🎓 Vulnerable U | #017
What are you avoiding? New phishing threat actor, TriangleDB iOS Spyware, and more...
Read Time: 5 minutes
Howdy friends and welcome to another edition of Vulnerable U!
Coming to you this week fresh off the beaches of South Padre Island. I got to bring my daughter swimming in the ocean for the first time, teach her to build sand castles, and plant a seed about going to space being a real thing.
Drove my Jeep onto the beach and spent the afternoon watching the sun go down behind the rockets at Space X, and generally forgetting, for a moment, about the week ahead. It was incredible.
I’m going to try some new formatting on the newsletter this week to better keep things digestible and valuable.
Instead of the normal Vulnerable U content being in the body of this email I’m going to summarize and then link to it on my blog. Then I’ll still keep all the news links I’m reading this week here as well.
If you loved the main body of the newsletter up until this point you can find it in the “Something I wrote” link below from now on.
If you have feelings about this new format, please vote on the poll at the bottom so I can gauge if I should keep doing it this way.
🖊️ Something I wrote: What Are You Avoiding?
🎧️ Something I heard: Between Two Nerds: Go Big or Go Home
🔖 Something I read: Travis on One Year of Founding a Security Startup
Muddled Libra is a new threat group that uses advanced phishing tactics similar to 0ktapus. Read for detailed insights into the group's methods, targets, and the significant risks it poses to organizations. This report includes a list of IOCs to include in your hunts.
A detailed analysis of TriangleDB, a sophisticated spyware implant used in Operation Triangulation to target iOS devices of Kaspersky employees.
I summarized on Twitter also:
🚨 Woah. Crazy spyware analysis just dropped.
Triangulation iOS spyware that targeted Kaspersky employees.
Upon analysis, this implant might work on macOS as well.
Let's dive in! 👇
— Matt Johansen (@mattjay)
Jun 22, 2023
Worth mentioning - Apple has released a patch for the 0days used in this implant.
And a good article in WaPo about this story as well.
In an incredibly unique attack vector, members of the military are getting Apple Watches in the mail from an unknown sender and nobody knows what they do.
“These smartwatches, when used, have auto-connected to Wi-Fi and began connecting to cell phones unprompted, gaining access to a myriad of user data. These smartwatches may also contain malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords.”
Analysis of the Lazarus threat group's exploitation of vulnerabilities in Korean finance security solutions VestCert and TCO!Stream. (“VestCert is a web security software developed by Yettiesoft using a non-ActiveX approach, while TCO!Stream is a company asset management program made by MLsoft. Both solutions are widely used by Korean companies.”)
Krebs outlines a detailed investigation into an SMS phishing (or "smishing") campaign that exploited the United Parcel Service's (UPS) online shipment tracking tool in Canada to harvest phone numbers and other information.
A ransomware attack is causing angst among students who aren’t able to participate in their normal classwork because the school hasn’t recovered from the attack yet.
Immersive Labs’ guide on understanding and detecting the Sliver Command and Control (C2) framework. This is crucial as Sliver, an open-source, cross-platform, and extensible C2 framework, is increasingly being used by threat actors to target large organizations. The guide provides insights into Sliver's structure, encoding, and encryption, and offers practical methods for detecting its presence through file, memory, and network artifacts.
A vulnerability was found in Microsoft Teams that allows external tenants to introduce malware into any organization using Microsoft Teams in its default configuration. It bypasses many traditional payload delivery security controls, making it a potential avenue for threat actors to deliver malware. JUMPSEC has detailed remediation options, as well as some detection opportunities.
Come hang next week on Recon’s Thursday Defensive with me. Casual chat and Q&A format.
Thanks to @techyteachme for a fun & interactive Detection Engineering chat today!
Next week @mattjay joins us!
— Recon InfoSec (@Recon_InfoSec)
Jun 22, 2023
Got to chat with my friend Dennis on his podcast over at Decipher. We talk about how I got into infosec, the power of being a part of the community, and my mission here at Vulnerable U.
POLL: How did you like this new format?
Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen