🎓️ Vulnerable U | #043

Merry Christmas, FBI Disrupts Blackcat aka ALPHV, Comcast Xfinity breach impacts over 35 million, MongoDB breach investigation ongoing, Lapsus$ GTA 6 hacker apprehended, Google OAuth bug, and more!

Read Time: 4 minutes

Howdy friends!

Merry Christmas! I’m enjoying some time off, but I wanted to get a quick one out to all of you.

Look how festive I am

An idea I’ve been sitting with a lot recently might resonate with many of you, and I wanted to share it. I’ve had conversations with a fair number of mental health professionals in recent years, and one theme kept popping up for a lot of people.

The phrase that sticks out to me here is “Be an active participant in your life.”

How often do we feel like life is just happening to us? Going through the motions. Or worse, avoiding going through the motions altogether and just shutting down.

What would the next few weeks look like if you were an active participant in them? What about 2024?

You open two gifts every morning. Your right eye and your left.

Challenging myself and all of you to be an active participant in everything we do. No escaping into our phones, alcohol, drugs, or whatever your avoidance mechanism of choice is.

We got this. And we’re not alone.

ICYMI

🖊️ Something I wrote: I know the holidays aren’t a happy time of year for everyone. But I hope if you get some time off, you use it to connect with some other people out there. Here is a piece I wrote about how powerful that is.

🎧️ Something I heard: We need to talk about the GTA Hacker

🎤 Something I said: Rethinking my overall YouTube approach, but keeping up on shorts there and TikTok.

🔖 Something I read: Finishing up Mistborn in some downtime.

Vulnerable News

This was an absolute tug of war to watch unfold this week. I’m not sure the dust has fully settled, but here is what we know:

December 10th, 2023: ALPHV primary domain goes offline; the administrators say it is a hardware failure

December 10th, 2023: Rumors circulate that it is LE (law enforcement) taking down ALPHV

December 11th, 2023: ALPHV denies the allegations

December 19th, 2023, 7:26AM EST: ALPHV domain seized

December 19th, 2023, 7:42AM EST: ALPHV states this is the old domain and it doesn't matter

December 19th, 2023, 9:56AM EST: United States Department of Justice releases an official statement on the seizure of the ALPHV domain as well as the compromise of their servers

December 19th, 2023, 12:34PM EST: ALPHV unseizes the domain and threatens retaliation against the United States (and associated entities) by allowing affiliate attacks against critical infrastructure (timeline thanks to @vxunderground)

Here is the unsealed search warrant

And the official statement from the DOJ

Then, during all of this, it seems LockBit and ALPHV, who are generally competitors in the ransomware-as-a-service space, are talking about joining forces against US law enforcement.

Nothing like a common enemy to bring us together, eh? (read more)

Gotta hand it to the state of Maine. Its breach disclosure law is forcing a lot more transparency.

This breach notification filed with Maine is how we got the number of impacted Comcast customers: 35.8 million, including 50,000+ in Maine.

It also seems this is another victim of Citrix Bleed, which I think we’re criminally under-discussing this year. It is up there with MOVEit in the number of impacted victims.

“The hack resulted in the theft of customer usernames and hashed passwords, according to Xfinity’s notice. Meanwhile, ‘some customers’ may have had their names, contact information, the last four digits of their social security numbers, dates of birth, and / or secret questions and answers exposed. Xfinity has notified federal law enforcement about the incident and says the ‘data analysis is continuing.’” (read more)

MongoDB announced a breach, and the details are still coming out as a developing story. The page linked here is the live updates they are publishing; kudos to them for the transparent response.

Alright, this one caused some viral shitposting on socials because of one particular line in this BBC article that we all had some fun with.

This, of course, gives an image of an elite hacker using a Firestick to pew pew to a satellite and hack into the mainframe. A very “Tony Stark was able to build it in a cave with a box of scraps!” vibe.

Of course, his phone is doing the heavy lifting here, with the Fire Stick and TV being basically a monitor. But there are some deeper issues here.

Apparently, besides the hacks, the guy is suffering from some mental health issues, has been deemed unfit to stand trial, and is accused of a fair bit of violence. (read more)

My buddy Dylan over at Truffle Security did a cool thing. Using some creative ways that Google handles identity around email, and the way SaaS providers let you log in with Google, Dylan has been able to set up “shadow” accounts in corporate SaaS tools that don’t get caught by the managed tenant.

Here’s a timeline of events:

  • August 4th: Disclosure to Google, informing them that hundreds of applications are likely affected

  • August 7th: The issue was triaged

  • October 5th: Google paid $1337 for the issue

  • November 25th: Bulk private disclosure to dozens of impacted applications (including Zoom and Slack)

  • December 16th: Public disclosure, 134 days after notifying Google

“If you’re reading this thinking to yourself ‘Dang, I gotta stop disgruntled people from accessing our Slack until the end of time’, there’s good news. All you have to do is disable login with Google, and strictly enforce SAML.”

Check the whole post and the YouTube video to see how the bug works, along with some caveats on remediation. (read more)

Miscellaneous mattjay

In a thread on the GTA hacker

I’m down to watch it this week…

Listen

Upcoming Appearances

  • a couch with stretchy pants

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay