🎓️ Vulnerable U | #080

YubiKey cloning attack, Russian military hackers wanted by FBI, Uncovering an Iranian Counterintelligence Op, Russia paying popular US social media influencers, Founder mode, and more!

Read Time: 9 minutes

Howdy friends!

This week has been a week of meeting people I've long talked to on the Internet. It's always funny to wind up in a Zoom or in real life hanging out with someone you've spoken to for over a decade online.

Social media makes for strange parasocial bonds with folks, to the point you feel like you've known each other a long time. This happened 3 separate times to me this week.

There must be a German word to describe this feeling.

Let's get vulnerable!

ICYMI

🖊️ Something I wrote: This thread about North Korea burning a Chromium 0-day

🎧️ Something I heard: This podcast showcasing all the new AI dev tools lowering the knowledge bar on basic software creation. We're in for a wild ride. Cursor and v0 are very cool and useful.

🎤 Something I said: I ran through how some researchers found SQL injection in a critical TSA website that would've let them edit the Known Crew Member database.

🔖 Something I read: My buddy Daniel's post about our current state of work culture. This quote has lived rent free in my head since I read it: "The ideal number of employees in any company is zero."

📣 Sponsor

Start building automated security workflows - for free 

Break away from traditional SOAR with Tines, the workflow automation platform built by security practitioners, for security practitioners.

Customers at Mars, Elastic, and McKesson use Tines workflows for security operations, threat intelligence, access management, and more.

You can start building in Tines today with the always-free Community Edition. It includes:

- Access for three builders and unlimited viewers
- Three active workflows with 5000 daily events
- API and template library (plus 800+ pre-built workflows)
- Secure and private AI features

Vulnerable News

Don't freak out! That is a scary headline, but for 99% of you reading this, there is nothing to do. It's important to know this is possible, but it is very hard to pull off. If your threat model would have included nation-state spyware in the past, listen up. Looking at you .gov, journalists, activists, etc. Especially if you cross a lot of borders.

The attack is a physical side-channel attack: the attacker has to open the key's casing to get at the secure element, capture its electromagnetic emissions while it performs ECDSA signatures, and do a fair bit of analysis with expensive lab equipment to recover the private key and build a working clone. So the attack scenario here: you lose possession of your YubiKey for an extended period, your username and password are already stolen, and you somehow don't notice the invasive tampering because they put it all back together well enough. Also, if they had the key and your creds they could just log in right there, and that is almost always enough. This scenario only makes sense when they want ongoing access without you knowing about it.

Two practitioner notes. Yubico's advisory puts YubiKey 5 Series keys with firmware below 5.7 in scope; "ykman info" prints the firmware version, and because YubiKey firmware is not field-updatable, the remedy for a key in scope is a replacement key, not a patch. And FIDO authenticators return a signature counter with every assertion, so a relying party that enforces that counter monotonically can catch a cloned key once the original and the clone both get used.

Either way, it's cool research to read up on how they did it. Side-channel attacks always blow my mind. (read more)

What do you think? Is this a big deal?


The DOJ just dropped the hammer on five Russian military hackers, accusing them of being the brains behind the WhisperGate attack on Ukraine.

The U.S. government's got photos of these guys and details about their secret meetings. They're even offering a cool $10 million bounty for each hacker. The feds couldn't resist throwing some shade, calling these alleged cyber-baddies "baby faces." (read more)

Looks like Mandiant's just blown the lid off an Iranian counterintelligence op that's been running since at least 2017. They've been setting up fake job sites, complete with Israeli flags and landmarks, to lure in Farsi speakers who might be working with foreign intelligence agencies.

They've been casting a wide net, targeting folks in Syria and Lebanon too. The whole thing's pretty elaborate, with fake social media accounts, Telegram chats, and even a YouTube channel. It's like they're running a shady HR firm, but instead of finding you a job, they're trying to figure out if you're a spy. (read more)

Looks like some big-name right-wing social media stars got caught up in a Russian propaganda scheme. The Justice Department just dropped the hammer on two RT employees for allegedly funneling millions through a company called Tenet Media to pay American influencers for videos pushing pro-Russian narratives.

Tenet Media employs a bunch of popular right-wing influencers, including folks like Benny Johnson and Tim Pool, who say they had no clue about the Russian connection. They thought they were just getting sweet deals from a media startup backed by some rich European dude. Now everyone's scrambling to distance themselves faster than you can say "nyet."

There is a lot floating around about this one, sharing some:

The cyber espionage game is getting a bit incestuous. Google's Threat Analysis Group caught Russian-backed APT29 using the same exploits as some shady commercial surveillance vendors to hack Mongolian government sites. It's like they're all shopping at the same cyber weapons store.

The attackers used watering-hole attacks on compromised Mongolian government websites to target both iOS and Android users. The exploits were identical or strikingly similar to ones previously used by Intellexa and NSO Group; TAG couldn't say how APT29 got hold of them, but we love a recycling queen.

The good news is these were n-day exploits, meaning the fixes were already shipping when the campaigns ran, so if you're keeping your devices updated you should be in the clear. If you needed motivation to stop ignoring your updates for your phones, apps, or browsers, here ya go. (read more)

I also made a video about this one too.

This post caused all sorts of drama and meme storms on social media. Paul Graham is a prolific essay writer and has put out a ton of great content over the years. If you're unfamiliar, Paul co-founded Y Combinator, the famous startup incubator in SF. In this piece he's basically saying that the conventional wisdom about scaling companies is total BS, at least for founders: when founders try to run their companies like "professional managers," it often ends in disaster.

The "Founder Mode" merch dropped the same day from folks making a joke about it all. (read more)

Wow, that's quite the deep dive into hacking Wyze cameras by HiddenLayer.

They went all out on these things, rooting devices and poking at the "Edge AI" person detection. They found a command injection vulnerability in the V3 Pro: the camera dropped a Wi-Fi SSID straight into a shell command, so a crafted SSID let them run arbitrary code on the device.

They also cracked open the V4 cam (literally - desoldered the flash chip) to get at its firmware. Turns out the same vulnerability had been reintroduced there, which is exactly the kind of regression a single test in the firmware build would have caught.

Then they started messing with the AI model itself. They figured out how to run inference on arbitrary images and even tweak detection thresholds. Their experiments with overlapping objects showed you could potentially fool the person detector by holding up pictures of cars or dogs. Not super practical, but pretty fun research.

Sounds like there's more to come on physical world attacks in part 2. Can't wait to see what other AI shenanigans they get up to. (read more)
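The SSID bug is textbook command injection: untrusted bytes arriving over the air end up inside a string that gets handed to a shell. The C below is an added illustration written for this newsletter, not HiddenLayer's code and not Wyze firmware; the wpa_passphrase invocation, the function names and the hostile SSID are all assumptions. It shows the vulnerable string composition next to a hardened version that validates the SSID against the 802.11 length limit and builds an argv for execvp(), so quote characters and semicolons stay data instead of becoming shell syntax.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define SSID_MAX 32 /* 802.11 allows SSIDs of 1 to 32 octets */

/*
 * VULNERABLE PATTERN (hypothetical, modelled on the bug class in the post):
 * the SSID is spliced into a shell command line that the caller would hand to
 * system() or popen(). Wrapping it in single quotes does not help, because an
 * SSID containing a ' closes the quoted argument and the rest runs as shell.
 * Returns the snprintf() length so the caller can detect truncation.
 */
int build_wifi_cmd_vulnerable(const char *ssid, const char *psk,
                              char *out, size_t outlen)
{
    return snprintf(out, outlen, "wpa_passphrase '%s' '%s'", ssid, psk);
}

/*
 * HARDENED, step 1: validate before use. A length outside 1..32 is not a
 * legal SSID at all, and control characters have no business in one.
 * Everything else (spaces, quotes, semicolons) is legal in an SSID, so we do
 * NOT blocklist shell metacharacters; the shell is the wrong layer to fix.
 */
int ssid_is_valid(const char *ssid)
{
    size_t len = strlen(ssid);
    if (len == 0 || len > SSID_MAX)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (iscntrl((unsigned char)ssid[i]))
            return 0;
    return 1;
}

/*
 * HARDENED, step 2: never route the value through a shell. Build an argv for
 * execvp()/posix_spawn(); each element is one argument, so the SSID reaches
 * wpa_passphrase verbatim no matter what it contains.
 * argv must have room for 4 pointers. Returns argc, or -1 if the SSID is bad.
 */
int build_wifi_argv(const char *ssid, const char *psk, const char *argv[4])
{
    if (!ssid_is_valid(ssid))
        return -1;
    argv[0] = "wpa_passphrase";
    argv[1] = ssid;
    argv[2] = psk;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* constructed hostile SSID: closes the quote, then injects a command */
    const char *evil = "Home'; reboot; echo '";
    char cmd[256];
    const char *argv[4];

    build_wifi_cmd_vulnerable(evil, "hunter2", cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd);

    if (build_wifi_argv(evil, "hunter2", argv) == 3)
        printf("hardened argv[1] (a single argument, nothing executed): %s\n",
               argv[1]);
    return 0;
}
```

In real firmware the hardened path still has to capture wpa_passphrase's output, which is done with a pipe and dup2() in the child (or posix_spawn file actions), never by appending a redirect to a shell string. The V4 regression is the argument for keeping a test like the one in main() in the build: feed the hostile SSID to every code path that touches it and fail the build if a single quote ever lands inside a command string.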

WordPress is such a punching bag. LiteSpeed Cache, a caching plugin installed on over 6 million sites, has a critical vulnerability (CVE-2024-44000) that can hand an attacker your site.

The plugin's debug logging feature wrote full request headers, including logged-in users' session cookies, into a debug.log file that was fetchable over the web; replay an administrator's cookie and you are the administrator, no password or MFA involved. It only bites on sites where that debug logging was ever switched on, but you rarely know who flipped it years ago. LiteSpeed patched it in version 6.5.0.1, and with millions of sites potentially still vulnerable, it's update time! Patching stops new cookies landing in the file but does nothing about the ones already there, so also purge those old debug logs, rotate the salts in wp-config.php so every session cookie already captured is invalidated, and block direct requests to the log file at the web server for good measure. This isn't LiteSpeed's first rodeo with security issues lately, so stay on your toes. (read more)
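The web-server rule hinted at above, as an added example that is neither the post's own nor the plugin's patched behaviour. It assumes Apache 2.4 or LiteSpeed Web Server honouring .htaccess files, and that the log lives under wp-content/, which is where WordPress's own debug.log defaults to:

```apache
# wp-content/.htaccess  (added example; directory and server are assumed as in the lead-in)
# Refuse direct HTTP requests for any .log file in this directory, so a leaked
# debug.log cannot be fetched by an anonymous visitor. PHP can still write to it.
<FilesMatch "\.log$">
    Require all denied
</FilesMatch>
```

On Apache 2.2 the body is "Order allow,deny" followed by "Deny from all". On nginx .htaccess is ignored entirely; the equivalent is a "location ~ \.log$ { deny all; }" block in the server config. Verify with "curl -I https://example.com/wp-content/debug.log" (substitute your own host) that the response is a 403, not a 200. This rule hides the file without emptying it, so the purge and the salt rotation still matter.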

The RansomHub gang is at it again, this time claiming they've snagged 93 GB of data from Planned Parenthood of Montana. They're doing the usual ransomware dance - threatening to leak everything unless they get paid. Planned Parenthood has confirmed there was a "cybersecurity incident" on August 28th, but they're playing it close to the chest on details.

This isn't Planned Parenthood's first hack. They've had a few other breaches in recent years, including one that hit 400,000 patients in LA back in 2021. The nonprofit is working with cybersecurity folks to get systems back online, but no word yet on whether any patient data was actually stolen.

RansomHub's been busy this year - apparently they've hit over 200 victims already. (read more)

Had a number of people DM me about this one. Folks are worried their payment info tied to their Transport for London accounts is impacted.

Before you start panicking about your Oyster card balance, they're saying customer data is safe for now. The main impact seems to be on the corporate side, with the backroom systems at HQ taking the brunt of it. They've even asked some folks to work from home if they can - probably to keep things running smoothly while they sort this mess out. (read more)

Anyone surprised? China's digital propaganda machine is revving up for the 2024 U.S. election. They've got this network called Spamouflage that's been creating fake accounts pretending to be politically engaged Americans. These trolls are stirring the pot on hot-button issues like gun control and the Israel-Hamas conflict, trying to get everyone riled up and distrusting the election process.

What is wild is they're not even taking sides - they're just out to cause chaos. One of their accounts, the "Harlan Report," was posing as a conservative news outlet on TikTok and racked up millions of views before getting the boot. When called out, they gave some cryptic response about being a clown and fearing for their safety. Classic troll behavior. China, of course, denies everything, but with U.S. intelligence agencies already on high alert for foreign meddling, this is definitely something to keep an eye on as we head into election season. (read more)

Any Harry Potter fans? I guess whoever named this malware is. This is a great report by Proofpoint about hackers slinging malware they've dubbed "Voldemort." The Dark Lord is targeting folks worldwide, with lures masquerading as tax authorities to trick people into clicking.

The whole setup is pretty wild. They're using Google Sheets for command and control, abusing the Windows search-ms: URI handler so the "file" the victim opens is actually served from a remote share, and fronting that share with Cloudflare tunnels for good measure. It looks like espionage is the endgame here, but the jury's still out on who's behind it all. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay