🎓️ Vulnerable U | #034

10,000+ Cisco Devices Hacked by 0day, North Korea funneling millions with fake remote workers, APT exploiting WinRAR 0day, A New Malvertising Campaign, & more!

Read Time: 9 minutes

Howdy friends!

Happy season 2 of Diablo 4 to all those who celebrate. @Jhaddix and I played on stream and answered infosec questions for anyone who hopped on the other night. It was so much fun that I’d like to do that kind of thing again. Play some games and help some folks get into the field? What could be better?

If you feel so inclined, reply to this thread if that sounds like something you’d be interested in more regularly. And if you’re playing Diablo, reply with what class you’re trying for season 2 - I went with a Shred Druid for the first time, and it’s been fun.

10 years ago this week. Recording LiquidMatrix Security Podcast live @ SecTor 2013 w/ Dave Lewis, Ben Sapiro, and James Arlen

Take a look at the blog I wrote this week:

Everyone’s goal is to not get hacked. That goal is meaningless.

Conventional wisdom is that setting specific, actionable goals is the key to success—ensuring our networks are impenetrable, our data is safe, and our businesses are secure. For years, many of us have approached our infosec practices with this goal-oriented mindset, but the reality is that this approach often falls short.

What truly matters isn’t the goal itself, but the system we implement to achieve it. As legendary football coach Bill Walsh says, “The score takes care of itself.” In other words, it’s not the end result that we should be obsessing over, but rather the process we follow to achieve it.

Understanding the difference between goals and systems

James Clear talks about this in his book, Atomic Habits. He explains how the pitfall of focusing on goals causes a few common problems to arise. I’d like to approach this same concept through an information security lens and explore what lessons we can learn from it.

In this episode:

  • 10,000 Cisco devices backdoored through unpatched 0-day

  • The Rise and Fall of Digital Bandits 'ACG'

  • Amazon adds passkey support as new passwordless login option

  • Discord is full of malware activity

  • The forgotten malvertising campaign

  • Government-backed actors exploiting WinRAR vulnerability

  • Allied Spy Chiefs Warn of Chinese Espionage Targeting Tech Firms

  • Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps

  • Thousands of remote IT workers sent wages to North Korea to help fund weapons program

  • Twitter glitch allows CIA informant channel to be hijacked

  • and more!


🖊️ Something I wrote: Been talking a lot about the 23andMe breach - I wrote a blog about privacy and credential stuffing.

🎧️ Something I heard: Been listening to The Comfort Crisis on Audiobook. Recommend it so far. Digs into the benefits of embracing discomfort.

🎤 Something I said: Summed up the news over on YouTube and even started a TikTok recently if that is your jam.

🔖 Something I read: Great post by a friend of the show Mike Privette, 25 lessons from a long cybersecurity career


🤖 Wondering how to defend against QR code phishing attacks? 🤖 

Sublime detects and decodes QR code attacks with open-source detection rules.

Deploy a free Sublime Security instance to effectively block attempts without impacting legitimate email traffic.

Be up and running in production in minutes and self-host it for free.

Vulnerable News

Please get your management consoles off the Internet.

A zero-day vulnerability in Cisco devices running IOS XE software is being actively exploited, granting attackers full control over compromised networks. The vulnerability, rated with a maximum severity of 10, allows attackers to create admin accounts, leading to unauthorized activities. You can read the original report from VulnCheck here.

  • Widespread Impact: Over 10,000 switches, routers, and other Cisco devices have been compromised, indicating the extensive reach and severe impact of this vulnerability.

  • Advanced Exploitation: Attackers are exploiting the vulnerability to execute commands deeply within the compromised devices, showcasing the depth of access and control gained through this exploitation.

  • Urgent Protective Measures: In the absence of a patch, immediate implementation of protective measures and vigilant monitoring are crucial to safeguard networks from potential compromises and unauthorized activities. (read more)
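Two of the concrete things a defender can check while waiting on a patch are exactly the ones this story hinges on: whether the device's web UI is reachable from anywhere at all, and whether a privilege-15 account exists that nobody on the network team created. Here is a small added example (mine, not from VulnCheck, Cisco, or the newsletter) that audits an IOS XE running-config text for both conditions. The config excerpts, the account names, and the `EXPECTED_ADMINS` inventory are all constructed for illustration; the `ip http access-class ipv4 <acl>` line in the hardened sample is written from memory of IOS XE syntax and should be confirmed against your platform's documentation.

```python
import re

# Constructed IOS XE running-config excerpt for illustration; not from any real device.
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username backup_admin privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
"""

# Same device after remediation (also constructed): web UI fenced to a
# management ACL, and the account the team did not create is gone.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
!
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
!
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""

# Privilege-15 accounts the network team knows it created (assumed inventory).
EXPECTED_ADMINS = {"netops"}

PRIV15_RE = re.compile(r"^username (\S+) privilege 15\b")


def audit_config(config_text, expected_admins=EXPECTED_ADMINS):
    """Return a list of human-readable findings for one running-config."""
    findings = []
    lines = [line.strip() for line in config_text.splitlines()]

    # 1. Is the HTTP or HTTPS web UI switched on at all?
    web_ui_on = any(line in ("ip http server", "ip http secure-server") for line in lines)
    # 2. If it is on, is it restricted to a management ACL?
    has_http_acl = any(line.startswith("ip http access-class") for line in lines)
    if web_ui_on and not has_http_acl:
        findings.append("web UI enabled without 'ip http access-class'; "
                        "disable it or restrict it to management networks")

    # 3. Any privilege-15 user that is not in the known-admin inventory?
    for line in lines:
        m = PRIV15_RE.match(line)
        if m and m.group(1) not in expected_admins:
            findings.append(f"unexpected privilege-15 account: {m.group(1)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

Run it across a directory of `show running-config` captures and diff the privilege-15 list against your inventory on every run; a new name appearing is the signal this story says to watch for.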

I love the journalism coming out of 404. This is a great profile on why most folks stay away from the blackhat money allure.

Hackers known as 'ACG' lived a lavish lifestyle funded by their cybercrimes. The group, led by Braiden Williams, specialized in SIM swapping to steal Bitcoin and other cryptocurrencies. Their heists and blatant displays of wealth made them both notorious and targets within the hacking community. However, their activities escalated from digital thefts to physical violence and threats, affecting innocent people.

Why is this important?

  • Cyber Crime Turned Physical Threats: ACG's transition from online theft to real-world violence highlights the dangerous convergence of cybercrime with physical brutality. This new realm of crime shows that hackers are not just behind keyboards; they are now armed and causing real harm.

  • The Rise of SIM Swapping: ACG's primary method of theft, SIM swapping, is a growing concern. It allows hackers to take control of a victim's phone number and, consequently, their digital life and finances. This technique is becoming more prevalent and sophisticated.

  • Impact on Innocents: ACG's actions, especially their threats and violence, have affected innocent individuals, including minors. Their activities have led to a wave of bomb threats against schools and universities, framing innocent people as culprits. (read more)

I’m just going to keep celebrating the passkey adoptions. Last week we talked about how Google made passkey the default auth method. This week, Amazon introduced passkey support as a new passwordless login option, enhancing user security against information-stealing malware and phishing attacks.

Passkeys allow users to utilize biometric controls or PINs linked to devices such as phones, computers, and USB security keys for logging in, eliminating the need for passwords.

Why is this important?

  • Enhanced Security: The introduction of passkeys as a login option offers users enhanced security, reducing the risk of password theft through phishing attacks or malware.

  • User Convenience: Passkeys provide users with a more convenient login option, utilizing biometrics or PINs and eliminating the need to remember or manage multiple passwords.

  • Implementation Limitations: Despite the security benefits, the implementation of passkeys on Amazon comes with limitations, such as the inability to manage passkeys individually and regional restrictions on their use. (read more)

Discord, a popular communication platform, especially among gamers, is being exploited by malicious actors to deliver malware and exfiltrate sensitive information.

Trellix, in collaboration with Threatray, has unveiled that malware families are abusing Discord's features, such as their Content Delivery Network (CDN) and webhooks for malicious operations.

  • Exploitation of Discord's Features: Malware utilizes Discord's CDN and webhooks to download additional malicious files and exfiltrate information, blending malicious traffic within legitimate Discord traffic to evade detection.

  • Variety of Malware Involved: A range of malware, including information stealers and Remote Access Trojans (RATs), has been found exploiting Discord, indicating a broad and evolving threat landscape.

  • Potential APT Involvement: A sample targeting Ukrainian critical infrastructures was discovered, suggesting that sophisticated APT actors might be considering the use of Discord for malicious campaigns, adding a new dimension to the threat landscape. (read more)
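The detection angle here is that the two Discord endpoints malware leans on, webhook POSTs and CDN attachment downloads, are perfectly normal for the Discord client and a browser but have no business coming from a scripting host or an unknown binary. The following added example (mine, not from Trellix, Threatray, or the newsletter) runs that rule over a few constructed proxy log lines. The log format, the process names, and the `EXPECTED_DISCORD_CLIENTS` allow-list are assumptions; the `discord.com/api/webhooks/` and `cdn.discordapp.com/attachments/` paths are Discord's real endpoints.

```python
from urllib.parse import urlparse

# Constructed proxy log lines for illustration (assumed format:
# timestamp client_ip process method url status). Not real traffic.
SAMPLE_LOGS = """\
2023-10-20T14:01:07Z 10.1.2.33 Discord.exe GET https://cdn.discordapp.com/attachments/111/222/meme.png 200
2023-10-20T14:02:11Z 10.1.2.33 powershell.exe GET https://cdn.discordapp.com/attachments/333/444/update.exe 200
2023-10-20T14:02:40Z 10.1.2.33 update.exe POST https://discord.com/api/webhooks/555/TOKEN-PLACEHOLDER 204
2023-10-20T14:03:02Z 10.1.2.51 chrome.exe GET https://discord.com/channels/@me 200
2023-10-20T14:03:15Z 10.1.2.51 curl.exe POST https://discord.com/api/webhooks/666/TOKEN-PLACEHOLDER 204
""".splitlines()

# Processes expected to talk to Discord on a workstation (assumed allow-list).
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def parse_line(line):
    """Split one space-separated proxy log line into a dict."""
    ts, client_ip, process, method, url, status = line.split()
    return {"ts": ts, "client_ip": client_ip, "process": process,
            "method": method, "url": url, "status": int(status)}


def classify(entry):
    """Return a reason string if the entry looks like Discord abuse, else None."""
    parsed = urlparse(entry["url"])
    host = (parsed.hostname or "").lower()
    path = parsed.path
    proc = entry["process"].lower()

    # The Discord app and browsers are expected to hit these endpoints.
    if proc in EXPECTED_DISCORD_CLIENTS:
        return None
    # Webhooks are the exfiltration channel: data is POSTed to a channel the attacker owns.
    if host == "discord.com" and path.startswith("/api/webhooks/") and entry["method"] == "POST":
        return "webhook POST from non-Discord process (possible exfiltration)"
    # The CDN is the staging channel: a second-stage file hosted as a chat attachment.
    if host == "cdn.discordapp.com" and path.startswith("/attachments/"):
        return "attachment download from non-Discord process (possible payload staging)"
    return None


def find_suspicious(lines):
    """Return (timestamp, client_ip, process, reason) for every flagged line."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        reason = classify(entry)
        if reason:
            hits.append((entry["ts"], entry["client_ip"], entry["process"], reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(*hit)
```

The allow-list is the weak spot of this rule: a RAT injected into a browser process will pass it. Pairing the proxy view with endpoint telemetry (which process actually opened the socket) closes most of that gap.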

These stories are the reason I hate sites that force you to turn off your adblocker. They are effectively saying: “Please make yourself less safe online in order to consume our content.”

A sophisticated malvertising campaign has been discovered, which utilizes Google searches to deliver custom malware payloads discreetly. The campaign targets popular software like Notepad++ and PDF converters, using malicious ads that lead to the download of harmful payloads.

  • Advanced Evasion Techniques: The campaign uses refined tactics like system fingerprinting and unique, time-sensitive downloads to bypass detection mechanisms and target specific users.

  • Targeted Software: Popular software like Notepad++ and PDF converters are being targeted, indicating that the attackers aim to exploit commonly used applications to maximize their reach.

  • Increased Sophistication: The campaign’s complexity, including the use of unique IDs for tracking and delivering payloads, underscores the evolving sophistication of malvertising threats, necessitating advanced defensive strategies. (read more)

Google’s Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting a known vulnerability (CVE-2023-38831) in WinRAR, a popular file archiver tool for Windows. Despite the availability of a patch, the vulnerability continues to be exploited, allowing attackers to execute arbitrary code. TAG has identified various campaigns by state-backed actors from countries like Russia and China, who have used sophisticated tactics to exploit this vulnerability for malicious purposes. Additional coverage over on Decipher on this one as well.

  • Sophisticated Exploitation: The attackers are using intricate methods, such as hosting malicious files on anonymous file-sharing services and leveraging various lures, to exploit the vulnerability effectively.

  • Importance of Timely Patching: Despite the availability of patches, the continued exploitation of this vulnerability underscores the critical need for timely software updates to maintain cybersecurity. (read more)

A resurgence of the fake browser update scam has been observed, with a novel twist to evade mitigation efforts. In this write-up on Krebs, we see how hackers have been exploiting vulnerable websites, presenting users with fraudulent browser update notifications.

When users click on these updates, malicious payloads, including information-stealing trojans, are delivered. Attackers are now hosting the malicious files on a decentralized cryptocurrency blockchain, making the takedown of these files challenging for security experts and law enforcement.

  • Evolution of Tactics: The scam has evolved, with malicious files now being hosted on a decentralized, anonymous cryptocurrency blockchain, complicating mitigation efforts.

  • Specific Targeting: The fake browser update notifications are tailored to the specific browser a visitor is using, making the scam appear more legitimate and increasing the likelihood of users downloading malicious files. (read more)

Microsoft has discovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack targeting banking and financial services organizations. The attack, initiated by a compromised trusted vendor, involved AiTM and BEC attacks across multiple supplier/partner organizations, aiming for financial fraud. The attackers used indirect proxy methods, allowing them more control and flexibility in tailoring phishing pages, stealing session cookies, and bypassing multi-factor authentication (MFA).

Why is this important?

  • Complex and Multi-Stage Attack: The AiTM attack is sophisticated, involving multiple stages such as phishing, session cookie theft, and BEC, showcasing the complexity and evolution of threat tactics.

  • Abuse of Trusted Relationships: The attack originated from a compromised trusted vendor, exploiting the trusted relationships between vendors, suppliers, and partner organizations, making detection more challenging.

  • Evolving Threat Tactics: The use of indirect proxy methods and the ability to bypass MFA highlight the continuous adaptation and evolution of threat tactics, necessitating advanced and proactive defense strategies. (read more)
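What makes AiTM work is that the stolen session cookie is replayed from the attacker's own client, which is not the client that completed MFA. A cheap signal for that is a session token being used from a different IP address and user agent than the one bound to it at sign-in. The added example below (mine, not Microsoft's detection logic or the newsletter's) applies that rule to a few constructed sign-in events; the event schema, user names, IPs, and user-agent strings are all assumptions for illustration.

```python
from datetime import datetime

# Constructed identity-provider events for illustration (assumed schema). Not real data.
EVENTS = [
    {"ts": "2023-10-20T09:00:00Z", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Edge/118 Windows", "event": "mfa_success"},
    {"ts": "2023-10-20T09:00:05Z", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Edge/118 Windows", "event": "session_use"},
    # Same session cookie, minutes later, from a different address and browser.
    {"ts": "2023-10-20T09:07:30Z", "user": "alice", "session": "S1",
     "ip": "198.51.100.77", "ua": "Chrome/118 Linux", "event": "session_use"},
    {"ts": "2023-10-20T10:15:00Z", "user": "bob", "session": "S2",
     "ip": "203.0.113.22", "ua": "Edge/118 Windows", "event": "mfa_success"},
    {"ts": "2023-10-20T10:20:00Z", "user": "bob", "session": "S2",
     "ip": "203.0.113.22", "ua": "Edge/118 Windows", "event": "session_use"},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(events):
    """Flag session_use events whose client differs from the one that passed MFA.

    Returns one alert dict per flagged event. Both IP and user agent must
    differ to fire, which keeps mobile address churn from paging anyone.
    """
    bound = {}   # session id -> (ip, ua, mfa time) recorded at MFA success
    alerts = []
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        if ev["event"] == "mfa_success":
            bound[ev["session"]] = (ev["ip"], ev["ua"], _parse_ts(ev["ts"]))
            continue
        if ev["event"] != "session_use" or ev["session"] not in bound:
            continue
        ip, ua, mfa_at = bound[ev["session"]]
        if ev["ip"] != ip and ev["ua"] != ua:
            alerts.append({
                "user": ev["user"],
                "session": ev["session"],
                "bound_client": f"{ip} / {ua}",
                "seen_client": f"{ev['ip']} / {ev['ua']}",
                "minutes_after_mfa": (_parse_ts(ev["ts"]) - mfa_at).total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(EVENTS):
        print(alert)
```

Revoking the session and forcing re-authentication on a hit is the response that actually undoes the cookie theft; an alert alone leaves the attacker logged in.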

In an unprecedented gathering at Stanford University, intelligence chiefs from the United States and its allies highlighted the escalating threat of Chinese espionage aimed at stealing technology, particularly in Silicon Valley. The FBI estimates that over half of Chinese espionage activities aimed at technology theft occur in this region.

The meeting aimed to engage the private sector in a collective effort to counteract this "unprecedented threat," urging companies to bolster defenses against theft of technological innovations and intellectual property.

  • Shift in Espionage Focus: The meeting underscored a strategic shift in Chinese espionage activities, focusing more on technology theft from Silicon Valley rather than governmental institutions in Washington.

  • Engagement of Private Sector: Intelligence chiefs are seeking to engage the private sector more actively, emphasizing the need for collective action and enhanced security measures to protect technological innovations. (read more)

The Lazarus Group, linked to North Korea, has been deploying a sophisticated campaign, "Operation Dream Job," targeting defense and nuclear engineers. The attackers use trojanized versions of Virtual Network Computing (VNC) apps as lures, offering fake job interviews to potential victims.

The malicious apps, once opened, activate additional payloads, including known Lazarus Group malware, to profile the compromised hosts. The campaign primarily targets businesses involved in defense manufacturing, such as radar systems, military vehicles, and weaponry.

  • Sophisticated Lures: The Lazarus Group is using trojanized VNC apps and fake job interviews as lures, demonstrating the sophistication of their tactics to deceive and compromise targets.

  • Targeting Defense Industry: The campaign is specifically aimed at the defense industry, including sectors like radar systems and military vehicles, indicating a strategic focus on acquiring sensitive and classified information. (read more)

This one is wild to me. A ton of North Koreans moved to China or Russia and got remote jobs in the US. They would pay US residents to use their Internet as a tunnel to appear to be working from the States. They then funneled their earnings back to North Korea and even stole info from their employers. (read more)

A cybersecurity researcher, Kevin McSheehan, exploited a vulnerability on the CIA's official Twitter account, redirecting a channel used for recruiting informants to his own Telegram channel.

The CIA’s account on Twitter, aimed at gathering intelligence from a network of spies and informants worldwide, displayed a link to a Telegram channel for secure communications. However, due to a flaw in displaying the link, McSheehan was able to hijack it, raising concerns about the potential interception of sensitive intelligence by hostile nations. (read more)

In other news, your machine learning blockchain-powered threat intel-focused Kubernetes sidecar that detects anomalies in any blip of traffic is pointless because everyone still uses “admin” as their password. (read more)

Miscellaneous mattjay

I did a live stream with my friend Ed over at Cribl on a “state of the union” of cybersecurity. 30-minute casual convo over lunch:

My day job changed.

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen