Read Time: 9 minutes

Howdy friends!

Happy season 2 of Diablo 4 to all those who celebrate. Me and @Jhaddix played on stream and answered infosec questions for anyone who hopped on the other night. Was so much fun that I’d like to do that kind of thing again. Play some games and help some folks get into the field? What could be better?

If you feel so inclined, reply to this thread if that sounds like something you’d be interested in more regularly. And if you’re playing Diablo, reply with what class you’re trying for season 2 - I went with a Shred Druid for the first time, and it’s been fun.

Take a look at the blog I wrote this week:

In this episode:

• 10,000 Cisco devices backdoored through unpatched 0-day

• The Rise and Fall of Digital Bandits 'ACG'

• Amazon adds passkey support as new passwordless login option

• Discord is full of malware activity

• The forgotten malvertising campaign

• Government-backed actors exploiting WinRAR vulnerability

• Allied Spy Chiefs Warn of Chinese Espionage Targeting Tech Firms

• Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps

• Thousands of remote IT workers sent wages to North Korea to help fund weapons program

• Twitter glitch allows CIA informant channel to be hijacked

• and more!

ICYMI

🖊️ Something I wrote: Been talking a lot about the 23andMe breach - I wrote a blog about privacy and credential stuffing.

🎧️ Something I heard: Been listening to The Comfort Crisis on Audiobook. Recommend it so far. Digs into the benefits of embracing discomfort.

🎤 Something I said: Summed up the news over on YouTube and even started a TikTok recently if that is your jam.

🔖 Something I read: Great post by a friend of the show Mike Privette, 25 lessons from a long cybersecurity career

Vulnerable News

“Cisco buried the lede.” >10,000 network devices backdoored through unpatched 0-day

Please get your management consoles off the Internet.

A zero-day vulnerability in Cisco devices running IOS XE software is being actively exploited, granting attackers full control over compromised networks. The vulnerability, rated with a maximum severity of 10, allows attackers to create admin accounts, leading to unauthorized activities. Can read the original report from VulnCheck here

• Widespread Impact: Over 10,000 switches, routers, and other Cisco devices have been compromised, indicating the extensive reach and severe impact of this vulnerability.

• Advanced Exploitation: Attackers are exploiting the vulnerability to execute commands deeply within the compromised devices, showcasing the depth of access and control gained through this exploitation.

• Urgent Protective Measures: In the absence of a patch, immediate implementation of protective measures and vigilant monitoring are crucial to safeguard networks from potential compromises and unauthorized activities. (read more)

From High Life Hackers to National Menace: The Rise and Fall of Digital Bandits 'ACG'

I love the journalism coming out of 404. This is a great profile on why most folks stay away from the blackhat money allure.

Hackers known as 'ACG' lived a lavish lifestyle funded by their cybercrimes. The group, led by Braiden Williams, specialized in SIM swapping to steal Bitcoin and other cryptocurrencies. Their heists and blatant displays of wealth made them both notorious and targets within the hacking community. However, their activities escalated from digital thefts to physical violence and threats, affecting innocent people.

Why is this important?

• Cyber Crime Turned Physical Threats: ACG's transition from online theft to real-world violence highlights the dangerous convergence of cybercrime with physical brutality. This new realm of crime shows that hackers are not just behind keyboards; they are now armed and causing real harm.

• The Rise of SIM Swapping: ACG's primary method of theft, SIM swapping, is a growing concern. It allows hackers to take control of a victim's phone number and, consequently, their digital life and finances. This technique is becoming more prevalent and sophisticated.

• Impact on Innocents: ACG's actions, especially their threats and violence, have affected innocent individuals, including minors. Their activities have led to a wave of bomb threats against schools and universities, framing innocent people as culprits. (read more)

Amazon adds passkey support as new passwordless login option

I’m just going to keep celebrating the passkey adoptions. Last week we talked about how Google made passkey the default auth method. This week, Amazon introduced passkey support as a new passwordless login option, enhancing user security against information-stealing malware and phishing attacks.

Passkeys allow users to utilize biometric controls or PINs linked to devices such as phones, computers, and USB security keys for logging in, eliminating the need for passwords.

Why is this important?

• Enhanced Security: The introduction of passkeys as a login option offers users enhanced security, reducing the risk of password theft through phishing attacks or malware.

• User Convenience: Passkeys provide users with a more convenient login option, utilizing biometrics or PINs and eliminating the need to remember or manage multiple passwords.

• Implementation Limitations: Despite the security benefits, the implementation of passkeys on Amazon comes with limitations, such as the inability to manage passkeys individually and regional restrictions on their use. (read more)

Discord is full of malware activity

Discord, a popular communication platform, especially among gamers, is being exploited by malicious actors to deliver malware and exfiltrate sensitive information.

Trellix, in collaboration with Threatray, has unveiled that malware families are abusing Discord's features, such as their Content Delivery Network (CDN) and webhooks for malicious operations.

• Exploitation of Discord's Features: Malware utilizes Discord's CDN and webhooks to download additional malicious files and exfiltrate information, blending malicious traffic within legitimate Discord traffic to evade detection.

• Variety of Malware Involved: A range of malware, including information stealers and Remote Access Trojans (RATs), has been found exploiting Discord, indicating a broad and evolving threat landscape.

• Potential APT Involvement: A sample targeting Ukrainian critical infrastructures was discovered, suggesting that sophisticated APT actors might be considering the use of Discord for malicious campaigns, adding a new dimension to the threat landscape. (read more)

The forgotten malvertising campaign

These stories are the reason I hate sites that force you to turn off your adblocker. They are effectively saying: “Please make yourself less safe online in order to consume our content.”

A sophisticated malvertising campaign has been discovered, which utilizes Google searches to deliver custom malware payloads discreetly. The campaign targets popular software like Notepad++ and PDF converters, using malicious ads that lead to the download of harmful payloads.

• Advanced Evasion Techniques: The campaign uses refined tactics like system fingerprinting and unique, time-sensitive downloads to bypass detection mechanisms and target specific users.

• Targeted Software: Popular software like Notepad++ and PDF converters are being targeted, indicating that the attackers aim to exploit commonly used applications to maximize their reach.

• Increased Sophistication: The campaign’s complexity, including the use of unique IDs for tracking and delivering payloads, underscores the evolving sophistication of malvertising threats, necessitating advanced defensive strategies. (read more)

Government-backed actors exploiting WinRAR vulnerability

Google’s Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting a known vulnerability (CVE-2023-38831) in WinRAR, a popular file archiver tool for Windows. Despite the availability of a patch, the vulnerability continues to be exploited, allowing attackers to execute arbitrary code. TAG has identified various campaigns by state-backed actors from countries like Russia and China, who have used sophisticated tactics to exploit this vulnerability for malicious purposes. Additional coverage over on Decipher on this one as well.

• Sophisticated Exploitation: The attackers are using intricate methods, such as hosting malicious files on anonymous file-sharing services and leveraging various lures, to exploit the vulnerability effectively.

• Importance of Timely Patching: Despite the availability of patches, the continued exploitation of this vulnerability underscores the critical need for timely software updates to maintain cybersecurity. (read more)

The Fake Browser Update Scam Gets a Makeover

A resurgence of the fake browser update scam has been observed, with a novel twist to evade mitigation efforts. In this write-up on Krebs, we see how hackers have been exploiting vulnerable websites, presenting users with fraudulent browser update notifications.

When users click on these updates, malicious payloads, including information-stealing trojans, are delivered. Innovatively, attackers are now hosting malicious files on a decentralized cryptocurrency blockchain, making the takedown of these files challenging for security experts and law enforcement.

• Evolution of Tactics: The scam has evolved, with malicious files now being hosted on a decentralized, anonymous cryptocurrency blockchain, complicating mitigation efforts.

• Specific Targeting: The fake browser update notifications are tailored to the specific browser a visitor is using, making the scam appear more legitimate and increasing the likelihood of users downloading malicious files. (read more)

Detecting and mitigating a multi-stage AiTM phishing and BEC campaign

Microsoft has discovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack targeting banking and financial services organizations. The attack, initiated by a compromised trusted vendor, involved AiTM and BEC attacks across multiple supplier/partner organizations, aiming for financial fraud. The attackers used indirect proxy methods, allowing them more control and flexibility in tailoring phishing pages, stealing session cookies, and bypassing multi-factor authentication (MFA).

Why is this important?

• Complex and Multi-Stage Attack: The AiTM attack is sophisticated, involving multiple stages such as phishing, session cookie theft, and BEC, showcasing the complexity and evolution of threat tactics.

• Abuse of Trusted Relationships: The attack originated from a compromised trusted vendor, exploiting the trusted relationships between vendors, suppliers, and partner organizations, making detection more challenging.

• Evolving Threat Tactics: The use of indirect proxy methods and the ability to bypass MFA highlight the continuous adaptation and evolution of threat tactics, necessitating advanced and proactive defense strategies. (read more)

Allied Spy Chiefs Warn of Chinese Espionage Targeting Tech Firms

In an unprecedented gathering at Stanford University, intelligence chiefs from the United States and its allies highlighted the escalating threat of Chinese espionage aimed at stealing technology, particularly in Silicon Valley. The FBI estimates that over half of Chinese espionage activities aimed at technology theft occur in this region.

The meeting aimed to engage the private sector in a collective effort to counteract this "unprecedented threat," urging companies to bolster defenses against theft of technological innovations and intellectual property.

• Shift in Espionage Focus: The meeting underscored a strategic shift in Chinese espionage activities, focusing more on technology theft from Silicon Valley rather than governmental institutions in Washington.

• Engagement of Private Sector: Intelligence chiefs are seeking to engage the private sector more actively, emphasizing the need for collective action and enhanced security measures to protect technological innovations. (read more)

Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps

The Lazarus Group, linked to North Korea, has been deploying a sophisticated campaign, "Operation Dream Job," targeting defense and nuclear engineers. The attackers use trojanized versions of Virtual Network Computing (VNC) apps as lures, offering fake job interviews to potential victims.

The malicious apps, once opened, activate additional payloads, including known Lazarus Group malware, to profile the compromised hosts. The campaign primarily targets businesses involved in defense manufacturing, such as radar systems, military vehicles, and weaponry.

• Sophisticated Lures: The Lazarus Group is using trojanized VNC apps and fake job interviews as lures, demonstrating the sophistication of their tactics to deceive and compromise targets.

• Targeting Defense Industry: The campaign is specifically aimed at the defense industry, including sectors like radar systems and military vehicles, indicating a strategic focus on acquiring sensitive and classified information. (read more)

Thousands of remote IT workers sent wages to North Korea to help fund weapons program, FBI says

This one is wild to me. A ton of North Koreans moved to China or Russia and got remote jobs in the US. They would pay US residents to use their Internet as a tunnel to appear to be working from the States. They then funneled their earnings back to North Korea and even stole info from their employers. (read more)

Twitter glitch allows CIA informant channel to be hijacked

A cybersecurity researcher, Kevin McSheehan, exploited a vulnerability on the CIA's official Twitter account, redirecting a channel used for recruiting informants to his own Telegram channel.

The CIA’s account on Twitter, aimed at gathering intelligence from a network of spies and informants worldwide, displayed a link to a Telegram channel for secure communications. However, due to a flaw in displaying the link, McSheehan was able to hijack it, raising concerns about the potential interception of sensitive intelligence by hostile nations. (read more)

Over 40,000 admin portal accounts use 'admin' as a password

In other news, your machine learning blockchain-powered threat intel-focused Kubernetes sidecar that detects anomalies in any blip of traffic is pointless because everyone still uses “admin” as their password. (read more)

Miscellaneous mattjay

I did a live stream with my friend Ed over at Cribl on a “state of the union” of cybersecurity. 30-minute casual convo over lunch:

My day job changed.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay