🎓️ Vulnerable U | #111
FBI became a dark web banker, Trump goes after Krebs & all his coworkers, hackers remotely take over a Nissan Leaf, and much more!
Read Time: 7 minutes

Howdy friends!
Threw a tattoo party at my house this week. Buncha millennials and GenXers in a living room getting tattooed on a school night. Immaculate use of free will.
My RSA calendar is just about maxed. If you’re going, what are you excited about? What are you dreading?
ICYMI
🖊️ Something I wrote: imposter syndrome gets quieter when you start mentoring someone
🎧️ Something I heard: I’ve been really enjoying Low Level’s YouTube channel - this guy writes SAFE code using C?
🎤 Something I said: The FBI Became a Dark Web Banker?!
🔖 Something I read: I. Can’t. Stop. Listening. Dungeon Crawler Carl is just an epic series. You nerds will love it. I’ve melted through the first 4 books in the last few weeks.
Vulnerable News
Trump signed an executive order targeting former CISA Director Chris Krebs, the guy who got fired back in 2020 after calling that election "the most secure in American history." The order directs DOJ to investigate Krebs and revokes his security clearance, plus suspends clearances for his colleagues at SentinelOne where he now works as chief intelligence officer.
The politics here are pretty obvious - Trump called Krebs a "wise guy" while signing the order and claimed the 2020 election was "badly rigged." Democrats like Rep. Bennie Thompson are framing this as Trump "settling old political scores" rather than focusing on economic issues. Meanwhile, CISA continues to be in the crosshairs with DHS Secretary Noem (who was present at the signing) expected to implement more staffing cuts at the agency soon.

The actual announcement from the White House says this is a warning for those not showing loyalty. I’m reading that as: if anyone at your place of work is deemed disloyal to this administration, they can and will revoke the entire company’s ability to work on government contracts. (read more)
Protecting your Google Workspace or Microsoft 365 with a patchwork of native security and point solutions leaves gaps – the biggest being visibility after an attacker has made it inside.
With deep integration and powerful automations, Material Security prevents and detects a wider range of threats, responds to active attacks faster, and secures data and accounts even after a breach. All within a platform that fits seamlessly into existing workflows–making your security team’s jobs easier, and protecting your users without slowing them down.
See Material in action today!
*Sponsored
Well, this is fun. Researchers at PCAutomotive just showed how they could remotely hijack a 2020 Nissan Leaf via its infotainment system's Bluetooth. After getting initial access, they escalated privileges and set up a persistent command and control channel over cellular. They could literally take control of the steering wheel while the car was moving, not to mention doors, lights, wipers, and other physical functions.
The disclosure process took nearly two years (it started in August 2023), with Nissan confirming the findings in January. The bugs finally got eight CVE numbers assigned recently. Nissan has promised to "develop and roll out technologies" to fight the attacks. Here are their slides from BlackHat Asia (read more)
Operation Endgame keeps rolling along as cops turn their attention from malware operators to their customers. Europol announced they've detained at least five Smokeloader botnet customers, following last year's big server seizure that took down over 100 systems used by major malware operations. Seems they're actually putting all that seized data to good use - they found a customer database that's letting them match online aliases to real people.
The Smokeloader service, run by someone called 'Superstar,' was basically offering pay-per-install botnet access that let customers do everything from ransomware deployment to webcam snooping. Some folks who got caught are apparently cooperating and letting authorities dig through their devices. Europol's set up a dedicated website for tips that's "conveniently translated into Russian." Subtle, guys. Real subtle. (read more)
Fortinet just patched a critical vulnerability that's pretty much as bad as they come - CVE-2024-48887 scores a 9.8 CVSS. The bug lets anyone remotely change admin passwords on FortiSwitch devices without authentication. Just point, click, own. It impacts a wide range of versions (6.4 through 7.6), so there's a good chance you've got affected gear if you're running Fortinet switches.
The good news is it was found internally by Fortinet's own developers, and there's no evidence of active exploitation (yet). If you can't patch immediately, they've offered two workarounds: disable HTTP/HTTPS access to the admin interface or restrict access to trusted hosts only. But honestly, this is straight-up "drop everything and patch" territory - updated versions are 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1. (read more)
Security researcher John Tuckner just uncovered a massive browser extension spying operation affecting over 4 million users. While evaluating extensions for a client, he noticed some "unlisted" extensions in Chrome (meaning they don't show up in search results) and started digging. The smoking gun was a misspelled domain "unknow.com" that appeared in 35 different extensions with suspiciously similar code patterns.
These extensions claim to offer protection from malicious software or ad blocking but actually contain heavily obfuscated code that collects browsing data, cookies, and other sensitive info. They request excessive permissions and can be remotely configured to change their behavior. Some even had the "Featured" badge in the Chrome Web Store despite being unlisted (!?). The operation has apparently been running since at least 2019, with many extensions not updated in over a year. Tuckner submitted all the extensions to Google and identified numerous suspicious domains and hashes for others to check. (read more)
Security investigation is a craft learned through practice. COACH acts as your AI-powered mentor right in your browser, guiding you through unfamiliar alerts and helping you think critically about each investigation step.
This free Chrome extension supplements your human mentors, providing guidance when you need it most.
Learn more and download COACH today.
*Sponsored
Well, this is eye-opening. Court documents from WhatsApp's lawsuit against NSO Group just revealed exactly where their Pegasus spyware victims were located during that 2019 hacking campaign. 1,223 targets across 51 countries - all hit in just a two-month window. Mexico leads the pack with a whopping 456 victims, followed by India (100), Bahrain (82), and Morocco (69). Even Western democracies weren't spared, with victims in Spain, the Netherlands, UK, and one in the US.
This gives us a rare peek at which government customers might be NSO's power users. Mexico reportedly dropped $60+ million on Pegasus, which tracks with their high victim count. WhatsApp already won a ruling that NSO violated US hacking laws, and now they're moving to the damages phase. Other juicy details from the case: NSO's WhatsApp hacking tool license cost up to $6.8 million annually, and they disconnected 10 government customers for abusing the system. Hmmm, I wonder how many other campaigns like this are happening right now. (read more)
Hackers have been lurking in the email accounts of over 100 officials at the Office of the Comptroller of the Currency (OCC) since June 2023, only getting discovered earlier this year. They had access to more than 150,000 emails containing "highly sensitive" banking information from the agency that oversees trillions in assets across national banks and federal savings associations. The attackers broke in through an administrator account, and the breach was only discovered when Microsoft's security team flagged unusual network behavior.
The OCC has now notified Congress, calling this a "major information security incident" likely to harm public confidence. Senior officials were among those compromised, including deputy comptrollers and international banking supervisors. CISA has been looped in, but the OCC claims there's no indication of impact on the financial sector "at this time" - which is government speak for "stay tuned for updates." (read more)
This looks pretty slick. Google’s new security-focused model builds on Gemini's foundation but adds near real-time cyber threat intel and specialized tooling. According to their benchmarks, it's smoking the competition - outperforming other models by 11% on threat intelligence tests and 10.5% on root cause mapping. The secret sauce seems to be deep integration with Google Threat Intelligence, OSV, and other data sources.
Google's making this available for free to select organizations and researchers rather than just keeping it in-house. Their example shows how it can identify threat actors like Salt Typhoon and provide detailed vulnerability context that combines data from multiple sources. If you're in the cybersecurity space, they've got a form to request early access. It's a smart move by Google - they get to position themselves as security leaders while crowdsourcing improvements from the wider security community. (read more)
A pretty slick BEC attack just got caught by Sublime's detection systems - this one was targeting a $500K payment diversion. The attacker went all-in on realism by impersonating a vendor named Ascent Inc., complete with a convincing-looking email thread about an invoice payment and updated ACH details. The devil was in the details though - they used the domain "ascentshvac[.]com" instead of the legitimate "ascenthvac[.]com" (spot the extra 's'? I didn’t).
The fraudster likely compromised or phished the real vendor first to steal an authentic thread, then weaponized it by creating a fake conversation requesting banking changes. Sublime caught it based on several red flags - the lookalike domain was newly registered, the message contained what appeared to be a previous thread despite the domain never contacting the company before, and classic BEC indicators around changing payment info. (read more)
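Here is an added example (my own code, not Sublime's detection logic) that scores a message on the three signals described above: a registrable domain within a couple of edits of a known vendor domain, a newly registered domain that quotes a prior thread without ever having mailed us, and payment-change language. The vendor list and the sample message are constructed.

```python
import re

# Constructed vendor allowlist; in practice this comes from AP's vendor master.
KNOWN_VENDOR_DOMAINS = {"ascenthvac.com", "example-supplier.com"}
BEC_PHRASES = ("updated ach", "new bank", "updated banking", "wire instructions")
QUOTED_THREAD = re.compile(r"^>|-----Original Message-----|wrote:", re.M)

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    """Crude eTLD+1: last two labels, lowercased (good enough for .com vendors)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def lookalike_vendor(sender_domain, vendors=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Vendor domain this sender imitates, or None (an exact match is the real vendor)."""
    d = registrable(sender_domain)
    if d in vendors:
        return None
    best = min(vendors, key=lambda v: levenshtein(d, v))
    return best if levenshtein(d, best) <= max_distance else None

def bec_score(msg, vendors=KNOWN_VENDOR_DOMAINS, seen_domains=frozenset()):
    """Return (score, reasons). msg: dict with 'from', 'body', 'domain_age_days'."""
    reasons = []
    domain = registrable(msg["from"].split("@")[-1])
    target = lookalike_vendor(domain, vendors)
    if target:
        reasons.append(f"sender {domain} is a lookalike of vendor {target}")
    if msg.get("domain_age_days", 10**6) < 30:
        reasons.append("sender domain registered less than 30 days ago")
    if domain not in seen_domains and QUOTED_THREAD.search(msg["body"]):
        reasons.append("quotes a prior thread but domain has never contacted us")
    hits = [p for p in BEC_PHRASES if p in msg["body"].lower()]
    if hits:
        reasons.append("payment-change language: " + ", ".join(hits))
    return len(reasons), reasons

SAMPLE = {  # constructed message, modelled on the lookalike-domain pattern above
    "from": "ap@ascentshvac.com",
    "domain_age_days": 6,
    "body": "Per the thread below, please use our updated ACH details for invoice 4471.\n\n"
            "> On Mon, Ascent Inc. wrote:\n> Invoice 4471 attached.",
}
```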
Another bad day for Ivanti customers. There's a nasty vulnerability (CVE-2025-22457) under active exploitation by what Mandiant believes is a Chinese threat actor. What was initially thought to be just a DoS bug fixed back in February turns out to be a full remote code execution vulnerability. The attackers are targeting Ivanti Connect Secure appliances and dropping fresh malware they're calling TRAILBLAZE and BRUSHFIRE.
The technical details are pretty interesting - this affects Pulse Connect Secure 9.1x, Ivanti Connect Secure (22.7R2.5 and earlier), Policy Secure, and ZTA Gateways. Mandiant attributes this to a group they track as UNC5221, which has a history of zero-day exploitation including previous Citrix NetScaler vulnerabilities. If you're running affected versions, don't sleep on this one - patch immediately. These edge appliance vulnerabilities are juicy targets for nation-state actors since they sit right at the perimeter of networks. (read more)
Heads up if you're running CrushFTP - attackers are actively targeting a nasty authentication bypass vulnerability (CVE-2025-31161) that was disclosed a couple weeks ago. The bug affects CrushFTP 10 (before 10.8.4) and 11 (before 11.3.1) and basically hands over admin access to unauthenticated attackers through a race condition in the AWS4-HMAC authorization method. Shadowserver has spotted about 1,500 vulnerable instances exposed online.
This one's serious enough to make CISA's Known Exploited Vulnerability catalog, and exploit code is already public. If you get popped, attackers can create backdoor accounts, access files, and basically take full control of your server. Patches dropped on March 21, so if you haven't updated yet, consider this your nudge. No specific threat groups identified yet, but with active exploitation happening since late March, it's likely just a matter of time before the big players jump in. (read more)
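Both the FortiSwitch and CrushFTP items above boil down to "is my installed version below the fixed release for that branch?", so here is an added triage script (my own code, not from either vendor) that answers that for an inventory list. The fixed versions are the ones quoted in the two write-ups; the inventory lines are constructed.

```python
# Fixed release per affected branch, from the two advisories discussed above.
FIXED = {
    "fortiswitch": {  # CVE-2024-48887: branches 6.4 through 7.6 are affected
        (6, 4): (6, 4, 15), (7, 0): (7, 0, 11), (7, 2): (7, 2, 9),
        (7, 4): (7, 4, 5), (7, 6): (7, 6, 1),
    },
    "crushftp": {  # CVE-2025-31161: 10.x before 10.8.4, 11.x before 11.3.1
        (10,): (10, 8, 4), (11,): (11, 3, 1),
    },
}

def parse_version(s: str) -> tuple:
    """'7.4.3' -> (7, 4, 3); drops a trailing build tag such as '10.8.4_b1234'."""
    core = s.strip().split("_")[0].split("-")[0]
    return tuple(int(p) for p in core.split("."))

def branch_key(product: str, v: tuple) -> tuple:
    # FortiSwitch tracks fixes per major.minor branch; CrushFTP per major version.
    return v[:2] if product == "fortiswitch" else v[:1]

def status(product: str, version: str):
    """Return ('vulnerable', fix), ('fixed', None) or ('unlisted', None)."""
    v = parse_version(version)
    fixes = FIXED[product.lower()]
    key = branch_key(product.lower(), v)
    if key not in fixes:
        return "unlisted", None  # branch not named in the advisory; verify manually
    fix = fixes[key]
    if v < fix:  # tuple comparison is numeric, so 7.4.10 > 7.4.5 as intended
        return "vulnerable", ".".join(map(str, fix))
    return "fixed", None

def triage(inventory):
    """inventory: 'host,product,version' lines -> [(host, product, version, fix)]"""
    hits = []
    for line in inventory:
        host, product, version = [x.strip() for x in line.split(",")]
        state, fix = status(product, version)
        if state == "vulnerable":
            hits.append((host, product, version, fix))
    return hits

INVENTORY = [  # constructed sample inventory
    "sw-core-1,FortiSwitch,7.4.3", "sw-lab-2,FortiSwitch,7.6.1",
    "sw-old-3,FortiSwitch,6.0.7", "ftp-1,CrushFTP,11.2.3", "ftp-2,CrushFTP,10.8.4",
]

if __name__ == "__main__":
    for host, prod, ver, fix in triage(INVENTORY):
        print(f"{host}: {prod} {ver} -> patch to {fix}")
```

An "unlisted" branch (like the 6.0 switch in the sample) is not the same as safe; it just means the advisory quoted here does not name that branch.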
Miscellaneous mattjay

How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay