Vulnerable U | #107
CISA having a bad time, Microsoft and Google Threat Intel full of goodies this week, SSRF on the rise as per GreyNoise, and much more!
Read Time: 8 minutes

Brought to you by:
Howdy friends!
SXSW came and went. I used to love that conference, the whole city of Austin would transform into a Tech, TV, Film, and Music wonderland. Now it's brands you've barely heard of throwing parties with long lines that I didn't want to be at. Notably, I couldn't help but realize the absence of former SXSW staples: all of Silicon Valley. Entire streets used to be dedicated to Google, Microsoft, Facebook, Snapchat, Instagram, etc. - all of which were absolutely nowhere to be found.
The events I did go to and have fun at were all around creators. I got to meet some of my favorite YouTubers, and at some events I went to, everyone I met was behind the scenes of major social media accounts you run into in the algorithm mines. Either way, I got to catch up with some old friends, make some new ones, and even get a dose of nostalgia by watching a live podcast recording of Diggnation, which I was super into back in 07-09.
ICYMI
Something I wrote: High Pay, Low Respect: 60% of Cybersecurity Pros Want to Change Jobs
Something I heard: John Hammond's latest video is awesome: they tried to hack me so i confronted them
Something I said: I've been asked to make this for a while, so here it is. A run-through of all the secure messenger apps to talk about which ones are best.
Something I read: "Desire is a contract that you make with yourself to be unhappy until you get what you want." - Really digging The Almanack of Naval Ravikant - and this quote hit me in the face. I need to knock off my Zillow-scrolling hobby of looking at houses I can't afford.
Vulnerable News
Microsoft threat intel report on a massive malvertising campaign that hit around a million devices. The attack kicks off on sketchy streaming sites (you know, the "free movie" kind) and uses a chain of redirects to eventually land victims on malicious GitHub repos. Once there, the attacker's code gets to work in multiple stages - first establishing a foothold, then stealing system info, and finally deploying either Lumma or Doenerium info stealers. In many cases, they also drop NetSupport RAT for remote access.
The attackers use legitimate files to blend in, leverage living-off-the-land binaries like PowerShell and MSBuild, and even set up Chrome remote debugging on hidden desktops to monitor browsing activity. They're also checking for security tools and adding exclusion paths to Defender. (read more)
I work with a number of companies to help build their security program. Inevitably, when trying to do business with enterprise clients, the compliance question comes up. This is where I've seen Vanta in action as it becomes the easy button to unlock bigger deals faster.
Imagine turning compliance into your secret growth accelerator. Vanta shows how implementing frameworks like SOC 2 isn't just a checkbox; it's a powerful strategy that builds trust, speeds up sales, and unlocks enterprise deals.
Revenue Accelerator: Leverage compliance to drive growth and close deals faster.
Build Instant Trust: Demonstrate operational maturity and secure customer confidence.
Streamline Sales: Meet critical compliance standards that open doors to new opportunities.
Future-Proof Your Business: Set the stage for scalable, long-term success.
*Sponsored
CISA appears to be in serious trouble. According to insiders, the cybersecurity agency has lost around 10% of its workforce (300-400 people) in recent layoffs, with many technical experts and program leaders shown the door. Partnerships have been crippled, with international travel frozen and basic communication with other agencies now requiring special permission. Even companies are hesitant to share threat data with CISA due to fears about who might access it.
The situation is made worse by an acting director who employees describe as "tone-deaf" and "spineless," prioritizing loyalty to the administration over defending the agency's mission. With the elimination of CISA's election security program and freezes on AI initiatives, staffers are waiting for "the other shoe to drop" as more cuts loom. (read more)

SSRF exploitation is having a moment. GreyNoise just spotted a coordinated surge hitting multiple platforms simultaneously on March 9th, with around 400 unique IPs targeting at least 10 different SSRF-related CVEs. The attackers aren't just hitting one vulnerability - they're going after multiple SSRF flaws at once, suggesting this isn't random botnet noise but something more structured.
We're approaching the anniversary of the infamous Capital One breach from 2019, where SSRF was the attack vector that exposed over 100 million customer records. If your organization runs Zimbra, GitLab, VMware vCenter, or Ivanti Connect Secure, you'll want to check those patches ASAP. SSRF continues to be a goldmine for attackers targeting cloud environments where they can pivot to internal metadata APIs and hunt for credentials. (read more)
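As an added illustration of the metadata-API pivot described above (this is example code, not anything from GreyNoise or the linked report), here is a Python check an outbound-fetch feature can run before following a user-supplied URL; the resolver hook, the `FAKE_DNS` table and the `fake_resolver` helper are constructed for offline demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges an outbound fetch should never reach: loopback, RFC 1918, and
# link-local, which includes the cloud metadata service at 169.254.169.254.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table for offline demonstration; these are not real records.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],
}

def real_resolver(host):
    """Resolve every A/AAAA record, since an attacker controls which one wins."""
    return {ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)}

def fake_resolver(host):
    """Offline stand-in for real_resolver backed by FAKE_DNS (hypothetical)."""
    if host in FAKE_DNS:
        return {ipaddress.ip_address(a) for a in FAKE_DNS[host]}
    return {ipaddress.ip_address(host)}  # literal IP; ValueError if not one

def is_safe_url(url, resolver=real_resolver):
    """Return (ok, reason). Rejects non-http(s) schemes, credentials in the
    URL, unresolvable hosts, and any host with an address in BLOCKED_NETS."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {p.scheme!r} not allowed"
    if not p.hostname:
        return False, "no host"
    if p.username or p.password:
        return False, "credentials embedded in URL"
    try:
        addrs = resolver(p.hostname)
    except (socket.gaierror, ValueError):
        return False, "unresolvable host"
    for addr in addrs:
        if any(addr in net for net in BLOCKED_NETS):
            return False, f"{p.hostname} resolves to blocked address {addr}"
    return True, "ok"
```

Because the HTTP client re-resolves the name when it connects, pass the vetted IP to the client (or pin it) and re-run the check on every redirect; otherwise a DNS rebind defeats this filter.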
Medusa ransomware is having a grand ol' time with critical infrastructure, racking up over 300 victims since mid-2021. The group's running a tight ship. While they've moved to an affiliate model, the core team still handles all the ransom negotiations themselves. They're offering their affiliates anywhere from $100 to a cool million for exclusive partnerships, which seems to be working out pretty well for them.
They aren't reinventing the wheel for initial access, just good old phishing and exploiting unpatched vulns like the recent SlashAndGrab ScreenConnect flaw. They've apparently started experimenting with triple extortion: in at least one case, after a victim paid up, another "Medusa actor" contacted them claiming the negotiator stole the ransom and demanded half the payment again for the "true decryptor." The usual pre-encryption playbook applies - killing security software, wiping backups, and offering to extend payment deadlines for just $10K per day. (read more)
Another day, another ransomware crew weaponizing Fortinet vulns. Forescout reported on "Mora_001," a new threat actor they've linked to the LockBit ecosystem. Between January and March, they chained two Fortinet vulnerabilities to compromise firewalls and deploy a ransomware variant they're calling "SuperBlack" (essentially modified LockBit). The wild part is how quickly they moved after the POC dropped: within 96 hours they were hitting unpatched devices.
The playbook is pretty standard but effective: exploit the vulns, create admin accounts with names like "forticloud-tech" or the sneaky misspelled "adnimistrator," download firewall configs, and set up automated tasks to maintain persistence. They even added backdoor VPN users by creating accounts similar to legit ones but with an added digit. (read more)
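A quick way to turn that playbook into a check, written here as an added example rather than anything from Forescout's report: diff the firewall's admin and VPN user lists against a known-good baseline and flag lookalikes (transposed letters, a trailing digit, or a vendor-support theme). The account names, the baseline sets and the `VENDOR_THEMED` keyword list are constructed for the demonstration.

```python
import re

# Constructed baseline (expected) and current (observed) account sets for
# demonstration; they are not taken from any real firewall.
BASELINE_ADMINS = {"admin", "administrator", "netops"}
BASELINE_VPN_USERS = {"jsmith", "mlee", "contractor"}
CURRENT_ADMINS = {"admin", "administrator", "netops", "adnimistrator", "forticloud-tech"}
CURRENT_VPN_USERS = {"jsmith", "mlee", "contractor", "jsmith1", "mlee2", "sales-nyc"}

# Heuristic list of vendor/support themes borrowed for credibility (assumed).
VENDOR_THEMED = ("forti", "fortinet", "support", "helpdesk")

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, or swap
    adjacent characters each cost 1. 'adnimistrator' vs 'administrator' is 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_new_account(name, baseline):
    """Explain why an account absent from the baseline deserves a look."""
    lowered = name.lower()
    if any(k in lowered for k in VENDOR_THEMED):
        return "vendor/support-themed name"
    for known in sorted(baseline):
        if re.fullmatch(re.escape(known) + r"\d{1,3}", lowered):
            return f"{known!r} plus trailing digits"
        # Longer names tolerate two edits (a swapped letter pair or two typos).
        max_dist = 2 if len(known) >= 8 else 1
        if 0 < edit_distance(lowered, known.lower()) <= max_dist:
            return f"within {max_dist} edits of {known!r}"
    return "not in baseline (review manually)"

def audit(current, baseline):
    """Map every account not in the baseline to the reason it was flagged."""
    return {n: classify_new_account(n, baseline) for n in sorted(current - baseline)}
```

Run `audit(CURRENT_ADMINS, BASELINE_ADMINS)` against an export taken right after patching, and keep the baseline under change control so a fresh "administrator" variant cannot quietly become the new normal.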

Slick phishing operation targeting hospitality workers by posing as Booking.com. The campaign, which Microsoft has linked to a threat group called Storm-1865, uses a technique dubbed "ClickFix" that exploits our natural tendency to try to fix errors. Victims receive emails about fake bad reviews or account verification, then get tricked into opening a Windows Run window and pasting malicious commands that download credential-stealing malware.
What makes this attack particularly effective is how it bypasses automated security by requiring user interaction. Once installed, the various malware strains (including XWorm, Lumma, and several RATs) go after financial info and login credentials. Booking.com confirmed their systems haven't been breached, but partner accommodations are getting hit. (read more)
Love my bug bounty hunters! Google just dropped their 2024 Vulnerability Reward Program stats, and bug hunters had a pretty good year. They handed out nearly $12 million to over 600 researchers worldwide, with some serious reward boosts across their programs - up to $300K for mobile vulns, $250K for Chrome bugs, and $151K for Google and Cloud issues. The standout programs were Android ($3.3M in payouts), Chrome ($3.4M), and the newly launched Cloud VRP ($500K since October). They even got into the AI bug bounty game, dishing out over $140K for GenAI vulnerabilities.
While Android submissions decreased by 8%, critical and high-severity bugs actually increased by 2%, meaning researchers are finding fewer but more impactful issues as Android security improves. Google also ran some cool live-hacking events called bugSWAT in Vegas and Malaga, which netted participants $370K in rewards. (read more)
Heads up if you're running your own GitLab instance. They just patched nine vulnerabilities, including two critical authentication bypass flaws in the ruby-saml library that could let attackers impersonate other users. These bugs affect all versions before 17.7.7, 17.8.5, and 17.9.2. GitLab.com is already patched, but if you're self-hosting, you'll need to update manually. (read more)
Lookout researchers have uncovered "KoSpy," a nasty piece of spyware they've attributed to APT37 (aka ScarCruft), one of NK's state-sponsored hacking groups. The malware has been in the wild since March 2022, disguising itself as innocent utility apps like "File Manager" and "Kakao Security." Some of these were actually in the Google Play Store until recently.
Once installed, this thing can vacuum up pretty much everything on your device - SMS messages, call logs, location data, files, audio recordings, screenshots, and keystrokes. (read more)
Chinese hackers from the Volt Typhoon campaign managed to silently lurk inside a Massachusetts utility company's systems for nearly a year before being caught. The FBI tipped off Littleton Electric Light & Water Department just before Thanksgiving 2023, but the investigation revealed the hackers had been there since February. While they snagged some data, including operational procedures and grid layout information, no customer data was compromised.
Dragos, who helped clean up the mess, calls them "arguably the most crucial threat group to track in critical infrastructure." They typically get in through vulnerable VPNs and firewalls, then blend in with normal traffic using legitimate tools already on the network. (read more)
I don't even really want to talk about this one, but I know I have to include it. DDoS happened, X blipped up and down, Elon said the attack included IP addresses from Ukraine as if that was some sort of attribution. Hacktivists Dark Storm took credit. The end. (read more)
Seems the massive LastPass breaches from 2022 were behind a series of high-profile crypto heists. In a court filing this week, the Secret Service and FBI linked a spectacular $150 million cryptocurrency theft (likely from Ripple co-founder Chris Larsen) to attackers who cracked master passwords stolen from LastPass. They've managed to recover about $24 million of the stolen funds so far.
The pattern matches what researchers Nick Bax and Taylor Monahan had identified last year - victims had stored their crypto seed phrases in LastPass's "Secure Notes" feature, and many had relatively weak master passwords on older accounts with fewer encryption iterations. Despite this evidence and continuing thefts, LastPass is still saying there's "no conclusive evidence" connecting these heists to their breach. (read more)
Turns out Microsoft's Time Travel Debugging (TTD) has been quietly lying to you about how your code actually runs. Mandiant researchers discovered several bugs where TTD's CPU emulation produces different results than real hardware - a pretty big deal when you're trying to debug or analyze malware. The most notable issue was with 16-bit register operations like "pop si" that incorrectly zeroed out the upper bits of registers, causing programs to crash in TTD but run fine on real hardware. They also found AMD and Intel CPUs handle some instructions differently, and TTD was only following one implementation.
These might sound like minor technical glitches, but they have serious security implications - imagine malware purposely using these instructions to behave differently under analysis, or incident responders missing critical code paths because their debugging tools are lying to them. Mandiant responsibly disclosed all the bugs and Microsoft has patched them in TTD version 1.11.410. (read more)
Miscellaneous mattjay
I posted on Twitter like I usually do the last few days and the only 2 replies I got to my normally large engagement: 1 chatgpt bot. 2 troll basically telling me I suck. The platform is dead dead, and I'm really in mourning about it as it was my main home on the internet since 2008.
— Matt Johansen (@mattjay.com) 2025-03-12T18:44:18.648Z
Please imagine life outside the cybersecurity pipeline. I beg of you. Living is its own job experience. You can't follow my path, but I did Helpdesk for 10 years. I thought it was a shame. And now I'm proud of it and advertise. I didn't have the perspective to know what it gave me. You don't either.
— SwiftOnSecurity (@swiftonsecurity.com) 2025-03-10T22:34:40.841Z
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay