
🎓 VulnU #005: Your Personal Secret Weapon in Cybersecurity

From Lone Wolf to Pack Leader: Embracing the Power of Community

Read Time: 7 minutes

Vulnerable U Community,

Welcome to the latest edition!

Topic of the Week:

Success in tech? Go at it solo, build walls, and laser-focus.

...Yeah, not so much.

Let's dive into the value of community in cybersecurity. I'll share a snippet of my journey into the field and highlight the crucial role trust plays in helping organizations excel in their infosec efforts.

Today’s threat actors are organized, fast, and indiscriminate, targeting industries like education, healthcare, tech, and finance. Falling victim to phishing or ransomware attacks can be devastating, costing millions and leaking private data to the wrong hands.

How can having a community around you help with this?

Trust

A strong candidate for the word that gets thrown around most in our industry, and for so many different reasons. Trust between you and a computer via a password. Trust between servers with a certificate. Trust that companies are protecting user data. Trust between leaders and their employees to steer the infosec ship in the right direction.

How about your personal trust within the industry as a whole? Our personal brands are actually a tool we wield in helping us do a better job at work.

Let's look at two scenarios:

  1. You're an active community member, attending conferences, sharing research, open-sourcing tools, and mentoring others. When you need help, finding a team member or gathering intelligence on attacks targeting your organization becomes easier because of the relationships you’ve built.

  2. You're not involved in the community, using social media platforms just to self-promote and engage in trolling or toxic arguments. When you need help, seeking introductions or finding a new job becomes challenging because you haven’t given enough to start asking what you can take.

I think you see where I’m going and where confidence among the community can be helpful.


The ShmooBus and the Broke Kid

When Twitter emerged during my university days on Long Island, I was amazed that I could engage in conversations with established infosec professionals. Those interactions led to friendships and my first-ever security conference, Shmoocon. A group of infosec pros in Boston rented an RV, dubbed it the ShmooBus, and agreed to pick me up on the side of I-95 on their way to D.C. (this is me casually leaving out my family’s reaction to telling them I was going to get in an RV with a stranger from the Internet named Jack Daniel). This unforgettable trip introduced me to people who would become long-term friends and future employers.

Shmoocon led me to meet individuals from LiquidMatrix, who allowed me to contribute to their blog under the pseudonym "Security Intern." I posted a daily news round-up for them, which, now that I think about it, means I've been doing this newsletter thing for 15+ years! During that same trip around the sun, I attended Black Hat and DEF CON in Las Vegas, still broke as a joke. But while there, I continued to meet and grow relationships with folks who would later hire me or provide invaluable support in my career.

What’s the point of me sharing this now? I couldn’t imagine my career taking form the way it did had I not built trust in the community. Not to mention, if you fast forward 15 years, some of my closest friends are people I met during that time. Being vulnerable about how little I knew and inserting myself into uncomfortable situations. Trusting that the community I was building around me would catch me and be worth it. Spoiler alert: I was right.

I’m keeping it to the cliff notes, but do you want to hear this whole story? Reply to this email or hit me on Twitter. I’ll either share with you or include the full story in next week’s letter.

Elective Reading

Here are some things I’m reading right now and some cliff notes or thoughts:

Love when good security tips break out of our echo chamber. Good overview of YubiKeys in the WSJ, using some quotes from friends to back it up.

Speaking of 2FA - love Tall Poppy and their team/mission. They've got a good write-up about recent changes on Twitter, where SMS 2FA will no longer be a free feature.

“Starting in late March, only paid Twitter Blue users will be able to receive 2FA codes via text message. Non-paying Twitter users will still be able to secure their accounts with two-factor authentication, but they will have to use a physical security key or an authenticator app. We recommend you make the switch to a physical security key or an authenticator app regardless of your Twitter Blue status.”

Mandiant’s report on APT43 - North Korea.

“APT43 buys hash rental and cloud mining services to provide hash power, which is used to mine cryptocurrency to a wallet selected by the buyer without any blockchain-based association to the buyer’s original payments—in other words, they use stolen crypto to mine for clean crypto.”

A good Wired article on it as well:

Speaking of mainstream - Microsoft has been hot on the AI chatbot market throwing tens of billions at the effort and even launching new features in Bing. But this week they also announced some targeted help for cybersecurity folks.

Interested to see what they come up with. I know there are plenty of ideas floating around for how ChatGPT-4 and beyond will impact the security field.

“Engineers inside Microsoft have been using the Security Copilot to do their jobs. "It can process 1,000 alerts and give you the two incidents that matter in seconds," Jakkal said. The tool also reverse-engineered a piece of malicious code for an analyst who didn't know how to do that, she said.”

I've seen some other evidence of ChatGPT being pretty good at finding vulns in code as well. We'll see what's to come!

Related to the 3CX supply chain compromise, here is some preliminary information:

➡️ Downloading the MSI installer from the official website serves you with the malicious, weaponized version of the application.

💡 If you have the application installed, Update.exe will reach out to download the malicious version. CommandLine: C:\Users\\AppData\Local\Programs\3CXDesktopApp\app\Update.exe --checkForUpdate hxxps://hdcav.wa.3cx[.]us/electron/update/win32/18.x.x.x

➡️ The full path of the process responsible for reaching out to the malicious domains is: C:\Users\\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe

➡️ FFmpeg.dll has been altered by the threat actors to run additional code.

➡️ The malicious encrypted payload has been downloaded from GitHub. Here is the full URL: hxxps[://]raw[.]githubusercontent[.]com/IconStorages/images/main/icon9[.]ico

(h/t @Kostastsale on the summary)
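To turn the indicators above into something you can actually run against telemetry, here is an added example (my own code, not part of the newsletter or of Kostas's summary) that refangs the two defanged URLs quoted above and matches them against process-creation and network-connection events. The log format is a constructed key=value style standing in for whatever your EDR exports, the username "alice" and timestamps in the sample lines are made up, and the indicator list is only what this page quotes, not the full set published for the 3CX compromise. Note the design choice: raw.githubusercontent.com is a shared legitimate host, so it is only matched as the exact payload URL, while the attacker-controlled 3CX look-alike host is matched by hostname alone.

```python
import re
from urllib.parse import urlparse

# Indicators as quoted in the newsletter's 3CX summary, kept defanged as published.
DEFANGED_INDICATORS = [
    "hxxps://hdcav.wa.3cx[.]us/electron/update/win32/18.x.x.x",
    "hxxps[://]raw[.]githubusercontent[.]com/IconStorages/images/main/icon9[.]ico",
]

# Constructed sample events (hypothetical key=value EDR export; user "alice" is made up).
SAMPLE_LOG = [
    'ts=2023-03-29T10:02:11Z event=process_create image="C:\\Users\\alice\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\Update.exe" cmdline="Update.exe --checkForUpdate https://hdcav.wa.3cx.us/electron/update/win32/18.x.x.x"',
    'ts=2023-03-29T10:02:14Z event=net_connect image="C:\\Users\\alice\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\3CXDesktopApp.exe" url="https://raw.githubusercontent.com/IconStorages/images/main/icon9.ico"',
    'ts=2023-03-29T10:03:00Z event=net_connect image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" url="https://raw.githubusercontent.com/example/repo/main/README.md"',
    'ts=2023-03-29T10:03:30Z event=net_connect image="C:\\Windows\\System32\\svchost.exe" url="https://example.com/"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Convert a defanged indicator (hxxp, [://], [.] or (.)) back into a real URL."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)(?:\[://\]|://)", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".")


def build_watchlist(defanged):
    """Split indicators into exact URLs and hostnames that are safe to match alone.

    Every indicator is matched as a full URL. Only hosts that are not a shared
    public service are also matched by name, so ordinary GitHub traffic is not flagged.
    """
    urls, hosts = set(), set()
    for ioc in defanged:
        url = refang(ioc)
        host = urlparse(url).hostname.lower()
        urls.add(url.lower())
        if host != "raw.githubusercontent.com":
            hosts.add(host)
    return urls, hosts


def parse_event(line: str) -> dict:
    """Parse one constructed key=value log line; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def match_event(event: dict, urls: set, hosts: set):
    """Return a reason string if the event touches a listed indicator, else None."""
    url = event.get("url") or ""
    if not url:  # process-creation events carry the URL inside the command line
        m = URL_RE.search(event.get("cmdline", ""))
        url = m.group(0) if m else ""
    url = url.lower()  # indicator comparison is case-insensitive by design
    image = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    host = urlparse(url).hostname if url else None
    if url in urls:
        return f"exact URL match from {image or 'unknown process'}"
    if host in hosts:
        return f"indicator host {host} contacted by {image or 'unknown process'}"
    return None


def hunt(lines, defanged=DEFANGED_INDICATORS):
    """Run the watchlist over log lines; returns (timestamp, reason) per hit."""
    urls, hosts = build_watchlist(defanged)
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = match_event(ev, urls, hosts)
        if reason:
            hits.append((ev.get("ts", "?"), reason))
    return hits


if __name__ == "__main__":
    for ts, reason in hunt(SAMPLE_LOG):
        print(ts, reason)
```

Running it flags the Update.exe check-in and the icon9.ico download, and leaves the unrelated GitHub fetch and the example.com connection alone. Swap `SAMPLE_LOG` for your own export and extend `DEFANGED_INDICATORS` with the vendor's full list as it is published.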

No-interaction Outlook 0-day, with exploits seen in the wild starting April 2022. But the scary part: “Exploitation of CVE-2023-23397 leaves very few forensic artifacts to discover in traditional endpoint forensic analysis.”

Phishing simulation and education company Hoxhunt ran a cool study pitting ChatGPT against human-written phishing messages to see who would win. So far we humans are safe, beating out the robots at convincing other humans to click links.

And just for laughs.

Community Spotlight:

I've talked about this a few times and I really do love the idea. Librarians and teachers, many of whom actually have master's degrees, generally with focus areas in research. They are also experts in cataloging and presenting information to an audience trying to learn.

And speaking of, there are a few success stories here I can actually share.

If you don’t know InfosecSherpa on Twitter, you really should. She is one of the best examples of this transition as a librarian in infosec. Luckily for me she worked for the New York Times and did an interview all about her career transition as well: (link to interview)

When asked: What is the biggest challenge you faced in your career and how did you overcome it? Knowing what you know now, would you do things differently?

Tracy said:
“Prior to working in Information Security, I was a librarian. When I decided that it was time for a career change about five years ago, I looked to tech and eventually realized that my natural paranoia and distrust of things made me suitable for a career in cybersecurity. (That’s a joke… sort of.)

The biggest challenge was the learning curve going from Library Science to Computer Science. Learning about computer networks and security threats required me to use a different part of my brain. I had to learn new skills and learn the ways of a completely different industry. I studied very hard every chance I got and I don’t think I would have changed a thing.”

Love it. Glad you’re here Tracy. Even if we root for a lot of the opposite sports teams.

Check her linktree here: link

Please write to me and share stories or anecdotes for this section. It goes very well with the theme of being vulnerable together. I’d especially love to hear about your failures. What is a time you failed? What did you learn? How did it change your life?

Extra Credit:

Help Us Grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them! As of now, spread will just be by word of mouth.

Parting Thoughts:

Let me know how I can help, as always. If there's a topic you'd like to see covered in a future edition of the newsletter, or if you have any questions or concerns, please don't hesitate to reach out. I'm always happy to hear from our readers and help in any way I can.

Stay safe, Matt Johansen
@mattjay