🎓 Vulnerable U: #023
Cybersecurity & Mental Health, Unlimited Airline Miles, Microsoft Called Out, Russian Phishing in MS Teams
Read Time: 5 minutes
Can you feel it? Vegas is coming.
I think it’ll actually be colder there than the surface of the sun that is Texas, but I’ll still be taking as many meetings as I can by the pool. Find me to say hi or have a coffee or fizzy water with me. I won’t be drinking, and I’ll be hitting the gym in the mornings. If you choose not to go hard all week like that city is designed for, you won’t be alone.
Pulled some photos from BlackHat 10 years ago of my view about to give my presentation, Million Browser Botnet. We also had a guy with a monkey at the WhiteHat party… you know, normal Vegas things.
Sneak Peek at the Blog of the Week:
In this episode:
Cybersecurity and Mental Health
Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform
Microsoft… The Truth Is Even Worse Than You Think
Pentagon hit by ‘critical compromise’ of US air force communications
Threat Intel - Midnight Blizzard conducts targeted social engineering over Microsoft Teams
The Spies Who Loved You: Infected USB Drives to Steal Secrets
Ivanti discloses new critical auth bypass bug in MobileIron Core
Over 640 Citrix servers backdoored with web shells in ongoing attacks
A new incident database for AI-related incidents
Abusing AWS’s SSM agent as post-exploitation Remote Access Trojan
“PhishForce” - Vulnerability in Salesforce’s email services exploited for phishing Facebook accounts in the wild
🖊️ Something I wrote: A few hundred of you are new to Vulnerable U Newsletter since last week, and I’m guessing it’s from this post. Thanks for joining our community!
🎤 Something I said: Trying a new short format on the YouTube channel. Top headlines covered by me in under 10 minutes. Let me know what you think.
🔖 Something I read: Dan Guido from Trail of Bits met with the CFTC and explained how he believes AI will impact cybersecurity. He believes AI “has the potential to fundamentally change the balance between cyber offense and defense.”
Ever dream of having infinite airline miles and hotel points? Well… some hackers decided that might be possible and found a fun combination of bugs that made it possible. A series of vulns discovered and patched quickly this spring allowed the researchers admin access to Points.com, which runs rewards for most of the big airlines and hotels. This access would allow them to grant themselves miles, look up other users, and even transfer miles out of others’ accounts into theirs. A great write-up of all the tech details too. (Read More)
Tenable CEO Amit Yoran joined Senator Ron Wyden in condemning Microsoft’s cybersecurity practices this week. According to Tenable, they found a serious vulnerability in Azure that allows the secrets of their customers, including a bank, to be exposed. Most of the customers are unaware they are even at risk. Microsoft has been slow to respond, and the vulnerability isn’t fixed yet, with an ETA of September 28th for a patch that is … grossly slow.
This comes after Senator Ron Wyden criticized Microsoft over the Chinese threat actors who recently succeeded in stealing the O365 MSA keys, which we covered in recent Vuln U episodes. The frustration is not new. However, as Dave Kennedy and Justin Elze point out, they’ve been complaining that cloud vulns don’t get CVEs, which limits transparency, stat tracking, and risk discussions. (Read More)
I was just talking about TETRA having a backdoor causing encrypted radio comms to be at risk. Now we have an insider at Arnold Air Force Base who has stolen $90k worth of various government radio equipment. The feds raided his house and pulled out tons of admin Motorola software, USB keys with passwords and SSH keys on them, law enforcement radio programming files, etc. Don’t hack without permission, folks. (Read More)
These targeted social engineering campaigns are more aggressive by the day. They’re also incredibly successful. Microsoft Teams is an attack vector of choice lately, and the Russian government-backed threat actor, Midnight Blizzard, has been tracked using previously hacked O365 tenants to create new domains that mimic tech support. The attacks look really convincing; check out the IOCs and teach your teams what to keep an eye out for here. (Read More)
WHAT YEAR IS IT?! Infected USB Drives? I haven’t heard about malware spreading via USB in a minute. Mandiant reports a threefold increase in attacks using infected USB drives to steal secrets. It seems there are two major malware campaigns spreading this way, convincing folks to click a malicious EXE on the drives to install the malware. It also self-spreads to any other peripherals plugged into an infected machine. (Read More)
MobileIron Core seems to have a soft spot. I was unfamiliar with this software, but it is a popular mobile device management (MDM) solution that allows orgs to manage employee devices. The vulnerability is one of a few in the MobileIron Core software this year and allows unauthenticated attackers to access the API, steal users’ PII, and make changes to the server. The vendor won’t be patching since it is in an old version of the software that is end-of-life. Shodan shows 2,200+ MobileIron user portals publicly on the Internet. (Read More)
This one is a doozy. Reports are coming out that hundreds of Citrix servers have web shells on them from a CVE that, just a few weeks ago, was used as a zero-day against a U.S. critical infrastructure organization. A few research orgs are monitoring the exploit traffic, and a nonprofit, Shadowserver, has stated, “if you did not patch by July 20th, assume compromise.” The vuln impacts NetScaler appliances configured as gateways. (Read More)
“The AI Incident Database is dedicated to indexing the collective history of harms or near harms realized in the real world by the deployment of artificial intelligence systems. Like similar databases in aviation and computer security, the AI Incident Database aims to learn from experience so we can prevent or mitigate bad outcomes.”
This was much needed, and I’m glad it exists. It will help improve tracking and transparency as AI incidents become more common, with its usage skyrocketing. (Read More)
Anything can be a C2 if you try hard enough. This one is fun because AWS Systems Manager (SSM) is an already existing agent on Windows and Linux boxes that runs as root. Attackers using SSM to run their commands would likely evade detection in many cases since it is a trusted and signed binary. This also means the attacker wouldn’t need to upload a new bit of malware to the servers, which would likely trip a detection. Fun research! I wonder if this technique has been used and undetected before. (Read More)
Do I talk about phishing campaigns enough? This one is nasty because it actually uses a vulnerability in Salesforce email services and SMTP servers. The vuln allows attackers to send emails that look like they’re from Salesforce.com, and Google even marks them as “Important” in Gmail, adding to the phishing campaigns’ legitimacy. (Read More)
Ten years ago this week was my second BlackHat Talk. This attack would still 100% work:
Sherrod is being a bit loud for my taste on this one. Feeling called out.
I think being good at infosec just comes down to your level of clinical anxiety and if you're managing it through being freaked out at work vs. personal life.
— Sherrod DeGrippo 📬 (@sherrod_im)
Jul 28, 2023
This is how your emails find me
— 1984’s George Whorewell (@EwdatsGROSS)
Aug 2, 2023
How'd I do this edition?
It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen