🎓️ Vulnerable U | #027

Fostering Welcoming Environments, Taiwan Hacked by 'Flax Typhoon', Qakbot take down, and another SIM-Swapped for Crypto

Read Time: 8 minutes

Howdy friends!

Writing to you as I prep for a big week. I’m giving a free training session in ATX in a few days with some of the best speakers in the industry. Excited to put it on, my session is going to be cloud security focused. Link at the bottom if you’re in town and would like to join!

This time next week, I’ll be on a beach listening to some waves crash on my first vacation in a long time. Don’t worry, newsletter, YouTube, and podcast will all still come out - when you travel with a little kid, you get some forced downtime glued to the hotel room at night anyway.

Sneak Peek at the Blog of the Week:

If you are a veteran (or working toward that status) in your career and want to be the professional who fosters welcoming, educational, supportive, and generally friendly environments, this one is for you.

Don’t worry, newbies; read on to learn how to spot high-achieving and nurturing communities when you are breaking into any industry.

My start in infosec is a story I’ve told before. Mustering up all the courage I had inside my body, I hopped on the Shmoobus with a bunch of people I followed on Twitter and set course for my first-ever ShmooCon.

This adventure introduced me to many obstacles newcomers face in the industry. On the other side of that now, aligning more closely with a Shmoobus driver than a hitchhiker, I decided to revisit a concept from an earlier newsletter from a new perspective.

In that newsletter, I shared the 5 obstacles newcomers face when breaking into information security. Today, I want to share what I do to facilitate environments that set newcomers up for success.

First, I will tell you why I find this particularly important. Fostering a culture of inclusivity and support within the infosec community elevates the entire industry and everyone in it.

The success and growth of the industry depend on the active engagement and development of newcomers. Building a community where questions are welcomed and where experienced professionals willingly share their knowledge and insights is something we should be striving to achieve.

By valuing and encouraging the participation of beginners, we ensure the sustainability and vitality of the infosec field.

In this episode:

  • Chinese-backed APT 'Flax Typhoon' Hacks Taiwan with Minimal Malware Footprint

  • Mandiant Report - Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)

  • Kroll Employee SIM-Swapped for Crypto Investor Data

  • Man puts tracking app on wife's phone, shoots her twice and fires at man she's with, police say

  • A Brazilian phone spyware was hacked and victims’ devices ‘deleted’ from server

  • Poland investigates cyber-attack on rail network

  • MOVEit, the biggest hack of the year, by the numbers

  • Ignored by police, twin sisters took down their cyberstalker themselves

  • FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown

  • A Fake Signal App Was Planted On Google Play By China-Linked Hackers

  • VMware Aria vulnerable to critical SSH authentication bypass flaw

  • Mom’s Meals says data breach affects 1.2 million customers

  • Saudi man receives death penalty for posts online, latest case in wide-ranging crackdown on dissent

ICYMI

🖊️ Something I wrote: Take to the comments on this one. Lots of varying viewpoints!

🎧️ Something I heard: How this guy became stupid rich off of WordPress

🎤 Something I said: The news in about 10 minutes. If you like this newsletter, you’d probably like to sub to my YouTube.

🔖 Something I read: A women’s volleyball game set an attendance record. As a volleyball player myself, married to a volleyball player, this got me hyped.

Vulnerable News

Microsoft's threat hunters have identified a Chinese government-backed Advanced Persistent Threat (APT) group, tracked as Flax Typhoon, that is infiltrating Taiwanese organizations with very little custom malware. Rather than dropping implants, the group exploits vulnerabilities in public-facing servers to get in and then leans on software already present in Windows to keep a quiet foothold in the compromised networks.

The stealthy nature of their operations, which relies on valid accounts and living-off-the-land binaries (LOLBins), makes detection and mitigation challenging: every tool in the chain is one a legitimate admin might also run, so the signal is in who ran it, from where, and under which parent process, not in a file hash. As Lindsay at Duo points out, quoting Microsoft's report: “This pattern of activity is unusual in that minimal activity occurs after the actor establishes persistence.” Microsoft emphasizes that the techniques used by Flax Typhoon could be replicated in other targeted attacks. The group has been active since mid-2021, targeting various sectors in Taiwan, with some victims also identified in Southeast Asia, North America, and Africa. (read more)
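One way to hunt for the chain this report describes, an internet-facing server compromised and then driven with built-in tools, is to walk process-creation telemetry looking for a LOLBin whose ancestry leads back to a web-server worker. The script below is an added example written for this newsletter, not Microsoft's detection logic or anything from the report; the event fields mirror Sysmon Event ID 1, but the events, host names and binary lists are constructed for illustration and are assumptions to tune for your own environment.

```python
"""Flag built-in Windows tools spawned (directly or a few hops down) by a
web-server worker process. Added example; not Microsoft's or the
newsletter's code. Event fields mirror Sysmon Event ID 1, but every event
below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Built-in binaries commonly driven through a web shell. Starter list
# (assumption); tune for your environment.
LOLBINS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe", "certutil.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe",
    "net.exe", "net1.exe", "whoami.exe", "reg.exe", "schtasks.exe",
}

# Worker processes of public-facing services that should almost never
# spawn shells (assumption; add your own app servers).
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}

MAX_DEPTH = 4  # how many parent hops to walk before giving up


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    user: str
    pid: int
    ppid: int
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def web_worker_ancestor(ev: ProcEvent,
                        by_pid: Dict[Tuple[str, int], ProcEvent],
                        max_depth: int = MAX_DEPTH) -> Optional[ProcEvent]:
    """Walk up the parent chain on the same host and return the first
    web-worker ancestor, or None. PID reuse is not handled here; a real
    pipeline should key on process GUIDs rather than PIDs."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get((cur.host, cur.ppid))
        if parent is None:
            return None
        if basename(parent.image) in WEB_WORKERS:
            return parent
        cur = parent
    return None


def find_lolbins_from_web(events: List[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Return (lolbin_event, web_worker_event) pairs worth a look."""
    by_pid = {(e.host, e.pid): e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in LOLBINS:
            continue
        ancestor = web_worker_ancestor(ev, by_pid)
        if ancestor is not None:
            hits.append((ev, ancestor))
    return hits


def describe(hits: List[Tuple[ProcEvent, ProcEvent]]) -> List[str]:
    """One human-readable line per hit, for a ticket or a console."""
    return [f"{ev.host} {ev.ts} {ev.user}: {basename(ev.image)} <- "
            f"{basename(anc.image)} (pid {anc.pid}) :: {ev.command_line}"
            for ev, anc in hits]


# Constructed telemetry: an IIS worker on web01 runs cmd, which runs whoami,
# then a hidden PowerShell; an admin on ws07 runs PowerShell from explorer.
SAMPLE_EVENTS = [
    ProcEvent("2023-08-24T01:02:03Z", "web01", "NT AUTHORITY\\NETWORK SERVICE", 4012, 812,
              r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    ProcEvent("2023-08-24T01:02:09Z", "web01", "IIS APPPOOL\\DefaultAppPool", 5520, 4012,
              r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami"'),
    ProcEvent("2023-08-24T01:02:09Z", "web01", "IIS APPPOOL\\DefaultAppPool", 5524, 5520,
              r"C:\Windows\System32\whoami.exe", "whoami"),
    ProcEvent("2023-08-24T01:03:41Z", "web01", "IIS APPPOOL\\DefaultAppPool", 5601, 4012,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -nop -w hidden -c "net user"'),
    ProcEvent("2023-08-24T01:05:00Z", "ws07", "CORP\\alice", 7001, 3320,
              r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("2023-08-24T01:05:12Z", "ws07", "CORP\\alice", 7100, 7001,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for line in describe(find_lolbins_from_web(SAMPLE_EVENTS)):
        print(line)
```

Run against the constructed sample it reports the three web01 events (cmd, the whoami two hops down, and the hidden PowerShell) and stays quiet about the admin on ws07. The ancestry walk is what matters: an actor who drops into cmd first and then runs the interesting tool from there would slip past a rule that only looks at the immediate parent.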

This great report, unfortunately, fought a headwind in the news cycle. We’ve covered the UNC4841 Barracuda attacks on the show in the past.

Mandiant delves deeper into the tactics and techniques used by UNC4841, especially after remediation efforts were made for the Barracuda ESG zero-day (CVE-2023-2868). UNC4841 displayed adaptability by deploying new malware to maintain its presence in high-priority targets even after patches were released, which is why Barracuda's guidance has been to replace compromised appliances outright rather than patch them in place. If you run an ESG, treat a patched-but-previously-exposed appliance as still suspect until it has been replaced and any credentials connected to it have been rotated. (read more)

We just talked last week about SIM swaps and how they’re growing in prevalence, especially against crypto targets. Well, here we go again; this time the crypto targets were one step removed from the attack. Kroll, a consulting giant, has disclosed a significant security incident where one of its employees fell victim to a SIM-swapping attack. With control of the employee's phone number, the attacker gained unauthorized access to and stole user information from multiple cryptocurrency platforms, including BlockFi and FTX, both of which were relying on Kroll's services for their bankruptcy proceedings. The lesson is the same one from last week: a phone number is not an authenticator, and that applies to your vendors' employees as much as your own. (read more)

I like to share these stories because it is a periodic reminder that the digital decisions we make have kinetic consequences. Once again, we see the violent misuse of location-sharing applications. (read more)

Speaking of spyware, those apps also tend to be awfully insecure. Not all heroes wear capes, it turns out: a Brazilian spyware app was hacked, and the victims' devices were deleted from its server by a vigilante hacker. This joins the long list of spyware compromised this year, unfortunately not always by someone with good victim-saving intentions. (read more)

With $30 of equipment and a quick radio signal, pro-Russian attackers were able to halt more than 20 Polish trains, possibly in an effort to impact Ukraine's war efforts. The trains' legacy analogue radio system accepts an unauthenticated stop command, so anyone who can transmit on the right frequency can trigger it. The signals that disabled the trains were interspersed with the Russian national anthem and audio of a speech by Putin. (read more)

As the number of victims of MOVEit-related breaches crosses 1,000 organizations and 60 million people, it is becoming one of the largest breaches ever tracked. This article breaks down the Cl0p ransomware group’s campaign by the numbers, including an estimate of the billions in damages caused and the types of organizations impacted. The feds are hot to get any info on this group and are offering big bucks for information related to Cl0p in order to get closer to arrests. (read more)

This one is worth the read. It highlights how broken our nonconsensual pornography laws are. Mocked by local law enforcement, these victims had to chase the case down themselves until it could not be ignored and the FBI got involved. “Some officers told Christine she should not have had the photos taken at all. Now well-accustomed to the judgment that came with having her intimate pictures stolen, she says she deployed a quick rebuttal: ‘Your wife doesn’t send you nudes? That must be so sad for you.’”

Infuriating details of how little was done before they did all the early heavy lifting themselves. The good news is the perpetrator was sentenced to 15 years in prison when all was said and done. (read more)

The big story of the week. Everyone is talking about this one, and rightfully so. Qakbot has been a menace for many in the industry and has wreaked havoc across the internet. I also remember, years ago, when researchers would gain control over a botnet, they couldn’t actually run the uninstall command on the malware because that was technically hacking as well. So they’d just sinkhole the command and control, leaving the botnet dormant. This time, the FBI actually pushed an uninstaller through the botnet's own infrastructure and wiped the malware off the Qakbot-infected machines. Huge kudos to all involved in this massive, coordinated international effort. (read more)

I’ve long talked about how lax the criteria are to get an app onto the Play Store or a Chrome extension into the webstore. Hell, I’ve even deployed a purposefully malicious extension for a BlackHat talk and titled it something like “Malicious App,” and it got in. Well, now a counterfeit version of the private messaging app Signal was discovered on Google Play and is believed to be connected to a Chinese espionage operation. This fake app, named "Signal Plus Messenger," was built from the real Signal code and designed to secretly spy on the user's Signal communications. It abused Signal's legitimate linked-devices feature: the malicious app silently linked the victim's Signal account to an attacker-controlled device, so every message was mirrored to the attacker without the user's knowledge. The check here is simple and worth doing: open Signal's settings, review Linked Devices, and unlink anything you don't recognize. (read more)

VMware Aria Operations for Networks, a suite used for managing and monitoring virtualized environments and hybrid clouds, has been found vulnerable to a critical authentication bypass flaw. This vulnerability, identified as CVE-2023-34039, stems from a lack of unique cryptographic key generation: the appliance ships with SSH keys that are the same across installations, so an attacker holding a copy can authenticate over SSH to any other instance without credentials. From there the usual follow-ons apply: data exfiltration, network disruption, and malware installation. The fix is to upgrade to 6.11, and it is worth confirming afterwards that each appliance really does present its own keys. (read more)
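A quick way to check for that root cause after patching is to compare SSH host keys across every Aria appliance you run (and any other appliance image, for that matter): no two independent installs should ever present the same key. The script below is an added example written for this newsletter, not VMware's code. It takes `ssh-keyscan` output (`host keytype base64-blob`), computes OpenSSH-style SHA256 fingerprints, and reports keys seen on more than one host; the appliance names and key blobs are constructed here so it runs offline. The same function works on collected `authorized_keys` lines if you prefix each with the appliance name.

```python
"""Report SSH public keys shared between hosts. Added example, not VMware's
code. Input format is that of `ssh-keyscan`: "host keytype base64-blob".
The appliance names and key blobs below are constructed for illustration."""
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus the unpadded base64 of the
    SHA-256 digest of the raw public-key blob."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> List[Tuple[str, str, str]]:
    """Parse ssh-keyscan output into (host, keytype, blob) tuples, skipping
    blank lines and '#' comment lines such as the server banners ssh-keyscan
    prints (they land in the capture if stderr was merged)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def shared_keys(entries: List[Tuple[str, str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Map (keytype, fingerprint) -> sorted hosts, for keys seen on more than one host."""
    groups: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for host, keytype, blob in entries:
        groups[(keytype, fingerprint(blob))].add(host)
    return {k: sorted(hosts) for k, hosts in groups.items() if len(hosts) > 1}


def ed25519_blob(pubkey: bytes) -> str:
    """Build the base64 wire blob for an ssh-ed25519 key from 32 raw bytes
    (RFC 4253 string encoding: length-prefixed type, length-prefixed key).
    Used here only to construct test data; the bytes are not a real key."""
    assert len(pubkey) == 32
    packed = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pubkey
    return base64.b64encode(packed).decode()


# Constructed fleet: aria-01 and aria-02 present the same host key, aria-03
# has its own. Host names and keys are made up.
KEY_A = ed25519_blob(bytes(range(32)))
KEY_B = ed25519_blob(bytes(range(32, 64)))
SAMPLE_KEYSCAN = f"""# aria-01:22 SSH-2.0-OpenSSH_8.2
aria-01 ssh-ed25519 {KEY_A}
aria-02 ssh-ed25519 {KEY_A}
aria-03 ssh-ed25519 {KEY_B}
"""


def report(text: str) -> List[str]:
    """Human-readable lines, one per shared key."""
    return [f"{keytype} {fp} shared by {', '.join(hosts)}"
            for (keytype, fp), hosts in sorted(shared_keys(parse_keyscan(text)).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_KEYSCAN) or ["no shared keys found"]:
        print(line)
```

In practice you would feed it `ssh-keyscan -t ed25519,rsa aria-01 aria-02 ... > keys.txt` gathered from a host that can reach the management interfaces. A hit on the constructed sample, or on your fleet, means the keys were baked into the image rather than generated on first boot, which is exactly the condition the advisory describes.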

I read the name of this one and said, “how the heck does that have so many records, and what could possibly be stolen?” Well, it turns out a lot. Don’t let the name fool you; this company is a healthcare-adjacent food company. “The information included customer names, Social Security numbers, driver license and state identification numbers, financial account and payment card information, medical record numbers, health information, treatment information, diagnosis codes, meal categories and costs, health insurance information and patient ID numbers.” (read more)

When I say security and privacy are life and death endeavors, I mean it. This isn’t hyperbole. If you are charged with the privacy of the users of your platform, and that trust is broken, it could mean dire consequences based on that person’s location or identity. We in the States take our Bill of Rights for granted some days and have to remember it is not an international document. Being a dissident or LGBTQ is still very dangerous in many parts of the world.

Our jobs are serious, and having a diverse talent set on our staff is important to remind us of worldly perspectives that are difficult to see for homogeneous teams. (read more)

Miscellaneous mattjay

It’s called defense in depth

Love a good BMW joke

As a New Yorker and a hacker this is offensive on so many levels

Upcoming Appearances

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay