🎓️ Vulnerable U | #061

ArcaneDoor Cisco Zero Days, Mandiant Trends Report, Change Healthcare Ransomware Payment Details, New iPhone Phishing Scam, AI generating police reports, Principal framed with AI-generated voice, and more!

Read Time: 9 minutes

Howdy friends!

I’ve been a part of the pickleball craze sweeping the nation. It was a fun team bonding thing with some coworkers to join a league the last few years. And we did pretty well! So when a new friend asked me to join his league, which is made up of just startup founders, I said of course! We self-identified as “Intermediate,” and I figured, given the crowd, it would be more networking than competing. - Boy, was I wrong, and I’ve decided that I’m not intermediate at anything at all. Got smoked 11-1, 11-5, 11-6, and 11-9 this week. Send ice for my bruised ego.

Anyway, these kinds of things are fun to meet people in meat space and chat eye to eye. Already finding some cool people in town, I’d never have met otherwise that might prove to wind up being friends or even good partners in my career. Moral of the story: get out there and get your ass kicked at something if it means you can bump up against people in your community!

I’ve put a major focus on improving my sleep in the last few years as the data just consistently shows how important it is. I came across an article this week with a lot of good tips on the matter:

5 tips to create a restful environment for a good night’s sleep

Your bedroom should feel like a sleep oasis — stress and distraction-free. While creating the right environment is, to a certain extent, a matter of personal preference, sleep experts offer these sleep hygiene suggestions that are backed by science.

1. The ideal room for sleep is cool and dark.

Most experts agree that the sweet spot for temperature is between 60 and 67 degrees Fahrenheit. According to a National Sleep Foundation poll, 73% of Americans say the darker the room the better. 65% of people use shades, curtains, or blinds to block unwanted light.

2. Peace and quiet make for bedroom bliss.

74% percent of Americans think that quiet is crucial for getting good sleep. That said, many people rely on “white noise” or some type of ambient sound to help mask disruptive noises like car horns or highway traffic.


🖊️ Something I wrote: A look into the Loneliness Epidemic and how those of us working in tech are most susceptible

🎧️ Something I heard: I’ve been listening to my favorite ever non-fiction book A short history on nearly everything. It never gets old for me.

👉️ FWIW: I like threat intel and donating to good causes. Combine the two and enter to win $500 to the charity of your choosing, and check out Prelude today!*

🎤 Something I said: I was happy to give a talk at GreyNoise’s first NetNoiseCon last week. The talk: Stress, Mindfulness, and Mental Health in Cybersecurity. First time giving it, but I think the Vuln U community will dig it. If you watch, let me know what you think and if I should submit it to other cons.

🔖 Something I read: Rich Mogull putting on a cloud security master class over at Cloud SLAW, and this week’s lesson is no exception. Step by step setting up the difference between Prod and Nonprod workloads in AWS. (If you subscribe to him, his automation will give you the lessons in order, but this week was awesome)


📣 Sponsor

Transform your threat intelligence into validated protections in just five minutes.

The detection and response lifecycle is inefficient on the best days. Prelude's automated detection and response engineering platform enables you to turn your threat intelligence into custom detections and control stimulus tests—all in minutes—so you can know with certainty that your defenses are working as expected.

VulnU readers who book a demo are entered to win a $500 contribution to the charity of their choosing. Experience how Prelude can:

→ Turn your threat intelligence into validated protections
→ Automatically remediate missing detections in your XDR
→ Integrate directly with your existing defenses like CrowdStrike, SentinelOne, and more

Vulnerable News

(hey, I know I shared a lot of news that is behind a paywall today. I like to support good journalism, but I also know that isn’t in everyone’s means. There are ways to read these articles, and if you don’t know them and need to know them, just ask me. I’d also like for good journalism to not only be accessible to those who can afford it.)

We’ve got details on a major new cyberespionage campaign, dubbed 'ArcaneDoor,' in which state-sponsored hackers have exploited zero-day vulnerabilities in Cisco’s security appliances to infiltrate government networks globally. This is just further evidence of the growing trend of targeting network perimeter devices—firewalls, VPNs, and more—as initial entry points.

  • Exploited Vulnerabilities: The hackers used two newly identified zero-day vulnerabilities, named Line Dancer and Line Runner, in Cisco’s Adaptive Security Appliances to execute commands and maintain persistent access, even through reboots.

  • Global Impact: The campaign has affected multiple government networks, with attacks peaking between December and early January. While Cisco has not attributed the campaign to a specific country, sources linked to the investigation suggest China may be behind these intrusions.

  • Urgent Security Updates: In response to these intrusions, Cisco has released patches for the exploited vulnerabilities and is advising all users to update their systems immediately to prevent further exploits. (read more)

The Mandiant M-Trends 2024 report has just been released. Long-time readers will know this; I’m a sucker for great reports and data visualizations built on hard-to-compile data. Mandiant hits the mark and gives us insights into the evolution of threat actor behavior. I file this under must-read. Some highlights:

  •  Reduced Dwell Time: The global median dwell time has significantly decreased, reflecting improvements in detection capabilities across organizations. But might be due to ransomware’s prevalence which requires shorter windows of stealth.

  • Advanced Evasion Techniques: Attackers are increasingly employing sophisticated methods to evade detection, including the use of AI and zero-day exploits.

  • Ransomware Trends: Ransomware is the big dog in this report. They even had to slice out ransomware in most of the data examinations in order to show us the “ransomware” vs “non ransomware” insights. That is how much the stats on ransomware skewed everything. (read more)

UnitedHealth Statement - PHI stolen for “a substantial proportion of people in America”

We’ve covered this attack extensively on my socials and in this newsletter. However, during that whole time, Change Healthcare never talked about whether they paid the ransomware. A few weeks ago, a blockchain transaction was thought to be tied to this attack, but this week, Wired confirmed it.

“Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV's allegedly jilted partners complained that they hadn't received their cut of Change Healthcare's payment.” (read more)

This is an awesome thread on Twitter outlining a scam targeting iPhone users. These phone thieves are obviously pros. They didn’t just take the device; they meticulously deactivated it and the SIM card and then started phishing people close to the phone’s owner.

The phishing texts aren’t great, but in the context, they’re good enough. BUT - holy shit, the phishing websites are really impressive. They look just like an iPhone keypad and trick the previous owner of the phone into handing over their PIN and Apple ID/password. Now, the thieves really have access to your device. (read more)

Have you ever seen this kind of attack?

This seems like a well oiled operation so I'm sure someone reading this has seen it before. What is your experience? I want to hear your story!

Login or Subscribe to participate in polls.

Ok. I’m a huge AI fan. But this is now having AI create the truth. Like the legally defined truth. I feel like this has way more downsides than upsides.

Axon's "Draft One" tech is designed to streamline police reporting by converting body camera audio directly into written reports. This AI-powered tech leverages OpenAI’s GPT-4 Turbo and promises to significantly reduce the time officers spend on administrative tasks.

We’re now at the point where the output of AI could be responsible for people going to jail. (read more)

What. Did. I. Just. Say? In more “AI might start putting people in jail” news, we’ve got a school principal getting put on leave and investigated by a supposed audio clip that surfaced of him saying racist and antisemitic things on tape. Well… the clip was AI and put out by the athletic director at the school, who was retaliating against the principal investigating him for improper payments using school funds.

I’m actually surprised this is the first time I’m reading this sort of story, and I’m glad it was spotted as AI quickly. My money is on this kind of thing that will make major news against celebrities or politicians soon. Either they’ll get framed by AI audio, or they’ll claim legitimate audio is AI. (read more)

Not sure I could love a blog post more. As someone who took a job as head of security for a fintech startup and made a few of these mistakes, I can attest to a few items on this list. Here are the 10 but check out the blog to see what they suggest to do instead of these things.

  1. Don’t run a public bug bounty

  2. Don’t run internal red team assessments or pentests

  3. Don’t run bespoke trainings

  4. Don’t set up hamster wheels of toil

  5. Don’t miss the mark on communicating upwards and outwards

  6. Don’t gatekeep security from the folks who were already doing the work

  7. Don’t fail to prepare for hiring

  8. Don’t fight every fire

  9. Don’t ignore security domains

  10. Don’t start big engineering projects (read more)

As if I needed a reason not to log in to TVs when at an Airbnb or hotel, every time I’m in one, someone’s Netflix account is pulled up, and I get to mess with their feed by watching marathons of “Alone” (a great mindless hotel show, by the way).

So here’s how this attack works: You log in to an AndroidTV-type device. The attacker then installs some 3rd party Chrome browser on that device that isn’t generally supported. But out of convenience, the Chrome browser just grabs the session already auth’d to that device. So even if you logged in to just watch movies, this browser has access to your Gmail, G-Drive, etc. (read more)

MITRE, yes the firm behind the CVE database and the ATT&CK framework, came out and said "No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible."

It seems Mandiant was doing the IR and attributed the attacks to two different APT groups. “Throughout the incident, the hackers used a combination of sophisticated webshells and backdoors to maintain access to hacked systems and harvest credentials.” - I saw some comments saying that MITRE had plenty of warning that Ivanti 0days existed, but these breaches happened back when the 0days dropped and the public comms are just going out now. Seems like they had a helluva cleanup job. HugOps to the DFIR team on this one. (read more)

Geoff Belknap is awesome, and I love reading perspectives from CISOs of large tech organizations (LinkedIn and Slack on his resume). Here, he dives into how to look at security org size and budget. It is a quick read, and one of his key takeaways is that security organizations should be 3-5% of the total engineering team, and he’s used that rule of thumb throughout his leadership career. (read more)

The latest Carnegie Endowment paper underscores an emerging paradigm in combatting cybercrime—empowering law enforcement agencies (LEAs) to conduct cross-border technical takedowns, a role traditionally dominated by military and intelligence agencies. The paper discusses the necessity of granting LEAs greater resources and capabilities to address transnational cybercrime effectively.

  • Successful Interventions: Examples such as the dismantling of the Moobot and AlphV/Blackcat botnets illustrate the potential of LEA-led operations to temporarily disrupt significant cyber threats, though challenges in maintaining these effects are noted.

  • Policy and Collaboration Needs: The paper advocates for new legal frameworks and collaboration mechanisms to support LEA operations, emphasizing the importance of international cooperation and private sector engagement.

The topic of “hacking back” is always an interesting one when broached, but I’d love to see some more collaboration between the public and private sectors on these things, especially in the wake of attacks like Change Healthcare, which had wide economic and health provider implications.

Miscellaneous mattjay

The image Justin replied with is absolutely way funnier than it should be.

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen