🎓️ Vulnerable U | #048

Massive Kubernetes Vulnerability, Mental impacts of Ransomware, Microsoft Threat Intel on Russian Threat Actor, Chrome Zero Day Detailed Writeup, Head of CISA gets swatted, and more!

Read Time: 12 minutes

Howdy friends!

I hope you’re all having a great week. I’ve noticed a few things from you all this week that are leading us to build a few new things. I’ve started getting a lot of emails, texts, and DMs with news stories folks want me to cover. Well, now you’ll find a way to do that down in the news section.

We’re also going to hit 10,000 readers this month which is a very exciting milestone for me. To celebrate, we have something really special planned that we’ll launch around then. Stay tuned, I think you all are going to love it.

One more request from me: are you a leader in the cybersecurity space? If you’re subbed to this newsletter, you most likely also care about mental health in some capacity. - I’m taking volunteers who are willing to get vulnerable and chat with me about their mental health journey. “Leader” is a loose definition here, so if you’re interested, reach out to me on Twitter, LinkedIn, or just reply to this email.


🖊️ Something I wrote: Have you nominated an awesome AI Security project yet? I’m collecting the Best of AI Security for 2023 - community vote and expert judging starts soon!

🎧️ Something I heard: A line in a new song going around social media - “If only you loved me like you loved getting high. I can’t let you go.” - and I’m just sending good vibes to anyone that resonates with that one. Hit me like a ton of bricks. Addiction sucks.

🎤 Something I said: Told my followers about a cool new iOS security/privacy feature

🔖 Something I read: I Shared My OCD Struggles with 11,000 Employees—Their Responses Showed Me the Importance of Vulnerability in Leadership

Vulnerable News

This one gave me a scare when I first got it sent to me. At first glance, this seemed really bad. Anyone with a Gmail account can access your Kube cluster?! Let’s dig in further:

A vulnerability in Google Kubernetes Engine (GKE) was uncovered, which could allow any Google account holder to take control of Kubernetes clusters due to a misconfiguration. This issue, codenamed Sys:All, affects an estimated 250,000 active GKE clusters.

Key Technical Details:

  • The vulnerability stems from a misconception about the system:authenticated group in GKE, which includes any Google authenticated account, not just those within the organization.

  • Attackers could exploit this by using their Google OAuth 2.0 bearer token, potentially leading to cluster control, data theft, or malware introduction. - Without a trace

  • Google has responded by blocking the binding of the system:authenticated group to critical roles in GKE versions 1.28 and up.

  • Recommendations include not binding the system:authenticated group to any RBAC roles and reviewing cluster configurations for unsafe bindings.

You can audit your GKE setup with these instructions: Google Cloud Docs

For a detailed understanding of this critical cybersecurity development, read the full article here. This story is a must-read for cloud pros.

Okay, this one hits Vulnerable U square in the face. Royal United Services Institute (RUSI) conducted a study on the mental impacts of ransomware on its victims.

The report breaks it down into 3 types of harm.

  • First-order harms: Harms to any organization and their staff directly targeted by a ransomware operation.

  • Second-order harms: Harms to any organization or individuals that are indirectly affected by a ransomware incident.

  • Third-order harms: The cumulative effect of ransomware incidents on wider society, the economy, and national security

Some of the folks in the study summarized by an article in the Register:

“A cybersecurity worker in the financial services industry, for example, pinned the stress of remediating ransomware on their heart attack, which ultimately required surgery to sort out.

Another, working for a charity, was hospitalized after their self-care went downhill following a ransomware attack. Dehydration caused by the excessive consumption of coffee, coupled with an insufficient intake of water and pre-existing medical conditions, led to health issues that required medical intervention…”

“…One RUSI interview with a security specialist working for a consultancy revealed that a ransomware attack was so mentally damaging, due to their personal identity being so closely tied to their professional success, that the incident drove them to the brink of suicide.”

I feel this all deeply. Those of us on the defense side can feel these pressures and the feeling of failure during an incident. Sleep deprived, malnourished, stressed, depressed, and just have to keep going. If you can relate and you’re out there reading this - I see you. (read more)

Ok you have to read this one section:

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself.”

This Russian threat actor hacked Microsoft to figure out what Microsoft knew about them.

Why you should care about this. (read more)

Following the previous story - kudos to the Microsoft Threat Intel team for then sharing guidance for those defending against this threat actor. Take advantage of a team this open about their detections who are willing to help the community out.

“Microsoft was able to identify these attacks in log data by reviewing Exchange Web Services (EWS) activity and using our audit logging features, combined with our extensive knowledge of Midnight Blizzard.”

I love these Microsoft public post-mortems. This one is particularly good because they go into detail about the various stealth methods Midnight Blizzard used, such as their low and slow password spray attacks via a residential proxy with high IP turnover from non-data center IPs.

If threat actors like this are a part of your threat model, I’d check this post out and see the detection suggestions towards the end. (read more)

18+ headline aside - I always find content moderation a fascinating problem set. Social media sites have huge armies of people and algorithms working hard to keep unwanted or illegal content off their platforms. However this is always just an arms race to see who can evade the current techniques. To this end you wind up with faceless spam accounts backed by tech savvy individuals bypassing input validation but penalizing actual people trying to follow the rules.

“"It feels unfair to see others posting content on Instagram that is not only against their TOS, but also is far more explicit than anything I've ever posted," Screams said. "I've tried reporting accounts that were posting actual porn, only to receive notification that the accounts or posts weren't violating the TOS. Instagram is such an integral part of the marketing strategy for many, many sex workers, and yet we are pushed off the platform because of our chosen line of work. It's infuriating to know there is actual porn being posted on the app and profited off of, yet sex workers have to censor ourselves down to the words we choose to use. It's discriminatory and a double standard, especially since so many sex workers do stick to the TOS and still face deplatforming." (read more)

Have a news story you think I should cover next week?

Give me the URL in the text box after you click Yes

Login or Subscribe to participate in polls.

We get these announcements a lot, generally from Google themselves, about 0 days in Chrome. Out-of-bounds memory issues are one of the more common bugs in Chrome as well, but it is a very in-depth skill to find these bugs. Hence their giant bug bounty payouts.

When Google finds these bugs themselves, we don’t get a really thorough write-up on them, though. That is not the case today! Exodus Intel found this bug, and this is a masterclass in exploit development for memory bugs.

Case in point. Here is how they lay out the exploit step by step. They go in-depth into each of these steps and the code they used to achieve each part:

“Exploiting this vulnerability involves the following steps:

  • Triggering the vulnerability by directing an allocation to be a FoldedAllocation and forcing a garbage collection cycle before the FoldedAllocation part of the allocation is performed.

  • Setting up the V8 heap whereby the garbage collection ends up placing objects in a way that makes possible overwriting the map of an adjacent array.

  • Locating the corrupted array object to construct the addrof,read, and writeprimitives.

  • Creating and instantiating two wasm instances.

  • One containing shellcode that has been “smuggled” by means of writing floating point values. This wasm instance should also export a main function to be called afterwards.

  • The first shellcode smuggled in the wasm contains functionality to perform arbitrary writes on the whole process space. This has to be used to copy the target payload.

  • The second wasm instance will have its shellcode overwritten by means of using the arbitrary write smuggled in the first one. This second instance will also export a main function.

  • Finally, calling the exported main function of the second instance, running the final stage of the shellcode.”

If you understood any of that, you should definitely get into browser exploit detection and go make some bank in bug bounty land. (read more)

“Written across the bottom of the video is a kind of disclaimer from Predatory Sparrow, the group of hackers who took credit for this cyber-induced mayhem and posted the video clip to their channel on the messaging service Telegram”

“the attack's damage was caused when the hackers used their access to the HMI to bypass a “degassing” step in the steel refining process that removes gases trapped in molten steel, which can otherwise cause explosions”

Talk about the physical consequences of a hack. It seems this hacking group popped into the infrastructure of this Steel Mill and caused a meltdown of molten steel, almost killing the factory workers. The security cam footage was… you guessed it… from a camera open to the Internet on Shodan. (read more)

“An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been attributed to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021.”

It's the 2 years of no detection for me. Thats rough. (read more)

First off - Greynoise is awesome. They’re using a series of Internet sensors and honeypots to get a vibe of what real attackers are doing, and this allows them to catch exploits for new CVEs that start to be actively exploited.

“These payloads are all leveraging a pair of vulnerabilities in Ivanti Connect Secure - CVE-2023-46805 and CVE-2024-21887, written about here, and with a public exploit available. You can also see the exploitation picking up on our tag.”

The whole post has IOCs and breakdowns of the files the attackers were pulling in via wget and curl once on the systems. Always fun to look behind the curtain on active exploit campaigns. (read more)

Troy Hunt, the operator of haveibeenpwned.com, came across a new list of usernames and passwords on a popular hacking forum. It was sent to him by a company that got it sent to them via their bug bounty. Usually these lists are old hat for Troy as his database is so flush already, this one however had only a 65% hit rate with his current data. So that means there is a net new 35% in this massive pile that he hadn’t collected yet. He did a sampling to confirm some of the passwords, including one of his own old passwords he recognized. (read more)

This is an interesting privacy leak in WhatsApp that was reported to the Meta bug bounty and told it was working as intended. The gist is just by knowing someone’s phone number you can enumerate the devices they are actively using for WhatsApp.

The impact, as stated by the author, could be targeted exploits, targeting “softer” devices rather than a known main device, or even personal leaks like someone in a domestic violence situation who has a secret second phone. (read more)

Some researchers at Varonis published this neat attack. Limited impact as it is hashed passwords, but leaking them would allow for offline brute force.

“One of Outlook’s features is the ability to share calendars between users. However, this feature can be exploited, as discovered by Varonis Threat Labs, by adding a few headers in an email to trigger an attempt to authenticate, redirecting the hashed password.”

“Attack scenarios

1 - An attacker crafts an email invite to the victim, pointing the “.ICS” file path to the attacker-controlled machine. By “listening” to a self-controlled path (domain, IP, folder path, UNC, etc.), the threat actor can obtain connection attempts packets that contain the hash used to attempt to access this resource. Many tools are used to perform this listening, and in the example above, Responder.py was used (the go-to tool for every SMB and NTLM hash attack).

2- If the victim clicks on the “Open this iCal” button inside the message, their machine will attempt to retrieve the configuration file on the attacker's machine, exposing the victim’s NTLM hash during authentication.” (read more)

It's interesting to see folks deploying ChatGPT to see if it is better at automated fact-checking across a data set. This is a hot topic as we’re in an election year, and the AI false information engines are already proving strong. I’m glad someone is fighting fire with fire and using AI to detect the false stuff as well.

“Our experiments show that fine-tuned GPT-3 models outperform the best baseline CNN-hybrid model in political statement classification.” (read more)

“Cybersecurity and Infrastructure Security Agency Director Jen Easterly’s home was swatted late last month, another incident in what has become a nationwide trend targeting state and federal government officials.

Police in Arlington County, Virginia, say they are investigating a 911 call placed slightly before 9 p.m. on December 30 that falsely claimed a shooting had occurred inside a residence on the block where Easterly lives.”

Nobody should be dealing with this. Someone is going to get killed. (read more)

mattjay king for a day action item - if your social media account could start a war or crash the stock market, two-factor authentication is required. (read more)

I made a video about this one on socials. If you missed it, super cool new iOS feature that is meant to buy you some time to defend yourself if your phone is stolen. It works by requiring Face ID or a security 1-hour lockout to perform any admin actions on a device that is not in its normal location. This can buy you time to mark it as stolen, or otherwise lock down your accounts. It is out now on iOS 17.3 (which you should update to anyway due to security patches) (read more)

From the weird grabbag - I’ve seen some objection to AI facial tracking and recognition, but now we’re using DNA to predict a face and then running facial recognition on that?

“Because modern facial recognition algorithms are trained neural networks, we just don’t know exactly what criteria the systems use to identify a face,” Garvie, who now works at the National Association of Criminal Defense Lawyers, tells WIRED. “Daisy chaining unreliable or imprecise black-box tools together is simply going to produce unreliable results,” she says.

“We should know this by now.” (read more)

I saw a lot of blog posts saying Tesla was hacked, and 24 0 days came out of pwn2own auto this year. Looking closer, that was a bit sensationalized, and most of the hacks were of the smart charging stations. Still interesting!

Here is a post from ZDI, who has long been in the 0day game, and they’ve done a huge deep dive on EV Charging hardware. (read more)

I’ve talked about Kostas’s awesome project here before, but he recently pushed a big update worth checking out if you’re in Threat Intel.

“Televiewer.py is the latest tool, allowing you to view and download all messages and media from the threat actor-controlled telegram channel.” (read more)

Miscellaneous mattjay


AI Art Poisoning tool Nightshade is now free! #ai #artificialintelligence #aiart #aiarttheft #aiartpoisoning #aimodels #artists #artistsof... See more

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Upcoming Appearances

Got to record with the Co-Founder of Tines on their podcast. Not sure when it goes live but the feed is here:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay🎓️ Vulnerable U | #048