🎓️ Vulnerable U | #057

Chinese hackers target family members, MFA Bombing attacks on iPhone, Vulnerability in Apple's M-series chips, EU bans anonymous crypto payments

Read Time: 10 minutes

Howdy friends!

It's been a crazy few weeks (months? years?). If you know my day job, you’ve read the headlines. I can’t talk much about it, but know it’s a wild ride.

Back home from New Orleans and gearing up for the eclipse to come right through my city. Have you got your special eclipse glasses yet?

ICYMI

🖊️ Something I wrote: Talked about how I can’t stand PDF reports as a means of ingesting action items from a security product. Seems it resonates with you all.

🎧️ Something I heard: I read this book years ago, but I’ve been listening to the audiobook of Guns, Germs, and Steel again lately.

🎤 Something I said: Showing folks what to look out for in the recent MFA Bombing attacks

🔖 Something I read: 5 years. 224 issues. and now 50,000 subscribers. Congrats, Clint, on this milestone and the consistency of kick-ass content. I know how much work goes into TL;DRsec every week, and it’s a second job for him. The community is better off for it.

📣 Sponsor

How did Lemonade automate detection and response engineering capabilities?

Like many organizations, when a new threat emerges in the market, Lemonade's leaders turn to their CISO to know if they're protected. With Prelude, Lemonade's CISO was able to answer this question with certainty. Deployed in production across thousands of endpoints, Prelude Detect automatically surfaced missing detections and helped Lemonade push validated protections to CrowdStrike quickly and efficiently. 

Explore the case study to see how Lemonade found a solution that:

→ Turned their threat intelligence into actionable, production-ready tests
→ Provided board-level assurance that they were protected against the latest threats
→ Automatically remediates missing CrowdStrike detections and preventions

Vulnerable News

We got some great info about APT31’s techniques this week due to some reports in court becoming public. The main takeaway here is that your home and family are not out of scope.

From 2015 to 2024, APT31, linked to China's Ministry of State Security, aggressively pursued U.S./Western politicians, academics, and activists, especially those critical of PRC policies.

From 2015 to 2024, APT31, linked to China's Ministry of State Security, aggressively pursued U.S./Western politicians, academics, and activists, especially those critical of PRC policies. They bypassed the enhanced security measures of these high-profile targets by focusing on a more vulnerable link: their family members.

Using seemingly innocuous emails with tracking links, APT31 mapped out the digital footprint of their targets' relatives to gain crucial intel like location, browser, OS, and network details. This preliminary data collection facilitated APT31's subsequent 'direct and sophisticated' attacks, targeting devices and routers for deeper network penetration.

Honestly… the tech being used, like tracking links, mirrors legitimate practices like those in marketing. Thin line between benign and malicious… (read more)

I wrote a Twitter thread on this one, as a few people have reached out to tell me they’ve experienced this exact attack. MFA fatigue isn’t anything new. If your org had Duo’s Push notification 2fa, where users just hit a green check, they loved the UX, but if they got 100 of them, they’d eventually hit a green accidentally or to make it stop.

Well now people are seeing it against their iCloud accounts and system level MFA prompts on trusted devices. The 2 more interesting points on this attack: 1) The attackers pair the MFA bombing with a spoofed phone call from a legitimate Apple support number to get a 2fa code read to them over the phone. 2) This attack happens just by knowing the target’s phone number/email on their iCloud account and is started via the password reset form. The attackers seem to have bypassed Apple’s rate limit on this form.

Usually in MFA fatigue attacks, the hacker has the target’s creds stolen either via phishing or data leak. Here, they just need the phone number to kick off the attack via “forgot password” (read more)

Most of the write-ups on this are extremely low level technical nitty gritty. So fair warning, chip level stuff isn’t the easiest to grok.

Researchers have discovered a security flaw in Apple's M-series chips (M1, M2, M3) that could allow attackers to steal cryptographic keys through a side-channel attack exploiting the chips' data prefetching mechanism.

If you want another great post on this, the always awesome Kim Zetter has one for you too - https://www.zetter-zeroday.com/apple-chips/

A super important note here! - For this vulnerability to be exploited, the attacker needs to execute arbitrary code on the device. If like me, your Mac is just your personal device, any such code would likely operate under the user's permissions. This raises the possibility of utilizing this method to access private keys within sandboxed applications.

As Rob Graham pointed out in that article and on Twitter: I’m not super worried about this one unless I had a ton of crypto on a local wallet on my device.(read more)

Agree or not, EU has been leading the regulatory muscle on the Internet. Things like GDPR are driving how global corps handle data privacy. Here we have the EU taking a bold stance against using crypto for money laundering.

It is just a fact that without crypto ransomware would be absolutely neutered. Could you imagine an encrypted domain controller asking your CISO to go drop a duffel bag of cash under a park bench? The ability to make and receive large anonymous payments via crypto fuels the dark web industries.

That being said, many will hate this decision because much of the strength of crypto is laying in folks belief that movement of capital should be free of government interference. (read more)

Do you agree with the EU ban on anonymous crypto payments?

Login or Subscribe to participate in polls.

We’ve known about SQLi for a long time. We’ve known how to stop it for just as long. It’s like the glitter of vulnerabilities, you can never really truly get rid of it all. CISA and the FBI are making some noise to get software manufacturers to take it more seriously. I was teaching classes on parameterized queries and prepared statements over 10 years ago, and here we are in the year 2024 still preaching the same message.

This also reminds me of the Rugged Manifesto in this CISA report where they’re trying to get software manufacturers to take ownership of their customer’s security. Check these 3 main points of the report:

  • Principle 1: Take Ownership of Customer Security Outcomes

  • Principle 2: Embrace Radical Transparency and Accountability

  • Principle 3: Build Organizational Structure and Leadership to Achieve These Goals

This is just table stakes. But it continues to need to be said that if you’re writing code, you’re responsible for your user’s security. (read more)

Called it

Age verification is going to be a hot topic this year. Between this and the recent social media restrictions in Florida for teenagers, we’re going to see more cat and mouse on this. A lot of folks have laughed at this saying they’ve lied about their age since they’ve been on the Internet. However, age gating is getting more sophisticated.

The more interesting bit of all this for me, who does age verification responsibility lie with? The apps are making a good case that this belongs on the device with Apple and Google. Do age verification on device setup once instead of making it up to every app or website, which will of course have hugely varying degrees of ability to do so effectively. (read more)

Great Mandiant writeup about some shifts in APT29’s behavior and targeting. Most interestingly to me is the fact they’re using a very newly discovered backdoor named WINELOADER (good writeup on just that part here: https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader)

“This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions.”

This was also the first time this threat group has been seen to use German language lures in their phishing. (read more)

It sounds like Pokemon is thwarting off a credential-stuffing attack this week. They immediately detected the attack and reset the passwords of the compromised accounts (take note, 23andMe who said cred stuffing was the user’s fault) - “Benkwitt said that only 0.1% of the accounts targeted by the hackers were actually compromised, and reiterated that the company already forced the impacted users to reset their passwords, so there isn’t anything to do for people who have not been forced to reset their passwords.” (read more)

Wallet Drainers have started using the Create2 opcode to bypass security alerts by pre-calculating contract addresses, deploying them after a victim signs a malicious signature. This method has led to significant asset theft, with nearly $60 million stolen from around 99,000 victims in six months. The technique involves creating temporary addresses to evade wallet security checks, a strategy confirmed through analysis and testing by Scam Sniffer and SlowMist teams. (read more)

“Attacks can be triggered from a single spoofing-capable host” - Don’t like that line when it comes to DoS.

This newly discovered Application-layer Loop DoS Attack targets protocols like DNS, NTP, and TFTP, causing them to communicate endlessly and flood networks with traffic. Identified by CISPA researchers, this attack affects around 300,000 internet hosts and can be launched via IP spoofing, stressing targeted servers and networks. (read more)

Another bit of forced transparency due to court documents being public. Facebook's "Project Ghostbusters" intercepted and decrypted Snapchat user traffic to analyze behavior and gain competitive insights. This secretive effort, revealed in court documents, involved using Onavo, a VPN-like service, to conduct 'man-in-the-middle' attacks. Despite internal concerns about privacy and ethics, the project aimed to expand analytics capabilities to platforms like Amazon and YouTube. (read more)

I’ve been saying this for a bit. Security has long been seen as a cost center, but I’ve now been on all possible sides of the coin, and I can confidently agree with this article. I’ve been head of security for a startup getting acquired, security for a company IPOing, part of the due diligence team reviewing a company’s security posture before we acquired them, and a few other permutations of all of the above. Addressing cyber risks can move the financial needle in all these situations.

Investing in cybersecurity is an investment in business health. Companies with strong cyber defenses tend to outperform in the market, reflecting higher trust and stability. (read more)

If you’ve been subscribed for any length of time, you know how I feel about reports put out by companies with unique piles of data and smart people to analyze it. Google’s TAG and Maddie Stone fit the bill, and I always love their year-in-review of zero-day reports.

Do yourself a favor and read the whole thing. But a notable call out - “If enabled, Lockdown Mode would have protected users from the majority of the exploitation chains discovered [in 2023] targeting iOS and attackers would not have been able to successfully compromise their targets.”

Couldn’t name a stronger case to enable Lockdown Mode if you’re at all worried about iOS attacks. (read more)

Runa is awesome and ran the security for the newsroom at the NYTimes for a while. Here she breaks down a gnarly situation where some journalists got arrested for covering the human rights violations in Qatar. There are some good tips here on Opsec if you’re a person who has a heightened threat model, a journalist in hostile territory, or any similar situation. Regular data transfers back home, smart encryption usage on your hardware, FileVault, BitLocker, and VeraCrypt are all good tools. She even talks about a communication plan with twice-daily check-ins. (read more)

Step 1 - join a discord server of your competition. Step 2 - Upload CSAM. Step 3 - Discord automation bans the server. This is not the first time we’ve seen weaponization of automated content moderation techniques. (read more)

Miscellaneous mattjay

This is an awesome thread.

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay