🎓️ Vulnerable U | #099

Biden's cybersecurity executive order, Anatomy of a voice phishing hack, PlugX malware campaign and subsequent FBI kill switch on it, Fortinet's bad week, FTC sues GoDaddy for not doing security basics, and much more!

Read Time: 8 minutes

Howdy friends!

99 editions of Vulnerable U on the wall. 99 Vulnerable U’s. Take one down, pass it around… you know the rest.

Hard to believe we’ve been rocking at this for 99 weeks straight. Every. Single. Thursday night I put this together. Labor of love.

What should we do to celebrate episode 100 next week?

Statute of Limitations

ICYMI

🖊️ Something I wrote: Shoutout to the 'first managers who believed in us' club.

🎧️ Something I heard: My homie John Hammond did a documentary style video - The State of Cybercrime [2024]

🎤 Something I said: Did you notice I was back on my YouTube game? Put up a few videos this week diving deeper into topics I covered in short form. Check it out! How do you like the new format?

🔖 Something I read: My homies over at Project Cyber are launching the Cyber Pathways Mentorship Program to empower future women cybersecurity leaders. Volunteer as a mentor today!

Vulnerable News

Biden just dropped a new cybersecurity executive order that's got some teeth to it. The big focus is on companies selling tech to the government - they'll need to prove their development practices are secure and be more transparent about their security measures. Cloud providers will have to publish security guidance, and there's a new "Cyber Trust Mark" requirement coming for IoT devices by 2027.

Trump has already been elected and will take over soon, and Biden's cyber team hasn't even met with Trump's incoming folks yet. So, while these are solid measures, who knows if they'll stick around once the new administration takes over? (read more)

The research team over at Harmonic Security analyzed prompts submitted into GenAI tools in Q4, 2024. Here are the key findings:

→ 46% of sensitive data found was customer data (insurance claims, billing info, payment details)
→ 27% was employee data (payroll and PII)
→ 64% of ChatGPT users used the free tier, with 54% of sensitive prompts entered into it

Organizations risk losing their competitive edge if they expose sensitive data. Yet at the same time, they also risk losing out if they don’t adopt GenAI and fall behind.

See more findings and learn how to move beyond “block” strategies to manage GenAI risks effectively in this new report, The Spectrum of Data Leaked into GenAI, Q4 2024.

*Sponsored

Here's a sneaky one - threat actors are distributing malware disguised as a PoC exploit for the recent Windows LDAP vulnerability (CVE-2024-49113). They forked the legit "LDAPNightmare" repo but swapped the Python files with a UPX-packed executable that drops PowerShell scripts and exfiltrates system info to an FTP server. Just straight targeting security researchers.

The original vuln is actually interesting - it's a DoS in LDAP that Microsoft patched in December along with an RCE (CVE-2024-49112). But the real story here is how attackers keep having success with this "fake PoC" technique. Always be suspicious of random exes in Python projects, people. (read more)
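As an added illustration (not code from the newsletter or from the LDAPNightmare repository), here is the kind of check worth running over a freshly cloned "PoC" repo before executing anything in it: it flags files carrying PE/ELF/Mach-O loader magic, files whose source-code extension does not match binary content, and UPX section markers. The sample repo it builds in a temp directory, including the minimal fake packed PE image, is constructed for the demo.

```python
"""Flag native executables and UPX-packed blobs hiding in a source-only repo.

Added example: a pre-execution check for cloned PoC repositories. The sample
repository and the minimal fake PE image it builds are constructed for the demo.
"""
import struct
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extensions a "Python PoC" repo should consist of; binary content under these is suspicious.
SOURCE_EXTS = {".py", ".md", ".txt", ".cfg", ".toml", ".ini", ".json", ".yml", ".yaml"}
# Section names / magic the UPX packer leaves in a packed image.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def classify_blob(data: bytes) -> Optional[str]:
    """Return the executable format if the bytes start with a known loader magic."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
            off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[off:off + 4] == b"PE\x00\x00":
                return "PE"
        return "MZ (DOS stub)"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"):
        return "Mach-O"
    return None


def scan_file(path: Path) -> List[str]:
    """Reasons this file deserves a look before the repo is run."""
    data = path.read_bytes()
    reasons = []
    fmt = classify_blob(data)
    if fmt:
        reasons.append(f"{fmt} executable in a source repo")
        if path.suffix.lower() in SOURCE_EXTS:
            reasons.append(f"extension {path.suffix} but content is {fmt}")
    if any(marker in data for marker in UPX_MARKERS):
        reasons.append("UPX packer markers present")
    return reasons


def scan_repo(root: Path) -> Dict[str, List[str]]:
    """Map of relative path -> findings, only for files that have any."""
    results: Dict[str, List[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            reasons = scan_file(p)
            if reasons:
                results[p.relative_to(root).as_posix()] = reasons
    return results


def fake_packed_pe() -> bytes:
    """Constructed minimal MZ/PE image carrying UPX section names (not executable code)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> right after the header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20 + b"UPX0" + b"\x00" * 36 + b"UPX1"


def demo() -> Dict[str, List[str]]:
    """Build a constructed 'PoC repo' in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "poc.py").write_bytes(b"#!/usr/bin/env python3\nimport ldap3\n")
        (root / "README.md").write_text("LDAP DoS PoC (constructed sample)\n")
        (root / "poc.exe").write_bytes(fake_packed_pe())   # the swapped-in binary
        (root / "util.py").write_bytes(fake_packed_pe())   # binary hiding under .py
        return scan_repo(root)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Run it against a real clone with `scan_repo(Path("path/to/clone"))`; a clean Python project returns an empty map, and anything it does return is worth opening in a hex viewer or sandbox before the repo's scripts are run.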

RedDelta's back at it. This Chinese APT (also known as Mustang Panda/Twill Typhoon) has been hitting NGOs across Asia with a custom version of the PlugX backdoor. (My friend Jaime said “Hello PlugX my old friend”) They've switched up their infection chain - first using LNK files to MSI downloaders, then moving to spearphishing links that load remote HTML. Pretty standard APT stuff, but they're using Cloudflare's CDN to hide their C2 traffic.

The group's been around for 13 years and mainly targets organizations in Taiwan, Myanmar, Vietnam, and Mongolia, with some activity in the US too. They seem particularly interested in Buddhist activists and academics in the region. Recorded Future's analysis suggests they'll keep evolving their tactics, especially as geopolitical situations develop. (read more)

In an update to that PlugX story, the FBI just pulled off a neat trick with some help from French authorities - they managed to remove the PlugX malware from thousands of infected machines by basically telling it to delete itself. The Feds estimate over 45,000 US computers connected to the malware's C2 server since September.

The French got access to the command and control server and used PlugX's own built-in commands against it. It's part of a broader push by the DOJ to actively disrupt these threats rather than just chase the perpetrators. Similar to what we saw with their operations against Volt Typhoon and APT28, they're getting more aggressive about cleanup rather than just investigation. (read more)

Microsoft's going after some hackers who found a way to abuse Azure OpenAI to generate forbidden DALL-E images. The crew built a custom tool called "de3u" that uses stolen API keys to bypass content filters, essentially turning it into a hacking-as-a-service operation. They even had their tool logging which prompts triggered content filters so they could learn from the responses.

What's interesting here is Microsoft's legal approach - they're not just using the usual CFAA playbook, but also bringing RICO charges against these folks. That's the heavy artillery usually reserved for organized crime. The operation's been running since July 2024, and while Microsoft doesn't know exactly how the API keys were stolen, they're asking the court to shut down the infrastructure and lock these folks out permanently. Pretty wild to see AI abuse cases starting to get the organized crime treatment. (read more)

Fortinet just dropped patches for a critical auth bypass bug that's already being exploited in the wild. Arctic Wolf caught wind of this first, spotting attacks in December targeting FortiGate firewalls with exposed management interfaces. The flaw (CVE-2024-55591) lets attackers gain super-admin privileges through some Node.js websocket trickery - pretty nasty stuff if you're running FortiOS or FortiProxy.

The good news is it only affects devices with HTTP/HTTPS management enabled on WAN interfaces. The bad news? Attackers are already having a field day - creating new admin accounts, trying to set up SSL VPN access, and using DCSync to dump Active Directory creds. If you're running versions 7.0.0 to 7.0.16 of FortiOS or certain versions of FortiProxy, time to patch up or at least disable those HTTP/HTTPS admin interfaces. (read more)

To pile on to the bad week for Fortinet, the "Belsen Group" just dropped config files and VPN credentials for 15,000 FortiGate devices on the dark web. The 1.6GB leak includes sensitive stuff like firewall rules and private keys, all neatly organized by country. Kevin Beaumont thinks this is tied to that CVE-2022-40684 zero-day from 2022, which makes sense given all the devices were running FortiOS versions from that era.

Even though this data is from 2022, it's still pretty spicy. Network configs don't change that often, and if admins haven't rotated those credentials (spoiler: many probably haven't), attackers just got handed a goldmine of potential access. Beaumont's planning to release a list of affected IPs so admins can check if they're exposed. If this sounds familiar, it's because we saw something similar in 2021 when 500k Fortinet VPN creds got leaked from an older vuln. (read more)
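Both Fortinet items above come down to the same exposure: web administration reachable on a WAN-facing interface. As an added example (not the newsletter's or Fortinet's code, and not Beaumont's IP list), here is a read-only check over an exported FortiOS configuration, whether that is your own backup or a file you suspect was in the leak: it parses the `config system interface` stanza and reports WAN-role interfaces whose `allowaccess` includes `http` or `https`, alongside the hardened setting. The config snippet is constructed; the stanza and key names follow FortiOS CLI syntax, and only that stanza is read.

```python
"""Flag FortiGate interfaces that expose HTTP/HTTPS administration on WAN-role ports.

Added example: a read-only check over an exported FortiOS configuration. The config
snippet below is constructed; only the "config system interface" stanza is parsed,
and the role/allowaccess keys are read as FortiOS CLI syntax.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "wan2"
        set vdom "root"
        set ip 198.51.100.2 255.255.255.0
        set allowaccess ping
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
end
"""

ADMIN_WEB = {"http", "https"}


def parse_interfaces(config_text: str) -> Dict[str, Dict[str, object]]:
    """Return {interface: {"allowaccess": [...], "role": str}} from the interface stanza."""
    interfaces: Dict[str, Dict[str, object]] = {}
    depth = 0           # nesting of "config ... end" blocks
    in_stanza = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system interface" and depth == 1:
                in_stanza = True
            continue
        if line == "end":
            depth -= 1
            if in_stanza and depth == 0:
                break
            continue
        if not in_stanza or depth != 1:
            continue    # skip nested sub-blocks such as "config ipv6"
        m = re.fullmatch(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            interfaces[current] = {"allowaccess": [], "role": "undefined"}
        elif line == "next":
            current = None
        elif current and line.startswith("set allowaccess "):
            interfaces[current]["allowaccess"] = line.split()[2:]
        elif current and line.startswith("set role "):
            interfaces[current]["role"] = line.split()[2]
    return interfaces


def exposed_admin_interfaces(config_text: str) -> List[str]:
    """WAN-role interfaces whose allowaccess includes http or https."""
    return sorted(
        name for name, iface in parse_interfaces(config_text).items()
        if iface["role"] == "wan" and ADMIN_WEB & set(iface["allowaccess"])
    )


def hardened_allowaccess(allowaccess: List[str]) -> List[str]:
    """The same allowaccess list with web administration removed."""
    return [svc for svc in allowaccess if svc not in ADMIN_WEB]


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for name in exposed_admin_interfaces(SAMPLE_CONFIG):
        cur = ifaces[name]["allowaccess"]
        print(f'{name}: set allowaccess {" ".join(cur)}'
              f'  ->  set allowaccess {" ".join(hardened_allowaccess(cur))}')
```

On the sample this reports `wan1` (https on a WAN port) and suggests `set allowaccess ping ssh`; `internal` keeps its web admin because its role is `lan`, and `wan2` is clean. The role check matters because the leaked-config story is about devices that were reachable from the internet, not about every interface with HTTPS enabled.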

The FTC is cracking down on GoDaddy's years of sloppy security practices. Turns out the hosting giant has been running quite the loose ship since 2018 - no proper MFA, weak logging, poor network segmentation, and they weren't even monitoring their security logs properly. These failures led to multiple breaches between 2019-2022, including a nasty one where attackers had access to their cPanel hosting environment for years.

Now GoDaddy's being forced to clean up their act with mandatory MFA for everyone (employees and customers), regular third-party security assessments, and they have to stop making misleading claims about their security practices. (read more)

Microsoft's first Patch Tuesday of 2025 is a doozy - they're fixing three actively exploited zero-days in Hyper-V. All three bugs let authenticated local attackers elevate to SYSTEM privileges through the NT Kernel Integration Virtual Service Provider. Microsoft's being pretty tight-lipped about the exploitation details, but given they're already being used in the wild, you'll want to patch these ASAP.

The whole January update fixes 159 CVEs (up from December's 71), including some nasty 9.8 CVSS scores. The standouts are an RCE in Windows OLE that can be triggered just by previewing a malicious email in Outlook, an EoP in NTLM V1 that's apparently super reliable to exploit, and an unauthenticated RCE in the Windows multicast transport driver. Busy month for Windows admins! (read more)

WIRED just dropped a crazy investigation about potential surveillance tech at the 2024 DNC in Chicago. Working with the EFF, they found evidence suggesting a cell-site simulator (basically a fake cell tower that can intercept phone data) was active near a hotel housing Midwest delegates. The smoking gun was a suspicious pattern where a "cell tower" asked for a device's IMSI number before immediately disconnecting - something that normal towers don't do.

Here's where it gets murky - nobody's owning up to it. Chicago PD says it wasn't them, Secret Service is doing their usual "no comment on methods" dance, and DHS is ghosting reporters. While it could be legitimate law enforcement activity (with a warrant), it could also be foreign actors or someone else entirely. The timing is interesting too, given the protests happening around the convention. (read more)

If you're running Rsync - time to update. Google's Cloud Vulnerability Research team found six bugs, including a nasty heap buffer overflow that could lead to RCE. The bug happens when attacker-controlled checksum lengths exceed MAX_DIGEST_LEN, letting them write outside the sum2 buffer. There's also a path traversal vulnerability that could let malicious servers write files wherever they want.

This is a big deal since Rsync is basically everywhere - Red Hat, Gentoo, Arch, and SUSE are all affected. The fix is out in version 3.4.0, so you'll want to get that installed ASAP. Five of the six bugs came from Google's team, and all the details are now public, so expect to see exploitation attempts soon. (read more)

Star Blizzard, our favorite Russian spear-phishing crew, got creative after their domains got seized in October. Instead of their usual email tricks, they started targeting WhatsApp accounts in November by sending fake invites to join Ukraine NGO support groups. They sent broken QR codes first to bait responses, then followed up with codes that actually hijack WhatsApp Web sessions.

Microsoft caught this campaign and while it was short-lived (just November), it shows how these groups adapt when their old tricks get burned. After the DOJ seized 180+ of their phishing domains, they needed new ways to dodge detection. The target list is still the same though - they're after academia, defense contractors, government orgs, and now DOE facilities. (read more)

Miscellaneous mattjay

I’ve been cracking up at this since I read it -

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay