🎓️ Vulnerable U | #064

CISA official whistleblows on telco vulns, encrypted Apple and Proton not so encrypted, Tornado Cash crypto money laundering, Telegram vs. Signal

Read Time: 10 minutes

Howdy friends!

Getting started late tonight because I was busy jumping up and down around my living room screaming at a hockey game (Go Rangers!).

Is everyone recovering from RSA? That was a whole lot of humaning for me. I could’ve used a bit of a coma this weekend, but I had some friends' kids' birthday parties to go to. So, instead of a coma, I lit up some 5-7-year-olds in laser tag. They never saw it coming.

Got to be on a panel talking about AppSec and API Security this week here in Austin with some of my friends. Got a lot of great feedback and questions.


🖊️ Something I wrote: An RSA Observation about vendors talking so poorly about their competitors, they end up devaluing the whole space they play in.

📣 Something worth checking out: Dive into Zero Trust security with Teleport’s free ebook—straight-up useful stuff!*

🎧️ Something I heard: I offered the Shared Security guys some space to record at RSA and they wound up having me stick around and talk about what we were seeing at the con. Mostly about the AI fluff and conversely, some cool AI tech I saw.

🔖 Something I read: Slack’s updated privacy policy, which includes the need to manually opt out of them using your DMs, messages, and files in their new ML models. Ironically, you can’t opt out via Slack; you need to email them.


Vulnerable News

This one is wild for me, but when I posted on Twitter, a lot of people seemed super familiar with some of these old vulnerabilities. The gist is that there are vulnerabilities in two core signaling protocols of telco networks, SS7 and Diameter. They’re used when you’re roaming to route your traffic appropriately.

Well, a CISA official came out and talked about how he has seen evidence of these vulnerabilities being actively exploited to track U.S. citizens. He then went on to say these flaws could also be used to deliver spyware, monitor calls and texts, and have even been seen to influence voters.

The other reason this is such big news is that this whistleblower is going against the official CISA response about these flaws, and the telecom companies are saying they have no evidence of exploitation. (Though we just saw AT&T say they have no idea how all of their customer data ended up for sale on the dark web either.) The whistleblower also closed by saying this is just the tip of the iceberg, so I think it is safe to assume he has evidence of our cell networks being abused by adversaries in all sorts of ways. (read more)

Ok, we know that disinformation campaigns are nothing new. But when we get a full report and details on one that is unfolding before our eyes, I’d like to use it as a teaching moment: when our emotions are high, we can be easily played.

The Doppelganger network, aligned with Kremlin interests, is stirring the pot on U.S. college campuses by exploiting protests. They’re pumping out fake news on both sides of the Israel-Palestine debate, mimicking legit news sites to fool people. Their clever use of bots to amplify these articles on social platforms has snagged hundreds of thousands of views. This whole setup is part of a bigger Russian playbook to mess with societal cohesion in the U.S., especially with the 2024 elections on the horizon. (read more)

Alexey Pertsev, co-developer of Tornado Cash, a crypto mixer, just got hit with over five years behind bars for laundering a whopping $1.2 billion. His tool was caught washing dirty money, including cash from North Korean hackers. Although Pertsev argued that Tornado Cash runs on auto on the Ethereum blockchain and he couldn’t control its use, the court didn’t buy it. They said he had enough control but chose to ignore the criminal activity. This case has sparked a big debate about the responsibility developers hold for how their software is used. (read more)

What do you think? Is the developer of a crypto mixer used for money laundering responsible for how it's used?


These bug bounty hunters are on a tear. They won a zero-day contest in 2021 that netted them a $50k bounty, and now, in the first half of this year, they’ve found 2 bugs.

Apple is a notoriously hard attack surface for hunters to find these kinds of bugs in, so these kinds of write-ups are always a great way to learn from some of the best out there doing it. If you like Bug Bounty content, make sure to check out JHaddix’s newsletter/training/discord and The Critical Thinking podcast. Both are friends of Vulnerable U and putting out top-notch content. (read more)

📣 Sponsor

Get your copy of O’Reilly: Identity-Native Infrastructure Access Management

What is identity-native infrastructure access? Why should secret-based credentials be eliminated? How can you implement identity-based access for humans and machines across your entire infrastructure, eliminate the need for secret-based credentials, and manage permissions across varied computing resources?

Learn this and more in O’Reilly’s "Identity-Native Infrastructure Access Management" book, in which authors Ev Kontsevoy, Sakshyam Shah and Peter Conrad break down the complexities of modern infrastructure security into manageable pieces, making it accessible to beginners and experts alike.

Interesting new Chinese Pwn2Own-like competition:

Spanish police got a leg up from encrypted services like Wire, Proton, and Apple to pin down an activist involved in Catalonia’s independence push. Basically, they pulled metadata like email addresses from these services, linking up the dots to identify the person behind the pseudonym.

TL;DR - Even using encrypted services won’t protect you from a warrant if your personal info is in the metadata.

While the services keep the content encrypted, they do dish out metadata when legally pressed, which was key in this case. The involvement of multiple services shows how cross-platform data can be pieced together. (read more)

What is old is new again! Did it ever really go away? Opening malicious PDFs has been a favorite point of entry since forever. But this one is based on a popular JavaScript package, pdf.js.

Here’s a fun tidbit: "If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value)" - So this is one to chase to see if you’re using it in prod, and make sure it is updated or ripped out. (read more)
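If you want to actually chase this in your own repos, here is an added example (my own, not code from the newsletter or from the pdf.js project) showing the two checks I’d run: an audit that walks a package-lock.json (v2/v3 "packages" map) for every installed copy of pdfjs-dist, nested ones included, and flags any below a minimum patched version you pass in; and a wrapper that forces `isEvalSupported: false` in the options handed to `getDocument()`, which is a real pdf.js parameter. The minimum version is a placeholder argument here, not a number from this page; take it from the pdf.js advisory for your deployment. The sample lockfile is constructed for the demo.

```javascript
// Added example (not from the newsletter or the pdf.js project): audit a
// package-lock.json for pdfjs-dist and harden getDocument() parameters.

// Compare two dotted version strings numerically ("4.10.0" is newer than "4.9.1").
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every pdfjs-dist entry in a lockfile's "packages" map (lockfile v2/v3),
// with a flag telling whether it is below minSafeVersion.
// minSafeVersion is a PLACEHOLDER: supply the patched version from the advisory.
function auditLockfile(lock, minSafeVersion) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Paths look like "node_modules/pdfjs-dist" or, for a nested copy,
    // "node_modules/some-viewer/node_modules/pdfjs-dist".
    if (!path.endsWith("node_modules/pdfjs-dist")) continue;
    const version = meta.version || "0";
    findings.push({
      path,
      version,
      vulnerable: compareVersions(version, minSafeVersion) < 0,
    });
  }
  return findings;
}

// Wrap the caller's getDocument() parameters so isEvalSupported is always false,
// disabling the eval-based font path regardless of what the caller passed.
// Use as: pdfjsLib.getDocument(hardenedGetDocumentParams({ url }))
function hardenedGetDocumentParams(params) {
  return { ...params, isEvalSupported: false };
}

// Constructed sample lockfile (not a real project): one current root copy and one
// stale nested copy pulled in by a hypothetical "legacy-viewer" dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/pdfjs-dist": { version: "9.9.9" },
    "node_modules/legacy-viewer": { version: "1.0.0" },
    "node_modules/legacy-viewer/node_modules/pdfjs-dist": { version: "1.2.3" },
  },
};

// "5.0.0" is a made-up threshold for the demo, not the real fixed version.
const REPORT = auditLockfile(SAMPLE_LOCK, "5.0.0");
for (const f of REPORT) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.version}  ${f.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-copy case is the one people miss, because `npm ls pdfjs-dist` at the root can look clean while a viewer component still bundles its own old copy.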

Ok, I saw A TON of chatter on Telegram vs. Signal this week. It seems Elon Musk was talking about it, which might have spurred some attention. It also seems Telegram is pumping out a ton of PR against Signal.

But you know who says Signal is more secure? Literally every security expert. Telegram isn’t built to be a secure messenger; it has an optional and questionable encryption feature. Signal Protocol is open source and reviewed by every cryptographer on the planet. The linked thread is by Matthew Green, who is my go-to expert on all things crypto (not the bitcoin kind). (read more)

Dmitry Yuryevich Khoroshev, alleged leader of the LockBit ransomware group, was charged by U.S. authorities using extensive digital footprints linked to his numerous online aliases. Authorities traced his activities from early hacker forums to recent ransomware operations. They pieced together his identity through email addresses registered to domains, ICQ numbers, and other digital traces linking back to his real-life persona. The investigation highlights a decade-long evolution from forum-based malware discussions to managing a major ransomware service. (read more)

Great report detailing a scheme named Estate that enabled cybercriminals to carry out automated phone calls to trick victims into revealing one-time passcodes, thereby bypassing security features like multi-factor authentication. The operation targeted major services like Amazon and PayPal, predominantly affecting older demographics believed to be more susceptible to such scams. A security flaw exposed Estate’s internal database, revealing detailed logs of attacks and the identities of involved members. So even the criminals have a hard time keeping security vulns from burning them. (read more)

Rapid7 identified a social engineering campaign where threat actors overwhelmed users with spam, then posed as IT support to facilitate remote access via legitimate tools like AnyDesk or Quick Assist. They then executed scripts to download additional payloads for credential harvesting and persistence, often disguising their actions as routine updates. This campaign, linked to the Black Basta group, involved complex methods like using SSH for reverse tunneling and deploying Cobalt Strike beacons, but no data exfiltration or ransomware deployment was observed in the incidents studied.

If you’re on a DFIR team, this article has some good artifacts and indicators of compromise to look out for. (read more)

Christie’s website got hacked right before a major auction week expected to rake in around $840 million. They’ve taken the site down for now and are hustling to fix things up. Meanwhile, they’re asking folks interested in bidding to use alternative contact details provided on their temporary site message. This hiccup comes after a previous breach last year that leaked some GPS data from artwork images. Upcoming auctions include high-ticket pieces from Warhol, Picasso, and Van Gogh, expected to fetch up to $35 million. (read more)

Europol’s expert platform got hit by hackers using stolen credentials, but thankfully, no sensitive operational data was compromised. The breach only affected a part of the Europol Platform for Experts (EPE), used for sharing non-sensitive info among law enforcement pros. The hackers claimed to have nabbed some classified docs, but Europol insists nothing critical was touched. We’ll see who is right soon, I guess. (read more)

Monday.com had to ditch its “Share Update” feature when phishers hijacked it to send sneaky emails that looked legit. We don’t often think about project management tools as a phishing risk, but here we are. The attackers crafted emails as if they were from HR, leading unsuspecting clicks to phishing sites. Monday.com pulled the plug on this feature fast, and they’re letting affected users know about the potential threat. They’re still deciding if the feature will ever make a comeback. (read more)

Imagine your cloud provider just let you know they accidentally deleted your …everything?

Google Cloud accidentally wiped out UniSuper’s account during a “one-of-a-kind” misconfiguration mishap, cutting off over 620,000 members from their superannuation funds for a week. They’ve fixed the issue to prevent a repeat and managed to restore services thanks to backups UniSuper had elsewhere. Talk about a case study on off-site backups! (read more)

Apple just dropped some updates for iPhones, iPads, and Macs to patch up a bunch of security holes, including a memory bug that might’ve been exploited in older iOS versions. They’re covering everything from potential system crashes to unauthorized data access. So, if you’re running on an Apple device, it’s time to hit the update button! (read more)

Oh cool! Check out new tech police are experimenting with: the Elsag EOC Plus by Leonardo. It’s designed to scan for any electronic signal inside moving cars, catching everything from your smartphone and Fitbit to the RFID chip in your library books.

What could go wrong?!

While it’s meant to track suspects by linking device “fingerprints” to car plates, there’s a ton of concern about privacy. Do we think it could lead to mass surveillance without warrants, tracking people’s movements, and gathering info about personal belongings?! (read more)

GossiTheDog is a voice I listen to in this space. And in this case, the call is coming from inside the house (Microsoft).

His real name is Kevin Beaumont, and he really digs into Microsoft’s announced shift towards making cybersecurity their number one jam after getting a bit of a nudge from the US Department of Homeland Security. He chats about his time at Microsoft, sharing insights about their security setup—or the lack thereof.

Microsoft, led by CEO Satya Nadella, is now all-in on beefing up their security, setting up new rules that basically say, “Hey, when in doubt, pick security over anything else.” They’re restructuring to make sure security isn’t just a side thought but woven into everything they do. Nadella’s making it clear to the team that if it’s a toss-up between rolling out new features or locking down security, security wins every time. (read more)

Poland’s shaking up the spyware game! Once a hotbed for spyware abuse, Poland is now setting standards on how to clean up the mess. After booting the old government accused of misusing Pegasus spyware against foes, the new crew is cracking open the books, investigating, and even letting victims know they were targeted.

This could be a game-changer, showing other countries how to tackle their spyware skeletons. It’s early days, but the move has turned heads and could inspire others to follow suit, balancing security needs with personal rights. (read more)

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen