🎓 Vulnerable U | #019
Privacy vs. Security, Meta's Thread App Concerns, MITRE's Top 25 Most Dangerous, and more...
Read Time: 5 minutes
Happy Blink-182 eve for those who celebrate. I’ll be reliving my teen years with a bunch of other elder millennials tonight when Blink-182 comes to Austin. I will feel so cool I might even beat this heat wave.
Hope you all had a good July 4th weekend if you’re in the States and got some time off. We had a party at my house with a local tattoo artist set up in my living room doing flash tattoos from this sheet:
Ten people walked out with new ink, and Daddy got himself a new skull with a cowboy hat because why not?
Sneak Peek at the Blog of the Week:
In this episode:
Privacy vs. Security
Meta’s Threads App Won’t Launch in EU on Regulatory Concerns
336,000 servers remain unpatched against critical Fortigate vulnerability
MITRE’s Top 25 Most Dangerous Software Weaknesses of 2023
OWASP Top 10 for LLM
Hackers steal personal information on 8,000+ pilot applicants at American and Southwest
Hacking Campaign Actively Exploiting “Ultimate Member” Plugin on WordPress Sites
Malvertising Used as Entry Vector for BlackCat Malware
Hunting Ducks - A Threat Hunters Take on Ducktail Stealer
🖊️ Something I wrote: I expressed my frustration with how mental health issues can literally steal time you can never get back. It seems a lot of people agreed. [Link]
🎧️ Something I heard: The clashing of two giant minds. What a great long convo by two of the best, Andrew Huberman and Tim Ferriss. [Link]
📽️ Something I watched: Great interview of Ryan Montgomery (aka 0day) on NahamSec’s stream [Link]
🔖 Something I read: This Adam Shostack piece - Microsoft Can Fix Ransomware Tomorrow [Link]
If you have a pulse and are online this week, you couldn’t miss everyone rushing to check out the latest Twitter lifeboat alternative - Threads. You’ll also have noticed they ask for about every piece of information they can get from you to sign up. [Read More]
We talked about this Fortinet vulnerability in a previous edition, and I mentioned how tricky patching hardware appliances is. Here is the proof: tons of this stuff is still out there, exposed and unpatched. [Read More]
Love MITRE and all the work they’re doing around ATT&CK. They dropped their 2023 list, which is sort of like the OWASP Top 10 but for software weakness types (CWEs) in general, ranked by how often and how severely they show up in the year’s CVE data, not just web applications. Always interesting to use these kinds of stats to help prioritize what you’re spending your time addressing. [Read More]
Speaking of the OWASP Top 10! They released their Top 10 for LLM this week. I think most of the security issues surrounding the AI surge are yet to be seen, but it is good to start thinking about the new landscape introduced with this movement. [Read More]
The hackers broke into a recruiting firm to gather this information. Not a lot of details about the hack itself, but an ever-present reminder of the security risks not only in your own organization but also in the vendors that you give info to. [Read More]
WordPress vulns are a dime a dozen and not super interesting to me. However, an active exploit campaign with plenty of victims is worth noting. This one also comes with a good post-mortem from the plugin vendor. [Read More]
We’ve talked about BlackCat (aka ALPHV) malware here in recent weeks. I’ve also got a special place in my heart for ad networks being used by attackers, as I’ve done lots of research in this area. (I gave a Black Hat talk about this kind of stuff over a decade ago, Million Browser Botnet). The Trend Micro team did some excellent work tracking down this campaign, and they have lots of details in their report here. [Read More]
Ducktail is a known threat actor that targets marketing and advertising professionals with .NET-based stealer payloads. This is a good write-up of the techniques used in delivering the malware and then unpacking the malware itself to see how it steals the victims’ info. Great writeup! [Read More]
Check Point Research uncovers a targeted campaign carried out by a Chinese threat actor targeting government entities in Europe, with a focus on foreign and domestic policy entities. [Read More]
What I fear might happen:
When Google killed Reader, I tried a bunch of alternatives and none stuck. I just stopped reading most blogs.
As Twitter dies, I’ll try a bunch of alternatives, but I bet in the end the way I engage with the internet will be different.
— Whitney Merrill (@wbm312)
Jul 6, 2023
I’ll be giving some free Threat Modeling training at an event in Austin in September alongside a stacked cast of characters. Check out the event, put on for free by Tromzo: Here
Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen