🎓️ Vulnerable U | #106

US stand down against Russia, Microsoft intel on Silk Typhoon, Some spicy polymorphic malware, a super huge and instantly spun up botnet, and much more!

Howdy friends!

Happy SXSW week for those who celebrate. For those of you who’ve never been, imagine Disney World but instead of children every single person has a startup. And they all show up in Austin at the same time.

For me, it means go to a few events and then just deal with not being able to drive or go to any of my normal food/coffee spots for a few weeks.

I read a meme this week that said “Seasonal Depression always sounds fake, until the sun comes out and I realize life is worth living again”

About 30% of you said you missed my mental health content when I polled you a few weeks ago. I’ve been hyper-focused on my video content lately, but I did get to write a new mental health post. Here’s a sneak peek:

According to this new report, 60% of cybersecurity pros are itching to jump ship. And it’s not just about chasing the next fat paycheck. It’s about the mental toll of a field where being overworked and undervalued isn’t the exception—it’s the norm.

The Price Tag on Mental Health

Sure, we’re making six-figure salaries. Security architects and engineers are cashing in over $200K a year. But when only one in three would recommend their employer, something’s rotten in paradise.

I found this at the top of the r/cybersecurity subreddit this week and the comments were … enlightening. As one redditor bluntly put it, “Overworked and underpaid is MO.” The numbers might look sexy, but the daily grind is anything but glamorous.

The problem isn’t just the long hours or the constant firefighting. It’s the lack of career progression, the endless meetings with what many feel are clueless execs, and that gut-wrenching feeling of being treated like an expendable resource. One comment summed it up:

“Yeah. The execs don't care about cyber security until there's a breach. Then they blame us for not doing enough. Even though they don't provide the budget asked for in order to get the tools and people necessary to have a good program.”

That’s not just burnout—that’s a broken system.

Link to continue reading.

ICYMI

🖊️ Something I wrote: The Loneliness Tax: We're All Paying It

🎧️ Something I heard: Tib3rius talking about his run in with Microsoft Support

🎤 Something I said: mozilla. what are you doing? My run-through of the new Firefox Terms of Service removing all mention of not selling your data from their site.

🔖 Something I read: This guy is building a tool that uses AI and fake Calendly links to waste cold DMers’ time.

Vulnerable News

Love a good Microsoft intel report. This time on Silk Typhoon, a Chinese espionage crew that's getting craftier with their supply chain attacks. Instead of going after the big fish directly, they're nabbing API keys and credentials from IT providers, then using that access to compromise downstream customers - particularly state/local governments. They're using everything from zero-day exploits to plain old password spraying. Unsurprisingly they're finding corporate passwords on GitHub too. (They should check out my homies at TruffleHog)

Once they’re in, these actors are particularly interested in data related to China interests, U.S. policy, and law enforcement investigations. They're also pretty thorough about covering their tracks - resetting admin accounts, dropping web shells, and clearing logs of their activity. They were even implicated in that Treasury Department OFAC hack back in December, where they leveraged a stolen API key from BeyondTrust. (read more)

Building trust requires collaboration across every department—from engineering to security to sales—working together as one team.

Join Vanta on March 19 as we introduce new product capabilities designed with teamwork in mind. You’ll see how Vanta can help you collaborate easily with your extended team of employees, vendors, auditors, and customers—and win together.

Hear from an all-star lineup of industry leaders who will share tips on creating a shared culture of responsibility around trust and security.

Speakers include:

  • Anthony English, VP Security / CISO at WorkJam

  • Nicole Dobias, Senior Counsel at Ironclad

  • Jeremy Epling, CPO at Vanta

  • Jadee Hanson, CISO at Vanta

*Sponsored

Side note - I’m really excited Vanta has decided to sponsor Vulnerable U, I actually really love this product and I think they’ve normalized security program creation for companies that would otherwise not know where to start. I advise a bunch of startups and have seen it in action, and it makes a big difference. Please do yourself, and me, a favor and check them out.

Ok this story is weird. Someone is lying. I followed a lot of reporting on this over the last week, and I’m still unclear on what actually went down. First up, The Record broke the story about DoD telling Cyber Command to stand down: Exclusive: Hegseth orders Cyber Command to stand down on Russia planning

Then The Guardian came out and said CISA officials were receiving memos, or verbal orders to “nix” all projects related to Russia: Trump administration retreats in fight against Russian cyber threats

Then CISA denied this on Twitter. But they did so in a “fake news” sort of way that sounded a bit off for the agency. They also RT’d some very political posts.

These were the main stories when I decided to cover this on YouTube. TL;DW - I conclude that we ordered Cyber Command to stand down offensive ops during negotiations and that the rest seems blown out of proportion.

Then Kim Zetter put out an article, and they came to the same conclusion I did. Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? (Story updated)

Days later, DoD came out and denied the whole original reported order even existed. Story broke on Bloomberg: Pentagon Denies Report of Halt in Cyber Operations Versus Russia (archive link)

So somebody is lying. Smart money is on the reporting being good from these sources, but a couple of explanations come to mind: .gov needs to deny it to save face during these negotiations, or some sources aren’t informed about the whole big picture.

I’d say this all happening in the week of kicking Zelenskyy out of the White House, and making enemies of Canada/Mexico, while Elon runs around saying the US should leave NATO - signs point to this reporting being accurate.

A new botnet called Eleven11bot just burst onto the scene and is already setting DDoS records. Nokia researchers spotted it in late February and say it consists of around 30,000 webcams and video recorders (though there's some debate, with estimates ranging from 5,000 to 86,000 devices). What's wild is that it managed to deliver a 6.5 Tbps attack - the largest volumetric DDoS ever recorded, beating the previous record of 5.6 Tbps. The US has the highest concentration of infected devices at 24.4%, followed by Taiwan and the UK.

This appears to be yet another Mirai variant (remember that nasty IoT botnet from 2016?), targeting TVT-NVMS 9000 digital video recorders running on HiSilicon chips. What's particularly concerning is how quickly it assembled - most of these IPs had never been seen in DDoS attacks before suddenly joining the party. It's hammering various targets including communications providers and gaming infrastructure, with some attacks causing multi-day service degradations. (read more)

Two New Yorkers were just arrested for a ticket heist that netted them over $600K in profit. The scheme involved a StubHub contractor named Tyrone Rose who used his backend access to intercept ticket URLs before they could be emailed to legitimate buyers. Instead of letting Swifties get their precious Eras Tour tickets, Rose redirected almost 1,000 tickets to his accomplice in Queens, NY who then resold them right back on StubHub.

StubHub eventually caught on and reported them to authorities, leading to grand larceny and computer tampering charges that could land them 3-15 years in prison. (read more)

VMware just dropped patches for three bugs in ESXi, Workstation, and Fusion that are already being exploited in the wild. This isn't a "patch when convenient" situation - CISA immediately added all three to their Known Exploited Vulnerabilities catalog. What makes this particularly interesting is that Microsoft's Threat Intelligence Center discovered and reported all three vulnerabilities, which suggests some sophisticated threat actors are behind the exploitation.

The bugs work together as a nasty chain - CVE-2025-2224 lets attackers execute code as the VMX process, CVE-2025-2225 enables an arbitrary kernel write leading to sandbox escape, and CVE-2025-2226 leaks memory from the vmx process. Together, that's a full VM escape toolkit. If you're running VMware products in your environment, you'll want to prioritize these patches that came out March 3rd. The fact that these are already being exploited means the clock is ticking. (read more)

Unit 42 intel reports are must reads in this house. This one is on a threat actor called JavaGhost that's been doing some AWS gymnastics for their phishing infra. They started out defacing websites back in 2019 but shifted to running phishing campaigns around 2022. Their specialty seems to be compromising AWS environments to send phishing emails using the victim's own infrastructure - clever since it bypasses email protections and puts the bill on someone else's tab.

What's particularly interesting is how they're stepping up their game. They're now using advanced evasion techniques previously only seen from the notorious Scattered Spider group. They'll grab exposed AWS keys, generate temporary credentials to sneak into the console without triggering alarms, then set up phishing infrastructure using Amazon SES and WorkMail. For persistence, they create admin IAM users and even leave a calling card - EC2 security groups named "Java_Ghost" with the description "We Are There But Not Visible." If you're running AWS, the article includes some solid hunting queries to see if these ghosts have been haunting your environment. (read more)
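The Unit 42 article has its own hunting queries; the script below is an added example of mine, not Unit 42's, that correlates the indicators named above per calling principal over CloudTrail records. The record field names (eventName, requestParameters, userIdentity.arn, readOnly) follow the CloudTrail log format; the sample trail, account ID and principal names are constructed.

```python
from collections import defaultdict

# Indicators from the Unit 42 write-up summarised above: the "Java_Ghost" security
# group, admin IAM users for persistence, SES/WorkMail for mail infrastructure.
# Record field names follow the CloudTrail log format; sample data is constructed.
MARKER_NAME = "java_ghost"
MARKER_DESC = "we are there but not visible"
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
MAIL_SOURCES = {"ses.amazonaws.com", "workmail.amazonaws.com"}

def classify(event):
    """Return the indicator one CloudTrail record matches, or None."""
    name, params = event.get("eventName", ""), event.get("requestParameters") or {}
    if name == "CreateSecurityGroup" and (
            params.get("groupName", "").lower() == MARKER_NAME
            or MARKER_DESC in params.get("groupDescription", "").lower()):
        return "marker_security_group"
    if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
        return "admin_policy_attached"
    if name == "CreateUser":
        return "iam_user_created"
    if event.get("eventSource") in MAIL_SOURCES and not event.get("readOnly", True):
        return "mail_infra_change"
    return None

def hunt(records):
    """Group indicators per principal; report only a strong indicator plus another."""
    by_actor = defaultdict(set)
    for ev in records:
        tag = classify(ev)
        if tag:
            by_actor[ev.get("userIdentity", {}).get("arn", "unknown")].add(tag)
    return {actor: sorted(tags) for actor, tags in by_actor.items()
            if tags & {"marker_security_group", "admin_policy_attached"} and len(tags) >= 2}

def _rec(arn, source, name, params=None, read_only=False):
    return {"userIdentity": {"arn": arn}, "eventSource": source, "eventName": name,
            "requestParameters": params or {}, "readOnly": read_only}

BAD = "arn:aws:iam::111122223333:user/ops-backup"   # constructed: leaked access key
GOOD = "arn:aws:iam::111122223333:user/alice"       # constructed: routine admin work
SAMPLE_TRAIL = [
    _rec(BAD, "ec2.amazonaws.com", "CreateSecurityGroup",
         {"groupName": "Java_Ghost", "groupDescription": "We Are There But Not Visible"}),
    _rec(BAD, "iam.amazonaws.com", "CreateUser", {"userName": "svc-mailer"}),
    _rec(BAD, "iam.amazonaws.com", "AttachUserPolicy", {"userName": "svc-mailer", "policyArn": ADMIN_POLICY}),
    _rec(BAD, "ses.amazonaws.com", "VerifyEmailIdentity", {"emailAddress": "ap@example.com"}),
    _rec(GOOD, "iam.amazonaws.com", "AttachUserPolicy", {"userName": "bob", "policyArn": ADMIN_POLICY}),
]
```

Requiring a strong indicator plus one more per principal keeps a single legitimate AdministratorAccess grant from paging anyone, while a key that creates the marker group, mints an admin user and touches SES in one session surfaces immediately.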

Well this is awkward. Kaspersky Lab's networks are now routing traffic for "Prospero OOO," one of the most notorious bulletproof hosting providers in Russia. For those not in the know, Prospero is basically cybercrime central, hosting ransomware control servers, malware distribution, and phishing sites galore. They operate under names like BEARHOST and actually advertise with lines like "if you need a server for a botnet, malware, or phishing... we completely ignore all abuses without exception."

Kaspersky has denied working with Prospero, claiming their network might just be appearing as a technical prefix due to some telecom provider relationships. The timing is particularly spicy given that Kaspersky's products were banned from US government agencies in 2017 and completely banned from US sales as of July 2024. Internet routing records show this cozy arrangement started in December 2024. Whether it's transit service or DDoS protection that Kaspersky is providing, security experts aren't impressed - as one researcher put it, "providing DDoS protection to a well-known bulletproof hosting provider may be even worse" than just routing their traffic. (read more)

Proofpoint just uncovered a wild new malware campaign, UNK_CraftyCamel, that's going after aviation and satellite comms companies in the UAE. The attackers are showing some skills with their use of polyglot files (files that can be read as multiple formats) to hide their malware. They're also using a compromised account from an Indian electronics company to send targeted spear-phishing emails that lead to a custom Go backdoor called Sosano.

The infection chain is pretty clever - the attackers send a ZIP that looks like it contains normal business files, but it's actually stuffed with malicious LNK files and polyglot PDFs that eventually load the Sosano backdoor. The backdoor itself can execute shell commands, change directories, and download additional payloads. (read more)
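As an added example (my code, not Proofpoint's and not taken from the campaign), here is a small triage check for the kind of archive described above: it walks a ZIP in memory, records every format signature each member carries, and flags polyglots, shell-link (LNK) payloads, PDFs whose header is not at offset 0, and double extensions. The LNK header and CLSID bytes are from the Shell Link format; the sample archive is constructed.

```python
import io, zipfile

# LNK header: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046 on disk.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# (magic, must sit at offset 0). PDF/ZIP are searched anywhere: both parsers tolerate leading bytes.
SIGNATURES = {"zip": (b"PK\x03\x04", False), "pdf": (b"%PDF-", False),
              "lnk": (LNK_MAGIC, True), "pe": (b"MZ", True)}

def find_formats(data):
    """Map each recognised format to the offset of its first signature hit."""
    hits = {}
    for name, (magic, anchored) in SIGNATURES.items():
        pos = data.find(magic)
        if pos == 0 or (pos > 0 and not anchored):
            hits[name] = pos
    return hits

def assess_member(name, data):
    """Flag one archive entry: polyglot, LNK, delayed PDF header, double extension."""
    formats, flags = find_formats(data), []
    if len(formats) >= 2:
        flags.append("polyglot")
    if "lnk" in formats or name.lower().endswith(".lnk"):
        flags.append("lnk")
    if formats.get("pdf", 0) > 0:
        flags.append("pdf_header_not_at_start")
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) >= 3 and parts[-2] in ("pdf", "doc", "docx", "xls", "xlsx", "txt"):
        flags.append("double_extension")
    return {"formats": formats, "flags": flags}

def inspect_zip(blob):
    """Assess every file inside an in-memory ZIP; raises BadZipFile if it is not one."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {i.filename: assess_member(i.filename, zf.read(i))
                for i in zf.infolist() if not i.is_dir()}

def build_sample_archive():
    """Constructed sample: a benign note, a ZIP/PDF polyglot, and an LNK posing as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"Quarterly figures attached.\n")
        zf.writestr("Invoice_Q1.pdf", b"PK\x03\x04" + b"\x00" * 26 + b"%PDF-1.7\n%stub\n")
        zf.writestr("Contract.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()
```

A mail gateway or sandbox pre-filter can apply the same checks to every attachment; anything with more than one format signature, or an LNK inside a "business documents" archive, deserves detonation rather than delivery.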

Oh this is nasty. Researchers at SquareX Labs found a way for malicious Chrome extensions to basically shape-shift into other extensions like password managers and crypto wallets. Once installed, the malicious extension can check what other extensions you have using the chrome.management API (or sneakier methods if needed), then temporarily disable your legitimate extension while mimicking its appearance. They demonstrated this with 1Password - the fake extension changes its icon, pops up a convincing "session expired" message, and tricks you into entering your master password into what looks like the real deal.

The even nastier part is once it has your credentials, it switches back to its original form and re-enables the real extension, so you'd likely never notice the swap. SquareX has reported this to Google, but there aren't any mitigations in place yet. (read more)

Microsoft just patched a pretty nasty RCE in their KDC Proxy (CVE-2024-43639). The bug is an integer overflow caused by not checking Kerberos response lengths. An attacker could point your KDC Proxy at their malicious server, which would return a specially crafted message with a length of ~4.3 billion bytes. This overflows a 32-bit integer during ASN.1 encoding, leading to buffer manipulation that can ultimately execute arbitrary code.

Good news is this is relatively limited in scope - only affects servers explicitly configured as KDC Proxy servers (KDCSVC), not domain controllers. No attacks detected in the wild yet, but if you're running this service, patch immediately. (read more)

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay