🎓️ Vulnerable U | #026
Attack Tree for Depression, UK Tries to Stop Security Patches, SIM-Swap Hack Steals $6.3M, and CloudNordic Servers and Customer Data Wiped by Ransomware
Read Time: 9 minutes
Finally back home after 13 days on the road. After a few flight cancellations and a non-COVID virus, I’m somewhat back to normal. We’ve had some exciting things brewing over here at Vulnerable U that I’m excited to share with you all soon.
For now, I’m glad to be home, but sad I’m not on a 65-degree rooftop in SF as we sweat through our 45th day over 100 degrees here in ATX.
Sneak Peek at the Blog of the Week:
In this episode:
Threat Modeling for Depression Part II: The Attack Tree
Cellebrite asks cops to keep its phone hacking tech ‘hush hush’
Blockchain Capital’s Bart Stephens Lost $6.3 Million In SIM-Swap Hack
Changes to UK Surveillance Regime May Violate International Law
Threat Actors Exploit Known Citrix ShareFile Flaw
Tesla 'insider' breaches personal data of more than 75,000 employees
Hackers exploit WinRAR zero-day bug to steal funds from broker accounts
Lapsus$: Court finds teenagers carried out hacking spree
Criminals go full Viking on CloudNordic, wipe all servers and customer data
Google built a feature to make MFA mandatory for admin accounts and can require two admins to approve sensitive changes
Discord March data breach notification to users affected
Scraped data of 2.6 million Duolingo users released on hacking forum
🖊️ Something I wrote: Doing a follow-up to a post of ours - The Top 5 Obstacles Newcomers Face in Infosec (And How to Overcome Them) - next week. If you’re new to us or want a refresher, this is a quick 7-minute read.
🎧️ Something I heard: A recent episode of a favorite podcast of mine, Steven Levitt’s People I Mostly Admire, about an ex-employee of Google X, Obi Felten: Can a Moonshot Approach to Mental Health Work?
🎤 Something I said: Last week’s news in about 10 minutes. Catch up here. Still playing around with the format for these videos, so share feedback if you have any!
The UK is attempting to expand and maintain its surveillance capabilities, and has now gone as far as treating security updates as a problem if they limit its ability to spy on its citizens. This is absolutely ridiculous and will result in major damage, up to and including lives lost.
“Device manufacturers would likely also have to notify the government before making available important security updates that fix known vulnerabilities and keep devices secure. Accordingly, the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes.” (read more)
Holy crap. Worst nightmare scenario. CloudNordic, a major Danish hosting provider, was hit with ransomware this week, and because it hit during a database migration, the backups were hit too. They are telling their customers they are out of luck and to find a new provider. Domains, emails, documents, databases, all just gone. They are actually pointing customers to the Wayback Machine as a backup source.
The company has stated that they are not willing to pay the ransom demanded by the hackers. While the company believes there hasn't been a data breach, meaning the data wasn't stolen before encryption, the incident is terrifying and highlights the importance of OFF SITE backups. (read more) - (I hit this one on Twitter too)
Bart Stephens, the co-founder of Blockchain Capital, a prominent crypto fund, lost a staggering $6.3 million in cryptocurrencies due to a SIM-swap attack. In this type of cyberattack, hackers manipulate cellular network providers to gain control over a victim's phone number, allowing them to reset passwords and bypass security measures. The FBI has previously warned about the rise in such attacks, especially targeting individuals with significant cryptocurrency holdings. (read more)
Cellebrite, a company known for its phone hacking technology, has been providing tools to law enforcement agencies worldwide to unlock phones and access their data. Recently, a leaked training video revealed that Cellebrite advises its law enforcement customers to keep their use of its technology a secret. This has raised concerns among legal experts who believe that the use of such powerful technology should be transparent and open to public scrutiny. They argue that keeping the use of this technology secret could infringe on the rights of defendants in court. The company defends its stance by suggesting that revealing its techniques could aid criminals and make law enforcement's job more challenging. (read more)
A critical vulnerability has been identified in Citrix's file-sharing application, ShareFile. If exploited, this flaw allows attackers to remotely compromise the ShareFile storage zone controller without authentication. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has emphasized the urgency of patching this flaw, as evidence of its exploitation has been found. This vulnerability poses a significant risk, especially since ShareFile is widely used for secure file sharing and transfer. (read more)
Tesla experienced a significant data breach where the personal data of 75,735 current and former employees was compromised. The breach was attributed to "insider wrongdoing," and it was discovered that two former Tesla employees were responsible for misappropriating the data and sharing it with a foreign media outlet. While the media outlet has assured that it won't publish the personal information, the breach raises concerns about the security of employee data in large corporations. Tesla has taken legal action against the individuals involved and is offering credit monitoring services to the affected employees.
Since they are suing the employees and have seized their computers, this makes me think the “misappropriation” was not accidental, but I’m having a hard time seeing a motive to just mail a bunch of employees’ PII to a media company. (read more)
The zero-day in WinRAR allows attackers to hide malware in ZIP archives and disguise the malicious files as innocuous file types such as jpg or txt. The attackers using this zero-day have been using it to target financial traders and illicitly access their brokerage accounts. These malicious files have been spread across various trading forums, and once a user is compromised, hackers can perform unauthorized financial transactions and siphon off funds. The cybersecurity firm, Group-IB, has identified at least 130 traders affected by this exploit.
More and more frequently, I’m seeing online crypto accounts targeted. It seems the fact that these exchanges are unregulated is also having an impact on them being higher ROI targets for attackers since the victims have very little recourse to recoup their losses. (read more)
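The WinRAR campaign above relies on archive entries that claim to be images or text while carrying something executable. The scanner below is an added example, not code from the newsletter or from Group-IB, that checks each entry of a ZIP from the defender's side: it compares the declared extension against the content's leading bytes, flags hidden double extensions such as `.png.exe`, and flags entry names padded with trailing whitespace. The signature table, the extension lists and the sample archive are all constructed for the demo.

```python
import io
import os
import zipfile
from typing import Dict, List

# Content signatures for extensions that look innocuous in a forum attachment.
# Constructed for this example; a production scanner would use a fuller table.
EXPECTED_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}
# Content that should never sit behind an image or text extension.
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta"}
INNOCUOUS_EXTS = set(EXPECTED_MAGIC) | {".txt"}


def content_kind(head: bytes) -> str:
    """Label the content by its leading bytes."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unrecognised content"


def looks_like_text(head: bytes) -> bool:
    """True when the bytes decode as UTF-8 and contain only printable text."""
    try:
        text = head.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def inspect_entry(name: str, head: bytes) -> List[str]:
    """Return the reasons an archive entry looks disguised (empty list = nothing flagged)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    if base != base.rstrip():
        reasons.append("entry name has trailing whitespace")
    stem, ext = os.path.splitext(base.rstrip())
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    if ext in EXECUTABLE_EXTS and inner_ext in INNOCUOUS_EXTS:
        reasons.append(f"double extension {inner_ext}{ext} hides an executable type")
    if ext in EXPECTED_MAGIC and not head.startswith(EXPECTED_MAGIC[ext]):
        reasons.append(f"content does not match {ext} signature ({content_kind(head)})")
    elif ext == ".txt" and not looks_like_text(head):
        reasons.append(f"content is not plain text ({content_kind(head)})")
    return reasons


def scan_archive(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each suspicious entry name to its list of findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.read(info)[:4096]  # signatures live in the first bytes
            reasons = inspect_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: three benign entries and three disguised ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Quarterly trading notes\n")
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("deck.pdf", b"%PDF-1.7\n")
        zf.writestr("invoice.jpg", b"MZ\x90\x00" + b"\x00" * 32)         # PE header behind .jpg
        zf.writestr("chart.png.exe", b"MZ\x90\x00" + b"\x00" * 32)       # hidden double extension
        zf.writestr("notes.txt ", b"\x7fELF\x02\x01\x01" + b"\x00" * 32)  # trailing space, ELF content
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_archive(build_sample_archive()).items():
        print(f"{entry!r}: {'; '.join(reasons)}")
```

Only the first 4 KiB of each entry is read, so the check is cheap enough to run on every attachment at a mail or forum gateway; anything flagged is a candidate for quarantine and analyst review rather than an automatic verdict.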
We covered the media discussing these “teenage hackers” a few weeks ago, and now we get to watch the courts send them to jail. Government regulators are hot on this case because the age of the attackers is leading them to believe that our companies’ defenses are too soft if they’re breached by such young attackers.
An 18-year-old from Oxford, Arion Kurtaj, was identified as a key member of the cybercrime gang Lapsus$, responsible for a series of high-profile hacks against major tech companies like Uber, Nvidia, and Rockstar Games. Notably, while on bail, Kurtaj leaked unreleased content from Grand Theft Auto 6. The Lapsus$ group utilized a mix of hacking techniques, SIM swapping, and social engineering to infiltrate these companies. (read more)
“Making 2-Step verification (2SV) mandatory for select enterprise administrators: Compromised administrator accounts can have an outsized impact, and 2SV can result in a 50% decrease in accounts being compromised. Starting later this year, in a phased approach, select administrator accounts of our resellers and largest enterprise customers will be required to add 2SV to their accounts to strengthen their security.
Requiring multi-party approval for sensitive administrator actions: Workspace administrators can require additional approval by another administrator to complete a sensitive action, such as changing 2SV settings for a user, to provide an extra layer of defense against malicious actions. This will be available in preview later this year.”
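The two controls Google describes, mandatory 2SV for administrators and a second administrator's sign-off on sensitive actions, are a four-eyes policy. The toy admin console below is an added example, not Google's code or a Workspace API; it shows the enforcement logic a practitioner would expect: an admin without 2SV cannot request or approve anything, the requester can never approve their own action, approvals must come from distinct admins, and a request that sits unapproved past a TTL expires. The admin names, the TTL and the injectable clock are assumptions for the demo.

```python
import itertools
import time
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


class ApprovalError(Exception):
    """Raised when an admin tries something the policy does not allow."""


@dataclass
class Admin:
    name: str
    two_step_enrolled: bool


@dataclass
class PendingAction:
    action_id: int
    description: str
    requested_by: str
    requested_at: float
    approvals: Set[str] = field(default_factory=set)


class AdminConsole:
    """Toy admin console: 2SV is required for every admin action, and a
    sensitive action needs sign-off from `extra_approvals` other admins."""

    def __init__(self, admins, extra_approvals=1, ttl_seconds=3600, clock=time.time):
        self.admins: Dict[str, Admin] = {a.name: a for a in admins}
        self.extra_approvals = extra_approvals
        self.ttl_seconds = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.pending: Dict[int, PendingAction] = {}
        self.audit: List[Tuple[str, str, int]] = []  # (event, admin, action_id)
        self._ids = itertools.count(1)

    def _authorise(self, admin_name: str) -> Admin:
        admin = self.admins.get(admin_name)
        if admin is None:
            raise ApprovalError(f"{admin_name} is not an administrator")
        if not admin.two_step_enrolled:
            raise ApprovalError(f"{admin_name} must enrol in 2-Step Verification first")
        return admin

    def request(self, admin_name: str, description: str) -> int:
        """Open a sensitive action; returns its id. Nothing happens until approved."""
        self._authorise(admin_name)
        action = PendingAction(next(self._ids), description, admin_name, self.clock())
        self.pending[action.action_id] = action
        self.audit.append(("requested", admin_name, action.action_id))
        return action.action_id

    def approve(self, admin_name: str, action_id: int) -> bool:
        """Record one approval; returns True when the action has been executed."""
        self._authorise(admin_name)
        action = self.pending.get(action_id)
        if action is None:
            raise ApprovalError(f"no pending action {action_id}")
        if self.clock() - action.requested_at > self.ttl_seconds:
            del self.pending[action_id]
            self.audit.append(("expired", admin_name, action_id))
            raise ApprovalError(f"action {action_id} expired before approval")
        if admin_name == action.requested_by:
            raise ApprovalError("requester cannot approve their own sensitive action")
        action.approvals.add(admin_name)  # a set, so one admin cannot count twice
        self.audit.append(("approved", admin_name, action_id))
        if len(action.approvals) >= self.extra_approvals:
            del self.pending[action_id]
            self.audit.append(("executed", admin_name, action_id))
            return True
        return False


if __name__ == "__main__":
    console = AdminConsole([Admin("alice", True), Admin("bob", False), Admin("carol", True)])
    aid = console.request("alice", "disable 2SV for user dave")
    print("executed:", console.approve("carol", aid))
    print(console.audit)
```

The audit list is the piece worth keeping in a real deployment: every request, approval, expiry and execution lands there with the acting admin, which is exactly what an investigator wants after a compromised-admin incident.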
Funnily enough, after all the noise last week about the breach being at Discord.io (a smaller, separate company) and not Discord itself, Discord itself notified impacted users of a data breach a few weeks ago. Another funny thing about this one is that Discord’s breach only impacted 180 people, according to the filing with the state of Maine, while the smaller Discord.io breach impacted nearly 800k users. (read more)
Web scraping has become more and more popular as various companies leave their APIs woefully unprotected while exposing plenty of info worth collecting. In this case, some folks have found that a Duolingo API can be hit, and by feeding it millions of emails, folks have published a database of Duolingo accounts. This includes both public and nonpublic info for these registered users. After looking around on Twitter, it seems that this has been kicking around for a few months in OSINT circles (it is part of the https://osint.industries/ data) but is just making the news now. (read more)
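The Duolingo story is a textbook account-enumeration problem: an unauthenticated endpoint that turns an email into a profile, with nothing stopping a caller from feeding it a million addresses. The snippet below is an added example, not Duolingo's code or a description of its actual API; it puts the weak design (`leaky_lookup`) next to a hardened one: the email-keyed operation answers identically whether or not the address is registered, every client is throttled by a sliding-window limiter, and public profile data is keyed by the user-chosen handle rather than by email. The user table, field names and limits are constructed for the demo.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

# Constructed user table: a mix of public and non-public fields per account.
USERS = {
    "ana@example.com": {"username": "ana_learns", "streak": 42, "phone": "+1-555-0100"},
    "ben@example.com": {"username": "ben_b", "streak": 7, "phone": "+1-555-0101"},
}
PUBLIC_FIELDS = {"username", "streak"}


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per client."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        q = self.calls[client_id]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop calls that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AccountApi:
    def __init__(self, users: Dict[str, dict], limiter: RateLimiter):
        self.users = users
        self.limiter = limiter
        self.outbox: List[str] = []  # stands in for an async mail queue

    def leaky_lookup(self, email: str) -> Optional[dict]:
        """The weak design: any caller turns an email into a full record, and the
        None-vs-record difference alone confirms whether the email is registered."""
        return self.users.get(email)

    def password_reset(self, client_id: str, email: str) -> dict:
        """Hardened: same reply for known and unknown emails, throttled per client."""
        if not self.limiter.allow(client_id):
            return {"status": "rate_limited"}
        if email in self.users:
            self.outbox.append(email)  # queued, so the response path does the same work either way
        return {"status": "ok",
                "message": "If that address is registered, a reset link has been sent."}

    def public_profile(self, username: str) -> Optional[dict]:
        """Public data is keyed by the user-chosen handle, never by email,
        and only whitelisted fields leave the server."""
        for record in self.users.values():
            if record["username"] == username:
                return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}
        return None


if __name__ == "__main__":
    api = AccountApi(USERS, RateLimiter(limit=3, window=60))
    print(api.password_reset("client-1", "ana@example.com"))
    print(api.password_reset("client-1", "nobody@example.com"))
    print(api.public_profile("ana_learns"))
```

The limiter is per client id on purpose: an attacker with one source address and a million emails is the case the page describes, and a global cap would only let them crowd out legitimate users. Queueing the mail rather than sending it inline keeps the known and unknown paths at the same cost, so response timing does not leak what the message text withholds.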
founder of costco: [drunk as hell] it’s gonna have hot dogs and optometrists
— soul nate (@MNateShyamalan)
Aug 11, 2022
Hmmm - Should I do a giveaway for Jason’s next live training for subscribers?
🚀 New dates announced!
Come take my course on modern reconnaissance and application analysis for cybersecurity, red team, and bounty hunter folk!
“The Bug Hunter’s Methodology Live”
— Jason Haddix (@Jhaddix)
Aug 24, 2023
the slack channel when the team gets yubikeys
— Emily Kager (@EmilyKager)
Aug 22, 2023
Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen