Vulnerable U | #029
Vegas Casinos Hacked, Zero-Days for days! Apple x 2, Adobe Reader, Cisco, Chrome, Microsoft x 2, and more!
Read Time: 8 minutes
Howdy friends!
Second edition coming to you from Hawaii - fortunate enough to still be out here, but headed home soon. Two lucky things this week: the volcano near Hilo erupted big time, the largest since 2018, so we ran over there and got to see lava spewing out of the ground. Second, 2 monk seals showed up right outside our hotel room, and all the employees stopped what they were doing and were videoing them. We asked why it was so cool - apparently only 8 of them are left on the island and they rarely come to the hotel.
[Photos: Gonna be hard to leave | Lava erupting behind me!]
Going to be hard to write these from my desk after writing them from a balcony overlooking the ocean for a few days!
Buckle in - it was a CRAZY news week in infosec.
Let's get vulnerable.
Sneak Peek at the Blog of the Week:
I recently stumbled upon a thought-provoking video featuring psychologist Dr. Russell Barkley, in which he discusses the roles of a parent in a child's life.
In the video, Barkley suggests that parents have little to do with WHO their children are. We are born with 400+ psychological traits and, short of abuse, neglect, and malnutrition, there is little that parents can do to CHANGE who their kids are. That is not to say they don't impact them, but that guiding, nurturing, and creating safe environments for their children to develop and grow is all they really have control over. The personalities, abilities, and traits of children are predetermined by a unique set of genes. He goes on to say that you cannot design your child. Nothing you do in your home will make them something they are not.
He describes this as a shepherd view and an engineer view. Shepherds, he says, are very powerful people. They choose the pasture to graze on, determine whether the sheep are properly nourished, and determine whether the sheep are protected from harm. "The environment is important, but it doesn't design the sheep."
The engineering view, however, leaves parents feeling responsible for everything. They believe they can change, mold, and design a child into the person they think they should be. And it's simply not possible, no matter how hard they try.
This concept got me thinking about leadership in technology organizations, particularly infosec. Because at our jobs leaders aren't parents and staff aren't children (not usually, anyway!), I had to get a little creative, but the basic principles are the same.
We don't get to create an individual contributor, but we do get to create our teams, for the most part. Sometimes we inherit them, but oftentimes we do get to build them. And so while Barkley sees shepherding as inherently good and engineering as inherently ineffective, I think there is value in both kinds of leadership.
Though, it's crucial to recognize when to shift between the roles of shepherd and engineer.
When should we focus on nurturing and guiding our team members, and when is it more appropriate to concentrate on building systems, introducing technology, or altering processes?
ICYMI
Something I wrote: I summed up what we know and what we don't know about the Microsoft Storm-0558 breach.
Something I heard: I heard a monk seal that was hanging out on a beach near my hotel. It sounded otherworldly!
Something I said: Besides "Aloha" - I talked about the news of the week in about ten minutes over on YouTube.
Something I read: This great thread on product market fit by Havlar
Vulnerable News
Starting off the crazy news week we've had, Citizen Lab has been very busy warning us about zero-days used in the wild by big spyware tools such as Pegasus. If you haven't seen this news yet, please update your iOS devices immediately. This vulnerability is a zero-click takeover of your phone via just receiving an iMessage. - Ars did a good writeup on the patch and issue here.
If you're not familiar - Citizen Lab does a lot of work tracking government-backed spyware campaigns, especially when they target journalists or civilians. When they holler, I listen. (read more)
At this point I'd not touch ManageEngine or Fortinet with a 10ft pole on my network, especially if exposed to the Internet. CISA has put out an advisory based on in-the-wild exploits seen using this 1-2 punch of CVEs: gaining initial access via ManageEngine and then exploiting FortiOS on the network to get around and escalate privileges. (read more)
In the ongoing series of ".gov has been holding telecom feet to the fire over cybersecurity issues" - Verizon Business Network Services has agreed to pay over $4 million to settle allegations under the False Claims Act that it did not fully implement required cybersecurity controls in an IT service provided to federal agencies from 2017 to 2021. The issue revolves around Verizon's Managed Trusted Internet Protocol Service (MTIPS), which was supposed to offer secure connections to the public internet and other networks for federal agencies but allegedly failed to meet three necessary cybersecurity controls. (read more)
This post is awesome. Even with the crazy amount of news to cover this week, I wanted to include this one since it was so good. If you're on a blue team, doing detection engineering, or just overall looking at how to automate parts of your detection and response lifecycle, this post is great. Evidence: the phishing group that has been having so much success across the internet lately (latest victim being MGM) hit Coinbase a few months back - post mortem here - Amazingly, they had the threat actor shut down in ten minutes, so they didn't steal anything. Insane response time. (read more)
Let's get into the hell that Vegas has been going through:
vx-underground has been one of my favorite accounts to follow for this issue. They keep close tabs on threat actors and gave some of the most real-time updates I saw on stories like this. Their point here is that it didn't take some major zero-day or nation-state attacker; it took impersonating an employee to the help desk.
Attacks like this are plaguing our industry and many huge orgs are falling for it. Most of the time it doesn't even take a SIM swap. (read more)
It started at MGM but took over most of Vegas. As of writing this, we're 3 days into the attack and I'm still seeing videos of hotel check-in lines a mile long as their computers are down. (read more)
While some of the hotels are scrambling to figure out what to do, it seems Caesars just went ahead and paid the ransom to get back online. If you do the math, these casinos make billions per day so every hour they are offline is a real impact on the income. There are no locks on the front doors of Vegas hotels because they never close. A whole floor of slot machines giving blue screens means hundreds of millions in lost revenue.
I can't say I blame them, but boy is this frustrating. Two paths here. One, this opens up security budgets: a case study in hundreds of millions lost in downtime makes your budget not seem like so bad of an ask. Two, ransomware gangs are invigorated to go after other industries where downtime equals major revenue lost and increased payout pressure. Maybe both are true. (read more or non-paywall version)
More concerning - reports are coming out that Caesars loyalty program customer data has been stolen ...and they haven't told the victims. This includes driver's license info and SSNs. If they don't comply with breach notification regulations soon, they're going to be in even more hot water. Breached, gobs of lost revenue, paid the ransom, and still lost data - talk about a bad week. (read more)
As more details come out, it seems more than just the slot machines are shut down. Reports are saying 100+ ESXi hypervisors have been encrypted. This also includes data exfiltration and, I'd guess, a whole lot of persistence. Judging by how completely Vegas has shut down, this will take weeks to unwind. (read more)
Ok, enough about Vegas. I'm sure we'll be combing through news on that one for a bit. On to the next zero-day of the week: Cisco. Cisco has alerted users to a zero-day vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, which has been exploited in Akira ransomware attacks since August. The flaw, identified as CVE-2023-20269, exists in the remote access VPN feature of Cisco ASA and FTD. It can be exploited remotely without authentication in brute force attacks, allowing attackers to identify valid username-password pairs and establish a clientless SSL VPN session as an unauthorized user. Cisco is working on security updates (aka no patch available yet) to address this vulnerability and recommends that users apply the suggested workarounds in the meantime. (read more)
Kudos to this takedown operation by Meta focused on Chinese and Russian disinformation bots. The op involved thousands of fake accounts and pages across various platforms, including Facebook and Instagram, aiming to spread misinformation and influence public opinion on a range of issues including the politics of the U.S. and China, and created fake articles to weaken support for Ukraine. (read more)
Coincidence? I think not. Google, Apple, and Citizen Lab released some patches for a zero-day related to WebP in Chrome. Same week as the iOS updates related to spyware groups and Pegasus. I think these are related even though it hasn't explicitly been said. - Google has released an emergency update for its Chrome browser to address a critical zero-day vulnerability, tracked as CVE-2023-4863, which was discovered being exploited in the wild. This vulnerability, located in the WebP component, could potentially allow attackers to execute arbitrary code on the affected systems. (read more)
In an always good write-up, Krebs has put all these together this week. I included this because it is a reminder of all the updates we all have to do for ourselves and our organizations this week. The urgency from people who have inside information about active exploitation of these is loud and clear. These latest CVEs are a race to patch or see more widespread weaponization. (read more)
It is seeming like a common occurrence for us to be covering a UK government or similar breach. We just talked a few weeks ago about how police information was leaked from a UK database. This time they're fighting off a ransomware attack paired with some more stolen information. (read more)
We've talked about Flax Typhoon a lot lately; now let's flex that new Microsoft naming convention and switch over to Iranian threat actors. Since February 2023, Microsoft has been tracking a high volume of password spray attacks orchestrated by an Iranian nation-state group known as Peach Sandstorm (also known as HOLMIUM, APT33, Elfin, and Refined Kitten). This group has been targeting organizations globally, especially those in the satellite, defense, and pharmaceutical sectors, to facilitate intelligence collection for Iranian state interests. The attacks involve using both publicly available and custom tools for discovery, persistence, lateral movement, and in some cases, data exfiltration. (read more)
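The Cisco ASA item and the Peach Sandstorm item above are two shapes of the same problem. Brute forcing hammers one account with many guesses; password spraying tries one or two guesses against many accounts so that per-account lockout thresholds never trip, which is why it slips past naive "N failures per user" alerting. The following is an added example, not code from the newsletter, Cisco, or Microsoft, that groups authentication failures per source address, labels each of those two patterns, and rates a source that eventually logs in as the highest severity. The log format, IP addresses, usernames, and thresholds are all constructed for the example; a real deployment would parse ASA syslog or sign-in log fields instead.

```python
"""Added example: separate password brute forcing (many guesses at one
account) from password spraying (a guess or two at many accounts) by
grouping authentication failures per source address.

Everything here is constructed for illustration: the log format is a
generic one, not Cisco ASA or Microsoft sign-in log syntax, and the IPs,
usernames and thresholds are made up."""
import re
from collections import defaultdict

# Constructed sample log. Each line: <timestamp> <AUTH_FAIL|AUTH_OK> user=<u> src=<ip>
SAMPLE_LOG = (
    # 12 guesses at a single account from one address: brute force.
    "".join(
        f"2023-09-12T10:00:{i:02d}Z AUTH_FAIL user=admin src=203.0.113.10\n"
        for i in range(12)
    )
    # One guess each at five accounts, then a success on a sixth: a spray that landed.
    + "2023-09-12T10:05:00Z AUTH_FAIL user=alice src=198.51.100.7\n"
    + "2023-09-12T10:05:01Z AUTH_FAIL user=bob src=198.51.100.7\n"
    + "2023-09-12T10:05:02Z AUTH_FAIL user=carol src=198.51.100.7\n"
    + "2023-09-12T10:05:03Z AUTH_FAIL user=dave src=198.51.100.7\n"
    + "2023-09-12T10:05:04Z AUTH_FAIL user=erin src=198.51.100.7\n"
    + "2023-09-12T10:05:05Z AUTH_OK user=frank src=198.51.100.7\n"
    # A user mistyping once and then getting in: benign noise.
    + "2023-09-12T10:07:00Z AUTH_FAIL user=jdoe src=192.0.2.5\n"
    + "2023-09-12T10:07:09Z AUTH_OK user=jdoe src=192.0.2.5\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>AUTH_FAIL|AUTH_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse the constructed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, brute_min_fails=10, brute_max_users=2,
            spray_min_users=5, spray_max_per_user=2.0):
    """Label each source address by the shape of its failed logins.

    brute_force:    at least brute_min_fails failures spread over at most
                    brute_max_users accounts.
    password_spray: at least spray_min_users distinct accounts, averaging no
                    more than spray_max_per_user failures each (this is what
                    keeps a spray under per-account lockout thresholds).
    benign:         anything else.
    A flagged source that also has a successful login is rated high severity.
    """
    per_src = defaultdict(lambda: {"fails": 0, "users": set(), "ok": set()})
    for e in events:
        s = per_src[e["src"]]
        if e["result"] == "AUTH_FAIL":
            s["fails"] += 1
            s["users"].add(e["user"])
        else:
            s["ok"].add(e["user"])

    findings = {}
    for src, s in per_src.items():
        n_users = len(s["users"])
        # Short-circuit on n_users first so a source with only successes never divides by zero.
        if n_users >= spray_min_users and s["fails"] / n_users <= spray_max_per_user:
            label = "password_spray"
        elif s["fails"] >= brute_min_fails and n_users <= brute_max_users:
            label = "brute_force"
        else:
            label = "benign"
        if label == "benign":
            severity = "info"
        elif s["ok"]:
            severity = "high"  # guessing activity followed by a successful login
        else:
            severity = "medium"
        findings[src] = {
            "label": label,
            "failures": s["fails"],
            "distinct_users": n_users,
            "succeeded_as": sorted(s["ok"]),
            "severity": severity,
        }
    return findings


if __name__ == "__main__":
    for src, f in analyze(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{src:<15} {f['severity']:<6} {f['label']:<14} "
              f"fails={f['failures']} users={f['distinct_users']} ok={f['succeeded_as']}")
```

Keying on the source address is what makes the spray visible: per user, 198.51.100.7 never fails more than once, so a lockout policy never fires, but per source it has touched five accounts in five seconds and then authenticated as a sixth. The thresholds are deliberately exposed as parameters because the right values depend on the size of the user population and on how much legitimate NAT traffic shares a source address.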
Miscellaneous mattjay
If you use Semgrep and Hashicorp this is super useful
Woof
Security headlines over the past 2-3 days:
- Two Apple iOS, macOS zero-days
- Adobe PDF Reader 0day exploited
- Cisco ASA 0day exploited in Akira ransomware
- Google patches Chrome 0-day reported by Apple
- Microsoft Patches 2 New Exploited zero-days
Stay blessed.
- Ryan Naraine (@ryanaraine)
5:37 PM · Sep 12, 2023
Thanks Clint over at TLDRsec for turning me onto this one. AI-powered threat modeling is a side project I've been dabbling with. Here is someone else doing the same:
Your 24/7 SOC Analyst when the spicy alerts are firing.
- Matt Johansen (@mattjay)
5:04 PM · Sep 13, 2023
Upcoming Appearances
I'll be on Shared Security's podcast with Tom Eston next week; keep an eye on his feed if you don't already:
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Extra Credit
Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay