🎓️ Vulnerable U | #102
Musk's DOGE agents accessing sensitive info, Medical device backdoors, North Korean macOS malware, Cisco and Zyxel vulnerabilities, and much more!
Read Time: 8 minutes
Howdy friends!
Being full time on Vuln U has yet to really hit me. I started to quantify how much content I made this week and it’s really nuts. I’m glad I get to work on new and fun ways to communicate all of this to you, whether it’s my short-form videos on Instagram or deep dives on YouTube. I’m having a blast and working super hard.
I was in my office until 10pm last week writing the newsletter, and today will be about the same after shooting 4 videos earlier today and writing 3 news articles. Not complaining, just letting you all know the hustle is real and thank you for the support!
ICYMI
🖊️ Something I wrote: Build Your Connection Stack - Daily: Text someone who isn't your spouse/partner (I literally have “Good Friend Time” in my calendar as a reminder)
🎧️ Something I heard: I’ve watched a lot of content by this dev creator, ThePrimeagen, but I never knew his backstory. Good listen for anyone going through it and hoping to pull out of the nose dive.
🎤 Something I said: This fun run through of Sam Curry hacking Subarus
🔖 Something I read: WhatsApp says Israeli mercenary spyware company Paragon targeted scores of users around world.
Vulnerable News
Well, this is… concerning. Musk's Department of Government Efficiency (DOGE) team has gotten their hands on sensitive OPM data covering millions of federal employees. Administrative access to personnel systems was granted within days of Trump's inauguration, with some DOGE agents being fresh faces in their 20s from Musk's companies. The data includes everything from SSNs to disciplinary records, and they've got permissions to install software and modify system logs.
I heard through the grapevine that they are installing Splunk systems, which might be an upgrade, depending on what is there. But hilariously, someone pointed out “the irony of a department supposedly about government wasting money installing Splunk...”
Anyway, the timing couldn't be worse - they're simultaneously gutting OPM's IT security teams and halting system upgrades. Security experts are rightfully freaking out, comparing it to firing all the archers from your castle walls. The last time OPM got breached (by China in 2014), it exposed 20 million security clearance applications. Now we've got potentially unvetted folks with admin access and reports of them screaming at senior developers. Cool cool cool. (read more)
Security teams need to balance the critical risk of modern phishing attacks against the simple fact that there are only so many hours in a day. Far too much time is wasted on manually triaging, investigating, and remediating: every minute spent chasing false positives is a minute not spent on mission-critical tasks.
Trusted by companies like Lyft, Databricks, and Carta, Material Security helps strike the right balance with AI-powered detections and truly automated remediations across your productivity suite, along with flexible controls and granular settings that match your needs. (read more)
*Sponsored
CISA's raising alarms about Chinese-made Contec CMS8000 patient monitors having a potential backdoor - basically a hardcoded IP in China that can receive patient data and push file updates. These devices monitor vital signs in hospitals, so it's kind of a big deal. But here's where it gets interesting: Claroty's research team took a look under the hood and thinks it's more likely just terrible design rather than malicious intent. The IP is actually documented as part of their Central Management System.
Either way, it's still a security nightmare. The device can automatically connect to this IP, send patient data over port 515 (printer port, weird choice), and accept file updates without any verification. CISA and FDA aren't taking chances - they're telling hospitals to either kill the remote monitoring or unplug these things entirely. Claroty suggests blocking the whole subnet (202.114.4.0/24) if you're stuck with these devices. (read more)
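If you are stuck with these monitors on your network, the advisory gives you two concrete things to watch for: traffic into 202.114.4.0/24 and LPD traffic on port 515 leaving the building. Here is an added example (mine, not Claroty's or CISA's) that runs that check over constructed flow records; the record layout and the sample hosts are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Subnet Claroty recommends blocking and the port the monitor exports over.
CMS_SUBNET = ipaddress.ip_network("202.114.4.0/24")
LPD_PORT = 515

# Constructed sample flow records (timestamp src dst dport proto); not real data.
SAMPLE_FLOWS = [
    "2025-02-06T14:02:11Z 10.20.5.17 202.114.4.119 515 tcp",
    "2025-02-06T14:02:12Z 10.20.5.17 10.20.0.5 443 tcp",
    "2025-02-06T14:03:40Z 10.20.5.18 202.114.4.120 515 tcp",
    "2025-02-06T14:04:01Z 10.20.5.18 10.20.0.53 53 udp",
    "2025-02-06T14:05:09Z 10.20.5.19 202.114.9.3 515 tcp",
]

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str

def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto

def classify(dst, dport):
    """Return why a flow is suspicious, or None if it is not."""
    if dst in CMS_SUBNET and dport == LPD_PORT:
        return "outbound to Contec CMS subnet on LPD/515 (patient-data export path)"
    if dst in CMS_SUBNET:
        return "outbound to Contec CMS subnet"
    if dport == LPD_PORT and dst.is_global:
        return "LPD/515 to an internet host (a monitor has no reason to print offsite)"
    return None

def find_alerts(lines):
    """Run classify() over flow records and collect the matching Alerts."""
    alerts = []
    for line in lines:
        ts, src, dst, dport, _proto = parse_flow(line)
        reason = classify(dst, dport)
        if reason:
            alerts.append(Alert(ts, str(src), str(dst), dport, reason))
    return alerts
```

The third rule is wider than the advisory: it also catches a monitor that is re-pointed at a different public host, since nothing on a hospital floor should be printing to the internet.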
Looks like DeepSeek is speedrunning security hygiene 101. NowSecure's investigation found they're sending data in plaintext (ATS disabled), using hardcoded keys with 3DES (hello 1995!), and collecting enough device data to make a privacy advocate cry. Oh, and they left a database exposed with everyone's chat histories and API keys. Cool cool cool.
The fallout is predictable - the U.S. House, Pentagon, NASA, and several countries have already banned it. It's giving strong "we don’t even have a security engineer" vibes. (read more)
North Korea's at it again with their fake job interview malware scheme, but this time they're targeting Mac users with something called FlexibleFerret. The malware's pretty sneaky - it's signed with legit Apple Developer credentials and is currently flying under the radar of Apple's XProtect tool. This is part of that campaign from late 2023 where they were posing as employers to trick developers into installing malware during "job interviews."
What's clever about this one is how it mimics Apple's own security warnings to trick users, showing a fake "file is damaged" alert that looks just like Gatekeeper's. It then sets up shop using a LaunchAgent that masquerades as part of the OS. SentinelLabs says the North Korean actors keep pivoting between signed and unsigned versions to keep their campaign going, spreading through social media and even GitHub.
Check this GitHub thread where they’re trying to trick someone.
Wild! Stay safe out there if you’re interviewing. (read more)
Zyxel's pulling a "not our problem anymore" move with some legacy routers affected by CVE-2024-40891. Instead of patching the command injection vulnerability that's actively being exploited, they're telling customers to just buy new devices.
These "end-of-life" routers are still being sold on Amazon, and Censys found over 1,500 vulnerable devices still online.
The bug's already being used by Mirai botnets in the wild, which is exactly what you'd expect when you've got a command injection flaw in internet-facing routers. While Zyxel notes that WAN access and Telnet are disabled by default, that's cold comfort for the hundreds of exposed devices. Bonus points for the affected models not even being listed on Zyxel's end-of-life page yet. "It's EOL when we say it's EOL, even if we're still letting people buy it." (read more)
Don’t miss Symphony 2025 – a 1-hour virtual summit for security professionals.
Get the inside track on staying ahead of adversaries, conquering the cloud, unlocking SOC transformation, and more.
Here’s your VIP pass to the future of security innovation, packed with exclusive insights, live demos, and stories from the pros.
Reserve your free spot at Symphony 2025!
*Sponsored
The DoJ just took down a pretty significant cybercrime operation run by someone known as Saim Raza (aka HeartSender). They seized 39 domains and several servers that were basically running a one-stop shop for cybercriminals, selling everything from phishing kits to email extractors. They even included helpful YouTube tutorials showing how to use their "fully undetectable" tools.
According to the feds, Raza's been at this since at least 2020, and their tools have helped crime groups rack up over $3M in losses through business email compromise schemes. This takedown was part of a bigger week of cybercrime disruption - Europol also just knocked out two major forums called Cracked and Nulled. (read more)
Heads up AMD users - Google's security team found a pretty gnarly bug in AMD's Zen processors (gens 1-4) that could let attackers mess with confidential computing workloads. The issue (CVE-2024-56161) boils down to AMD using a weak hash function for microcode signature validation. While you need local admin privileges to exploit it, it could compromise AMD's SEV-SNP security features.
Google's being pretty tight-lipped about the full details (they even waived their usual 90-day disclosure policy), but they did demonstrate a proof-of-concept on Milan and Genoa processors. AMD pushed out microcode updates in December to fix this, so if you're running Naples, Rome, Milan, Milan-X, Genoa, or Bergamo/Siena processors, time to update that BIOS. The fix needs both microcode and SEV firmware updates on some platforms to get SEV-SNP attestation working properly again. (read more)
Microsoft sent a threat intel alert about ASP.NET sites - they found over 3,000 machine keys floating around in public that could let attackers execute code on vulnerable servers. Someone's already used this attack in December to deploy the Godzilla post-exploitation framework. These aren't even stolen keys from the dark web anymore - they're just sitting in public GitHub repos and documentation. (read more)
Thailand just pulled a wild move in the fight against cybercrime - they straight up cut the power to several Myanmar border towns where scam operations are running. We're not talking about the usual playbook of seizing servers or freezing crypto wallets here. They literally turned off the utilities to shut down these romance scam and fraud operations that have been causing havoc. (read more)
We talked about this one a bit ago: the nasty Outlook RCE bug from last year (CVE-2024-21413) is now being actively exploited in the wild. The vulnerability lets attackers bypass Protected View using a clever trick with the file:// protocol and an exclamation mark in URLs. Once exploited, they can steal NTLM creds and run arbitrary code. CISA's giving federal agencies until February 27th to patch.
What makes this particularly spicy is that you don't even need to click anything - just previewing a malicious email in Outlook's Preview Pane is enough to trigger it. It affects pretty much every flavor of Office. (read more)
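Since previewing is enough to trigger it, patching beats filtering, but a mail gateway can still flag the link shape described above while you roll updates out. The following is an added example of mine, not a Microsoft or CISA rule: it assumes the public description (a file:// link carrying an exclamation mark) is the whole signature, and the sample messages are constructed.

```python
import html
import re

# Any file:// URL that carries '!' somewhere after the scheme. Assumed pattern
# built from the public description of CVE-2024-21413, not a vendor signature.
FILE_BANG_RE = re.compile(r'file://[^\s"\'<>]*![^\s"\'<>]*', re.IGNORECASE)

# Constructed sample message bodies; 203.0.113.0/24 is documentation address space.
SAMPLE_MAILS = {
    "share-link": 'Quarterly numbers: <a href="file:///\\\\203.0.113.7\\q4\\report.docx!x">open</a>',
    "entity-encoded": 'Open file:&#47;&#47;203.0.113.9/deck.pptx&#33;x before the call',
    "benign-file": 'Template lives at file://fileserver/templates/memo.dotx for everyone.',
    "benign-https": 'Details at https://example.com/page!section and nothing else.',
}

def find_file_bang_links(body):
    """Return file:// links containing '!' in a body, decoding HTML entities first.

    Decoding matters: an attacker-controlled body can spell '/' or '!' as a
    numeric entity, and Outlook renders it the same way either way.
    """
    return FILE_BANG_RE.findall(html.unescape(body))

def triage(mails):
    """Map message name -> matched links, only for messages that hit."""
    hits = {}
    for name, body in mails.items():
        links = find_file_bang_links(body)
        if links:
            hits[name] = links
    return hits
```

A plain file:// link to an internal share does not match, so the rule is quiet on the ordinary "here's the template" mail that every office sends.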
If you've got read-only admin access on Cisco ISE, you can basically get root through some janky Java deserialization and API authorization bypass tricks. The worst one scores a casual 9.9 out of 10 on the CVSS scale, so... yeah, might want to patch that.
Good news is there's no evidence of exploitation yet, and Cisco's already pushed fixes for most versions (except 3.0 - time to migrate if you're still running that). While you're at it, they also dropped some high-severity IOS and NX-OS patches for DoS bugs, but those aren't as urgent. The SNMP fixes are coming in February/March, with some temporary mitigations available if you're worried. (read more)
Miscellaneous mattjay
Most of the world’s brightest minds are hard at work developing new ways for you to get depression from a computer
— pixelatedboat aka “mr bluesky” (@pixelatedboat.bsky.social), 2025-02-07
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay