🎓️ Vulnerable U | #108

More CISA DOGE drama, the US softening on Russian cyber defenses, 60M malware app downloads from the Google Play Store, a massive GitHub supply chain hack, and much more!

Read Time: 9 minutes


Howdy friends!

I got whacked with a 102-degree fever this week, which apparently is near a death sentence at my age, because I was useless. Couple that with sweating and tossing and turning through the night and it just bombed my week. I’m on the up and up now, and actually out enjoying some beautiful weather down by a river as I write this.

I wish I knew more about bird watching, because there are some really active nests right above me as mama bird circles over me making sure I’m cool. A pretty big hawk, from my amateur analysis. Days like these are so important to me; even though I’m out here with a laptop, I’m still getting a chance to be mindful and take in the surroundings outside the city life for a bit.

Wish I could teleport you all here for a few, 70 degrees and no man-made noise within earshot. Make sure to enjoy the spring wherever you’re at.

ICYMI

🖊️ Something I wrote: High Pay, Low Respect: 60% of Cybersecurity Pros Want to Change Jobs

🎧️ Something I heard: AI & The Future of Education - got my wheels turning on what kind of world the next generation is entering

🎤 Something I said: Did you read about the HR SaaS drama? Rippling supposedly caught a spy from their competitor Deel? And they did it with a slick honeypot.

🔖 Something I read: I finished Elantris this week. Nice easy read compared to the Stormlight Archive which was all consuming for a bit there. ★★★★☆ 4/5 for me.

Vulnerable News

The US has hit the pause button on countering Russian sabotage and disinfo operations since Trump took office. Reuters reports that several national security agencies have stopped coordinating the efforts that were tracking Moscow's shadow war against Western nations. The Biden admin had set up cross-agency working groups with European allies to monitor everything from arson attacks to cable-cutting incidents, but those regular meetings have gone unscheduled since January. The FBI's election interference work has been shelved, and the DOJ teams seizing Russian oligarch assets have been disbanded.

This shift comes as Trump warms relations with Putin, including their recent chat where they agreed to a 30-day halt on targeting each other's energy infrastructure. Former officials are worried this is basically "blinding ourselves to potential acts of war." One particularly concerning intelligence nugget: last year, US agencies picked up that Russia might try to detonate an incendiary device on a plane over US airspace, which prompted increased cargo screenings. While Russian sabotage activities in Europe did decrease late last year, intelligence officials expect Moscow to keep up its hybrid warfare campaign as long as the West supports Ukraine. (read more)

The new IDC Voice of Security 2025 results are in!

Register for this upcoming webinar on March 26 with Tines and AWS for the most important findings from the 900+ security leaders surveyed, including:

72% of leaders report increased workloads, yet 58% consider their teams to be "properly staffed"
Flawed performance metrics that prioritize speed and volume over efficiency, like number of incidents handled or number of alerts, may be holding teams back
The most common AI use cases for teams are summarization (36%) and threat intelligence analysis (35%)

*Sponsored

Matt’s note: You already know I LOVE reports like this one above. I’m always excited when folks run a survey like this, it is no small feat and gives us incredibly valuable insights. Side benefit of it being run by Tines, one of my all time favorite companies in our space. I’ll be for sure checking that out. Thank you Tines for being a long long time supporter of Vulnerable U.

The CISA red team drama continues with a bizarre new chapter. After firing 100+ penetration testers and support staff due to DOGE unit contract cuts, CISA was forced to rehire them... only to immediately bench them on paid administrative leave. This stems from a federal judge ruling that found the DOGE unit's mass termination of probationary government workers unlawful, affecting around 25,000 federal employees.

About 130 CISA staffers got their jobs back but are now in a weird limbo - getting paid but not allowed to work while legal proceedings continue. They announced this on their website since they apparently couldn't reach everyone they'd fired. CISA already struggles to compete with private-sector salaries, and this won't help. The Maryland lawsuit that triggered this is separate from the California case we saw last week, suggesting this saga isn't over yet. (read more)

An SSRF vulnerability, CVE-2024-27564, in a third-party open-source ChatGPT web front-end (not OpenAI's own service) is getting attention from attackers, with a big jump in activity this week. The bug is in pictureproxy.php: an unauthenticated attacker hands it a crafted URL, the server fetches that URL on the attacker's behalf, and the attacker gets to make arbitrary requests from the server's network position. While it's been known since September 2023, Veriti just caught someone weaponizing it against US government orgs and financial institutions globally.

About a third of the targeted organizations are actually exposed, because the IPS or firewall rules that should block the traffic are misconfigured. Veriti's basically saying "hey, just because it's rated medium severity doesn't mean you can ignore it," and they're right. The fix is straightforward: patch the vulnerability, check your IPS and firewall configs, and keep an eye on your logs for the known attacker IPs. (read more)
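
To make the SSRF point above concrete, here is an added example in Python (mine, not code from the affected project or from Veriti). vulnerable_picture_proxy shows the shape of the bug: the server fetches whatever URL the client supplies. validate_outbound_url is one hardened form: allowlist the scheme and host, resolve the host yourself, and refuse anything that lands on a loopback, private, link-local (cloud metadata) or otherwise non-public address. The allowlisted hosts and the DNS answers are constructed so the example runs offline; cdn.example.com is deliberately set up to resolve to an internal address to show why checking the hostname alone is not enough.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist for the example: the only origins the picture proxy should ever fetch from.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

# Constructed DNS answers so the example runs offline. cdn.example.com is deliberately
# pointed at an RFC 1918 address to simulate a rebinding or poisoned record.
EXAMPLE_DNS = {"images.example.com": "93.184.216.34", "cdn.example.com": "10.0.0.5"}


def example_resolve(host):
    """Stand-in for socket.gethostbyname (the real resolver) using the constructed table."""
    return EXAMPLE_DNS[host]


def vulnerable_picture_proxy(url):
    """Shape of the bug: the client-supplied URL is fetched as-is, from the server's
    network position. Returned instead of fetched so the example stays offline."""
    return url


def is_public_address(ip):
    """True only for globally routable unicast addresses. Loopback, RFC 1918, link-local
    (which includes the 169.254.169.254 cloud metadata endpoint), multicast, reserved
    and unspecified addresses are all rejected."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url, resolve=socket.gethostbyname):
    """Hardened form: return (scheme, host, ip) for a URL the proxy may fetch, or raise ValueError."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        # "http://images.example.com@127.0.0.1/" puts the allowlisted name in the userinfo part.
        raise ValueError("credentials in URL not allowed")
    host = parsed.hostname
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host!r}")
    ip = resolve(host)  # resolve once, and connect to this exact address afterwards
    if not is_public_address(ip):
        raise ValueError(f"{host} resolves to non-public address {ip}")
    return parsed.scheme, host, ip


def proxy_decision(url, resolve=example_resolve):
    """'allow' or 'deny: <reason>' for a requested picture URL; convenient for logging and tests."""
    try:
        validate_outbound_url(url, resolve)
        return "allow"
    except (ValueError, OSError) as exc:  # OSError covers real DNS failures (socket.gaierror)
        return f"deny: {exc}"


if __name__ == "__main__":
    for candidate in ("https://images.example.com/cat.png", "http://127.0.0.1/admin",
                      "http://169.254.169.254/latest/meta-data/", "file:///etc/passwd",
                      "http://images.example.com@127.0.0.1/", "https://cdn.example.com/x.png"):
        print(f"{candidate:45} -> {proxy_decision(candidate)}")
```

In a real deployment, connect to the address you validated rather than letting the HTTP client resolve the name a second time (otherwise a short-TTL record can pass the check and then change), and disable redirect following, since a redirect is just another attacker-chosen URL.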

A major supply chain attack hit the popular GitHub Action tj-actions/changed-files (used by 23k+ repos) and several actions in the reviewdog organization. Between March 14 and 15, attackers used a compromised personal access token belonging to @tj-actions-bot to inject code that dumped CI/CD secrets from runner memory straight into workflow logs, which on public repos are readable by anyone. They then moved the existing version tags to point at the malicious commit, so workflows that hadn't changed at all pulled the compromised code on their next run.

The compromise appears to have started with reviewdog/action-setup, which then cascaded to tj-actions/eslint-changed-files and ultimately tj-actions/changed-files. Jeez, this just tells me how deeply interconnected GitHub Actions dependencies are; the 23k directly affected repos are just the tip of the iceberg, since many of those are actions themselves. If you used any of these actions during the attack window, rotate your secrets ASAP and check your logs for base64-encoded data dumps. For the future, pin your action versions to full commit SHAs instead of tags (a tag can be moved to a different commit; a SHA can't), and consider branch/tag protection rules so a single stolen token can't rewrite release tags. (read more)
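
Two checks worth having in your toolbox after a story like this, as an added example in Python (mine, not code from the tj-actions or reviewdog projects): find_unpinned_actions walks a workflow file and reports every uses: reference that is not pinned to a full 40-character commit SHA, which is exactly the kind of reference a moved tag can hijack; scan_log_for_dumps looks through CI log lines for long base64 runs, decodes them (peeling nested layers in case the data was encoded more than once), and flags output that looks like secrets. The sample workflow, the log lines, the placeholder SHA and the fake tokens are all constructed for the example, and the list of secret-looking substrings is a heuristic of mine, not anything taken from the incident writeup.

```python
import base64
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
# Whole base64 tokens only: groups of four, at least 40 chars, optional padded tail.
B64_RE = re.compile(r"(?:[A-Za-z0-9+/]{4}){10,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
# Heuristic substrings (assumption of this example) that mark a decoded blob as secret-looking.
SECRET_HINTS = ("TOKEN", "SECRET", "PASSWORD", "PRIVATE KEY", "AKIA", "ghp_", "-----BEGIN")


def find_unpinned_actions(workflow_text):
    """(line_no, spec) for every remote action whose ref is not a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local actions and container images have no git ref to pin
        _, _, ref = spec.partition("@")
        if not SHA_RE.match(ref):
            findings.append((n, spec))
    return findings


def decode_layers(blob, max_layers=3):
    """Decode a base64 token, peeling further layers while the output is itself base64."""
    data = blob.encode("ascii")
    for _ in range(max_layers):
        text = data.decode("ascii", "replace").strip()
        if not B64_RE.fullmatch(text):
            break
        data = base64.b64decode(text, validate=True)
    return data


def scan_log_for_dumps(log_lines):
    """(line_no, decoded_text) for base64 runs in CI logs whose contents look like secrets."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in B64_RE.finditer(line):
            decoded = decode_layers(m.group(0)).decode("utf-8", "replace")
            if any(hint in decoded for hint in SECRET_HINTS):
                hits.append((n, decoded))
    return hits


# Constructed sample workflow. The 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - name: lint
        uses: reviewdog/action-setup@master
"""

# Constructed log: one line carries fake tokens double base64-encoded, the way a
# memory-dump payload would hide them from a casual scroll through the job output.
_FAKE_SECRETS = "GITHUB_TOKEN=ghp_exampleonly0000000000000000000000\nNPM_TOKEN=npm_exampleonly0000"
SAMPLE_LOG = [
    "2025-03-15T10:00:01Z Run tj-actions/changed-files@v45",
    "2025-03-15T10:00:02Z " + base64.b64encode(base64.b64encode(_FAKE_SECRETS.encode())).decode(),
    "2025-03-15T10:00:03Z Done.",
]

if __name__ == "__main__":
    for n, spec in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow line {n}: not SHA-pinned: {spec}")
    for n, text in scan_log_for_dumps(SAMPLE_LOG):
        print(f"log line {n}: decoded secret-looking dump:\n{text}")
```

Pinning to a SHA only protects you against a moved tag; it does nothing if the commit you pinned was itself pushed during the compromise, so the pinning check and the log scan go together.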

A Windows shortcut (.lnk) vulnerability that Microsoft won't patch has become a favorite of state-sponsored hackers. ZDI researchers found 11 different APT groups from North Korea, China, Russia, and Iran exploiting the bug since 2017, with North Korean groups like Kimsuky and APT37 particularly fond of it. The technique lets attackers pass off a malicious shortcut as an innocent file: think a .lnk that looks like a PDF, complete with the right icon, whose real command line doesn't show up when the victim inspects the shortcut's properties.

Microsoft's brushing it off as "low severity," saying Windows Defender can catch these attacks. But with 300+ US victims across government, crypto firms, and defense orgs, that seems optimistic. NK's groups are showing a ton of coordination in their attacks, sharing techniques and tools. And they're getting creative: APT37 pads its .lnk files with huge runs of whitespace and junk, which keeps the real command out of sight and makes the files harder to detect. (read more)
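
To show what that padding looks like on disk, here is an added example in Python (mine, not ZDI's tooling or anything from the campaign): a minimal parser for the StringData section of a Windows Shell Link (.lnk) file following the MS-SHLLINK layout, plus a check that measures how much leading whitespace sits in front of the real command-line arguments. The two shortcut files are constructed inside the block (they are not real samples, and the padded one launches a placeholder name); the padding threshold and the choice to key on leading whitespace are this example's detection heuristic, not a published rule.

```python
import struct

# MS-SHLLINK fixed header: size 0x4C, then the ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
PAD_CHARS = " \t\r\n\x0b\x0c"  # whitespace a padded argument string hides behind


def parse_lnk_strings(data):
    """Return the StringData fields of a .lnk as a dict (ExtraData blocks are ignored)."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, encoding = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for flag, name in STRING_FIELDS:              # fixed order per the spec
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(encoding)
            pos += count * width
    return fields


def lnk_padding_report(data, threshold=64):
    """Measure leading whitespace in the arguments field; the threshold is this example's heuristic."""
    fields = parse_lnk_strings(data)
    args = fields.get("arguments", "")
    visible_command = args.lstrip(PAD_CHARS)
    padding = len(args) - len(visible_command)
    return {
        "icon": fields.get("icon_location", ""),
        "padding_chars": padding,
        "hidden_command": visible_command,
        "suspicious": padding >= threshold,
    }


def _string_data(text, unicode):
    raw = text.encode("utf-16-le" if unicode else "cp1252")
    return struct.pack("<H", len(text)) + raw


def build_lnk(arguments, icon_location=None, unicode=True):
    """Construct a minimal .lnk (header + StringData only) for the example; not a real sample."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, timestamps, etc. zeroed
    body = _string_data(arguments, unicode)
    if icon_location is not None:
        body += _string_data(icon_location, unicode)
    return header + body


PDF_ICON = "%SystemRoot%\\system32\\imageres.dll"
# Constructed shortcuts: a plain one, and one whose arguments start with 900 spaces so the
# Target box in the Properties dialog runs out of room before the real command appears.
BENIGN_LNK = build_lnk('/c start "" "report.pdf"', icon_location=PDF_ICON)
PADDED_LNK = build_lnk(" " * 900 + '/c start "" "decoy.pdf" & placeholder_payload.exe',
                       icon_location=PDF_ICON)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, lnk_padding_report(blob))
```

Real shortcuts almost always carry a LinkTargetIDList and LinkInfo block before the strings, which the parser skips by size, so the same function works on files pulled from a mailbox or a phishing kit; the threshold is the only knob you would tune against your own benign corpus.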

Multiple US municipalities are getting hammered right now with ransomware attacks causing major service disruptions. Cleveland Municipal Court has been offline for three weeks (claimed by the Qilin gang), Atchison County, KS just shut down, and several New England localities are struggling with outages. The Strafford County attack is particularly rough: they can't access medical data for nursing homes, and their prosecutor called it "debilitating" during an attempted-murder trial.

The timing is interesting, as Comparitech just dropped research showing ransomware attacks on US government orgs have doubled in recent years, with 525 attacks causing $1.09B in downtime between 2018 and 2024. They've already logged 9 confirmed attacks so far in 2025, with another 17 claimed but unconfirmed. Qilin's involvement is notable since they've been hitting UK healthcare targets too; it seems they're expanding their government focus. (read more)

Another day, another malware campaign slipping through Google Play's defenses. The "Vapor" operation managed to sneak 331 malicious apps onto the store, racking up 60M downloads before detection. These weren't your average junk apps: they submitted a clean app and only delivered the malicious payload after install, which is how they got past Google's initial screening. Once installed, they'd pull down malicious updates from C2 servers, hide themselves from the app drawer, and overlay full-screen ads that users couldn't dismiss. Some even tried phishing Facebook/YouTube credentials and credit card info.

The apps masqueraded as utilities like fitness trackers and QR scanners, with the top offenders each hitting 1M+ downloads. What's particularly interesting is how they got around Android 13's control that normally stops apps from dynamically disabling their own launcher activity, which is the usual trick for hiding an icon. If you want to check whether you've been hit, there's a full list of the 331 apps in the article. The campaign mainly targeted users in Brazil, the US, Mexico, Turkey and South Korea, generating about 200M fraudulent ad requests daily before getting shut down. (read more)

A stalkerware company called SpyX was breached last June, exposing nearly 2 million people's information. It's just the latest example of these crap surveillance apps not protecting data they should never have had to begin with. Around 17,000 Apple accounts had their usernames and passwords exposed in plaintext. The operators never bothered to notify anyone about the breach (shocking, I know).

Troy Hunt from Have I Been Pwned got his hands on the data and marked it as "sensitive" in his database, meaning it isn't publicly searchable; only the owner of an affected email address can check, through HIBP's verified notification. This makes SpyX the 25th mobile surveillance operation since 2017 to leak victim data, showing just how shit this whole industry is. Google's already pulled a related Chrome extension, and Apple was notified about the compromised accounts. If you're worried about stalkerware, the article includes some solid removal advice - especially enabling two-factor auth on your accounts. (read more)

First off, who knew GoDaddy had this kind of security research team? Kudos on this writeup.

This is quite the operation. GoDaddy Security just dropped details on "DollyWay World Domination," a malware campaign that's been quietly owning WordPress sites since 2016: 20,000+ compromised sites over eight years, with 10,000 currently active and generating millions of redirects a month.

The attackers use a four-stage injection chain that's nearly impossible to detect with static analysis, cryptographically signed payloads, and a distributed network of compromised sites acting as command-and-control nodes. They even update WordPress and fix broken sites to keep their foothold! Their reinfection mechanism disables security plugins and constantly re-obfuscates its code, which makes cleanup brutal: miss a single infected file and the next visitor to the site triggers a full reinfection. Their current goal is simple but profitable: redirecting visitors to scam pages through the VexTrio/LosPollos affiliate networks. (read more)

China's Ministry of State Security just published the names, photos, ID numbers and job titles of four alleged cyber operators from Taiwan's Information, Communications and Electronic Force Command. This is their second round of outing Taiwanese hackers, but this time they added an explicit threat of "lifelong prosecution" for these "separatists." Once these folks are publicly ID'd, they face real risk if they travel to places like Hong Kong or countries with strong Chinese ties.

Three Chinese security firms dropped supporting reports within a day of the MSS post. Security analysts see this as China's direct response to the US "name and shame" strategy that's been used against Chinese hackers for years. Unlike the detailed US indictments that tell a convincing technical story, the Chinese posts are heavy on propaganda and light on technical detail. (read more)

Miscellaneous mattjay

No idea if it's real but it sure is funny. Are we cooked?


How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay