🎓️ Vulnerable U | #040

Okta hack updated to include *all* customers, US Sanctions North Korean hacking group, Chinese hackers steal chip designs, Facebook MFA bypass, White House Surveillance Program leaked, and more!

Read Time: 5 minutes

Howdy friends!

You did it. You made it to the rip in spacetime, the weeks between Thanksgiving and Christmas. There are two paths in front of you: either you’re incredibly busy until everyone you work with disappears, or you’re already pushing meetings out to January 8th. You’ve given up on appearing like you care. Which one are you?

Charlie Munger, Warren Buffet’s long-time investing partner, died this week at 99. They are two of the best ever to do it, so we’re revisiting a blog post I wrote this week inspired by a financial term they helped popularize about a company’s “moat”:

Me, Adrian Lane, Gunnar Peterson

I got the pleasure of going to a Berkshire Hathaway shareholder meeting a number of years ago with some fellow security nerds who also happen to be big investing nerds.

I’ve been thinking about moats a lot lately. And how they apply to career and personal growth.

For those who have never heard the term, it’s common terminology among the investor folk. Warren Buffet made the phrase famous, referring to a business’s ability to maintain a competitive advantage.

You can picture it, the moat around a castle protecting it from invaders—the wider the moat, the harder to attack. Hence, a “Wide Moat” stock would have a considerable edge over other companies trying to disrupt that industry.

If you’re wondering what this has to do with your career, bear with me.

Companies need moats to protect their market share and profitability. Individuals need personal moat to protect or advance professional standing.

It’s about identifying and leveraging your unique strengths and interests to build a successful career. It’s about creating a solid personal brand that separates you from the crowd.


🖊️ Something I wrote: A thread on a major real estate services provider going down for ransomware - they’ve been offline for over a week now. Folks can’t close on houses, money is missing, and mortgage payments can’t be made.

🎧️ Something I heard: My Spotify wrapped says I heard a whole lot this year. Mostly punk and emo music, though. My top song of the year.

🎤 Something I said: My friend Dennis Fisher sent me a copy of his new book this week, which prompted me to revisit when I was on his podcast a few months back if you missed it.

🔖 Something I read: This quick book about Storytelling. I give it 3.5 out of 5. But I’m trying to learn more about this to work on some ideas for my YouTube channel that aren’t news summaries. Stay tuned.

Vulnerable News

Remember when we covered this story a few weeks ago? And that only 1% of customers were impacted, including 1Password and Cloudflare?

Well, upon further investigation, Okta says it was all of their customers. It seems they had a filter set when they ran the database query that the attackers ran. They noticed the filter and reran it, and it dumped info about all the customer support accounts.

The thing about their customer support accounts is that every customer admin account automatically gets one, so these are juicy target accounts and a phishing treasure trove. (read more)

This press release is written about as hard to read and digest as it possibly could be. It's more of an intel debrief than digestible press. Here’s my ELI5:

  • Kimsuky is a Spy Group: It's part of the Reconnaissance General Bureau (RGB), North Korea's primary spy agency. The United States and the United Nations recognize RGB as essential to the North Korean government.

  • It's Been Around Since 2012: The US government, specifically an office called OFAC, has been watching RGB since 2010 and officially marked it as a controlled part of the North Korean government in 2015. Kimsuky, as part of RGB, is also seen as essential and controlled by North Korea.

  • What Kimsuky Does: Its main job is to collect secret information. It does this by tricking people who work in governments, research places, universities, and news groups, especially in Europe, Japan, Russia, South Korea, and the United States. Kimsuky sends spear-phishing emails to these people to get access to their secret documents and information.

  • Kimsuky's Goal: The information they collect helps North Korea with its plans, especially for making nuclear weapons and other big strategies.

  • Official Action Against Kimsuky: Because of its activities, Kimsuky is now officially recognized by the US as a part of the North Korean government that they must watch and restrict. (read more)

This hack is wild. I’ve been trying to write a Twitter thread about it for days but haven’t been happy with the outcome. The main thing I’m stuck on with this one is the length of time they went undiscovered.

For over two years, Chimera, a Chinese hacker group, exploited employee accounts to access NXP, a leading Dutch semiconductor company. Despite using multi-factor authentication (MFA), the hackers successfully bypassed these defenses by using SIM-swapping and brute-force attacks. Once again, it highlights the need for hardware token-based MFA.

  • Brute forced VPN passwords helped by a previous data breach’s info

  • SIM Swapped employees to race condition the SMS MFA token

  • Happened in 2017 and went unnoticed until 2020

  • Hackers came back every few weeks to steal more data that was new and interesting - mainly focusing on chip designs

  • “The logs, which span more than two years, show that working hours correspond exactly to Chinese time zones, including a break around noon. The hackers hack every day of the week, but not on Sundays. And the longer periods in which the spies are not or hardly active coincide exactly with the Chinese holiday season, the so-called Golden Week.”

  • The hackers' modus operandi can be recognized by the password they use to encrypt the loot: 'fuckyou.google.com' (read more)

Hey everyone! If you’re going to steal some company source code, don’t subsequently make that apparent while sharing your screen on a call.

In a striking alleged intellectual property theft case, automotive technology company Valeo is suing Nvidia. This lawsuit stems from an incident where Mohammad Moniruzzaman, a former Valeo employee, reportedly revealed Valeo's stolen source code during a video call with his previous employer after joining Nvidia. (read more)

Love me a good bug bounty write-up. Facebook has one of the longest-standing and most active bounty programs as well. My old team racked up a bunch of findings in their early days. Good memories!

Security researcher Bassem M Bazzoun uncovered a method to bypass Facebook’s 2FA by manipulating Instagram's sign-up process. By creating an Instagram account with a victim's phone number and then linking it to a Facebook account, he could transfer the phone number, effectively disabling 2FA on the victim's Facebook account.

The exploit involved sending a verification code to the target's phone number, brute-forcing the verification code to create an Instagram account linked to that number, and then transferring the phone number to the attacker’s Facebook account in the account center, thereby removing it from the victim's account. (read more)

Law enforcement agencies from seven countries, including the U.S. and Canada, have arrested key members of a notorious ransomware gang operating from Ukraine. The gang, active since 2018, caused over $82 million in damages globally, marking a substantial impact on international cybersecurity.

  • The group encrypted over 1,000 servers of large enterprises, demanding ransoms in cryptocurrency. One notable victim was a leading chemical company in the Netherlands, charged $1.3 million in ransom.

  • The gang employed LockerGoga, MegaCortex, Hive, and Dharma ransomware variants, using phishing, brute force attacks, and advanced malware like TrickBot, Cobalt Strike, and PowerShell Empire. They remained undetected in networks, compromising systems before launching ransomware attacks.

  • More than 20 investigators from multiple countries participated in the operation, leading to the arrest of the gang's 32-year-old ringleader and four key accomplices. This followed an earlier wave of arrests in 2021, which helped identify additional members of the gang​ (read more)

This link is from a story in 2019 - but Krebs updated this week that New York state’s judgment came through this week, and it was for a whopping $1 million.

“In 2019, I broke the news that First American Title Insurance Co, the country's second-largest title insurer, had leaked on its public website hundreds of millions of documents related to mortgage deals going back to 2003. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.

According to a report today from Newsday, First American has agreed to pay New York state $1 million for violating the state's cybersecurity regulation.

Not sure how the regulators reached $1m as an appropriate fine, but it seems small to me.”

Brian Krebs

It seems small to me, too. (read more)

Cyber-criminals are advertising on dark web forums and offering rewards for hotel login details, exploiting vulnerabilities in the hotel administration portals to defraud customers.

  • The attackers are using a malware called Vidar Infostealer, tricking hotel staff into downloading it by posing as guests. Once installed, it allows hackers to access Booking.com’s administration portals and customer information.

  • Hackers are contacting customers through the official Booking.com app, posing as hotel staff, and convincing them to transfer money directly to them, often using social engineering tactics.

  • Customers from various countries, including the UK, Indonesia, Singapore, and the US, have reported being victims of this fraud. While Booking.com itself hasn't been compromised, the company acknowledges that its partners are being targeted and is working to support them. (read more)

A WIRED analysis reveals a secretive White House surveillance program, known as Data Analytical Services (DAS), that grants law enforcement agencies access to trillions of American phone records without suspicion of a crime. Snowden files all over again.

  • Extensive Data Collection: DAS, previously known as Hemisphere, involves collaboration with AT&T, tracking over a trillion domestic phone records annually in the U.S. It employs chain analysis to monitor not only individuals in contact with suspects but also their contacts, extending its reach to innocent parties.

  • Legal Concerns and Opposition: Senator Ron Wyden has raised serious doubts about the legality of DAS, highlighting the program's potential infringement on Americans' privacy. Despite being non-classified, the program's details are restricted from public disclosure, prompting Wyden to challenge the Department of Justice for transparency.

  • Program Funding and Operation: The White House has funded DAS since 2013, with at least $6.1 million allocated. The program was initially suspended in 2013, resumed under Trump, halted in 2021, and then restarted under Biden. DAS operates under the High-Intensity Drug Trafficking Area (HIDTA) program, managed by the White House’s Office of National Drug Control Policy. (read more)

Google’s Threat Analysis Group (TAG) has been prolific lately. Here is another example of them finding exploits in the wild and following up with a patch and a CVE for us to track. As always, there is not a ton of detail on the exploit that was discovered, but restart your browsers, folks. (read more)

I’ll take the theme of this article seriously, but the counting of cyberattacks is always laughable. Is a port scan a cyberattack? What are they talking about when they say: “I was … observing thousands of attacks on our energy grid taking place live,” - gotta eye roll a bit.

BUT, it is a real concern that since the Ukraine/Russia conflict broke out - many industrial control environments have seen some significant targeting. (read more)

Miscellaneous mattjay

Well that’s one way to steal a car.

Upcoming Appearances

I got a chance to talk to Cyber Psychologist Dr. Stacy Thayer last week for her podcast. We had a great chat about mental health in our field and technology in general. Keep an eye on her feed, not sure of the publish date:

Do you like getting Vulnerable U on Friday morning?

I've heard some feedback that I should send this out Tuesdays to give folks more weekdays to read it.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen