🎓️ Vulnerable U | #098
Gravy Analytics massive location data breach, Fake nuclear scare breakdown, License plate cameras open to the public, and so much more!
Read Time: 7 minutes
Howdy friends!
Staying warm? I’m not.
I’m also bummed to be missing the final Shmoocon today. Fun fact: Shmoo was my first ever security conference and it really changed the trajectory of my career over 15 years ago. Bruce and Heidi along with their team really built something special that was so worth going to, it was even one where I’d show up without a ticket just to be nearby. Congrats to them on the legendary run.
Who all was there the year we got stuck in the hotel due to the snow? Drove out of DC that week on the center median of I-95 because it was all they had cleared until I was damn near New Jersey.
ICYMI
🖊️ Something I wrote: What I think of when I hear the White House announce a “Cyber Safe” label
🎧️ Something I heard: I’ve been rallying on this a lot lately because I keep seeing “security experts” say it. Marcus does a great job: You Don't Need To Buy a VPN To Stay Secure On Public Wi-Fi
🎤 Something I said: Revisited this fun video from 2024 (my top one on some platforms) that ran through the XZ supply chain attack that almost was an Internet wide catastrophe.
🔖 Something I read: We’re All Trying to Find the Guy Who Did This - Mark Zuckerberg is at war with himself.
Vulnerable News
Well this is a nightmare. Hackers have reportedly breached Gravy Analytics, one of those sketchy location data brokers that sells your smartphone tracking data to everyone from the FBI to marketers. They claim to have snagged millions of users' precise location histories going back to 2018, plus root access to Gravy's servers and their S3 buckets. The hackers are now threatening to dump it all unless Gravy responds within 24 hours.
This comes right after the FTC cracked down on Gravy for selling sensitive location data. The breach exposes just how dangerous it is to have companies hoarding this kind of data. We're talking exact GPS coordinates and timestamps that could be used to track people's movements across multiple countries. Gravy's site is currently down and their new parent company Unacast isn't commenting. (read more)
Chinese APT actors managed to breach Treasury Dept. systems through BeyondTrust, a third-party provider. While they're calling it "unclassified" data that was accessed, lawmakers aren't buying the downplay, especially since Treasury holds some of the most sensitive financial intel around. The breach specifically hit OFAC (the folks who handle sanctions), which makes this particularly interesting timing.
The attack vector is a classic supply chain hit - the attackers nabbed a cloud service key from BeyondTrust and used it to remote into Treasury workstations. Lawmakers want answers by January 10th about which Chinese APT is behind this, what exactly they accessed, and how Treasury plans to prevent round two. This comes right on the heels of that Salt Typhoon telecom breach, so China's clearly been busy this holiday season. (read more)
Here's a wild one about how fake radiation readings and drone sightings sparked a nuclear panic last month. Also, Kim Zetter rules.
Someone figured out they could upload bogus data to GQ Electronics' radiation map (turns out anyone can do it, no authentication needed), showing crazy high radiation levels in NY and NJ. Mix that with mysterious drone sightings in the area, and suddenly you've got Joe Rogan, reality stars, and "experts" spreading theories about government drones hunting loose nukes.
Absolutely bonkers how easily this spread despite the readings being obviously fake - like 178,173 cpm in Utica when normal levels are 5-60 cpm. Security researcher Ruben Santamarta points out this could be a preview of scarier things to come if someone manipulates official radiation monitoring systems instead of just a public map. GQ's solution is to just slap a disclaimer on it telling people to check official sources instead. (read more)
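The hoax worked because the map accepted anonymous uploads and applied no plausibility check to the values. The following is an added example (not GQ Electronics' code) of the kind of server-side triage that would have quarantined a 178,173 cpm reading instead of plotting it: it flags anonymous submissions, values far above normal background, and sudden jumps relative to a station's recent median. The field names (`station`, `cpm`, `submitter`) and the sample readings are constructed for illustration.

```python
"""Plausibility triage for crowd-sourced radiation readings (added example)."""
from statistics import median

BACKGROUND_MAX_CPM = 60          # top of the normal 5-60 cpm range cited in the article
ABSOLUTE_CEILING_FACTOR = 100    # anything above 100x normal background is quarantined
JUMP_FACTOR = 10                 # as is a reading >10x the station's recent median


def flag_reading(reading, history):
    """Return the reasons a submitted reading looks implausible (empty list if it looks fine).

    reading: {'station': str, 'cpm': number, 'submitter': str or None}  (hypothetical schema)
    history: recently accepted cpm values for the same station (may be empty)
    """
    reasons = []
    cpm = reading.get("cpm")
    if not isinstance(cpm, (int, float)) or cpm < 0:
        return ["non-numeric or negative cpm"]
    if not reading.get("submitter"):
        # The real map required no authentication at all; an anonymous spike deserves review.
        reasons.append("anonymous submission")
    if cpm > BACKGROUND_MAX_CPM * ABSOLUTE_CEILING_FACTOR:
        reasons.append(f"cpm {cpm} exceeds {ABSOLUTE_CEILING_FACTOR}x normal background")
    if history:
        base = median(history)
        if base > 0 and cpm > base * JUMP_FACTOR:
            reasons.append(f"cpm {cpm} is more than {JUMP_FACTOR}x the station median {base:g}")
    return reasons


def triage(submissions, history_by_station):
    """Split submissions into (accepted, quarantined); each entry is (reading, reasons)."""
    accepted, quarantined = [], []
    for s in submissions:
        reasons = flag_reading(s, history_by_station.get(s["station"], []))
        (quarantined if reasons else accepted).append((s, reasons))
    return accepted, quarantined


# Constructed sample data, loosely modelled on the incident described above.
SAMPLE_HISTORY = {"Utica, NY": [22, 25, 21, 24, 23], "Newark, NJ": [30, 28, 31]}
SAMPLE_SUBMISSIONS = [
    {"station": "Utica, NY", "cpm": 178173, "submitter": None},   # the hoax value
    {"station": "Newark, NJ", "cpm": 33, "submitter": "user-42"},  # ordinary background
    {"station": "Newark, NJ", "cpm": 400, "submitter": "user-77"}, # suspicious jump
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_SUBMISSIONS, SAMPLE_HISTORY)
    for s, reasons in bad:
        print("QUARANTINE", s["station"], s["cpm"], "->", "; ".join(reasons))
    for s, _ in ok:
        print("ACCEPT", s["station"], s["cpm"])
```

Quarantined readings would go to a human or an official feed for confirmation before being plotted; the thresholds are deliberately generous so that a genuine event still gets through once corroborated.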
The watchTowr team just dropped some wild research about hijacking hackers' backdoors by registering expired domains. For about $20 per domain, they were able to intercept callbacks from over 4,000 active web shells, including some on government systems in Bangladesh, China, and Nigeria. Turns out a lot of these shells were actually backdoored themselves, designed to phone home to domains that the original authors let expire.
They found shells trying to masquerade as Lazarus Group (North Korea's infamous APT). They even caught attackers who thought they were being clever by password-protecting their shells - only to have those same shells leak the passwords back to watchTowr's newly registered domains. They're handing the domains over to Shadowserver Foundation to prevent any future abuse. (read more)
Treasury just dropped sanctions on a Chinese company called Integrity Tech for their ties to Flax Typhoon - a state-backed group that's been causing headaches since 2021. The timing is spicy given that Treasury itself just got hit by Chinese hackers in December, specifically targeting their sanctions office (OFAC).
The feds say Flax Typhoon used Integrity Tech's infrastructure for attacks between 2022-2023, targeting critical infrastructure across the US and globally (with a special focus on Taiwan). This follows the FBI's takedown of their botnet back in September. Now any US transactions with Integrity Tech are blocked, and they have to report any company assets they control. (read more)
Looks like Motorola's got some explaining to do about their license plate readers. A security researcher, Matt Brown, bought one off eBay and found hundreds of these surveillance cameras are just... streaming to the open internet. No login required. Even better, someone built a proof-of-concept tool that can automatically scrape the feeds and track car movements in real-time. About 170 exposed cameras have been found so far.
Motorola's response is pretty much what you'd expect - they're calling it a "legacy device" (translation: not our problem anymore) and blamed customers for misconfiguring them. They're promising a firmware update with "additional security hardening" but researchers point out the fundamental issue remains - these devices are inherently vulnerable even on private networks. This isn't even the first time ALPRs have been caught streaming in the wild - similar issues were found in 2015 and 2019. (read more)
HHS just slapped an $80K fine on Elgon Information Systems after a ransomware attack exposed 31,000 patients' data. The interesting part isn't the fine (pretty small tbh) but that it's part of a broader crackdown on healthcare orgs that aren't taking HIPAA seriously. OCR says ransomware reports are up 264% since 2018, and they're done playing nice.
The breach itself is a classic case of poor security hygiene - Elgon didn't even notice the intruders for six days until they found the ransom note. Now they're stuck with three years of OCR monitoring on top of the fine. This is only the second penalty under OCR's new Risk Analysis Initiative, following a $90K hit to Bryan County Ambulance last October. Message is clear: do your risk analysis or pay up. (read more)
Casio got hit with ransomware back in October, and we're finally getting the damage report. The Underground ransomware crew managed to snag 200GB of data after successfully phishing their way in, impacting about 8,500 people total. Most of those affected were Casio employees (6,456 of them), whose personal info including names, DOB, and taxpayer IDs got leaked. Some business partners and customers got caught in the crossfire too.
They're saying they didn't pay the ransom and most services are back up, but some employees are already reporting spam - probably from their leaked data being put to work. (read more)
Meta's throwing in the towel on professional fact-checking and going full X-style with community notes. Zuck and co announced they're ditching their third-party fact-checking program in the US, claiming they want to "return to free expression." They're also loosening restrictions on hot-button topics like immigration and gender identity, which is raising some eyebrows among regulators and advocacy groups.
The EFF's take is pretty spot-on - content moderation at scale is basically impossible to get right, but completely abandoning professional fact-checking in favor of crowd-sourcing truth... what could possibly go wrong? (read more)
No, this isn’t that other Ivanti bug, this is a new one. There's a zero-day being actively exploited in Connect Secure VPN appliances. The critical bug (CVE-2025-0282) lets attackers execute code without authentication, and Mandiant says Chinese state actors have been hitting it since mid-December. While patches are out for Connect Secure, Policy Secure and ZTA Gateway users will have to wait until January 21st.
Ivanti VPN appliances got popped in 2024 too, leading to a CISA breach. If you're running Connect Secure, grab their Integrity Checker Tool to see if you've been compromised. If you have, time for a factory reset and patch. (read more)
PowerSchool, the biggest K-12 education software provider in North America, just confirmed they got hit with a pretty gnarly data breach. Hackers used stolen creds to break into their customer support portal and made off with some sensitive data. Student SSNs, medical info, grades, and more. The company serves over 50 million students, though they haven’t shared exactly how many were affected.
PowerSchool actually hired a company called CyberSteward to negotiate with the hackers and paid them off to delete the data. They claim the data won't be published, but they're pretty light on details about how they can be sure about that. Just a "trust us" response after paying an extortion demand. (read more)
iTerm2 had a bug that's been logging users’ SSH session data to a readable file on remote hosts. The issue affects versions 3.5.6 through 3.5.10 and happens when you're using either the it2ssh command or have SSH integration enabled with Python 3.7+ on the remote system. All that juicy terminal I/O gets dumped into /tmp/framer.txt where other users might be able to read it.
Developer George Nachman dropped version 3.5.11 to fix this one, and they've completely yanked the logging code out. If you're running an affected version, you'll want to update ASAP and maybe check those remote systems for any leftover log files. Props to the team for the quick fix and transparency. (read more)
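To make the "check those remote systems" step concrete, here is an added example (not iTerm2's code) of a small audit you can push to each host you used SSH integration or it2ssh against, for instance with `ssh host python3 - < audit_framer.py`. It reports whether /tmp/framer.txt (the path named in the advisory) exists, who owns it and whether other users can read it, and can remove it. The `make_sample_log` helper only exists so the script can be exercised locally with a constructed file.

```python
"""Audit and clean up a leftover iTerm2 SSH-integration log file (added example)."""
import os
import pwd
import stat

DEFAULT_PATH = "/tmp/framer.txt"   # the file the affected iTerm2 versions wrote on remote hosts


def audit_log_file(path=DEFAULT_PATH):
    """Return a dict describing the file, or None if it does not exist."""
    try:
        st = os.lstat(path)            # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return None
    mode = st.st_mode
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    return {
        "path": path,
        "owner": owner,
        "size": st.st_size,
        "mode": stat.filemode(mode),
        "world_readable": bool(mode & stat.S_IROTH),
        "group_readable": bool(mode & stat.S_IRGRP),
        "is_regular": stat.S_ISREG(mode),
    }


def remediate(path=DEFAULT_PATH):
    """Remove the log file if present. Returns True if a file was deleted."""
    info = audit_log_file(path)
    if info is None:
        return False
    if not info["is_regular"]:
        # Refuse to act on symlinks or devices; inspect those by hand.
        raise RuntimeError(f"{path} is not a regular file; refusing to remove")
    os.remove(path)
    return True


def make_sample_log(path, mode=0o644):
    """Create a constructed stand-in for the log so the audit can be tried locally."""
    with open(path, "w") as fh:
        fh.write("constructed sample of captured terminal I/O\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    info = audit_log_file()
    if info is None:
        print(f"{DEFAULT_PATH}: not present")
    else:
        print(f"{info['path']}: owner={info['owner']} mode={info['mode']} size={info['size']}")
        if info["world_readable"] or info["group_readable"]:
            print("WARNING: readable by other users; session contents may have been exposed")
        print("removed" if remediate() else "nothing to remove")
```

A world-readable hit means you should assume whatever was typed or displayed in those sessions (including any credentials) was visible to other local users on that host for as long as the file existed, and rotate accordingly; deleting the file only stops further exposure.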
Miscellaneous mattjay
This made me lol
Customer: I need a canary for my coal mine
Security product vendor: you've come to the right place, we have a wide selection of stuffed birds
— lcamtuf (@lcamtuf)
6:31 PM • Jan 7, 2025
False alarm.
It's porn:
— Proton (@ProtonPrivacy)
10:48 PM • Jan 3, 2025
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay