🎓️ Vulnerable U | #096

Phished employee pushed malicious Chrome extension, LockBit dev arrested, FBI shuts down secret Chinese police station in NYC, and more!

Read Time: 9 minutes

Howdy friends!

Merry Xmas, Happy Hanukkah, Happy New Year, and all that jazz!

On Xmas Day I woke up to a great present. There are officially 20,000 of you subscribed to Vulnerable U! 🍾 - Now that this is my full-time gig I can’t really explain how grateful I am for you all to be here. I have a lot planned for 2025 to bring more and better security content to you all.

I read that there was some sort of quad-demic going around with all sorts of viruses, flu, RSV, etc. I think my family won the jackpot and landed all possible options. Think we hit a 100% infection rate and all have been spending a few days fighting off the plague. Hope you all fared a bit better than us. I’m writing this to a chorus of people hacking up a lung in various rooms around the house.

ICYMI

🖊️ Something I wrote: How Silicon Valley turned isolation into a business model, and what we can do about it

🎧️ Something I heard: This may be one of the best YouTube videos I’ve watched in a while to dig into something like this. Exposing the Honey Influencer Scam

🎤 Something I said: Did an interview with Safety Detectives - they asked me a lot about Vulnerable U and how I see the infosec field moving forward. Short and sweet read.

🔖 Something I read: T-Pot - The All In One Multi Honeypot Platform

📣 Sponsor

Thank you to all our sponsors in 2024!

If you’re interested, our 2025 sponsor schedule is open. We’re already booking into Q2 at this point but let us know how we can be part of your outreach and help you connect with the infosec community in a meaningful way next year.

Vulnerable News

This is a really nifty attack vector on Cyberhaven - their Chrome extension got compromised after an attacker phished an employee and gained access to their Chrome Web Store admin credentials. The malicious version (24.10.4) was live for about 31 hours over Christmas, collecting webpage info and browser cookies from users and sending them to attacker-controlled domains.

Cyberhaven took about an hour to yank it once they spotted it. The timing here is pretty clever (and nasty) - launching during Christmas when security teams are running skeleton crews. What's interesting is that researchers are seeing connections to other compromised extensions, suggesting this might be part of a larger campaign. Cyberhaven's working with Mandiant now and pushing out version 24.10.6 with better telemetry. If you're running their extension, they're saying don't remove it (to preserve artifacts) but do rotate any non-FIDO2 passwords and API tokens. (read more)
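If you want to check whether the compromised build is sitting in a Chrome profile before you start rotating credentials, the sweep below is an added example (mine, not Cyberhaven's or the newsletter's code). It walks Chrome's on-disk layout of `Extensions/<id>/<version>_<n>/manifest.json` and flags any extension whose manifest name contains a fragment and whose version is in a flagged set. It assumes a name match on "cyberhaven" because the extension's Web Store ID is not given above; the version 24.10.4 comes from the write-up. It only reads files, so it is consistent with the "don't remove it" guidance.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Version the newsletter reports as the compromised release; 24.10.6 is the cleaned one.
FLAGGED_VERSIONS = {"24.10.4"}
# Assumption: match on the manifest "name" field, because the newsletter does not
# give the extension's Chrome Web Store ID. Localized names ("__MSG_...__") would
# need a _locales lookup, which this sweep does not do.
TARGET_NAME_FRAGMENT = "cyberhaven"


def default_extensions_dir(home=None):
    """Chrome's 'Default' profile Extensions folder on the standard install paths."""
    home = Path(home) if home else Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return local / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return home / ".config" / "google-chrome" / "Default" / "Extensions"


def iter_manifests(extensions_root):
    """Yield (extension_id, version_dir, manifest) for each
    Extensions/<id>/<version>_<n>/manifest.json under extensions_root."""
    root = Path(extensions_root)
    if not root.is_dir():
        return
    for ext_dir in sorted(root.iterdir()):
        if not ext_dir.is_dir():
            continue
        for ver_dir in sorted(ext_dir.iterdir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                with open(manifest_path, encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it rather than abort the sweep
            if isinstance(manifest, dict):
                yield ext_dir.name, ver_dir.name, manifest


def find_flagged(extensions_root, name_fragment=TARGET_NAME_FRAGMENT, flagged=FLAGGED_VERSIONS):
    """Return [(extension_id, version)] for installed copies whose manifest name
    contains name_fragment and whose version is in the flagged set."""
    hits = []
    for ext_id, ver_dir, manifest in iter_manifests(extensions_root):
        name = str(manifest.get("name", "")).lower()
        # Fall back to the directory name ("<version>_<n>") if the manifest lacks "version".
        version = str(manifest.get("version", "")) or ver_dir.split("_", 1)[0]
        if name_fragment in name and version in flagged:
            hits.append((ext_id, version))
    return hits


def build_sample_profile():
    """Constructed sample tree (fake IDs and names) so the sweep can run offline."""
    root = Path(tempfile.mkdtemp(prefix="ext-sweep-")) / "Extensions"
    samples = [
        ("aaaabbbbccccddddeeeeffffgggghhhh", "24.10.4_0", {"name": "Cyberhaven Sample", "version": "24.10.4"}),
        ("aaaabbbbccccddddeeeeffffgggghhhh", "24.10.6_0", {"name": "Cyberhaven Sample", "version": "24.10.6"}),
        ("bbbbccccddddeeeeffffgggghhhhiiii", "24.10.4_0", {"name": "Unrelated Tool", "version": "24.10.4"}),
    ]
    for ext_id, ver_dir, manifest in samples:
        d = root / ext_id / ver_dir
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    # A deliberately broken manifest to show the sweep tolerates bad input.
    broken = root / "ccccddddeeeeffffgggghhhhiiiijjjj" / "1.0.0_0"
    broken.mkdir(parents=True)
    (broken / "manifest.json").write_text("{not json", encoding="utf-8")
    return root


if __name__ == "__main__":
    # Usage: python sweep.py [path-to-Extensions-dir]; with no argument it runs on the sample tree.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_profile()
    hits = find_flagged(target)
    for ext_id, version in hits:
        print(f"FLAGGED {ext_id} version {version}")
    if not hits:
        print(f"no flagged extension found under {target}")
```

Point it at `default_extensions_dir()` for the local profile, or at each profile directory under `User Data` on a shared machine; Chrome keeps one directory per installed version, so an old 24.10.4 directory lingering next to 24.10.6 is exactly the artifact the incident response team asked users to preserve.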

Another day, another healthcare breach - this time it's Ascension, one of America's biggest private healthcare systems, getting hit by Black Basta ransomware. The May attack compromised 5.6 million patients' and employees' data, including the spicy stuff like medical records, payment info, and SSNs. Started with an employee downloading what they thought was a legit file (narrator: it wasn't).

The impact was pretty severe - their MyChart system went down, they had to track everything on paper like it was 1995, and even had to divert emergency services. Black Basta's been on a tear lately, especially in healthcare, and they've already collected over $100M from 90+ victims. Ascension's offering the usual "we're sorry" package - two years of identity monitoring and a million bucks in insurance coverage. But with medical records involved, that feels a bit like putting a band-aid on a gunshot wound. (read more)

It seems another LockBit domino has fallen. The DoJ just charged Rostislav Panev, a dual Russian-Israeli national they say was one of LockBit's core developers since 2019. When Israeli authorities nabbed him in August, they found admin creds for their dark web repo and control panel on his computer. He even admitted to writing code for disabling AV, spreading malware across networks, and those annoying printer spam ransom notes.

The numbers are pretty wild - LockBit hit over 2,500 victims (1,800 in the US alone) and squeezed about $500M in ransoms out of them. Some big names got popped too, including what sounds like ICBC ($449k ransom) and Boeing. This arrest is part of the ongoing cleanup after law enforcement took down LockBit's infrastructure in February. Between this and nailing their alleged leader in May, it's been a rough year for them. (read more)

Heads up if you're running BeyondTrust's Privileged Remote Access or Remote Support - there's a nasty command injection vulnerability (CVE-2024-12356) under active attack. The bug lets unauthenticated attackers execute OS commands with site user privileges, which is particularly concerning given these tools already have privileged access to enterprise networks.

BeyondTrust pushed an automatic fix on Dec 16 to cloud customers, but if you're running on-prem, you'll need to patch manually. CISA's already added this to their Known Exploited Vulnerabilities list, which tells you how serious they think this is. No details yet on who's exploiting it, but given these products are basically keys to the kingdom, you probably don't want to wait around to find out. (read more)

Mossad just revealed they spent years selling booby-trapped walkie-talkies and pagers to Hezbollah. The spy agency created fake companies, marketing campaigns, and even hired unwitting salespeople to convince Hezbollah to buy over 16,000 walkie-talkies and 5,000 pagers, each packed with precisely calibrated explosives. When they finally triggered them in September, it caused absolute chaos in Lebanon.

The technical details are fascinating - they had to make the pagers bulky enough to fit explosives but not so suspicious that no one would buy them. They even tested ring tones to ensure people would pull them out of their pockets (takes about 7 seconds on average, apparently). (read more)

The FBI just got a guilty plea from Chen Jinping for running a secret Chinese police station right in the middle of Manhattan's Chinatown. This wasn't just some random operation - it was directly connected to China's Ministry of Public Security and took up an entire floor of an office building. Chen and his buddy "Harry" Lu were basically acting as unregistered foreign agents, helping Beijing extend its reach onto US soil.

The feds caught wind of this in 2022 and raided the place, but not before Chen and Lu allegedly tried to delete their comms with their Chinese handler. Chen's looking at up to 5 years for the foreign agent charge (they dropped the obstruction bit in the plea deal), while Lu's still fighting the charges. Pretty bold move by China to set up shop like this in NYC - it's apparently their first known police station in the US, though probably not their last attempt at this kind of thing. (read more)

Apache dropped a holiday surprise with three gnarly vulnerabilities, including a SQL injection in Traffic Control (CVE-2024-45387) that scored a whopping 9.9 CVSS. The bug lets privileged users execute arbitrary SQL commands through crafted PUT requests. They also patched an authentication bypass in HugeGraph-Server and a critical RCE in MINA (that one scored a perfect 10.0).

The timing here is fun… releasing these fixes between December 23-25. While patches are available (Traffic Control 8.0.2, HugeGraph 1.5.0, and MINA 2.0.27/2.1.10/2.2.4), the holiday timing means slower patch adoption and potentially more exposure. Attackers love to strike during these periods, so if you're running any of these, might want to pause the eggnog and patch up. (read more)

Blowing the whistle on cybersecurity shenanigans is turning into a lucrative side hustle. Penn State's former CIO just pocketed $250k for calling out the university's creative interpretation of DoD security requirements. He's not alone either - we've got folks making $345k for exposing Dell's sketchy Army contract bids, and a former Symantec exec is about to cash in big after their $55.1M settlement.

The government's basically crowdsourcing their IT compliance audits through the False Claims Act, which lets insiders sue on behalf of Uncle Sam and grab a slice of the settlement pie. Makes sense - who better to spot technical failures than the folks on the inside? Though I imagine holiday parties get a bit awkward after dropping one of these lawsuits on your employer. (read more)

ACE (Alliance for Creativity and Entertainment) just took down what they're calling their biggest sports piracy bust yet - a Vietnam-based streaming operation that was pulling in over 821 million visits annually. The group behind Markkystreams was running 138 domains serving up pirated sports content to US and Canadian viewers, including all the major leagues. What's interesting here is the scale - this wasn't just some guy with a restream setup in his basement.

Not a lot of sympathy online on this one. I saw some math that if you wanted to watch every NFL game this year legally, it would cost you something like $850. I also saw one major site listed in this takedown that I was familiar with. I went to check it out, and it seemed like only 1 of their dozens of TLDs got taken down, so I’m not sure this really put a dent in the operation. (read more)

BadBox is bigger than we thought. Bitsight just found 190,000 infected Android devices, mostly high-end Yandex smart TVs and Hisense phones - a big shift from the cheap Android boxes we saw before. What's wild is this malware comes pre-installed on the firmware, suggesting either some manufacturers are in on it or some serious supply chain shenanigans are happening.

The botnet's mainly hitting Russia, China, India, Belarus, Brazil, and Ukraine right now. Once infected, these devices can be used for all sorts of fun stuff like residential proxying, ad fraud, and remote code installation. Between this and Germany finding 30,000 infected devices last week, it looks like BadBox is rapidly becoming one of the larger Android botnets out there. Careful with these cheap smart TVs. (read more)

North Korean hackers have a new malware called OtterCookie, targeting developers through fake job interviews. It's part of their "Contagious Interview" campaign that's been running since late 2022. The malware shows up in infected Node.js projects or npm packages on GitHub/Bitbucket, and once it's on your machine, it's particularly interested in stealing crypto wallet keys and clipboard data.

OtterCookie is joining their existing BeaverTail and InvisibleFerret malware, sometimes deployed alongside them. The November variant even changed up how it steals crypto keys, switching from built-in functionality to remote shell commands. Classic North Korean playbook, though: target developers, steal crypto, rinse, repeat. (read more)

Another hacker trying to play the "security consultant" card after getting caught with their hand in the cookie jar. Brazilian hacker Junior Barros De Oliveira is facing charges in the US after allegedly breaching 300,000 customer accounts from a New Jersey company's Brazilian subsidiary. He tried the classic move of demanding 300 bitcoin ($3.2M) to not leak the data, then later pitched himself as a helpful security consultant for the bargain price of 75 bitcoin.

The feds weren't impressed with his entrepreneurial spirit - he's now looking at up to 5 years per count for extortion and 2 years per count for threatening communications. What's particularly amusing here is how he went from "give me $3.2M or else" to "hey, let me help fix your security for a modest $800K consulting fee." Pro tip: actual security consultants typically don't start the relationship by hacking their clients. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay