Read Time: 8 minutes

Brought to you by:

Howdy friends!

Fun story about today’s sponsor. Chaotic Good is run by my long time good buddy Johnathan Kuskos. He and I go way back to our days at WhiteHat Security where we were busy hacking websites all day. He’s now running his own shop and he reached out asking to support Vulnerable U, it’s crazy how far we’ve come.

Anyway, he’s one of the best AppSec pros in the business, I’m happy to help shout him out.

Mental Health Minute: Anyone else feeling super stressed lately? It feels like the year is kicking into gear and I can’t catch my breath. Literally and figuratively, stress manifests in interesting ways in my body and one of them is it feels like I haven’t taken a full breath in days. - I feel like a lot of people I’ve talked to are feeling similar.

Stress deserves it’s own blog post but I didn’t have a chance to write one for this week. Open to any tips in how you deal with stress, I’ll include whatever you all reply with in the write up I do.

ICYMI

🖊️ Something I wrote: The best leaders in cybersecurity don’t just manage—they advocate for their team members.

🎧️ Something I heard: Why the Internet is about to get worse

🎤 Something I said: AI broke hiring.

🔖 Something I read: Microsoft made a huge announcement on them finding a new state of matter which led to a breakthrough in quantum computing. This thread helped explain why we’re not positive yet.

Vulnerable News

Critical PostgreSQL bug tied to zero-day attack on US Treasury

Remember that US Treasury hack from December? Rapid7 just revealed that the attackers chained together two zero-days - the known BeyondTrust vulnerability and a previously undisclosed PostgreSQL bug (CVE-2025-1094). The PostgreSQL issue was actually crucial to making the whole attack work, letting attackers execute arbitrary code through some clever SQL injection tricks involving UTF-8 character handling.

The good news is this isn't your garden variety SQL injection - it's complex enough that Rapid7 doesn't expect to see it widely exploited outside of the Treasury incident. Still, it's a fascinating peek into how sophisticated attackers work, chaining together vulnerabilities that might seem relatively harmless on their own. PostgreSQL pushed out patches on February 13th, and they've apparently been great to work with during the disclosure process (which is refreshingly drama-free). (read more)

Red Team: Roll for Attack!*

Ready to uncover vulnerabilities before hackers exploit them?

Chaotic Good Information Security is a seasoned team specializing in proactive assessments, including internal and external network penetration testing, web application security engagements, vulnerability scanning, security training, tabletop incident response scenarios, and advisory services. We expose exploitable flaws ahead of the bad guys, making you a tougher and more expensive target.

Strengthen your defenses and book a free scoping consultation by emailing [email protected]. Mention VulnU for 10% off.

*Sponsored

CISA and FBI: China-Linked Ghost Ransomware Targets Known Flaws

CISA and FBI just dropped some intel on the Ghost ransomware crew operating out of China. These folks have been hitting targets in 70+ countries since 2021, focusing on the classics - unpatched internet-facing services and known vulns in Fortinet, Adobe ColdFusion, SharePoint, and Exchange. They're not exactly bringing their A-game though - they don't stick around long on networks and rarely actually steal sensitive data despite their threats.

They keep changing their identity - rotating executables, switching file extensions, and using different names like Cring, Phantom, and Strike. The feds say they're mostly going after low-hanging fruit across critical infrastructure, education, healthcare, and smaller businesses. Standard advice applies: patch your stuff, use MFA, segment networks. But the real story here is how successful a group can be just by targeting known vulnerabilities that should've been patched years ago. (read more)

Russian-Linked Actors Target Accounts With Device Code Phishing Tactic

mattjayy

View more on Instagram

A clever phishing campaign that's been running since August. Microsoft's tracking a Russian-linked group (Storm-2372) that's using device code authentication flows to compromise accounts. The attackers slide into DMs on Signal pretending to be someone important, chat about messaging apps, then hit targets with a fake meeting invite containing a "Security ID" - which is actually the device code they want you to enter on a phishing page. (read more)

Russian Espionage Attacks Target Signal Messenger Feature

Russian threat actors are getting creative with the app's QR device linking feature. Mandiant caught them sending malicious QR codes that, when scanned, link victims' accounts to attacker-controlled Signal instances. Once linked, the attackers get a real-time copy of all future messages without needing to compromise the actual device. APT44 (Sandworm) has even been linking captured devices from Ukrainian battlefields back to their infrastructure. (read more)

RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers

Recorded Future just dropped a detailed report on Salt Typhoon, a Chinese state-sponsored group that's been having a field day with unpatched Cisco devices. Between December and January, they hit over 1,000 targets globally, focusing on telecom providers but also sneaking into some universities. The group's exploiting two privilege escalation vulnerabilities in Cisco IOS XE to gain root access and set up GRE tunnels for persistence.

They're still at it despite getting massive media coverage and US sanctions. They've already compromised devices at a US-based affiliate of a UK telecom, a South African telecom provider, and several others. The scale suggests this is a focused campaign rather than random scanning, since they only targeted 8% of exposed devices. (read more)

How Phished Data Turns into Apple & Google Wallets

Instead of just stealing card data, cybercrime groups are turning phished credentials into Apple and Google Pay wallets through some social engineering. The scam starts with fake USPS or toll road texts, but they send them through iMessage and RCS to dodge carrier detection. When victims enter their card details and verification codes, the crooks load them into digital wallets on phones they control.

The scale is wild - researchers estimate about $15 billion in fraud over a year. These groups are selling phones loaded with multiple stolen wallets, and they've even got this wild "ghost tap" tech that can relay NFC payments globally. Banks are struggling to keep up since their usual security measures weren't built for this kind of attack. (read more)

Stalkerware apps Cocospy and Spyic are exposing phone data of millions of people

A security researcher just uncovered a major vulnerability in two stalkerware apps, Cocospy and Spyic, that's exposing data from millions of compromised phones. The bug lets anyone access victims' messages, photos, and call logs, plus reveals the email addresses of the creeps who installed the apps. 2.65 million unique email addresses between the two apps, which have been added to Have I Been Pwned's database (marked as sensitive). The technical details are being kept under wraps to avoid further exploitation. (read more)

SonicWall CVE-2024-53704 Bug Under Attack

If you're running SonicWall's SonicOS SSLVPN - there's active exploitation of CVE-2024-53704, an authentication bypass that lets attackers hijack active VPN sessions. Once they've got that, they can grab NetExtender configs, open VPN tunnels, and access private networks through the compromised account. Bishop Fox found over 4,500 vulnerable servers earlier this month, and CISA just added it to their Known Exploited Vulnerabilities list.

The patch has been out since January, but you know how these things go - plenty of orgs are still exposed. What makes this particularly spicy is that detecting exploitation isn't straightforward unless you've got some custom logging set up to catch multiple IPs using the same SSL VPN session. Given how much attackers love targeting edge security products lately, this is definitely one to prioritize patching. (read more)

An inside look at NSA (Equation Group) TTPs from China’s lense

Here's a fascinating deep dive into how Chinese security firms view NSA operations. A researcher in Australia dug through Chinese security reports (mainly from Qihoo 360 and CVERC) about how the NSA allegedly compromised Northwestern Polytechnical University. They caught the NSA through basic OPSEC failures like attacks only happening during US working hours, American English keyboard inputs, and some exposed file paths in error messages.

The technical details are pretty spicy. According to the Chinese reports, the NSA used 41 different tools, with many matching tools from the Shadow Brokers leak. Their MO involved compromising edge network devices (sound familiar?), using FOXACID for browser exploitation, and running most ops in-memory to avoid disk artifacts. (read more)

Microsoft Threat Intelligence uncovered a sophisticated macOS malware that targets users by infecting Xcode projects

Microsoft just spotted a fresh variant of the XCSSET macOS malware that's specifically targeting Xcode projects. While it's still doing its usual thing (stealing wallet info, Notes data, and system files), it's gotten craftier with randomized payload generation and is now using both xxd and Base64 encoding to stay under the radar.

The persistence game has leveled up too. It's using two methods now - one that hijacks shell sessions through .zshrc files, and another that creates a fake Launchpad that runs malicious code whenever you click the dock icon. They've also cooked up some new ways to inject payloads into Xcode projects. While Microsoft says it's only seeing limited attacks right now, this is definitely one to watch if you're doing Mac development. (read more)

Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits

Tax season scams are in full swing and they're nasty as usual. Friend of VulnU, Sublime Security, has spotted several new tactics, including a fun one where attackers impersonate CEOs asking CPAs for tax help, only to deliver the AdWind RAT malware through a fake PDF. They're also seeing DocuSign impersonation phishing and a QR code scam built with the tycoon/storm1747 phishing kit.

These attacks have become super layered. One example started with a compromised email account from a legitimate Texas company, but the email originated from Japan. The attackers are clearly betting on tax season anxiety to lower people's guards, using everything from fake W-2s to spoofed DocuSign notifications to get their hooks in. Guards up! (read more)

UK Forces Apple to Make a Universal Backdoor...

Miscellaneous mattjay

I got a version of this same DM. I thought it could be legit a reporter but never responded. Not to say if I responded it would’ve been auto-pwn but super interesting to see what the goal was.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay