🎓️ Vulnerable U | #103

What really happened with DOGE at the Treasury, Apple patches vuln likely used by spyware, Old Microsoft bugs spiking in exploit activity, some great bug bounty write-ups, and much more!

Author

Matt Johansen
February 14, 2025

Read Time: 8 minutes

Brought to you by:

Howdy friends!

I’m honestly a bit burnt out. Doing the news for a living it’s hard to tune out, and I firmly believe in tuning out. I forced myself to take a day this week and just be a potato, only to get back to it today and feel even more behind than ever. The news cycles move so fast and I feel a lot of pressure to ingest, parse, and create about it all.

I give a fair bit of mental health advice through Vulnerable U, and so I want to be transparent when I’m feeling these things. My plan: Stick to what I know works on self-care. Sleep, Exercise, Healthy Fuel, and Time to decompress. Will report back on what worked.

ICYMI

🖊️ Something I wrote: How Google Tag Manager was used to sneak in card skimmers to e-commerce sites.

🎧️ Something I heard: Civ 7 came out - My potato day involved watching a lot of my favorite Civ streamers play through the early release.

🎤 Something I said: The UK Forces Apple to Make a Universal Backdoor...

🔖 Something I read: Someone recommended The Hard Thing About Hard Things to me and I couldn’t make it past a few chapters. Does it get better? Is it worth it?

Vulnerable News

New court docs just dropped on that DOGE drama at Treasury, and it looks like earlier reporting might have overblown things a bit. Turns out Marko Elez, that 25-year-old DOGE employee, did briefly have write access to one Treasury payment database - but it was an accident that got fixed within a day. Treasury actually put some decent guardrails around his access - he could only use their locked-down laptop, couldn't connect USB drives, and was blocked from accessing external websites or cloud storage.

However, there was a red flag in the court document, said Elez “occasionally” took screenshots to share with other DOGE staffers. All the DLP in the world, and they still let them take screenshots?

The reported source code tampering might have just been Elez helping Treasury staff automate how they flag foreign aid payments for review - something they were doing manually before. He could only make changes in a sandbox environment, not production systems. While this whole situation still raises eyebrows about DOGE's role in government systems, it seems Treasury's career staff kept tighter control than initially reported. Granted we only know any of those because a court ordered they stop what they were doing. (read more)

In 2024, Flashpoint identified 123 skimming breaches, which could have potentially cost companies $80 million in fraud losses.

Fraud tactics are becoming ever more sophisticated - but real-time data and applying the most up-to-date best practices can help protect your business.

Find out how you can protect your customers - and yourself - from the mounting risk of credit card with a copy of Flashpoint’s free ebook.

This ebook covers:
Evolving credit card fraud tactics
Intelligence-driven prevention strategies
Building fraud resilience in your organization

*Sponsored

Apple just patched a spicy vulnerability that let attackers bypass USB Restricted Mode on locked iPhones and iPads. The bug, found by Citizen Lab's Bill Marczak, could disable one of Apple's key security features that normally blocks USB data connections after 7 days without an unlock. Apple’s calling it an "extremely sophisticated attack" targeting specific individuals. - If Citizen Lab disclosed it, its gotta be spyware.

The timing is interesting given Amnesty International's recent report about Serbian authorities using Cellebrite forensics tools against activists and journalists. While we don't know who was exploiting this particular flaw, it has all the hallmarks of a law enforcement forensics tool like Cellebrite or Graykey - the kind that needs physical access to devices to work their magic. (read more)

Law enforcement just pulled off a nice win against ransomware crews, taking down 8Base's leak site and nabbing four Russian nationals. The group had been running a variant of Phobos ransomware, which has hit over 1,000 organizations and pulled in about $16M in ransom payments. The operation involved 14 countries and led to the takedown of 27 servers, plus they managed to warn 400 companies that they were in the crosshairs.

What's interesting here is the connection between 8Base and Phobos - turns out 8Base was using Phobos version 2.9.1 with SmokeLoader for initial access. This comes after they nabbed another Russian national (Ptitsyn) last year for selling Phobos. The NCA says they were able to prevent a bunch of UK businesses from getting encrypted thanks to intel from the investigation, which is a nice change from the usual "too little too late" ransomware response. (read more)

Nice find! (read more)

Heads up Office users - there's active exploitation of a year-old Outlook RCE bug (CVE-2024-21413). The flaw is pretty slick - attackers can bypass Protected View by adding an exclamation mark to file:// protocol links, which then leaks NTLM creds and potentially leads to code execution. Check Point found this one last year, and while Microsoft downplayed it initially as "unlikely" to be exploited, well... here we are.

If you're running Office 2016, 2019, 365, or LTSC 2021, you're in the blast radius. CISA just added this to their Known Exploited Vulnerabilities catalog and is pushing federal agencies to patch ASAP. The fix has been available since February 2024, so if you haven't patched in a year, now would be a good time. Blocking outbound SMB traffic isn't a bad idea either if you want to prevent those NTLM leaks. (read more)

Looks like Magecart is back at it, this time abusing Google Tag Manager to slip card skimmers into e-commerce sites. Sucuri caught them injecting malicious JavaScript through GTM on at least six Magento stores. The attackers are getting clever - they're storing the skimmer code right in Magento's cms_block.content table and using GTM to load it, making it look like legitimate Google traffic.

The fun part? This is basically the same technique from that 2013 BlackHat talk about the Million Browser Botnet - using trusted services to inject malicious JavaScript. The attackers even threw in a PHP backdoor in the media directory for persistent access. Classic Magecart move, but it shows how some of these old techniques still work perfectly fine a decade later. If you're running a Magento store, might want to audit those GTM tags and check your media directory for unexpected PHP files. (read more)

Cloudflare just patched a sneaky mTLS vulnerability that let attackers bypass certificate checks through session resumption. The bug (CVE-2025-23419) meant that if you had a valid certificate for one Cloudflare zone, you could potentially use that same session ticket to connect to a different zone without proper authentication. They fixed it within 32 hours by disabling session resumption for all mTLS customers.

This write-up is awesome and I love how they detail how it slipped through - turns out BoringSSL provides an API to prevent exactly this kind of session ticket reuse, but Cloudflare wasn't using it correctly. While there's no evidence anyone exploited this in the wild, it's a good reminder that even seemingly solid security features like mTLS can have subtle implementation gotchas. Customers using API Shield with WAF rules that checked the issuer's Subject Key Identifier weren't affected. (read more)

CISA's election security team just got gutted - 17 staffers, including 10 regional specialists, were put on administrative leave pending a "review." These folks were the boots on the ground working with state and local election offices on everything from ransomware defense to protecting election workers.

The timing is pretty sus, coming right as Trump's new DHS Secretary Kristi Noem is talking about how CISA has "strayed far off mission." State election officials from both parties are actually big fans of CISA's work. Kentucky's Republican Secretary of State was just praising how valuable their ground teams were for county clerks, while Michigan's Democratic Secretary called them a "critical partner." (read more)

Remember those North Korean IT worker scams we've been tracking? Well, a security startup founder just caught two of them trying to infiltrate his company using deepfakes. Dawid Moczadło from Vidoc Security Lab says both candidates made it pretty far in the interview process - one even impressed him with their technical skills - before the video interviews exposed them.

The dead giveaway was a glitchy AI-generated faces and suspiciously ChatGPT-like answers delivered in bullet points. This follows a DoJ indictment about North Korean IT workers scamming $88M from US companies. Moczadło's particularly worried about where this is headed, noting that while today's deepfakes are easy to spot, that might not be true in a year. (read more)

Two bug bounty hunters just scored a $50K payday by finding a gnarly software supply chain vulnerability. They noticed that newly acquired companies often have weaker security, so they targeted one and found their Docker images exposed on DockerHub. Inside was not just source code, but a GitHub Actions token in the .git config and an npm token hidden in the build layers. Game over.

They could push malicious code to private npm packages that would get pulled into developer machines, CI/CD pipelines, and even production servers. And since it all happened through legitimate package registries, it would've been nearly impossible to detect. (read more)

An Italian journalist speaks about being targeted with Paragon spyware

An Italian journalist just went public about being targeted with Paragon spyware through WhatsApp - one of 90 people hit in this campaign. Francesco Cancellato, who runs Fanpage and has done some undercover reporting on fascists in PM Meloni's party, found out when Meta dropped him a "hey, your phone's compromised" note. While Paragon has since ended its contract with Italy, there are still big questions about who ordered the hack.

Cancellato's team had just exposed links between Meloni's party and far-right groups, including some antisemitic behavior in her youth wing. While he's not directly accusing the government, he notes Meloni's friendship with Hungary's Orban (who has his own history with Pegasus spyware). A government official's response was basically "well, you do undercover journalism, so what goes around comes around." Yikes. (read more)

North Korea's Lazarus Group is hitting crypto developers with an NPM supply chain attack using a new JavaScript implant called Marstech1. They've confirmed 233 victims so far, targeting Exodus and Atomic wallet users through compromised NPM packages. The implant is particularly nasty - it uses multiple layers of obfuscation including control flow flattening and anti-debugging that helped it stay hidden in software packages.

The attack was traced to a GitHub account "SuccessFriend" (now nuked) that had been building credibility since July 2024 by contributing legitimate code before switching to malware in November. (read more)

Researchers just caught some malware hiding in Hugging Face models. The attack, dubbed "nullifAI," exploits Pickle file serialization in a clever way - by breaking the file format just right, it bypasses Hugging Face's security scanner while still executing malicious code. Two models were found containing reverse shells that connect to a hardcoded IP. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay