🎓️ Vulnerable U | #050

China had persistent access to US critical infra, Report on the commercial spyware space, Ransomware rundown for 2023, AI Bias Bounty, Citibank sued over poor data security, Mastodon account takeover vulnerability, AI Fake IDs, and more!

Read Time: 5 minutes

Howdy friends!

It has been an insane few weeks in cybersecurity news. Been hard to keep my head above water on it all, besides navigating the fake stories of toothbrushes. If you don’t know what I’m talking about, lucky you, don’t look it up.

If you’re making something awesome for the Super Bowl that is a crowd favorite, show me a picture of it on Twitter. It has been requested that I BBQ some wings for my family, and they were referred to as “the best wings ever,” so I’ll need a wheelbarrow for my head, which has now grown too large for me to carry.


🖊️ Something I wrote: Still getting folks pinging me that they liked my Tech Professionals Guide To Mindfulness

🎧️ Something I heard: Two part series from Freakonomics Radio about Richard Feynman - Part 1 && Part 2

🎤 Something I said: Covered the AnyDesk hack from my car on the way to a hockey game.

🔖 Something I read: The Zen of Security Rules

Vulnerable News

Following Director Wray’s testimony last week, a joint intelligence briefing dropped this week from the FBI, NSA, and CISA stating that the USA’s critical infrastructure is completely owned and has been for 5 years. They are pointing at the Chinese threat actor Volt Typhoon and have evidence that it has hacked into routers, firewalls, and VPNs of water, transportation, comms, and energy infrastructure.

We’ve talked about Volt Typhoon a lot at Vulnerable U, mostly their targeting of Guam, Taiwan, and Microsoft. I’m curious about the evidence the government has on these hacks going back 5 years, and also curious about what is being done about it. You would think in a national security situation a coordinated cleanup and patch-fest would occur, but it seems we’re sticking to warning the public without a lot of clear direction on what that means and what to do about it. (read more)

What an awesome report out of Google’s TAG. Seriously set some time aside to flip through this PDF (direct link to report here)

They refer to spyware peddlers as CSVs (Commercial Surveillance Vendors), and they attribute half of all 0-day exploits used against Google/Android products to them. “If governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over. The private sector is now responsible for a significant portion of the most sophisticated tools we detect.”

Some really good Twitter threads about the report I found:

But please check the whole PDF for yourself. Solid work! (read more)

This is an important piece. There is an Indian hack-for-hire firm called Appin Technology that has been providing various hacking and spying services globally. Think NSO Group. Well, it turns out that anytime anyone wrote about them, the publisher got some massive legal threats to take down articles calling out the facts.

Hence the importance: you don’t expect to see this sort of censorship in the Western press, but their legal requests were working.

  • A lawsuit against Reuters led to a Delhi court ordering the temporary takedown of an investigative article on Appin Technology, sparking significant resistance and criticism from various anti-censorship groups and media organizations.

  • The EFF, representing Techdirt and MuckRock, has publicly pushed back against the censorship attempts, arguing that the Indian court's order has limited scope and citing the SPEECH Act, which protects against the enforcement of foreign libel rulings in the U.S.

  • The ongoing legal and public relations battle has sparked a Streisand effect, drawing more attention to the allegations against Appin Technology and its efforts to silence reporting on its past.

  • Notably, Appin Technology's cofounder, Rajat Khare, has also separately pursued legal action to remove his name from publications, with varying degrees of success. (read more)

A great analysis of 2023’s battle with ransomware. Turns out our “dip” in 2022 for payouts wasn’t a trend but the result of a few concerted efforts that were effective but not long-lasting.

I’m a sucker for a good report and data viz, especially on such an interesting topic. I’m also interested to see if in 2024 we see any impact from the US and EU governments coming out and saying they’d not allow federal processing of ransomware payments. (read more)

We’ve covered the Ivanti story for a few weeks now. CISA ordered all federal agencies to yank these things off the Internet. Well, the private sector doesn’t have that big stick waving over its head, so of course vulnerable boxes are still out there. GreyNoise did a solid and provided a public list of IPs that are actively scanning for/exploiting the Ivanti bug. Helpful for you threat hunter folks. (read more)
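One way to put a scanner list like the GreyNoise one to work is to sweep your own access logs for any client address that falls inside it. The script below is an added example, not GreyNoise’s code or anything from the original post: both the indicator list and the log lines are constructed from RFC 5737 documentation ranges and generic paths, and the log format is assumed to be the common combined format with the client IP as the first field.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for a published scanner list. These are RFC 5737
# documentation ranges, not real indicators.
SCANNER_LIST = """
# one IP or CIDR per line; comments and blank lines are ignored
203.0.113.0/24
198.51.100.7
"""

# Constructed access-log lines in combined format (no real hosts or paths).
SAMPLE_LOG = """\
203.0.113.45 - - [07/Feb/2024:10:12:01 +0000] "GET /login HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.10 - - [07/Feb/2024:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Feb/2024:10:13:11 +0000] "GET /api/status HTTP/1.1" 200 64 "-" "curl/8.4"
203.0.113.45 - - [07/Feb/2024:10:13:40 +0000] "POST /login HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# The client address is the first whitespace-delimited field of a combined-format line.
CLIENT_IP_RE = re.compile(r"^(\S+)\s")


def load_indicators(text):
    """Parse an IP/CIDR list into ip_network objects (single IPs become /32 or /128)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def client_ip(line):
    """Return the leading client address of a log line, or None if it is not an IP."""
    m = CLIENT_IP_RE.match(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def hunt(log_text, nets):
    """Return (ip, line) pairs for every log line whose client IP is inside an indicator."""
    hits = []
    for line in log_text.splitlines():
        ip = client_ip(line)
        # An IPv4 address is never "in" an IPv6 network (and vice versa), so mixed
        # lists are safe here.
        if ip is not None and any(ip in net for net in nets):
            hits.append((str(ip), line))
    return hits


def summarize(hits):
    """Count hits per source IP so the noisiest sources surface first."""
    return Counter(ip for ip, _ in hits)


if __name__ == "__main__":
    indicators = load_indicators(SCANNER_LIST)
    for ip, count in summarize(hunt(SAMPLE_LOG, indicators)).most_common():
        print(f"{ip}\t{count}")
```

Swap `SAMPLE_LOG` for a real log file and `SCANNER_LIST` for the published list, and the per-IP counts tell you which sources touched your edge and which lines to pull next. A hit only means a known scanner reached you; whether the request succeeded is a question for the status codes and the box itself.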

What a nightmare scenario for Blackbaud. Not only did they suffer a ransomware-riddled breach in 2020, they’ve been in a long, drawn-out legal fight ever since. Dozens of class action lawsuits with customers. Settled with 49 states for tens of millions of dollars. And now they’ve just settled with the FTC for another $3 million, as the FTC sanctions them into bolstering their cybersecurity hygiene.

It seems that anyone who has audited this situation has left with the opinion that whatever Blackbaud’s security program was doing, it wasn’t enough. Add this to the list of reasons not to neglect your infosec program, folks!

“This action follows an incident where a hacker accessed and removed unencrypted consumer data from Blackbaud's systems, which went undetected for months. The company's delayed and misleading response to the breach has also been criticized.” (read more)

Chief Digital and Artificial Intelligence Office (CDAO) was a new acronym for me! But kudos to them for partnering with our friends over at Bugcrowd to launch an AI bias bounty.

This is an interesting bug bounty as it doesn’t require much technical knowledge and is just you trying to identify any prompts that would get an AI bot to show some bias. First prize is $9,000. (read more)

“As a result of Citi’s lax security protocols and procedures, ineffective monitoring systems, and failure to respond in real-time and properly investigate fraud claims, New Yorkers have lost millions to scammers,”

The AG seems to be mostly referring to scams that involve tricking humans, social engineering, and other fraud here. But their point stands: some banks, along with telecom companies, have had a rough time locking down any process that involves calling up their customer support lines. Between SIM swapping and the kind of fraud this lawsuit is talking about, companies are feeling the burn on how hard it is to reliably identify customers. (read more)

I actually had some friends reach out to me asking if I knew what was going on in Fulton County, Georgia, this week. All signs were pointing toward ransomware, as many state services were offline for an extended period of time. Doing some digging, I found some statements by the school system that stated that one of their students was involved in the hack.

Days later, they’re still trying to get all services up and running, as seen here.

We’re not getting a ton of details on this one, but it doesn’t look like it was ransomware. It doesn’t leave me with a ton of confidence, though, that a student was able to take down so many government IT services for days on end. (read more)

The joys of Mastodon being a federated model, where each server you belong to has its own set of sysadmins, are that this sort of critical vulnerability can’t be patched centrally by anyone working for Mastodon and must be rolled out by each server’s admins.

Mastodon has withheld technical details for the time being to prevent active exploitation of the vulnerability. However, they promised to share more information about CVE-2024-23832 on February 15, 2024.

Mastodon users cannot do anything to address the security risk, but they should ensure that the admins of the instance they participate in have upgraded to a safe version by mid-February; otherwise, their accounts will be prone to hijacking. (read more)

This is a MUST read. Spoutible is another Twitter alternative that popped up during the great Elon exodus. Well, this post by Troy Hunt outlines a serious API vulnerability they had this week that honestly reads like I was doing a web app pentest circa 2009. It just keeps getting worse the longer you read this blog.

First off, the API was enumerable by just knowing someone’s username. At that point it returned the user’s bcrypt password hash (not good, but at least it isn’t cleartext?). He then saw it returned the 2FA secret and backup code, which rendered 2FA useless, but then, even worse, it allowed anyone to reset any user’s password. Bad bug, fun read: (read more)
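The root cause Troy describes is a profile endpoint that serializes the whole stored user record, so every column added to the table (password hash, TOTP seed, backup codes) silently becomes public. The code below is an added example, not Spoutible’s code or anything from Troy’s post: it shows the leaky pattern next to an allowlist serializer, a response check you can run in tests, and a password reset that is bound to a single-use server-side token rather than to knowing a username. The user record, hash and secret strings are constructed placeholders.

```python
import hmac
import secrets

# Constructed in-memory user table. The hash and secret are placeholder strings,
# not a real bcrypt hash or TOTP seed.
USERS = {
    "alice": {
        "id": 42,
        "username": "alice",
        "display_name": "Alice",
        "bio": "Posts about hockey and BBQ.",
        "email": "alice@example.com",
        "password_hash": "$2b$12$PLACEHOLDER_NOT_A_REAL_HASH",
        "totp_secret": "PLACEHOLDER_NOT_A_REAL_SECRET",
        "backup_codes": ["00000000", "11111111"],
    },
}

# Fields a public profile endpoint is allowed to return. Anything not listed
# here never leaves the server, whatever gets added to the record later.
PUBLIC_FIELDS = ("id", "username", "display_name", "bio")

# Fields that must never appear in any client-facing response.
SECRET_FIELDS = frozenset({"email", "password_hash", "totp_secret", "backup_codes"})

# username -> single-use reset token, created by the "send reset e-mail" step.
RESET_TOKENS = {}


def profile_leaky(username):
    """The failure mode from the post: the handler serializes the whole stored record."""
    return dict(USERS[username])


def profile_safe(username):
    """Allowlist serialization: copy only the fields meant to be public."""
    user = USERS[username]
    return {field: user[field] for field in PUBLIC_FIELDS}


def leaked_fields(response):
    """Response-shape check for tests or an egress filter: which secret fields are present."""
    return sorted(SECRET_FIELDS & set(response))


def issue_reset_token(username):
    """Mint a random, single-use token. In a real app it goes only to the account's
    e-mail address and is never echoed back in an API response."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = token
    return token


def reset_password_safe(username, presented_token, new_password_hash):
    """Only a caller who proves possession of the current token may reset the password."""
    expected = RESET_TOKENS.get(username)
    if expected is None or not hmac.compare_digest(expected, presented_token):
        return False
    del RESET_TOKENS[username]  # single use: a captured token cannot be replayed
    USERS[username]["password_hash"] = new_password_hash
    return True


if __name__ == "__main__":
    print("leaky response exposes:", leaked_fields(profile_leaky("alice")))
    print("safe response exposes: ", leaked_fields(profile_safe("alice")))
```

The `leaked_fields` check is the part worth wiring into CI: run it against the JSON of every public endpoint so a new sensitive column fails a test instead of shipping. The reset flow separates "I know the username" from "I control the account's e-mail", which is exactly the distinction the vulnerable API collapsed.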

The powers of AI! You ever go through an identity verification for a website where it made you take a picture of your driver’s license? Well, for $15 and a Telegram account you can get an ID that says anything you want on it! It even looks like you took the photo on your phone, complete with a kitchen counter or bedsheet background.

Kudos to the journalists over at 404 who took this piece a step further and used the service to open a crypto exchange account with an AI-generated ID. (read more)

More ammo for those of you fighting for security budget vs. dealing with rolling the dice.

"The costs incurred relate primarily to third-party consulting services, including IT recovery and forensic experts and other professional services incurred to investigate and remediate the attack, as well as incremental operating costs incurred from the resulting disruption to the Company's business operations,"

The attack was in August, and they said they’re still working to recover from it. (read more)

Not sure how effective this is going to be. Do spyware vendor employees advertise this on their LinkedIn? Even if they do, are they trying to get US Visas?

Either way, it is the first time I remember .gov using a relation to spyware development as a reason to restrict someone’s entry into the country.

Hard to argue with this, though: "The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association," Secretary of State Antony Blinken said. "Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases." (read more)

Was it worth it? When you posted your Evian bottle to social media, and it led to your arrest?

“He is suspected of breaching the patient record database belonging to the psychotherapy centre Vastaamo, and then using that information to blackmail tens of thousands of victims.

He is also suspected of stealing the sensitive personal data of more than 33,000 of the centre's clients and then posting them on the dark web. Around two-thirds of the victims filed criminal reports with authorities.

Kivimäki faces charges of aggravated and attempted extortion, aggravated data trespass, as well as aggravated dissemination of information violating personal privacy.”

I’ve heard of a lot of methods to catch a hacker, but I thought pulling fingerprints off of a picture was reserved for NCIS. (read more)

This was legitimately my toolbox in 2009. Hard to believe such a successful attack campaign in 2024 was via SQLi and XSS. This attack was across a number of job listing sites in APAC, which then scraped personal data off the resumes of job seekers.

They then tried to sell the stolen data via various forums and Telegram channels. (read more)

Cory Doctorow is a gem for this one. Always good to be vulnerable and talk about a time you failed so we can all learn from it and build resilience. Cory talks about how he fell for a scam recently where he was tricked into giving his bank details over the phone, which led some criminals to run up a few thousand dollars in charges before he realized his mistake. Take a read to learn a technique good enough that it fooled a tech-savvy, intelligent person like Cory, who has himself keynoted DEFCON. (read more)

Just the lowest of the low. I caught wind of this one from a Reddit post asking r/cybersecurity if anyone had information that would help them understand why their procedure had been delayed due to a cyberattack.

Smells like ransomware to everyone, but we don’t have details on the attack. (read more)

Miscellaneous mattjay

Loved this one. Those of you who remember the “Welcome” email you got when you first subscribed will know why.

That phone is so popped

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen