- Vulnerable U
- 🎓️ Vulnerable U | #049
🎓️ Vulnerable U | #049
Cloudflare Hacked Again via Okta Breach, Police arrest 17 year old prolific swatter and 19 year old Scattered Spider hacker, Microsoft Breach Follow Ups, FBI Director warns of massive Chinese critical infrastructure hacking operation, New Container breakout vulnerabilities, CISA demands Ivanti be ripped out, and more!
Read Time: 10 minutes
There is a lot of news this week, so I'm just going to jump right in. Hope you all are having a great one.
Very personal blog of the week, hope it encourages you to explore some things you’re feeling:
🖊️ Something I wrote: Last week to get nominations in for Best of AI Security 2023. Community voting starts next week, followed by an expert judges panel.
🎧️ Something I heard: This elder emo thoroughly enjoyed this rendition of I’m Not Okay by @aislinnd17 on TikTok.
🎤 Something I said: Our top story this week in thread form. Plus a high quality meme response by MalwareBytes.
🔖 Something I read: Dan’s short piece to make you ask yourself how you feel about Mondays
The Okta hack that keeps on giving! This is a doozy of a write-up from Cloudflare, and I appreciate their thorough response, transparency, and detail on this one.
In case you forgot or missed it, Okta was breached this past fall, and Cloudflare was one of the companies caught in the splash damage. Well, this week, they revealed even after rotating all the access tokens after the Okta breach, they must’ve missed a few, and those 4 missed tokens were used by the hackers to reestablish persistence on Cloudflare’s network via a self-hosted Atlassian server.
From November 22nd to January 5th, Cloudflare then proceeded to undertake a massive incident response effort:
“We undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in our global network including all the systems the threat actor accessed and all Atlassian products (Jira, Confluence, and Bitbucket)”
HugOps to the holiday crew who had to do all that.
To take it even further, the hackers attempted to pivot to a server in a new data center in Brazil, but they were unsuccessful. In an extreme step of caution, Cloudflare returned all of the hardware at that data center to the manufacturers. I’d like to have been a fly on the wall when the call was made to replace all the hardware in a data center, just in case. Kudos.
I’m skimming over a bunch, and the report is really detailed, including some things other companies should look for if they were involved in the Okta breach. Definitely take a read of the whole thing. (read more)
Some of these hacking groups have become quite the prolific Swatters in recent years. Turns out they start swatting the wrong kinds of powerful people who put enough pressure on FBI and local law enforcement to hunt them down.
“For more than a year, the United States Federal Bureau of Investigation has been hunting the person whom experts say is one of the most prolific swatters in American history. Law enforcement now believes they have finally arrested the person responsible. A 17-year-old from California is allegedly the swatter known as Torswats”
Swatting is no joke and I’m bummed it’s become a meme that teen hackers treat like one. (Non paywall coverage here)
“Alan Winston Filion, 17, was arrested on 18 January at his home in Lancaster, Los Angeles County, and extradited to Seminole County, Florida, where he was charged with four felonies related to making a false police report of a mass shooting at a local mosque in May 2023.” (read more)
The best kind of “Florida Man” headline ever. If you’re a long-time reader here, we’ve talked extensively about Scattered Spider.
“Prosecutors say Noah Michael Urban (19) of Palm Coast, Fla., stole at least $800,000 from at least five victims between August 2022 and March 2023. In each attack, the victims saw their email and financial accounts compromised after suffering an unauthorized SIM-swap”
I especially like that Krebs talked to Allison Nixon:
“Allison Nixon, chief research officer at the New York cybersecurity consultancy Unit 221B, said the increasing brazenness of many Com members is a function of how long it has taken federal authorities to go after guys like Sosa. (Urban)
“These incidents show what happens when it takes too long for cybercriminals to get arrested,” Nixon said. “If governments fail to prioritize this source of threat, violence originating from the Internet will affect regular people.”
She is one of the folks who is actually trying to find the baddies. She knows more about these threat actors than anyone else I’ve talked to. (read more)
Here is a spicy one from ex-Yahoo and Facebook CISO Alex Stamos.
We covered this Microsoft incident post-mortem in last week’s newsletter. Here are some of Alex’s problems with it:
1) Microsoft buries the lede with this paragraph:
"Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations."
“Translation: Since the techniques outlined in the blog only work on Microsoft-hosted cloud identity and email services, this means that other companies were compromised using the same flaws”
2) Microsoft continues to downplay the attack by abusing the term "legacy".
“Calling this a “legacy” tenant is a dodge; this system was clearly configured to allow for production access as of a couple of weeks ago, and Microsoft has an obligation to secure their legacy products and tenants just as well as ones provisioned today.”
3) Microsoft is using their own security flaws as an opportunity to upsell.
going on to say, “This is morally indefensible, just as it would be for car companies to charge for seat belts or airplane manufacturers to charge for properly tightened bolts.” (read more)
And just like Alex said, there followed some notifications from Microsoft to other vendors that they might be impacted by this.
Microsoft said that “the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.” (read more)
Well, this testimony was a bit of a different tone than usual…
Go watch the whole thing. This is in the wake of some recent discoveries of breaches in critical infrastructure.
“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” Wray told the House Select Committee on the Chinese Communist Party."
I’ve reported on lots of hacks like these. Taiwan power companies. Regional electric grid centers. Oil refineries. Steel mills. Railroads. Most of the time, these findings are in other countries that are openly in conflict with China or Russia
What Wray seems to be implying here is that the USA is compromised already and that China is just choosing to not use that access at the moment until they’re ready to escalate a conflict. This is a serious accusation. I’m interested to see more messaging out of the FBI in the next few weeks.
Some good coverage on NPR too - “The hearing came the same day that the Justice Department announced that it had disrupted a Chinese state-sponsored hacking campaign that targeted American critical infrastructure.
Officials say hackers known as Volt Typhoon had placed malware on hundreds of small office and home routers” (read more)
Container breakout via docker build command
4 new vulnerabilities Snyk’s research team just dropped. They let an attacker break out of a Docker container and onto the host OS via runc.
Really great summary from my buddies at KSOC on this one too: here
“The main recommended mitigations involve upgrading to runC version 1.1.12 and BuildKit version 0.12.5” (read more)
In an unprecedented move - CISA is requiring all federal agencies to disconnect Ivanti products by Friday at midnight (roughly 48 hours from the announcement). No patching; this is an order to rip the devices out! (read more)
“In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware.
On Christmas Eve, within just three hours of gaining initial access, the threat actors executed ransomware across the entire network.
The threat actors employed a batch script to exfiltrate data, and dropped a series of other batch scripts that could hinder defensive measures, establish a user account, grant access through the firewall for RDP, and automate other intrusion actions.
Throughout the intrusion, SoftPerfect’s Netscan played a pivotal role in conducting various discovery operations.” (read more)
At least they’re paying for it? Just wish I saw some of the cash…
I’m not sure much has changed since the Snowden leaks, and we all just kind of have to keep on keeping on here.
“The U.S. National Security Agency (NSA) has admitted to buying internet browsing records from data brokers to identify the websites and apps Americans use that would otherwise require a court order, U.S. Senator Ron Wyden said last week.
"The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical, but illegal," Wyden said in a letter to the Director of National Intelligence (DNI), Avril Haines” (read more)
Another banger by Krebs this week, but are we surprised?
Good eye on him to notice that FTX announced $400m lost the same week we see arrests tied to that same dollar amount from SIM-Swappers. He’s the first I saw tie those together. (read more)
Why you should care about this. (read more)
If you don’t know what pig butchering is, it is when scammers “using various means of manipulation, the criminal gains the victim’s affection and trust. Criminals refer to victims as ‘pigs’ at this stage because they concoct elaborate stories to ‘fatten up’ their victims.”
After the trust is built, they’ll get the victims to funnel them money for either an investment or some personal needs, whatever the story was to trick them.
Just absolutely vile stuff here: “At one point, that victim saw their curve.bet investment had risen to $580,000. They tried to withdraw $380,000, but the transfer was unsuccessful, the record says. Here was where the fraudsters continued to ‘fatten up’ their target. Curve.bet online customer support said the person would need to send 20 percent of the $380,000 in order to release the funds. As well as offering a (fictitious) loan to the victim, the woman using Facebook encouraged the victim to take out a credit line, sell their vehicle, and borrow money from others in order to find that 20 percent.” (read more)
I saw someone call it “Tishing” and I really hope they were being sarcastic. We gotta stop with the phishing alternatives. But yet again we have a Teams phishing story, we really need to see Microsoft doing more about this.
“The attackers used what looks like a compromised Teams user (or domain) to send over 1,000 malicious Teams group chat invites, according to AT&T Cybersecurity research. After the targets accept the chat request, the threat actors trick them into downloading a file”
“This phishing attack is possible because Microsoft allows external Microsoft Teams users to message other tenants' users by default.” (read more)
The largest crypto hack of 2024 so far! Last year, we saw about $2 billion stolen, much of it from North Korean threat actors, which made this their main priority to fund their military programs. (read more)
I read the headline and thought, ok, a few DratKing accounts were hacked, so what?
“The U.S. Department of Justice arrested and charged two more suspects for their involvement in the hacking of almost 68,000 DraftKings accounts in a November 2022 credential stuffing attack.”
Well, that is a lot of accounts in one sweep of credential stuffing! DraftKings had to refund hundreds of thousands of dollars due to these hacks. It also surprised me that 68,000 accounts didn’t cross into 7 figures. Guess folks are losing a lot of bets! (read more)
World record 0-day found and patched in a device? It’s not even on shelves yet! How may it have been exploited?! It seems the bug is straight from iOS, and that’s how an exploit was working on it because it was developed for iPhones. Wild to see this before anyone even owns one. (read more)
Ok, I know I talked about Deepfake YouTube ads recently, but now the AI has crossed the line. They come for Taylor Swift, and I know for sure that the regulations are about to start pouring out. The people won’t stand for it.
Joking aside, this was a prolific and viral explicit deepfake of Swift circulating that all the social sites had to get to work tearing down.
This article is a long and well-thought-out look at the current state of deepfakes and nonconsensual pornography. Highly recommend a full read.
“The state of nonconsensual, AI-generated pornography on the internet at the moment is completely out of control. AI startups are flush with cash from venture capitalists, and they are racing to make their tools available before they stop to stress test how those tools could be abused, and nobody seems to care until the Swifties show up.“ (read more)
How'd I do this edition?
It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen