- Vulnerable U
- 🎓️ Vulnerable U | #045
🎓️ Vulnerable U | #045
Mindfulness in Tech, Law firm that handles breaches was breached, Russia's devastating hack of Ukraine telecom giant, Google OAuth Session Token Revival 0-day, Orbit Chain lost $86 million, and much more!
Read Time: 10 minutes
Something in the air this week. We all had the Sunday scaries on steroids? Staring down a clean slate new year with a lot of pressure on who you want to be and what you want to achieve. It felt like a lot of people I bumped into this week were feeling that hard. Combine that with the burnout of traveling, cooking, entertaining family and friends for the holidays, and the fact that our bodies are 87% carbs and cheese at this point, and I think we all deserve a little grace.
Hope you’re back in the saddle and feeling good after dusting the first week off. It's like the first smudge on a new pair of sneakers - ok, we’ve broken in 2024. It's time to get to business.
Been thinking a lot about Mindfulness and wrote a blog about it this week:
🖊️ Something I wrote: A quick one on the difference between Goals and Systems
🎤 Something I said: A lot of you liked this video on TikTok and Instagram. Just me talking crap about some cool folks in Berlin who basically Jailbroke a Tesla and unlocked full self-driving for free and a secret “Elon Mode” (My favorite comment so far - “When you put it in Elon mode your wife leaves you”)
🔖 Something I read: I found this creator, Kyla Scanlon, who covers finance in a super approachable way. She wrote a fantastic piece on her 2024 outlook, rate cuts, and the Influence Apocalpyse
Between this and Mandiant’s Twitter account getting hacked this week - who watches the watchers? Who does Mandiant call for IR? Who does this law firm call about their breach?
These are always interesting breaches because the impact of a single breach can be much much wider due to their client list and the info they house. This was actually one of the ways Uber got popped last year, via their law firm.
“San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023.” (read more)
Duration of the Hack: The hackers were inside Kyivstar's system since at least May 2023.
Impact of the Attack: Services for approximately 24 million users were disrupted, causing significant destruction to Kyivstar's infrastructure.
Suspected Perpetrator: The attack is believed to be the work of Sandworm, a Russian military intelligence cyberwarfare unit.
Scope of Damage: The hack wiped out thousands of virtual servers and PCs, marking a major blow to Kyivstar's operational core.
Data Risks: Hackers potentially had access to personal information, phone locations, SMS intercepts, and possibly Telegram accounts.
Response and Recovery: SBU assisted in system restoration and thwarting subsequent attacks.
"This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable," he said. He noted Kyivstar was a wealthy, private company that invested a lot in cybersecurity.
The attack wiped "almost everything", including thousands of virtual servers and PCs, he said, describing it as probably the first example of a destructive cyberattack that "completely destroyed the core of a telecoms operator." (read more)
Folks have to worry enough about reporting this kind of thing. Now they have to worry about these crisis centers handling their data securely. This doesn’t seem like it was a targeted hack or anything and just a stolen computer during an office move, but it wasn’t encrypted and has a lot of victim information on it.
Sometimes the data being stolen is valuable because it is PII, sometimes just the fact that the data is there is the valuable part. Your name being on the customer list of this center in itself is something inherently private, even if there aren’t credit card numbers or some other PII. (read more)
This is a fantastic write-up on some infostealer malware packages out there and how they all raced to adopt a new zero-day that allowed them to maintain persistent access with a Google Session token.
The gist: There is an API endpoint called “MultiLogin” that is used to handle sessions between a user’s multiple browsers and Google services such as Gmail and YouTube. This endpoint can be abused to revive a session token that would’ve normally expired due to timeout.
Some interesting points of this story for me as a peak behind the malware dev curtain: The first group to find this flaw tried to implement it in such a way that would give them the edge over their competitor malware devs. That only bought them a few days.
“Lumma stealer first adopted the exploit on November 14, whose developers applied blackboxing techniques such as encrypting the token:GAIA pair with private keys to hide the mechanism from competitors and prevent the replication of the feature.
Still, others were able to copy the feature or incorporate PRISMA's exploit into their stealers, with Rhadamanthys being the first to follow on November 17.
Since then, numerous other information stealers have adopted the exploit, including Stealc on December 1, Medusa on December 11, RisePro on December 12, and Whitesnake on December 26.” (read more)
Whelp. It’s got a name and a logo, it must be a serious vulnerability. https://terrapin-attack.com/
We are sharing SSH CVE-2023-48795 (Terrapin attack) vulnerable instances found in our IPv4/IPv6 scans in our Accessible SSH report: shadowserver.org/what-we-do/net…
Nearly 11M instances (by unique IP) found vulnerable (~52%).
Background on the vulnerability: terrapin-attack.com
— Shadowserver (@Shadowserver)
Jan 3, 2024
This one sounds scarier than it is in reality as far as I can tell. It is very cool and detailed research but the real world implications seem small for now.
“At its core, Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake—the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for Binary Packet Protocol, which is designed to ensure that adversaries with an active position can't add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream.”
The only other risk it poses this article mentions is that it can allow for easier exploitation of previously hard to exploit vulnerabilities. (read more)
I’m not a crypto guy so I was unfamiliar with Orbit, so if you’re like me the TL;DR is that it isn’t a place that people buy crypto assets themselves, but it is more of a piece of behind the scenes blockchain infrastructure that acts as a multi-asset hub between various chains and services.
Now that we know what it is - we can understand why it was a bit shocking when the value on the chain went from $115M to $29M instantly. I’ll give you one guess on who the main suspect is. (If you’re a regular reader of this newsletter, you won’t need to guess)
North Korean fingerprints all over this one and their groups like Lazarus have been stealing crypto to fund their state operations for years now and had a very lucrative time doing it in 2023. (read more)
Healthcare is an industry I’ve not worked in, and it just seems like it is a rough spot for infosec. Underfunded as it is not a core competency, it is hard to attract talent against high-paying tech areas, and it’s a target-rich environment. Next time your doctor asks for your SSN, just tell them no btw. They don’t need it, I’ve gotten confused looks because nobody else tells those front desk people “no,” but it’s never been pressed.
HealthEC is a population health management platform that helps with lots of patient data analytics, engagement, and reporting. They got popped in 2023 which they disclosed recently and the attackers stole: Name, Address, DOB, SSN, Taxpayer ID, Medical Record Number, Medical information (diagnosis, diagnosis code, mental/physical condition, prescription information, and provider's name and location), Health insurance information (beneficiary number, subscriber number, Medicaid/Medicare identification, Billing and claims information (patient account number, patient identification number, and treatment cost information)
So basically, all the info you’d care about for those 4.5 million patients. (read more)
Quick and dirty useful writeup on some shifting malware techniques spotted in the wild by Palo Alto’s Unit 42.
TL;DR - JinxLoader is a new Go-based loader that was spotted delivering next-stage malware such as Formbook and XLoader. Uses phishing emails, imitating the Abu Dhabi National Oil Company, to trick recipients into opening a RAR archive, initiating the JinxLoader payload. (read more)
Fun little tool for the pentesters reading this. Prereqs include physical access to unlocked computer but the rest is super sleek.
A new keystroke injection tool, named WiFi-password-stealer, was developed using a Raspberry Pi Pico to exfiltrate stored WiFi data (SSID and Password) from computers. The tool, designed for security research, operates by mimicking user keystrokes to deploy malware and send WiFi credentials via email or store them on a USB drive.
Rubber ducky responsibly. (read more)
Turns out words matter. Google got sued because a court decided “private browsing” and “incognito mode” led users to believe they’d not be tracked by Google, which of course, isn’t true. They settled for $5 billion with a B. (read more)
This massive Airbnb & Vrbo scam came crashing down this month, and thanks to some court documents, we get a pretty detailed look into how the fraud was being committed.
The crux of it was this guy Shray Goel, and his team made tons of fake host accounts under various couples’ names. They’d double-book their high-end properties on purpose and then trick the victims into taking a replacement booking at a worse residence. All the while not refunding for the premium space.
It went so far as even listing completely fake premium houses that either they didn’t own or didn’t exist.
“They provided the guest with a false excuse as to why a booked property was unavailable, and then: (1) canceled the reservation, but resisted the assessment of any cancellation fees; (2) convinced the guest to move to an alternative property by falsely representing the alternative was comparable or an upgrade, and denied refunds if guests complained; or (3) lied to the rental platforms about the guest or the reservation to keep money from guests entitled to refunds.” (read more)
AI is going to revolutionize security! But first it’s going to allow some super low effort bug bounty reports to seem legitimate enough just long enough to waste some folks time. This is a funny read as the reporter is submitting code that isn’t even part of the project and is just ChatGPT making things up and you can tell they’re just going back to GPT in between responses.
Don’t do this. (read more)
A recent penetration test revealed a significant vulnerability in Bitwarden's Windows Hello implementation, allowing remote theft of all credentials from a user's vault without requiring the master password or biometric authentication. This vulnerability is now fixed in Bitwarden v2023.4.0.
Vulnerability Mechanism: Bitwarden's vault was not directly encrypted with the master password but with an account encryption key. Biometric unlock, implemented via Windows Hello, stored a copy of the derived key, which could unlock the vault.
Exploit Method: The derived key was stored using the Windows Credentials API and was protected by the Data Protection API (DPAPI). Compromising the domain controller allowed access to DPAPI backup keys, enabling the decryption of the Bitwarden vault without the master password. (read more)
Hey hackers - have you ever considered just ringing your target's doorbell and asking them to give you their password?
Modern problems require modern solutions.
— Matt Johansen (@mattjay)
Jan 2, 2024
This will… be interesting
Stable diffusion created a verification image of someone doing their KYC for a bank or similar.
This is so crazy!
— Aadit Sheth (@aaditsh)
Jan 4, 2024
I had the pleasure of talking to Dr. Stacy Thayer on her podcast CyberPsych
How'd I do this edition?
It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen