🎓️ Vulnerable U | #033

23andMe Hacked, MGM Breach cost $110 Million, War Sparks Hactivism, and More

Read Time: 8 minutes

Howdy friends!

A lot going on in the whole world, and I hope all my readers are safe and stay that way. Thinking of all those impacted by the violence in Israel. I know some of us are getting auto-response emails from our cybersecurity colleagues who’ve been called up from reserves in the draft.

Stay safe. And let’s get into it this week.

One of my remote coworkers came to ATX - of course showed him some good food!

I had more thoughts than social media would let me get across on the 23andMe incident from this week:

There have been a ton of reports this week that 23andMe suffered a credential stuffing attack. The result of this was the attackers collected profile data about as many users as possible using a feature known as DNA Relatives.

Once they collected all this data they decided to start to leak parts of the list focusing specifically on Ashkenazi Jews. After that they started selling all of the data collected in data packs.

During all of this reporting on an obviously emotionally charged topic - 23andMe announced they had not been hacked. This was just users who reused their passwords from other sites and THOSE sites had been hacked.

Now your caught up and I’d like to have a discussion about this entire event and focus on a few questions:

- What is the threat of giving your DNA information to these private companies like 23andMe or Ancestry?

- Where do you personally draw your risk line between privacy and life enrichment?

- Is credential stuffing a data breach?

In this episode:

  • 23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

  • MGM Breach cost $110 Million

  • Hacktivism erupts in response to Hamas-Israel war

  • IBM’s X-Force uncovers global NetScaler Gateway credential harvesting campaign

  • Google makes passkeys the default sign-in method for all users

  • HTTP/2 Zero-Day Vulnerability Results in Record-Breaking DDoS Attacks

  • Microsoft Warns of Nation-State Hackers Exploiting Critical Atlassian Confluence Vulnerability

  • Patch Tuesday, October 2023 Edition

  • Microsoft introduces Bug Bounty for flaws found in their AI implementations

  • Record $7 billion in crypto laundered through cross-chain services

ICYMI

🖊️ Something I wrote: A thread on dark money orgs fighting our right to privacy.

🎧️ Something I heard: Great conversation about modern masculinity.

🎤 Something I said: My take on the news over on YouTube

🔖 Something I read: This great post talking about the nuance of the Israel/Palestine situation.

Vulnerable News

This news broke the day last week’s newsletter came out. I’ve covered it over on YouTube and had a Twitter thread get a …bit… of attention. 👀 

If you missed all that:
A) subscribe to my YouTube and follow my Twitter ;)
B) The TL;DR is some attackers who compromised 23andMe accounts via credential stuffing. Once inside those accounts, they scraped data via the ‘DNA Relatives’ feature and compiled as much as they could. They then leaked millions of lines of data targetting Ashkenazi Jews and those of Chinese descent.

Why It's Important:

  1. Sensitive Nature of Data: The nature of data held by 23andMe makes it a significant target, as it handles sensitive genetic information.

  2. Rising Trend: Credential stuffing attacks are becoming more common, highlighting a broader issue.

  3. Hack or Hate Crime: This combo data breach and racially targeted data leak makes it particularly spicy.

An interesting part about this in the cybersecurity community is that 23andMe says they weren’t hacked. It’s just folks reusing passwords fault. This week’s blog (link at top of this email) goes into my thoughts on the privacy implications of 23andMe services in general, giving your DNA to private companies, and if credential stuffing is hacking at all. (read more)

You’ll see this stat in every sales deck disguised as a conference talk from here on, so I wanted to show you first. MGM filed its regulatory paperwork this week and claimed a loss of about $100 million from their hack and an additional $10 million in incident response costs. (Congrats Mandiant) (read more)

The ongoing conflict between Hamas and Israel has spilled over into the digital realm, with a surge in hacktivist campaigns. Various hacking groups are launching cyberattacks as a form of protest and to show solidarity with either side of the conflict.

Why It's Important:

  1. Digital Extension of Physical Conflict: The cyberattacks represent a digital manifestation of the ongoing real-world conflict, showcasing the evolving nature of warfare and protest.

  2. Variety of Attacks: The range of attacks, from simple to sophisticated, indicates the diverse capabilities of hacktivist groups involved in the conflict.

  3. Global Repercussions: Such cyber conflicts can have broader global implications, affecting various sectors and potentially leading to widespread disruptions.

These attacks range from website defacements to more sophisticated attacks, reflecting the use of cyberspace as a battleground for political and ideological disputes. (read more)

We talked about this vuln when it first came out. Well, now some researchers have discovered a campaign targeting those who’ve been slow to patch. The 0day dropped in July, and by August, there were hundreds of compromised Citrix boxes showing up on Shodan.

IBM’s X-Force has discovered a global phishing campaign targeting Netscaler Gateway users. The attackers aim to harvest credentials by deploying phishing pages that mimic Netscaler Gateway login portals.

Why It's Important:

  1. Widespread Targeting: The campaign’s global reach signifies a broad threat landscape, affecting users worldwide.

  2. Sophistication: Hosting phishing pages on compromised WordPress sites shows a level of sophistication, making the attack more deceptive.

  3. Focus on Netscaler Gateway: Targeting Netscaler Gateway, a popular tool, indicates a strategic focus to maximize the impact of the campaign.

These fraudulent pages are hosted on compromised WordPress sites, making it challenging to discern them from legitimate login pages, which increases the likelihood of credential theft. (read more)

Let’s go! This might be a light at the end of the tunnel for passwords. An absolutely huge step for passkey tech coming way sooner than I would’ve guessed.

Google has transitioned to making passkeys the default sign-in method for all users, enhancing account security. Passkeys, a two-step verification method, involves users confirming their identity by responding to a prompt sent to a registered device after entering their password.

Why It's Important:

  1. Enhanced Security: Passkeys offer an additional layer of security, making it more challenging for unauthorized users to access accounts.

  2. User-Friendly: Passkeys provide a balance between enhanced security and user convenience, promoting broader adoption of two-step verification methods.

  3. Proactive Measure: By making it a default, Google is taking a proactive stance toward encouraging better security practices among users.

Excited to see more follow suit. (read more)

This is one of those vulns that if it impacted you, it really impacted you. Attackers found a way to leverage a built-in feature of the HTTP/2 protocol to break DDoS records.

“This novel zero-day vulnerability attack, dubbed Rapid Reset, leverages HTTP/2’s stream cancellation feature by sending a request and immediately canceling it over and over.

By automating this trivial “request, cancel, request, cancel” pattern at scale, threat actors are able to create a denial of service and take down any server or application running the standard implementation of HTTP/2.

Furthermore, one crucial thing to note about the record-breaking attack is that it involved a modestly-sized botnet, consisting of roughly 20,000 machines.”

Why It's Important:

  1. Unprecedented Scale: The sheer volume of the attack signifies a new level of threat in the DDoS landscape.

  2. Zero-Day: The exploitation of an unknown vulnerability.

The attack peaked at 2.5 Tbps, making it one of the largest DDoS attacks ever recorded. Google did a co-writeup with CloudFlare here - (read more)

A record-breaking $7 billion has been laundered through cross-chain services in the cryptocurrency domain, as per a report by Elliptic. These services allow users to move assets between different blockchains, providing a method for criminals to obscure the origins of illicit funds.

Why It's Important:

  1. New Laundering Method: Cross-chain services are emerging as a novel method for laundering money, indicating an evolution in criminal tactics.

  2. Regulatory Gaps: The lack of regulation and oversight in these services makes them attractive for illicit activities.

  3. Magnitude: The substantial amount laundered signifies the scale and potential risk associated with these services.

The report emphasizes the need for regulation and oversight in the cross-chain services to prevent their misuse for money laundering and other illegal activities. (read more)

Some academic research presented findings analyzing 435 code snippets that were made by GitHub’s AI Assistant ‘Copilot’ - They detail their testing methodology and results in great detail in this paper.

TL;DR - The security industry is safe so far.

“Our results show: (1) 35.8% of the 435 Copilot generated code snippets contain security weaknesses, spreading across six programming languages. (2) The detected security weaknesses are diverse in nature and are associated with 42 different CWEs.” (read more)

Calling all bug hunters. We’ve got greenfield ripe for some bounty picking! Time to test out your AI hacking chops. Microsoft is paying up to $15k for bugs like Inference Manipulation, Model Manipulation, and Inferential Information Disclosure. (read more)

We talked about the Confluence vuln last week - well now Microsoft has issued a warning regarding nation-state hackers targeting it. The adversaries, dubbed "NICKEL," are primarily focusing on disrupting government agencies, think tanks, and non-governmental organizations. (read more)

I know a lot of us were on our toes for this one. Last week one of the maintainers of curl cryptically talked about a major security issue that he was going to drop in a few days. Well, curl is everywhere, so we all got a bit worried a la log4j. But it turned out to be mostly a nothingburger. (read more)

Microsoft’s Patch Tuesday for October 2023 has been released, addressing 71 security vulnerabilities across a wide range of its products. Four of the vulnerabilities are classified as critical, with the rest being important. (read more)

As Kevin said in the article: “It’s quite likely that you have never heard of libcue before, and are wondering why it’s important. This situation is neatly illustrated by xkcd 2347:”

This bug is installed by default on a lot of open-source operating systems. Also always love easy-to-exploit, high-impact bugs hiding in strange places. (read more)

Helluva opening line to an article: “When you buy a TV streaming box, there are certain things you wouldn’t expect it to do. It shouldn’t secretly be laced with malware or start communicating with servers in China when it’s powered up. It definitely should not be acting as a node in an organized crime scheme making millions of dollars through fraud. However, that’s been the reality for thousands of unknowing people who own cheap Android TV devices.” (read more)

Miscellaneous mattjay

Nate is the man. This talk is really good and he’s the perfect person to give it

A poem by Danusha Laméris on the value of small kindnesses:

“I’ve been thinking about the way, when you walk

down a crowded aisle, people pull in their legs

to let you by. Or how strangers still say “bless you”

when someone sneezes, a leftover

from the Bubonic plague. “Don’t die,” we are saying.

And sometimes, when you spill lemons

from your grocery bag, someone else will help you

pick them up. Mostly, we don’t want to harm each other.

We want to be handed our cup of coffee hot,

and to say thank you to the person handing it. To smile

at them and for them to smile back. For the waitress

to call us honey when she sets down the bowl of clam chowder,

and for the driver in the red pick-up truck to let us pass.

We have so little of each other, now. So far

from tribe and fire. Only these brief moments of exchange.

What if they are the true dwelling of the holy, these

fleeting temples we make together when we say, “Here,

have my seat,” “Go ahead — you first,” “I like your hat.”

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay