🎓️ Vulnerable U | #044

Complex new iMessage exploit, Tesla autopilot hacked unlocking “Elon Mode,” Web injections on the rise, Mint Mobile breached, & more

Read Time: 5 minutes

Howdy friends!

Blinked and it was Friday. My body is mostly baked ziti leftovers at this point. I’m existing somewhere between reality, food coma, and a wrapping paper tornado. I fed a small army at my house for 3 days and have a giant pile of cardboard boxes from all the toys the many kids opened here. I swear I looked into my living room at one point and saw children hanging from the ceiling and toilet paper covering my Christmas Tree.

Still haven’t even sat at my desk all week so another quick newsletter to round out the year.

I also want to share that I’ve found a new wellness community I’ve been a part of for a few weeks now that has helped me take some time to be present, process some grief, heal from some trauma, and do some more hard internal work. I suspect my experience here will bleed into the newsletter’s writing on mental health topics.

A word that came to me during a meditation session this week was “courage”. During a guided meditation that was leading us to find our intention going into the rest of the session. I’ve been working on being more present, stopping avoiding problems, and overall what that requires is courage to face the world.

Challenging all of us reading this to sit with the word courage for a moment and see if it something that resonates with you. Are you finding the courage in yourself to be the person you want to be?

Thanks for taking a second there with me. Let’s get into the cybers.

ICYMI

🖊️ Something I wrote: Since I brought it up above. What are you avoiding?

🎧️ Something I heard: I’ve been using the phrase “I’m just going to Rick Rubin my way through this” lately. Sort of as a replacement for “yolo.” So of course I watched this interview with Rick on Huberman’s podcast. (Have you read his book? It’s on my list.)

🎤 Something I said: Had a great conversation on the Security Weekly podcast.

🔖 Something I read: Hit the climax on Mistborn around 11pm the other night and just stayed up super late to finish it. And now just started The Untethered Soul as someone recommended it to me.

📣 Sponsor

Are you using production data for pre-production tasks like development, preview, and test?

Auto-Anonymize Prod Data with Privacy Dynamics.

With anonymized data you can:

→ Use real data for testing, model training, and dev environments
→ Resolve data minimization requirements from GDPR, HIPAA, and CPRA
→ Eliminate risk of sensitive data leaks in your lower environments

Automate PII-free replicas for your lower environments with Privacy Dynamics, saving your team time and your company money.

Vulnerable News

This really puts the “Advanced” in Advanced Persistent Threat. I’m seeing folks call this the most advanced exploit ever discovered.

TL;DR - iMessage exploit that uses a TrueType vulnerability that has existed since the 90s, 2 kernel exploits, a browser exploit, and an undocumented hardware feature that was not used in firmware, which the researchers are unsure how the attackers would know about.

ELI5 TL;DR - Highly funded attackers can send a text to an iPhone and take complete control of it without you knowing.

I just needed to include all these highlights as they are pretty jaw dropping.

The crew presented this research at CCC and the video is already up here: https://youtu.be/7VWNUUldBEE

The whole post is long and detailed if you’re into the technical nitty gritty of hardware security and kernel exploits, it’s all there. (read more)

In more hardware security news - some researchers were able to send some unexpected voltage to a Tesla’s circuit board and get it to unlock some features. They were also able to pull out some hidden information in it including information about previous owners like stored addresses that had been “deleted.”

In a normal Tesla’s Full Self Driving (FSD) mode costs $12,000 to unlock and even then has a fair bit of safety restrictions that require active driver supervision. Well there is apparently a secret “Elon mode” that gets rid of a lot of the restrictions.

The “Elon mode” is a secret hands-free full self-driving feature that previously hackers managed to discover. This executive mode allows Tesla vehicles to self-drive without any driver input or monitoring. This mode was discovered by @greentheonly in June 2023, who tested the mode and posted some clips on social media.” (read more)

Great report out of Microsoft Threat Intel. Storm-0569, Storm-1113, Storm-1674 and Sangria Tempest using App Installer to spread malware since Nov 2023.

The crux of it is a malicious MSIX packages pushed via fake ads & phishing on Microsoft Teams. (I have a feeling we’ll be talking about Teams phishing a lot in 2024) (read more)

JavaScript was a mistake. This kind of attack has been around for 20+ years and barely has advanced in technique.

“Upon examining the injection, we discovered that the JS script is targeting a specific page structure common across multiple banks. When the requested resource contains a certain keyword and a login button with a specific ID is present, new malicious content is injected.”

Old or new, it’s cool to read this post to see the full JavaScript malware flow and how it get’s the bad stuff done. Pay attention to your browser security folks! (read more)

First and foremost, this article starts with the phrase “In a series of Xeets” and I’d like to report a war crime. I refuse there.

Anyway, the threat actor here is Peach Sandstorm or APT33, and they were seen distributing malware to U.S. defense-sector employees.

“Mandiant, which tracks the Iran-backed crew as APT33, says it targets organizations in the US, Saudi Arabia and South Korea for "strategic cyberespionage," with a particular interest in both commercial and military aviation companies as well as those in the energy sector with ties to petrochemical production.”

"We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries" (read more)

These telecom companies have been a major target lately and Mint seems to be the latest victim. T-Mobile has proposed acquiring them and even they got hacked this year with 37 million victims.

Not a ton of info on this Mint breach but there are some forum posts claiming to be selling the data from it. Unaware of the method of the breach but notifications started going out this week.

These attacks are concerning because of the popularity of SIM swapping in larger breaches. The info stolen from these telecom providers can be used in other attacks. Specifically in this breach it seems SIM serial numbers and IMEI numbers were stolen which can be used in SIM swap attacks. (read more)

Miscellaneous mattjay

Upcoming Appearances

In bed before the ball drops

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay