🎓️ Vulnerable U | #031

The Art of Strategic Quitting, The WebP 0Day, Youth Hacking Ring The Com, Scattered Spider, and Suicide Crisis in U.S.

Author

Matt Johansen
September 29, 2023

Read Time: 9 minutes

Howdy friends!

Busy week! Was trying to get to the Texas Cyber Summit, but it seems less than likely I’ll be able to slip away from my day job and content needs of the week. Sending delicious breakfast tacos and BBQ vibes to all my friends in town.

Starting off this week with a chuckle:

Sneak Peek at the Blog of the Week:

Benefits of Quitting

Right besides failing, quitting is one of those things that is drilled into kids. Don’t quit. Don’t fail. So it isn’t really something we learn how to do well.

Even as adults, the word "quitting" usually carries negative connotations and often has expectations attached to it. You can quit if you have a good enough reason; another job offer that pays more, your partner was cheating, you got hurt and can’t play the sport anymore.

However, *strategic* quitting can offer a range of benefits, both tangible and intangible. Here are some of the advantages of knowing when to walk away: 1. Resource Reallocation

2. Mental and Emotional Relief

3. Avoiding the Sunk Cost Trap

4. Fostering a Flexible or Growth Mindset

5. Risk Mitigation

6. Opportunity for Reflection and Learning

7. Boosting Team Morale

8. Encouraging Innovation

So, let’s say you are a believer now. Quitting can be awesome! What do you do next? How do you know if / when you are ready to move on? Here’s a good starting point.

In this episode:

  • The WebP 0day

  • Youth hacking ring at the center of cybercrime spree

  • Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks

  • University of Minnesota data breach

  • Predator in the Wires: Ahmed Eltantawy Targeted with Predator Spyware After Announcing Presidential Ambitions

  • 0-days exploited by commercial surveillance vendor in Egypt

  • Middle East telcos targeted by new malware with suspected nation-state backing

  • CVS Health study shows continuing suicide crisis in the U.S.

  • Hackers steal $200M from crypto company Mixin

  • Signal’s Meredith Whittaker: AI is fundamentally ‘a surveillance technology’

  • Fact Sheet: Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages

  • People's Republic of China-Linked Cyber Actors Hide in Router Firmware

ICYMI

🖊️ Something I wrote: People really seemed to like last week’s blog on the psychology of Security Obstructionism.

🎧️ Something I heard: This absolutely star-studded panel at TechCrunch Disrupt with Sherrod DeGrippo, Lesley Carhart, and Rachel Tobac

🎤 Something I said: Got to chat about mental health and the MGM ransomware attacks with some good people over at the Shared Security podcast. Take a listen or a watch!

🔖 Something I read: Detection Engineering and SOC Scalability Challenges - great blog post.

Sponsor

🤖Auto-Anonymize Prod Data with Privacy Dynamics 🤖 

Are you using production data for pre-production tasks like development, preview, and test?

We get it, maintaining a clean version of Prod in your lower environments can be time-consuming. Automate PII-free replicas for your lower environments with Privacy Dynamics, saving your team time and your company money.

With anonymized data, you can:

➡️ Use real data for testing, model training, and development environments

➡️ Resolve data minimization requirements from GDPR, HIPAA, and CPRA

➡️ Eliminate risk of sensitive data leaks in your lower environments

Vulnerable News

This is by far the best technical analysis of a vulnerability I’ve read in a very long time. This vulnerability was also a way bigger deal than the Internet gave it credit for. If you’ve not chased this down yet and run a web app, get to it.

Last week, Google updated Chrome, addressing a security flaw reported by Apple's Security team. This flaw, CVE-2023-4863, was a heap buffer overflow in the WebP image library. Notably, Google was aware that this vulnerability was being exploited in the wild. The vulnerability is complex, rooted in the "lossless compression" support for WebP and its use of Huffman coding.

Why Do I Care?

  1. Security Flaw in Chrome: The WebP image library vulnerability affected Google Chrome, a widely-used browser, making it a significant concern for many users.

  2. Exploited in the Wild: This wasn't just a theoretical vulnerability; it was actively being exploited, emphasizing the real-world implications of such flaws.

  3. Complexity and Implications: The technical depth of this vulnerability showcases the intricacies of modern software and the challenges in ensuring their security.

This also is such a complex bug it helps drive the point home of why bug bounties for Google and Apple pay big bucks for these things. Only a few dozen people on the planet have the skillset to find these kinds of things. (read more)

Attribution is hard. It’s also generally not a great use of time outside of law enforcement, government work, or certain high-end incident response/threat intel groups. That all being said, this article does a great job illustrating why it is both hard and pointless.

The crux: The Com is a group of many hackers, some of which are rather young, who have been responsible for a ton of prominent hacks you’ve read about recently, including the Las Vegas Casino hacks, which were originally attributed to Scattered Spider. Now reports are saying that isn’t correct, but they are also saying The Com and Scattered Spider share members. Woof.

Okay, great, we’ve named this threat actor Scattered Spider. Does that mean all the folks in that group get a brand, and when they do bad-guy hacking things, they’re forever under that moniker? No. These groups are amorphous and, by nature, hard to track.

Why Do I Care?:

  1. Active Threat: This isn't a passive group. They've been actively involved in significant breaches, including those at Caesars Entertainment and MGM Resorts.

  2. Underestimation: Despite their age, these groups shouldn't be underestimated. They're not just dabbling; they're causing real-world damage and aligning with global ransomware syndicates.

Follow more reporting about The Com here if interested. (read more)

Speaking of Scattered Spider, one of their many other names is UNC3944 and we’ve got a run down this week of how their tactics are shifting.

Why Do I Care?:

  1. Emerging Threat Landscape: UNC3944 represents the evolving nature of threat actors, with financially motivated groups adopting sophisticated tactics to breach organizations.

  2. Broad Target Range: From telecom to hospitality, the group's expanding target sectors indicate the potential widespread impact of their activities.

  3. Connection to Major Breaches: Their suspected involvement in many recent headline-making breaches underscores the real-world implications and the potential damage such groups can cause.

They’ve been active since early 2022 and initially targeted telecom and business process outsourcing companies but have now expanded their reach to sectors like hospitality, retail, and financial services. They employ tactics like phone-based social engineering and SMS-based phishing to gain access to organizations. Their modus operandi involves impersonating employees to obtain multi-factor authentication codes and using a variety of tools to steal information and maintain persistence in the victim's network. (read more)

Why Do I Care?:

  1. Extensive Data Breach: The incident potentially affected a vast number of individuals affiliated with the University from 1989 to 2021.

  2. Sensitive Information Exposed: Personal and academic data, including Social Security numbers and other identifiers, were potentially compromised.

We don’t know much about this one, but the University confirmed the breach and stated it goes back to …1989?! If you ever went to school or did business with the University of Minnesota, now might be the time to do some checks on your credit usage. (read more)

Between May and September 2023, Ahmed Eltantawy, a former Egyptian MP, was targeted with Predator spyware after he announced his intention to run for the 2024 Egyptian presidency. The spyware was delivered through links on SMS and WhatsApp. Investigations revealed that the spyware was linked to Cytrox and was delivered via a device inside Egypt, leading to high confidence that the Egyptian government was behind the attack.

Why Do I Care?:

  • Government Use of Spyware: Governments might use cyber tools to monitor and potentially suppress political rivals.

  • WhatsApp Exploit Delivery: Digital communication platforms, even popular ones, can be exploited.

  • Telecom Vulnerabilities: The telecom infrastructure has vulnerabilities that can be misused for surveillance.

Eltantawy had previously been targeted in 2021 with the same spyware. The report also highlights the potential vulnerabilities in the telecommunications ecosystem and the misuse of Sandvine's PacketLogic device in the attack. (read more)

Google's Threat Analysis Group (TAG) and The Citizen Lab have identified a commercial surveillance vendor, Intellexa, exploiting 0-day vulnerabilities targeting iPhones. This was done to install the Predator spyware on devices discreetly. The exploit was delivered through a "man-in-the-middle" attack, redirecting unsuspecting users to Intellexa's servers. While Apple has patched these vulnerabilities, Intellexa also had an Android exploit chain in play, specifically targeting Egyptian users. Google Chrome is enhancing security measures, like introducing "HTTPS-First Mode", to counter such MITM attacks.

Why Do I Care?:

  • Rising Commercial Surveillance: The active exploitation by commercial surveillance vendors highlights a growing trend in the industry.

  • Vulnerability of Mainstream Devices: The fact that widely used platforms like iPhones and Androids can be compromised emphasizes the need for constant vigilance.

  • Mitigating Advanced Threats: With vendors using advanced techniques like MITM attacks, it's crucial for tech giants to stay a step ahead in ensuring user security.

Update your phones! (read more)

Telecom providers in the Middle East are under attack from a new malware dubbed "HTTPSnoop." Cisco Talos researchers discovered this malware, which disguises itself as legitimate security software components, such as Palo Alto Networks’ Cortex XDR and Microsoft’s Exchange Web Services. The origin of the operation is suspected to be state-sponsored, but specifics remain unclear. Another malware, "PipeSnoop," was found alongside HTTPSnoop, forming an intrusion set named "ShroudedSnooper." These tools exhibit high sophistication and stealth, with HTTPSnoop acting as a backdoor to execute content on infected machines.

Why It's Important:

  • Stealthy and Sophisticated: The malware's ability to masquerade as legitimate security software components indicates advanced tactics and a high level of confidence from the threat actors.

  • High-Value Targets: Telecom companies have vast visibility into global internet traffic, making them attractive targets, especially for state-sponsored groups.

  • Growing Trend: The telecom sector has been consistently targeted in recent years, emphasizing its critical role in infrastructure and the increasing cyber threats it faces. (read more)

A recent study conducted by CVS Health in collaboration with Harris Poll reveals a concerning trend regarding mental health in the U.S. The survey, which involved Americans aged 18 and older, found that nearly 18% of U.S. adults experienced suicidal thoughts in the past year. The data is even more alarming for younger adults aged 18-34, with 36% admitting to having contemplated suicide. Despite the widespread awareness of the suicide crisis, only 32% of respondents felt confident in recognizing the warning signs of someone at risk. Furthermore, only 43% were aware of resources that offer support and information on suicide prevention.

Why It's Important:

  • Mental Health Crisis: The data underscores the ongoing mental health and suicide crisis, particularly among the youth and older adults in the U.S.

  • Awareness vs. Action: While there's a high level of awareness about the suicide crisis, there's a significant gap in knowledge about recognizing warning signs and available resources.

We’ll never be truly building resilience or addressing vulnerability if we don’t also address our growing mental health crisis. (read more)

Hong Kong-based cryptocurrency company, Mixin, has reported a significant breach, with hackers making away with approximately $200 million. The intrusion occurred on September 23, 2023, targeting Mixin Network’s cloud service provider's database.

Why It's Important:

  • Major Crypto Breach: This theft underscores the vulnerabilities even in decentralized systems

  • Impact on Users: With Mixin having a significant user base, the breach could potentially affect a large number of crypto investors and traders.

  • Trend in Crypto Thefts: The incident adds to the growing list of major crypto thefts in recent years, highlighting the lucrative nature of such attacks for cybercriminals.

Been a while since I didn’t mention a crypto breach. (read more)

Meredith Whittaker, the president of Signal, shared her perspective on AI during TechCrunch Disrupt 2023, emphasizing that "AI is a surveillance technology." She believes that AI's foundation is deeply rooted in the surveillance business model, which has been prevalent since the rise of surveillance advertising in the late '90s. Whittaker highlighted that AI systems, such as facial recognition, are surveillance tools marketed to those in power, like governments and employers. These systems produce data that can influence our access to resources and opportunities. Interestingly, she pointed out that the data for these AI systems is often organized by the very workers these systems target. While not all AI is exploitative, the economic incentives behind AI development often lean towards surveillance.

Why It's Important:

  • AI's Surveillance Nature: Whittaker's insights shed light on the inherent surveillance nature of AI, emphasizing the need for a critical examination of its applications.

  • Economic Incentives: The development and deployment of AI, especially facial recognition, are driven by economic incentives that often prioritize surveillance over privacy.

  • Impact on Workers: The irony that the data for AI systems is often organized by the very workers these systems can target underscores the broader implications of AI in the workplace.

I’m bullish on AI, but I think it’s important to consider a lot of perspectives on this topic as it has been a tectonic shift in the world with no signs of slowing. My takeaways on all of these topics is to prioritize privacy and advocate for ethical AI. Even though I might not have a concern, marginalized groups will. (read more)

The White House Office of the National Cyber Director (ONCD) has announced a Request For Information (RFI) on open-source software security and memory-safe programming languages. The RFI is aligned with the National Cybersecurity Strategy's commitment to invest in secure software development. Given the widespread use of open-source software in various sectors, the White House has established the Open-Source Software Security Initiative (OS3I) to address potential security risks and develop policy solutions. The RFI aims to gather insights from the public and private sectors to enhance the security of the open-source software ecosystem.

Why It's Important:

  • National Cybersecurity Strategy: The RFI reflects the government's dedication to bolstering cybersecurity, especially in the realm of open-source software.

  • Open-Source Software Proliferation: With open-source software being integral to many commercial, government, and military platforms, its security is paramount.

  • Collaborative Approach: The interagency collaboration signifies a comprehensive approach to address the challenges and risks associated with open-source software.

Love to see this. Many open-source pieces of software have become absolutely critical pieces of Internet infrastructure and aren’t funded or maintained to stay as secure as they need to be. Glad the government is throwing money at this issue. Get involved if you can! (read more)

Chinese government-affiliated spies are suspected of infiltrating Cisco routers, potentially compromising intellectual property and sensitive data, as per alerts from the US and Japan. The cyber-espionage group, known as BlackTech, can modify router firmware undetected and pivot across networks. While the report emphasizes Cisco, similar techniques could be applied to other networking equipment. BlackTech, active since 2010, has targeted various sectors in the US and East Asia, deploying custom malware against multiple operating systems. Once they replace router firmware, it becomes a data collection free-for-all.

Why It's Important:

  • Global Cybersecurity Concern: The joint advisory from the US and Japan underscores the international implications of such cyber-espionage activities.

  • Ubiquity of Cisco Gear: Given the widespread use of Cisco routers, the potential scale of the compromise is vast.

  • Sophisticated Techniques: BlackTech's ability to modify firmware without detection highlights the advanced nature of its tactics and the need for heightened cybersecurity measures.

I don’t run EDR on my router’s firmware, do you? The Register also wrote a great article about this. (read more)

Miscellaneous mattjay

Follow me on Twitter for major infosec thought leader insights such as:

Extra Credit

Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay