🎓️ Vulnerable U | #105

Apple removes major encryption feature from UK, Palo Alto Networks and CrowdStrike put out awesome attacker stats reports, Major background check company breached, and much more!

Read Time: 8 minutes


Howdy friends!

Been having fun this week. Maybe it’s because the sun came out a bit? I’m already having to make plans for the summer. Isn’t that psychotic? Being an adult is weird. It’s February and I’m making August plans. If you’re reading this in a dorm room in college:

ICYMI

🖊️ Something I wrote: Shoutout to the 'first managers who believed in us' club. 🫡

🎧️ Something I heard: I’m gonna be honest. A lot of my listening time went to Civ7 streams this week. I haven’t even played the game yet, but I’m a big Civ fan. Quill18 is one of my fave streamers who has been doing runs.

🎤 Something I said: Woah my first YouTube video that got a little traction. Run through of recent attacks on Signal, WhatsApp, and Teams. (Side note: YouTube is the hardest thing I do as a creator. Props to those of you who’ve been doing it for years)

🔖 Something I read: Been going through The Almanack of Naval Ravikant - pretty solid!

Vulnerable News

The UK government just shot itself in the foot trying to backdoor encryption. Apple announced Friday they're pulling their Advanced Data Protection service from the UK entirely rather than comply with a secret government order demanding they build in law enforcement access to encrypted backups. This is exactly the kind of "pick your poison" scenario privacy advocates have been warning about for years.

To be clear, this only affects the opt-in ADP feature (which provides truly end-to-end encrypted backups that even Apple can't access) - regular iCloud backups will continue working as normal and remain accessible to authorities with a warrant. Apple's basically saying "we'd rather not offer the highest security in your market than compromise it for everyone." You've got to wonder if this is just the first domino to fall as more governments push for encryption backdoors. (read more)

Tamnoon analyzed 4.7 million alerts, showing that critical misconfigurations remain open for an average of 128 days, and that doesn’t even begin to include the 33.7% of high-severity alerts.

Inconsistent CNAPP classifications and alert fatigue show why remediation takes so long. The State of Cloud Remediation report shows that clouds remain exposed, with alerts lingering for weeks or even months and a growing backlog of 'high' alerts.

Join their live webinar on March 11th for an in-depth discussion on the State of Remediation report.

Access the Report (no email required)

*Sponsored

What. Did. I. Just. Say… Sweden's pushing for backdoor access to Signal and WhatsApp, but Signal's already said "thanks, but no thanks" - they'll exit the market before compromising their encryption. The proposed legislation would require messaging apps to retain message histories and provide access to law enforcement, something that Signal's President Meredith Whittaker points out would weaken the entire network's security. Even Sweden's own military, which uses Signal, is against the idea.

These moves keep happening despite the obvious technical reality that you can't have a backdoor that only the "good guys" can use. (read more)

Another day, another massive data breach. DISA Global Solutions - a background check and drug testing provider - just disclosed that attackers made off with personal data belonging to over 3.3 million people. The attackers had been hanging out in their systems from February to April 2024 before anyone noticed.

What got snagged is the complete identity theft package - Social Security numbers, credit/debit card info, driver's licenses, and financial account details. DISA works with tens of thousands of companies, collecting all sorts of personal data from job applicants and employees. The company admitted they couldn't even figure out the full extent of what was stolen. No details on how the attackers got in, but with a two-month dwell time, they had plenty of opportunity to poke around. If you've applied for a job that used DISA for background checks, you might want to keep an eye on your credit report. (read more)

A new malware campaign dubbed "GitVenom" has been using fake open-source GitHub projects to steal crypto and gaming credentials. The attackers have already snagged about $456K in Bitcoin by creating hundreds of repositories posing as Instagram automation tools, Telegram crypto bots, and Valorant game cracks. Once installed, the malware deploys AsyncRAT/QuasarRAT for remote control and a clipper that swaps crypto wallet addresses in your clipboard.

Interestingly, they're combining traditional RAT malware with crypto theft capabilities, targeting gamers and crypto users through the same campaign. The same threat actors are also piggybacking on major e-sports tournaments like IEM Katowice 2025, impersonating pro CS2 players to push fake skin giveaways. (read more)

The UK Home Office just launched their vulnerability disclosure program on HackerOne, but there's a massive catch - researchers who find bugs could still face prosecution under the ancient Computer Misuse Act of 1990. Unlike the Ministry of Defence's program which explicitly protects good-faith researchers, the Home Office offers zero legal protection. They're essentially asking security folks to help them while leaving them exposed to legal risks.

The CyberUp Campaign is calling out this contradiction, pointing to countries like Malta, Portugal, and Belgium that have already modernized their laws to protect ethical hackers. While the UK government keeps talking about reforming the Computer Misuse Act (written when only 0.5% of Brits had internet), nothing concrete has materialized. Labour previously tried introducing a public interest defense for hackers, but that effort stalled. Meanwhile, legitimate security research remains technically illegal, hampering the UK's cyber resilience. (read more)

Long-time readers know: I love a good report put out by companies with lots of unique data. PANW fits that bill. Unit 42 dropped their 2025 IR report, and it's a fun one. Attackers are moving ridiculously fast now - 25% of data theft happens in under 5 hours, and some cases see data gone in under an hour. They're not just after quick cash anymore; they're deliberately trying to break stuff and cause chaos to force ransom payments.

I know this is based on stats, but when I advise companies I’m using 10-20 minutes as a bar for detect → lockdown of a compromised account/box. If you can get under that bar, you’ll be best in class, but it requires a ton of really good automation.

The North Korean insider threat situation has tripled (remember those deepfake job interviews?), and attackers are hitting organizations from multiple angles - 70% of incidents involved 3+ attack surfaces. AI is making everything worse, cutting potential attack times down to 25 minutes in Unit 42's testing. 75% of incidents had warning signs in the logs, but siloed systems meant nobody caught them in time. Cloud security is still a mess too, with 29% of incidents involving cloud environments and plenty of unmonitored shadow IT keeping defenders busy. (read more)

A massive botnet (130k devices) is targeting Microsoft 365 environments still using Basic Authentication for non-interactive sign-ins. They're specifically going after those automatic background connections where credentials are stored from previous logins - the kind you might use for email syncing or calendar access. SecurityScorecard found these attacks are bypassing MFA and modern protections by exploiting this legacy authentication method.

While Microsoft has been sunsetting Basic Auth across their services, SMTP will keep it enabled until September. If you're running M365, now's a good time to check those non-interactive sign-in logs (which often fly under the radar) and rotate any compromised credentials. The campaign appears to be running through Chinese cloud services, though attribution isn't definitive yet. (read more)
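Here's what "check those non-interactive sign-in logs" can look like in practice. This is an added example, not code from the newsletter, SecurityScorecard or Microsoft: it takes an exported sign-in log in JSON-lines form, keeps only non-interactive sign-ins that went over legacy (Basic Auth) client protocols, and then flags users hit from several source IPs and IPs that touched several accounts, which is the shape a credential-stuffing or spray run leaves behind. The field names are assumed to follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, clientAppUsed, isInteractive, status.errorCode) and the sample records are constructed.

```python
"""Flag legacy-auth non-interactive sign-ins in an exported Entra sign-in log.
Added example (not the newsletter's or Microsoft's code). Field names assume the
Microsoft Graph signIn schema; sample records below are constructed, not real."""
import json
from collections import defaultdict

# Client types that authenticate with username/password only, so MFA never applies.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3", "Other clients",
                      "Exchange ActiveSync", "Exchange Web Services", "MAPI Over HTTP"}

# Constructed sample export (JSON lines). 50126 = invalid username or password.
SAMPLE_LOG = """
{"createdDateTime":"2025-02-20T03:01:10Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","clientAppUsed":"Authenticated SMTP","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T03:01:12Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.11","clientAppUsed":"Authenticated SMTP","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:01:15Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.12","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:02:40Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","clientAppUsed":"Authenticated SMTP","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T09:15:00Z","userPrincipalName":"carol@example.com","ipAddress":"198.51.100.5","clientAppUsed":"Browser","isInteractive":true,"status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T09:20:00Z","userPrincipalName":"dave@example.com","ipAddress":"198.51.100.7","clientAppUsed":"Mobile Apps and Desktop clients","isInteractive":false,"status":{"errorCode":0}}
"""

def parse_signins(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def legacy_noninteractive(records):
    """Keep only non-interactive sign-ins that used a legacy client protocol."""
    return [r for r in records
            if not r.get("isInteractive", True)
            and r.get("clientAppUsed") in LEGACY_CLIENT_APPS]

def summarize(records, min_ips=2):
    """Per user: distinct source IPs and success/failure counts over legacy auth.
    'review' is set when a single account is hit from >= min_ips addresses or
    sees failures; a real mail client does not normally hop between IPs."""
    stats = defaultdict(lambda: {"ips": set(), "ok": 0, "fail": 0})
    for r in legacy_noninteractive(records):
        s = stats[r["userPrincipalName"]]
        s["ips"].add(r["ipAddress"])
        s["ok" if r["status"]["errorCode"] == 0 else "fail"] += 1
    return {u: {"ips": sorted(s["ips"]), "ok": s["ok"], "fail": s["fail"],
                "review": len(s["ips"]) >= min_ips or s["fail"] > 0}
            for u, s in stats.items()}

def spraying_sources(records, min_users=2):
    """IPs that tried legacy auth against >= min_users distinct accounts."""
    users_by_ip = defaultdict(set)
    for r in legacy_noninteractive(records):
        users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    print(summarize(recs))
    print(spraying_sources(recs))
```

Accounts that come back with review set are the ones to rotate first; the same functions run unchanged over a real export once the fields match.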

Washington state's trying something interesting - taxing companies for collecting personal data like it's a natural resource. They'll charge data brokers based on how many residents' data they collect, from $0.05/person/month for smaller players up to a $1.38M base fee plus $0.55/person for companies holding data on 5M+ residents.

The tax only hits at collection time though, not at storage, which could push companies to hoard even more data to avoid paying the tax multiple times for recollecting it. It also incentivizes consolidation, where big platforms become the primary collectors and just redistribute to everyone else.

A smarter approach would be taxing companies for keeping the data (retention tax), which would pressure them to delete what they don't need and make everyone in the data economy pay their fair share based on actual usage. (read more)

The classic Google Ads malware campaign got a meta twist - attackers are now using ads for Chrome itself as the lure. Click the ad, land on a sketchy Google Sites page, and download what looks like Chrome but actually bundles SecTopRAT, a RAT with stealing capabilities. The malware authors got clever with the execution - they add Windows Defender exclusions before dropping an encrypted payload that ultimately injects into MSBuild.exe.

And like a little forehead kiss at the end, they actually install the real Chrome browser. There's evidence they're running similar campaigns with fake Notion and Grammarly installers too. While Malwarebytes caught this one, it's an interesting example of abusing trusted platforms (Google Ads, Sites) and processes (MSBuild) to slip past defenses. (read more)

North Korea just set a new record for biggest heist in history - the FBI says they're behind a $1.5 billion cryptocurrency theft from Dubai-based exchange ByBit. The FBI warns that NK hackers are already busy laundering the funds, converting assets to bitcoin and scattering them across thousands of addresses on multiple blockchains.

Lazarus Group has become a powerhouse in crypto theft. They raked in $1.3B from crypto hacks in 2022 alone (spread across 47 separate incidents), nearly doubling their 2021 haul. Between these hacks, selling weapons to Russia for its war in Ukraine, and even cautiously reopening for tourism, NK's finding creative ways to keep the money flowing while under every sanction known to man. (read more)

Google's security team is flagging a spike in phishing attacks against universities that kicked off last August. These aren't your "I'm a prince with millions" emails - the attackers are getting creative, sending malicious Google Forms disguised as official university communications, cloning login portals, and running two-step campaigns where they first steal credentials, then use those hijacked accounts to target more victims.

The lures range from financial aid disbursements to refund verification and urgent medical inquiries. It's a potent mix of social engineering that preys on both the trust students have in university communications and the fear of missing important deadlines. (read more)

Miscellaneous mattjay

CrowdStrike just came out with their annual intel report and I read it live over on YouTube for a few hours. First time live streaming something like that, it was fun to talk it all out. Blind react to intel reports, the new viral craze.

Here’s a quick short from a highlight stat:

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay