever way to minimize effort while maximizing reach, even if the targets aren't always exactly what they're after. (read more)

A report just came out about some "SpyLoan" malware that's already infected 8 million phones through fake loan apps. These scammers are getting creative - they're cloning legit financial apps on Google Play, complete with matching logos and branding. Once installed, they demand all sorts of personal info and docs, then use that data for everything from straight-up bank account drainage to good old-fashioned extortion.

The apps are particularly nasty in how they operate - death threats for missed payments, harassing your contacts, and even AI-generated blackmail content. They mainly target users in developing nations across Africa, South America, and Southeast Asia. The usual "verify app legitimacy" advice applies here, but let's be real - when these things are convincing enough to slip past Google Play's screening, that's easier said than done. (read more)

Gosh I love Bob. He’s dropping some truth bombs about securing your comms in the wake of compromised telcos. His main message is to encrypt everything, and Signal is your best bet for both personal and business use. He's not messing around either - telling enterprise leaders they've got 30 days to get their act together and make end-to-end encryption the standard for all business chats.

The rest is pretty much security basics on steroids - ditch SMS MFA for FIDO/passkeys, use a password manager, and for the love of all things holy, stop using WeChat and Telegram. He's also got some spicy takes, like saying no to personal VPNs (they're not the security silver bullet those endless YouTube sponsorships would have you believe) and suggesting everyone enable Lockdown Mode on their iPhones. TL;DR All networks are hostile now, so act accordingly. (read more)

Here's a great rundown of what's happening in AI security startups - turns out there's been a massive boom in companies using AI agents for security work since April. Brandon Dixon's been tracking this space and put out a pretty comprehensive market map showing three main trends emerging: incident triage (basically SOAR 2.0 but with AI), code vulnerability scanning (think automated security engineers), and security copilots (AI assistants that help security teams get stuff done). (read more)

Remember those North Korean IT workers we've been talking about all year? Well, the DoJ just indicted 14 of them. These folks managed to scam their way into remote tech jobs at U.S. companies and rake in a cool $88 million over six years. They even had internal "socialism competitions" where they'd compete to see who could generate the most money for North Korea.

The scam was pretty in-depth - they'd pay Americans to show up for interviews, create fake company websites (sometimes with hilariously bad copy), and even resort to extortion when companies caught on. The two companies behind it, Yanbian Silverstar and Volasys Silverstar, had over 130 "IT warriors" on payroll. Uncle Sam's offering $5M for more info on these guys, though I suspect they're probably chilling somewhere with no extradition treaty. (read more)

This sucks. The Paranoids @ Yahoo was one of the oldest, largest, and highest-reputation internal security teams in the industry.

A lot of good talent was built and trained there. Past bosses of mine, founders of companies you all have heard of, and a lot of my colleagues all went through there.

“Overall, the company has laid off or lost through attrition 40 to 50 people from a total of 200 employees in the cybersecurity team since the start of 2024” (read more)

Android's stepping up its anti-stalking game with some updates to their unknown tracker alerts. Now when your phone spots a sketchy tracker following you around, you can pause location updates for 24 hours - basically going dark to whoever might be tracking you. They're also adding a "Find Nearby" feature to help you actually locate the physical tracker and disable it.

This is part of that broader industry push to combat tracker stalking we've been seeing lately, following some pretty grim cases of AirTags being used for nefarious purposes. Google and Apple are both backing a new spec called "Detecting Unwanted Location Trackers" that works across both platforms. Nice to see the tech giants actually working together on safety features for once. (read more)

Well, this is terrifying. Fog Data Science is selling cops access to a massive location tracking database, and they're explicitly asking for info about targets' doctor visits to help track them down. For less than $10k a year, local police can access billions of data points from over 250 million devices. That's way cheaper than competitors like Venntel, which charges $100k for similar data.

The timing couldn't be worse given the post-Roe landscape. While other location data firms like Safegraph and Placer.ai backed off from selling healthcare facility visit data after getting called out, Fog is leaning into it - straight up asking cops for doctor office addresses in their intake forms to help unmask people of interest. Between this and the recent Babel Street revelations about tracking devices to abortion clinics across state lines, the surveillance implications are pretty grim. (read more)

Miscellaneous mattjay

Watch me get dragged by all of Philadelphia in my comments for not knowing what Reading Terminal was

@vulnerable_matt

Best part of traveling for work. Trying all the food from around the world.

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay