🎓️ Vulnerable U | #060

Israel Spyware leaked, Palo Alto Networks 0-day, Change Healthcare $1B breach costs, US Government's problem with Microsoft, Spy Site Selling Discord Scraped Data, and more!

Author

Matt Johansen
April 18, 2024

Read Time: 6 minutes

Howdy friends!

My RSA Calendar is just about full. How about you? If you’re going, I, along with some of your other favorite infosec content creators and journalists, are hosting a party on Tuesday night at Reddit HQ. Decipher, TL;DRsec, Dark Reading, and Vulnerable U! Register if you want to come and say hi!

ICYMI

🖊️ Something I wrote: I dug into the rumored Telegram vulnerability on Twitter

🎧️ Something I heard: Scott Galloway’s outline of his experience with therapeutic Ketamine at a mental health clinic.

🎤 Something I said: My 90 second run down of today’s top story on Israel spyware

🔖 Something I read: I finished The Way of Kings by Brandon Sanderson. Was a perfect fantasy epic for me. I am taking a break from the series and reading a Stephen King book my friend gave me, but I am excited to come back to it.

Vulnerable News

Israel Tried to Keep Sensitive Spy Tech Under Wraps. It Leaked Abroad

I’ve long talked about delivering malware via ad networks. You can go watch my Blackhat talk from 2013, where I actually tested this out and successfully delivered malicious Javascript via an ad network and used it to DDoS websites. The combination of the advancement in ad networks' ability to target specific individuals and the desire of nation-states to deliver malware to target mobile devices sounds pretty dangerous to me.

Intellexa, a digital surveillance entity spearheaded by Tal Dilian, a former high-ranking officer in Israeli intelligence circles, developed a spyware system dubbed "Aladdin." The crux of Aladdin lies in its utilization of online ad networks as a vector for infiltrating iPhone and Android devices without requiring any user interaction. (read more)

Palo Alto Networks is dealing with an 0-day this week, and some researchers are noticing exploit traffic on the web already spinning up. Justin from TrustedSec shared what he was seeing, along with Greynoise.

Initial guidance recommended turning off a telemetry setting to mitigate, but later, that was found to be ineffective. Ars Technica also has a great writeup on this.

The POC code is out there, and it seems pretty trivial to exploit, so if you’re running these devices, I’d get on it fast, and honestly, by this point, start investigating what has happened the last few days on the boxes. (read more)

We’ve extensively covered this story as it unfolded a few weeks ago. Well, now that quarterly earnings are rolling in, UnitedHealth is starting to report the impact of this attack on their bottom line, and it’s absolutely massive. DIRECT costs in Q1 alone were $872 million, with the potential to exceed $1 billion. This doesn’t include the disruption downstream. Absolutely wild numbers here for a single ransomware attack. (read more)

Were you impacted by this attack?

I know a lot of people that were unable to get meds or care. I even know some small practice medical pros who couldn't get paid/bill.

Login or Subscribe to participate in polls.

Pretty cool attack technique I didn’t know about. They’re calling it “poor man’s SIM Swapping.” The gist: you can craft a malicious link that when clicked on a mobile device starts an outbound call. Calling this number automatically sets up call forwarding right then and there. Once the link is clicked and the number starts to dial, there is no prompt, warning, or way to stop it. So if this was done in the context of a phishing attack, 2FA codes would then be forwarded to the attacker’s number. (read more)

Shockingly, the U.S. government is very reliant on Microsoft to run …everything. From their computer’s OS to their email and identity servers, of course, Microsoft is everywhere and would be virtually impossible to remove at this point.

Pair that overreliance with a handful of high-profile nation-state compromises of Microsoft’s network and products in the last few years, and you’ve got some angry people in Washington. This article dives into that interdependence and how, even though there are some vocal critics of how Microsoft is handling its security posture, .gov keeps procuring more Microsoft services.

Fun throwback in this one to the SolarWinds incident where a bunch of victims couldn’t investigate the hack due to not paying for a high enough tier for Microsoft to have access to the right logs. (read more)

Wait. So you’re telling me that the XZ backdoor wasn’t the only backdoor ever? I thought that was it. We just happened to catch the one and only.

Recent reports from the Open Source Security Foundation and OpenJS Foundation suggest that the sabotage of the XZ Utils software might be part of a broader campaign targeting essential digital infrastructure. Several JavaScript projects, heavily utilized globally, were approached by individuals attempting to insert suspicious updates or gain maintenance roles. (read more)

Mandiant dropped a report and it made it all the way to CNN. (Read the full Mandiant report here) They detailed an investigation tying some incidents against critical infrastructure control systems, like water facilities in Texas, to Russian threat actor Sandworm. However, it isn’t Sandworm proper, but seems like an offshoot. This is an important detail because Sandworm is a meticulous nation-state group while this sub-group seems a bit more haphazard and opportunistic, which is a dangerous combo. (read more)

This is great. What if you wanted to exploit a company who had some open source projects? Those projects might have a path to you becoming a trusted contributor. And then your code submissions might start to run in CI/CD systems with some elevated privileges. Here is an expert from the article on how they did that:

“Step one was becoming a contributor. To do this, we had to submit a pull request that got accepted and merged by a DeepSpeed maintainer. Typically, engineers will submit PRs for bug fixes or feature additions, but we didn’t want to spend the time doing that. Instead, we decided to try submitting a typo fix – finding a typo in their documentation and submitting a PR that fixes that typo.

We fired up Grammarly and got to work.”

What an awesome attack technique. (read more)

A Spy Site Is Scraping Discord and Selling Users’ Messages

A service named Spy Pet is reportedly scraping messages from over ten thousand Discord servers and selling this data. It allows users to track individual Discord users' activities across various servers for a fee. Besides selling data to individuals, Spy Pet also offers its datasets to entities like AI researchers and law enforcement. (read more)

A popular phishing as a service provider got shut down by UK Police this week. Here are some details of what LabHost provided and cost:

The operation led to multiple arrests and the closure of over 40,000 fraudulent sites. (read more)

Shakeeb Ahmed, a former security engineer, was sentenced to three years in prison for hacking two decentralized cryptocurrency exchanges in July 2022, stealing over $12.3 million. Using his expertise in reverse engineering smart contracts and blockchain audits, Ahmed exploited a flaw to manipulate pricing data and siphon funds. Although he returned most of the stolen assets under negotiation, he kept a portion. Ahmed also laundered the stolen funds using cryptocurrency mixers and cross-chain bridges. (read more)

A flaw identified in PuTTY versions 0.68 through 0.80, known as CVE-2024-31497, allows the recovery of private cryptographic keys. This vulnerability arises due to the bias in ECDSA nonce generation using the NIST P-521 curve. The details of this one are for all you crypto nerds (where crypto means cryptography). Attackers could potentially exploit this to access unauthorized SSH servers or impersonate users by collecting 58 cryptographic signatures from server logs or signed Git commits. The issue has been addressed in PuTTY version 0.81, which now uses the RFC 6979 technique for key generation. (read more)

Miscellaneous mattjay

This may be the funniest SNL sketch I’ve seen in years. Ryan Gosling just doesn’t miss when he goes on. I loved his short about Avatar font being Papyrus, and his alien abduction skit with Kate McKinnon. But this Beavis and Butthead one is just brilliant.

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Upcoming Appearances

Today! If you read this early enough. I’m giving a talk at GreyNoise’s NetNoiseCon. https://www.greynoise.io/blog/netnoisecon-amplifying-the-future-of-infosec

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay