🎓️ Vulnerable U | #052

One Year of Vulnerable Us! Lockbit Takedown, I-S00N leaks, Stolen biometrics to hack bank accounts, Massive ScreenConnect vulns, UnitedHealth breach, DOJ hacks home routers to monitor Russians, Biden Executive order on port security, and much more!

Read Time: 9 minutes

Howdy friends!

One whole year. 52 weeks. It’s a big deal! The community we’ve grown in that time is so much bigger than I ever expected too. Genuinely, I’m so happy you are here. This is something I love doing - talking about mental health and sharing cybersecurity news. It’s even better to know you are all enjoying it too.

I’m working on something to show my gratitude that I think you all will love. Stay tuned!

ICYMI

🖊️ Something I wrote: Been exploring some new stress management techniques and wrote about them last week.

🎧️ Something I heard: My good friends Jen Leggio and Dennis Fisher having a great convo on the Decipher podcast.

🎤 Something I said: Honestly, I said a lot this week. There was a lot to talk about! I went a bit reel-happy over on IG and TikTok.

🔖 Something I read: We have a lot of work to do on the road to address mental health issues in our country, but we celebrate the wins. Here’s a win.

📣 Sponsor

What can defensive engineers learn from their EDR?

For many, EDR tools can seem like a well-executed illusion. In our upcoming webinar, Prelude’s Principal Security Engineer and author of “Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems” unpacks the black box that is the modern EDR.

Join us on February 29th at 2:00pm EST for a deep dive into:

→ How an EDR differentiates itself from other endpoint protection platforms
→ A breakdown of the sensors and agents that make up the modern EDR
→ How to leverage the capabilities of your EDR to craft better protections

Vulnerable News

This has been a wild ride - China is having its own Edward Snowden moment, and one of their APT groups had a leak of a lot of their operations docs, capabilities, and some of their stolen data. It all started in this Twitter thread where a threat intel researcher who spoke both English and Mandarin got busy translating as we followed along in real time.

If you follow my socials, you’ve seen me make a few videos about this one.

Highlights: State-sponsored hacking group capabilities exposed, including social media account monitoring, hacked telecom companies from various countries, hardware and wifi hacking devices, and more.

Lots of content on this one in the last few days, but BushidoToken’s summary has been the best for me: (read more)

You’ve seen this news already unless you’ve been living under a rock. The LockBit takedown seems like it was massively coordinated across a number of global law enforcement entities. Not only did they take the Onion site offline, but they also put up this nice advent calendar that gives us some dates to look forward to when they’ll be releasing more information on one of the world’s largest ransomware crew operations, including their methodologies for initial access, info on their affiliates, and upcoming arrests. (read more)

A few things on this one. Is this really the first-ever iOS trojan? I was baffled when I read that. Second, this research group says that they have found evidence that a Chinese hacking group is using an iOS trojan to steal face ID scans, then recreating the digital face into an AI deepfake and using that to access your bank account. This is terrifying, honestly.

The attack works like this: social-engineer victims into installing a “government services” app on their phone. The attackers then get them to load a full MDM profile, which lets the attackers do anything on the device. They load up more malicious apps that pretend to be government apps and have the victims scan their faces for biometrics and scan their ID documents. They then use this info to create an AI deepfake of the victim.

So if you get locked out of your bank account and go through an account recovery process, there are new providers that will make you scan your ID and your face. This hacking group seems to be defrauding that process with stolen iOS biometric data and AI deepfakes. I had to read this a few times to believe it was real. Wild! (read more)

This bug is about as bad as they get. The software is widely used, the bug is easily exploited, and a POC is available. From the time I grabbed this link for the news story to the time I’m writing this, a number of ransomware groups have begun to use this exploit in their arsenal. Shodan shows almost 9,000 ScreenConnect boxes open on the internet, mostly unpatched. That is just what is exposed on the internet; ransomware groups are good at various other initial access methods, and once inside, this vuln would be lights out. Check this super easy POC video.

Thanks, John and the Huntress crew, for how well you handled this disclosure. (read more)

We don’t know much about this one, but it seems big. UnitedHealth and Change Healthcare are enormous healthcare providers, and Change even runs background infrastructure for the whole healthcare system: payment processing, pharmacy ops, coverage validation, and care coordination. They’ve been down since Wednesday, and the 8-K filing is light on details. They say it was nation-state aligned, which can mean a lot of things, but this certainly smells like ransomware to me.

“Pharmacies across the U.S. are reporting that they are unable to fulfill prescriptions through patients’ insurance due to the ongoing outage at Change Healthcare, which handles much of the billing process.” (read more)

This is something I’ve been talking about for a bit in regard to the Volt Typhoon stories we’ve covered in the newsletter. The FBI has said Volt Typhoon is currently sitting in wait on our critical infrastructure routers. Here is evidence of Fancy Bear, a Russian threat group separate from Volt Typhoon (China), which has compromised a bunch of US residents’ home Ubiquiti routers.

The DOJ has granted special permission to the feds to hack into the same US routers in order to monitor Russian activity. They then notified the impacted folks, basically saying, “Hey, you were hacked by Russia, then you were hacked by us to prove it and chase the Russians out; you really have to factory reset all of your hardware and patch it when it comes back online.”

I’m predicting we’re going to see a similar course of action to oust Volt Typhoon wherever the FBI and CISA think they see them. (read more)

Executive orders vary in effectiveness. I like to see it, though; ports are some of the economy’s most critical infrastructure. I’d wager that the software running the cranes that unload shipping containers is probably not written in Silicon Valley. This brings up a big supply chain risk if we aren’t in control of our own destiny here. This order at least sets a minimum bar of security best practices for port operators; whether they follow the rules or just get their rubber stamp is yet to be seen.

“These cranes, because they are essentially moving the large-scale containers in and out of port, if they were encrypted in a criminal attack, or rented or operated by an adversary, that could have real impact on our economy’s movement of goods and our military’s movement of goods through ports.” (read more)

Thinkst canaries are awesome. They have a free version of their tokens that you can check out on canarytokens.org, which is always super cool of them. But if you use the free versions, Truffle figured out that you can enumerate the AWS account IDs for Thinkst, which makes these particular canaries super easy to detect.

So, if you want to run AWS canary tokens, you’re going to want to run a private canary server or a paid Thinkst server.

I got this wrong on Twitter when I first talked about it. Thanks so much to Haroon for writing me and setting me straight. I originally didn’t realize that it only impacted the free canaries that use the public servers. Also, thanks to Dylan at Truffle for open-sourcing this and raising the cloud security bar for everybody. (read more)

  • Google discovered malicious code from Variston in July 2022, targeting major browsers and operating systems with zero-day exploits.

  • Variston tried to maintain a low profile, with strict policies against employee disclosure of their workplace and vague public-facing information.

  • The company was founded in 2018, and after acquiring Truel IT, it developed exploitation frameworks targeting various operating systems.

  • Variston's primary relationship was with Protect, a UAE-based company, which significantly influenced its operations and funding.

  • Following exposure by Google and changing circumstances with Protect, Variston is reportedly shutting down, indicating the volatile nature of the offensive security industry and the significant impact of public exposure and financial dependencies. (read more)

If you have a wifi camera at home and are relying on it for any of your home security, I’d consider your threat model a bit. Here is some evidence of nine different home burglaries where the burglars knocked the cameras offline with a wifi jammer. These jammers are obviously illegal but are easily obtained or cheap to make.

There are some alternatives like PoE or other non-wifi cameras you can look up if this feels like an attack you’d be worried about. (read more)

Here is the news story that Rachel is commenting on: link

First off, I’m proud of this columnist for sharing this story in detail as much as they did. I saw a lot of reactions to this piece, making fun of them and saying they’d never fall for this. While it’s true some of us would’ve sniffed this scam out at some point, Rachel does a great job in this article describing what the scammer did well to get the victim to comply. Building trust in them, sowing distrust of people around the victim, building a sense of embarrassment, and setting up a sense of urgency.

I know I’ve been scammed before; I’ve fallen for phishing emails or texts. I’m just glad none of them have ever cost me $50k. (read more)

I saw a tweet on this one by @haxrob that summed it up best: “This is wild. Your own Kali Linux box in the ☁️ with inbound connectivity for reverse shells - requiring no signup at all.”

I know some bug hunters in my audience would find this one useful. (read more)

The "Silent Sabotage" article from HiddenLayer Research discusses a security vulnerability within Hugging Face's Safetensors conversion service. This flaw allowed attackers to inject malicious code into machine learning models, potentially compromising a wide range of applications. The researchers demonstrated the exploit by impersonating the official conversion bot, highlighting the potential for significant supply chain risks within the machine learning ecosystem.

  • Vulnerability in Hugging Face's conversion service.

  • Potential for injecting malicious code into machine learning models.

  • Demonstrated exploit via bot impersonation.

  • Highlighted supply chain risks in the machine learning ecosystem. (read more)

CrowdStrike has a unique view of the world, being that they’re absolutely everywhere. They’re an EDR vendor with visibility into tons of malware on corporate devices, and I’m always a sucker for good data visualization and reports from vendors like this. (read more)

Came across this as Bushido wrote the I-S00N summary in the lead story. He also released his personal OPSEC advice, and it was too good not to share. I get asked a lot, “How can I do better at my personal cybersecurity?” and here are some really good starting points. (read more)

Well, the meme game of the NSA just got weaker. So long, Rob, and thanks for all the fish. salute (read more)

We’ve covered some Microsoft breaches in the last year, and they’ve caught more and more heat about how their security logging services charge a premium to enable. Basically, .gov is saying you really can’t charge for seatbelts if you’re selling a car. It seems they’re starting to come around and giving away a lot of security logging for free. (read more)

I can’t express this clearly enough: I hate this so much. Avast was selling people anti-virus and VPN services under the guise of privacy and security, then turning around and selling their browser history to data brokers. Also, the $16.5 million fine is hilariously low, and nobody will learn anything from this. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay