Read Time: 9 minutes

Howdy friends!

This week has been a week of meeting people I’ve long talked to on the Internet. It’s always funny to wind up in a zoom or in real life hanging out with someone who you’ve spoken to for over a decade online.

Social media makes for strange parasocial bonds with folks to the point you feel like you’ve known each other a long time. This happened 3 separate times to me this week.

There must be a German word to describe this feeling.

Let’s get vulnerable!

ICYMI

🖊️ Something I wrote: This thread about North Korea burning a Chromium 0-day

🎧️ Something I heard: This podcast showcasing all the new AI dev tools lowering the knowledge bar on basic software creation. We’re in for a wild ride. Cursor and v0 are very cool and useful.

🎤 Something I said: I ran through how some researchers found SQL injection in a critical TSA website that would’ve let them edit the Known Crew Member database.

🔖 Something I read: My buddy Daniel’s post about our current state of work culture. This quote has lived rent free in my head since I read it: “The ideal number of employees in any company is zero.”

Vulnerable News

YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel

Don’t freak out! That is a scary headline. But for 99% of you reading this, you should not do anything. It’s important to know this is possible, but it is very hard to pull off. If you’re threat model would’ve included spyware by a nation state in the past, you might want to listen up. Looking at you .gov, journalists, activists, etc. Especially if you cross a lot of borders.

The attack is a complicated side channel attack that requires some expensive equipment, a lot of time, and really jacking up the yubikey device itself. So the attack scenario here: you lose possession of your yubikey for an extended period of time, your username and password are already stolen, and you somehow don’t realize the invasive tampering because they put it all back together well enough. Also if they had the key and your creds, they can just login right there and that is almost always enough. This scenario would mean they want extended access without you knowing about it.

Either way, cool research to read up on how they did it. Side channel attacks always blow my mind.(read more)

US charges five Russian military hackers with targeting Ukraine’s government with destructive malware

The DOJ just dropped the hammer on five Russian military hackers, accusing them of being the brains behind the WhisperGate attack on Ukraine.

The U.S. government's got photos of these guys and details about their secret meetings. They're even offering a cool $10 million bounty for each hacker. The feds couldn't resist throwing some shade, calling these alleged cyber-baddies "baby faces." (read more)

I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation

Looks like Mandiant's just blown the lid off an Iranian counterintelligence op that's been running since at least 2017. They've been setting up fake job sites, complete with Israeli flags and landmarks, to lure in Farsi speakers who might be working with foreign intelligence agencies.

They've been casting a wide net, targeting folks in Syria and Lebanon too. The whole thing's pretty elaborate, with fake social media accounts, Telegram chats, and even a YouTube channel. It's like they're running a shady HR firm, but instead of finding you a job, they're trying to figure out if you're a spy. (read more)

How Russian operatives covertly hired U.S. influencers to create viral videos

Looks like some big-name right-wing social media stars got caught up in a Russian propaganda scheme. The Justice Department just dropped the hammer on two RT employees for allegedly funneling millions through a company called Tenet Media to pay American influencers for videos pushing pro-Russian narratives.

Tenet Media employs a bunch of popular right wing influencers, including folks like Benny Johnson and Tim Pool, who claim they had no clue about the Russian connection. They thought they were just getting sweet deals from a media startup backed by some rich European dude. Now everyone's scrambling to distance themselves faster than you can say "nyet."

There is a lot floating around about this one, sharing some:

State-backed attackers and commercial surveillance vendors repeatedly use the same exploits

The cyber espionage game is getting a bit incestuous. Google's Threat Analysis Group caught Russian-backed APT29 using the same exploits as some shady commercial surveillance vendors to hack Mongolian government sites. It's like they're all shopping at the same cyber weapons store.

The attackers were using watering hole attacks to target both iOS and Android users. They even managed to swipe some exploits that were previously used by Intellexa and NSO Group - we love a recycling queen.

The good news is, these were mostly n-day exploits, so if you're keeping your devices updated, you should be in the clear. If you needed motivation to stop ignoring your updates for your phones, apps, or browsers, here ya go. (read more)

I also made a video about this one too.

Founder Mode

This post caused all sorts of drama and meme storms on social media. Paul Graham's is a prolific essay writer and has put out a ton of great content over the years. If you’re unfamiliar, Paul runs Y Combinator, a famous startup incubator in SF. In this piece he's basically saying that the conventional wisdom about scaling companies is total BS, at least for founders. According to him when founders try to run their companies like "professional managers," it often ends in disaster.

The “Founder Mode” merch dropped the same day from folks making a joke about it all. (read more)

Ai’ll Be Watching You

Wow, that's quite the deep dive into hacking Wyze cameras by Hidden Layer.

They went all out on these things, rooting devices and poking at their "Edge AI" person detection. They found a command injection vulnerability in the V3 Pro that let them run arbitrary code by feeding it a crafted Wi-Fi SSID.

They also cracked open the V4 cam (literally - desoldered the flash chip) to get at its firmware. Turns out the same vulnerability was reintroduced there.

Then they started messing with the AI model itself. They figured out how to run inference on arbitrary images and even tweak detection thresholds. Their experiments with overlapping objects showed you could potentially fool the camera by holding up pictures of cars or dogs. Not super practical, but pretty fun research.

Sounds like there's more to come on physical world attacks in part 2. Can't wait to see what other AI shenanigans they get up to. (read more)

LiteSpeed Cache bug exposes 6 million WordPress sites to takeover attacks

WordPress is such a punching bag. There's a bug in the LiteSpeed Cache plugin that looks pretty nasty. It’s a popular caching tool, used by over 6 million sites, has a critical vulnerability (CVE-2024-44000) that could let attackers take over your site.

The issue is with the debug logging feature, which was accidentally logging session cookies. LiteSpeed has patched it in version 6.5.0.1, but with millions of sites potentially still vulnerable, it's update time! And while you're at it, purge those old debug logs and maybe slap an .htaccess rule on there for good measure. This isn't LiteSpeed's first rodeo with security issues lately, so stay on your toes. (read more)

Ransomware Gang Claims Cyberattack on Planned Parenthood

The RansomHub gang is at it again, this time claiming they've snagged 93 GB of data from Planned Parenthood of Montana. They're doing the usual ransomware dance - threatening to leak everything unless they get paid. Planned Parenthood has confirmed there was a "cybersecurity incident" on August 28th, but they're playing it close to the chest on details.

This isn't Planned Parenthood's first hack. They've had a few other breaches in recent years, including one that hit 400,000 patients in LA back in 2021. The nonprofit is working with cybersecurity folks to get systems back online, but no word yet on whether any patient data was actually stolen.

RansomHub's been busy this year - apparently they've hit over 200 victims already. (read more)

Transport for London (TfL) faces 'ongoing cyber security incident'

Had a number of people DM me about this one. Folks are worried their payment info tied to their metro accounts is impacted.

Before you start panicking about your Oyster card balance, they're saying customer data is safe for now. The main impact seems to be on the corporate side, with the backroom systems at HQ taking the brunt of it. They've even asked some folks to work from home if they can - probably to keep things running smoothly while they sort this mess out. (read more)

Beijing-Backed Trolls Target U.S. Voters as Election Nears

Anyone surprised? China's digital propaganda machine is revving up for the 2024 U.S. election. They've got this network called Spamouflage that's been creating fake accounts pretending to be politically engaged Americans. These trolls are stirring the pot on hot-button issues like gun control and the Israel-Hamas conflict, trying to get everyone riled up and distrusting the election process.

What is wild is they're not even taking sides - they're just out to cause chaos. One of their accounts, the "Harlan Report," was posing as a conservative news outlet on TikTok and racked up millions of views before getting the boot. When called out, they gave some cryptic response about being a clown and fearing for their safety. Classic troll behavior. China, of course, denies everything, but with U.S. intelligence agencies already on high alert for foreign meddling, this is definitely something to keep an eye on as we head into election season. (read more)

The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort”

Any Harry Potter fans? I guess whoever named this malware is. This is a great report by Proofpoint about some hackers are out there slinging malware they've dubbed "Voldemort.” The Dark Lord is targeting folks worldwide, masquerading as tax authorities to trick people into clicking.

The whole setup is pretty wild. They're using Google Sheets for command and control, abusing Windows search features, and even throwing in some Cloudflare tunnels for good measure. It looks like espionage is the endgame here, the jury's still out on who's behind it all. (read more)

Miscellaneous mattjay

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay