🎓️ Vulnerable U | #039

Security Exec hacks hospital to drum up business, Microsoft delivers big win for passkeys, Windows Hello Fingerprints bypassed, Mirai Botnet authors speak out, Fidelity National hacked by ALPHV and title closings halt, and more!

Author

Matt Johansen
November 24, 2023

Read Time: 5 minutes

Howdy friends!

I normally do the bulk of the newsletter work on Thursday nights, so I appreciate your understanding that this edition comes out a day later than normal as I was enjoying time with family and full of an aggressive amount of food for Thanksgiving.

Speaking of which, I’m VERY thankful for all of you who’ve trusted me to add value to your weeks.

ICYMI

🖊️ Something I wrote: My shirts for Vulnerable U say “Building Resilience,” and just last week, I decided to dig deep into resilience with some research-backed ways to build it.

🎧️ Something I heard: I listened to a few BlueHat talks that hit YouTube this week. Including the great keynote from a friend of mine, Jason Haddix.

🎤 Something I said: Hackers filing an SEC complaint about their own hack not being disclosed.

🔖 Something I read: Sahil Bloom’s ABC Goal System

Vulnerable News

The COO of a security company decided it would be a good idea to be a pest to a hospital system in order to drum up business for himself. Start a tire shop and go drop some nails on the highway kind of behavior.

"During his attack on September 27, 2018, he disrupted the health provider's phone and network printer services, and he stole the personal information of more than 200 patients from a Hologic R2 Digitizer digitizing device connected to a mammogram machine on GMC's Lawrenceville hospital.

On the same day, Singla used over 200 printers in the GMC hospital in Duluth to print stolen patient information and "WE OWN YOU" messages." (read more)

This seems like a weird thing for me to link but stay with me. There is an announcement buried in here that I think we should be talking about more and celebrating.

Another win for passkeys! Microsoft announces more support for the FIDO2 tech, including Microsoft Authenticator and Windows Hello integrating to manage passkeys.

“Microsoft is committed to supporting passkeys across our ecosystem, starting with Windows 11. Once you create a passkey for a website, application, or service using Windows Hello, you can sign in from your device using your face, fingerprint, or device PIN. This gives enterprises and government customers an additional, phishing-resistant alternative to physical FIDO2 security keys. Microsoft Entra ID users will soon be able to sign in using passkeys managed from the Microsoft Authenticator app.” (read more)

But in great timing, We can’t sing all the praises of Microsoft Hello without mentioning that just recently some researchers presented at BlueHat they found a way around the fingerprint tech.

Caveat - fairly sophisticated attack that requires a specially built piece of hardware to MiTM the auth request and spoof to the chip that the fingerprint was right. (read more)

A fantastic long piece by Andy Greenberg going into the complete history of the Mirai botnet, including talking to the authors of it.

I saw this one talked about on Twitter, and Allison Nixon, a researcher who worked closely on Mirai and still is hunting threat actors, spoke about how proud she is of the three Mirai kids and how they’ve turned over a new leaf.

“Companies still face near-constant attacks from Mirai descendants, Seaman says. Because those botnets are generally still fighting over the same vast but splintered collection of vulnerable internet-of-things devices, none of them is nearly as big as the original Mirai. Nor has any of Mirai’s progeny ever again managed to surprise defenders to the degree Mirai did.

But their attacks still plague the internet, adding to the millions of dollars a year that companies pay in DDoS protection. “The arsonists have turned over a new leaf,” Akamai’s Seaman summarizes. “The wildfires continue to rage.” (read more)

Fidelity National Financial was hacked this week and ALPHV took credit and had some things to say about Mandiant in their ransom extortion announcements.

In a report filed Nov. 21 with the SEC, Fidelity National Financial said it was blocking access to systems related to "services we provide related to title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries." (read more)

We read a lot of fear mongering around QR codes, and while I’ve seen them in phishing emails be a new URL hiding technique akin to URL shorteners, this is one of the first big attacks I’ve read about in the wild of a QR code on a wall scamming someone.

“In August the victim, who wishes to stay anonymous, used the code and, after a string of fraudulent payments were blocked by her bank, the fraudsters called her posing as bank staff.

Referencing genuine transactions, they convinced her they were legitimate and obtained enough information to run up debts of thousands in her name, including a loan of £7,500 they took out in minutes.” (read more)

Big profile piece by Microsoft on Scattered Spider, Octo Tempest, 0ktapus, etc. - If you don’t want to listen to this podcast (you should, Sherrod is awesome), Here is the accompanying blog post.

It is one of the most prolific groups out there, and it is worth knowing what you can about them. (read more)

Having worked at a few financial institutions, I’ve completed my fair share of mandated Money Laundering training. Just reading this article is like a checklist of everything I was taught not to do. Once again, we see crypto companies’ lack of regulation coming to bite them when they realize why those regulations exist.

“Binance had failed to institute programs to report suspicious transactions involving terrorist groups — including Hamas in the Gaza Strip, Al Qaeda and ISIS. “Binance was allowing illicit actors to transact freely, supporting activities from child sexual abuse to illegal narcotics to terrorism,” Ms. Yellen said.

The authorities also said that Mr. Zhao knew that Binance’s efforts to stop people in sanctioned countries from doing business on the exchange were inadequate. Prosecutors specifically charged Binance with conspiring to run an unlicensed money transmitting business and violating banking and sanctions laws.” (read more)

This is some fantastic research and a great write-up detailing it.

“A chain of vulnerabilities we discovered and exploited during our research allowed us to gain full control, run code, and extract private keys of hundreds of validators on multiple major networks, potentially leading to direct losses equivalent to over one billion dollars in cryptocurrencies such as ETH, BNB, SUI, APT and many others.”

“The vulnerabilities disclosed by this blog post could have been exploited to steal private keys of Ethereum validators totaling at least 1.2% of Ethereum’s stake (and probably much more — see below), which is a significant potential first step in such an attack. Motivated malicious attack groups could have found this vulnerability, exploited and stolen these private keys and kept them for “judgment day” when they collected enough private keys to control the network — which is why we recommended that InfStones change the validator keys of all exposed validators.” (read more)

Three vulns in one disclosure from ownCloud this week. First vuln lets you read admin creds from an exposed URL. The second makes a password not matter and lets you do admin stuff unauth’d. The third is in OAuth and lets you bypass a validation code.

OwnCloud reports 200,000 installs, 600 enterprise customers, and 200 million users. (read more)

Miscellaneous mattjay

Congrats to John on 1 million YouTube subs! This is an absolutely massive milestone for our niche industry.

Upcoming Appearances

I spoke with Stacy Thayer, a Cyber Psychologist, on her podcast. We talked a lot about mental health, and a few of my recent blog topics. It should come out in a few days.

Podcasts CyberPsych Home Page

netography.com/cyberpsych

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay