🎓️ Vulnerable U | #029
Vegas Casinos Hacked, Zero-Days for days! Apple x 2, Adobe Reader, Cisco, Chrome, Microsoft x 2, and more!
Read Time: 8 minutes
Second edition coming to you from Hawaii - fortunate enough to still be out here, but headed home soon. Two lucky things this week: the volcano near Hilo erupted big time, largest since 2018, so we ran over there and go to see lava spewing out of the ground. Second, 2 monk seals showed up right outside our hotel room and all the employees stopped what they were doing and were videoing them, asked why it was so cool - apparently only 8 of them left on the island and they rarely come to the hotel.
Gonna be hard to leave
Lava erupting behind me!
Going to be hard to write these from my desk after writing them from a balcony overlooking the ocean for a few days!
Buckle in - it was a CRAZY news week in infosec.
Let’s get vulnerable.
Sneak Peak at the Blog of the Week:
🖊️ Something I wrote: I summed up what we know and what we don’t know about the Microsoft Storm-0558 breach.
🎧️ Something I heard: I heard a monk seal that was hanging out on a beach near my hotel. It sounded otherworldly!
🎤 Something I said: Besides “Aloha” - I talked about the news of the week in about ten minutes over on Youtube.
🔖 Something I read: This great thread on product market fit by Havlar
Starting off the crazy news week we’ve had Citizen Lab being very busy warning us about Zero-Day’s used in the wild by big spyware tools such as Pegasus. If you haven’t seen this news yet, please update your iOS devices immediately. This vulnerability is a zero click takeover of your phone via just receiving an iMessage. - Ars did a good writeup on the patch and issue here.
If you’re not familiar - Citizen Lab does a lot of work tracking government backed spyware campaigns, especially when they target journalists or civilians. When they holler, I listen. (read more)
At this point I’d not touch ManageEngine or Fortinet with a 10ft pole on my network. Especially if exposed to the Internet. CISA has put out an advisory based on in-the-wild exploits seen using this 1-2 punch of CVEs gaining initial access via ManageEngine and then exploiting FortiOS on the network to get around and escalate privileges. .(read more)
In the ongoing series of “.gov has been holding telecom feet to the fire over cybersecurity issues” - Verizon Business Network Services has agreed to pay over $4 million to settle allegations under the False Claims Act that it did not fully implement required cybersecurity controls in an IT service provided to federal agencies from 2017 to 2021. The issue revolves around Verizon's Managed Trusted Internet Protocol Service (MTIPS), which was supposed to offer secure connections to public internet and other networks for federal agencies but allegedly failed to meet three necessary cybersecurity controls.(read more)
This post is awesome. Even with the crazy amount of news to cover this week, I wanted to include this one since it was so good. If you’re a blue team, detection engineering, or just overall looking how to automate parts of your detection and response lifecycle this post is great. Evidence: the phishing group that has been having so much success across the internet lately (latest victim being MGM) hit Coinbase a few months back - post mortem here - Amazingly, they had the threat actor shut down in ten minutes so they didn’t steal anything. Insane response time. (read more)
Lets get into the hell that Vegas has been going through:
vx-underground has been one of my favorite accounts to follow for this issue. They keep close tabs on threat actors and gave some of the most real time updates I saw on stories like this. They’re point here is that it didn’t take some major zero-day or nation state attacker, it took impersonating an employee to the help desk.
Attacks like this are plaguing our industry and many huge orgs are falling for it. Most of the time it doesn’t even take a SIM Swap.(read more)
It started at MGM but took over most of Vegas. As of writing this, we’re 3 days into the attack and I’m still seeing videos of hotel check in lines a mile long as their computers are down.(read more)
While some of the hotels are scrambling to figure out what to do, it seems Caesars just went ahead and paid the ransom to get back online. If you do the math, these casinos make billions per day so every hour they are offline is a real impact on the income. There are no locks on the front doors of Vegas hotels because they never close. A whole floor of slot machines giving blue screens means hundreds of millions in lost revenue.
I can’t say I blame them, but boy is this frustrating. Two paths here, this opens up security budgets as a case study in hundreds of millions lost in downtime so your budget doesn’t seem so bad of an ask. Two, ransomware gangs are invigorated by other industries where downtime equals major revenue lost and increased payout pressure. Maybe both are true.(read more or non-paywall version)
More concerning - reports are coming out that Caesars loyalty program customer data has been stolen …and they haven’t told the victims. This includes drivers license info and SSNs. If they don’t comply with breach notification regulations soon they’re going to be in even more hot water. Breached, gobs of lost revenue, paid ransom, and still lost data, talk about a bad week. (read more)
As more details come out, it seems more than just the slot machines are shut down. Reports are saying 100+ ESXi hypervisors have been encrypted. This also includes data exfiltration and I’d guess a whole lot of persistence. Judging by how completely Vegas has shut down, this will take weeks to unwind. (read more)
Ok, enough about Vegas. I’m sure we’ll be combing through news on that one for a bit. Onto the next Zero-Day of the week, Cisco. They have alerted users to a zero-day vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, which has been exploited in Akira ransomware attacks since August. The flaw, identified as CVE-2023-20269 exists in the remote access VPN feature of the Cisco ASA and FTD. It can be exploited remotely without authentication during brute force attacks, allowing attackers to identify valid username-password pairs and establish a clientless SSL VPN session with unauthorized users. Cisco is working on security updates (aka No patch available yet) to address this vulnerability and recommends users to apply suggested workarounds in the meantime.(read more)
Kudos to this takedown operation by Meta focused at Chinese and Russian disinformation bots. The op involved thousands of fake accounts and pages across various platforms, including Facebook and Instagram, aiming to spread misinformation and influence public opinion on a range of issues including the politics of the U.S, China, and created fake articles to weaken support for Ukraine. (read more)
Coincidence? I think not. Google, Apple, Citizen Lab released some patches for Zero-Day related to WebP in Chrome. Same week as the iOS updates related to spyware groups and Pegasus. I think these are related even though it hasn’t explicitly been said. - Google has released an emergency update for its Chrome browser to address a critical zero-day vulnerability, tracked as CVE-2023-4863, which was discovered being exploited in the wild. This vulnerability, located in the WebP component, could potentially allow attackers to execute arbitrary code on the affected systems.(read more)
In an always good write-up, Krebs has put all these together this week. I included this because it is a reminder of all the updates we all have to do for ourselves and our organizations this week. The urgency by people who have inside information about active exploitation on these is loud and clear. These latest CVEs are a race to patch or see more widespread weaponization.(read more)
It is seeming like a common occurrence for us to be covering a UK government or similar breach. We just talked a few weeks ago about how police information was leaked from a UK database. This time they’re fighting off a ransomware attack paired with some more stolen information. (read more)
We’ve talked about Flax Typhoon a lot lately, now lets flex that new Microsoft naming convention and switch over to Iranian threat actors. Since February 2023, Microsoft has been tracking a high volume of password spray attacks orchestrated by an Iranian nation-state group known as Peach Sandstorm (also known as HOLMIUM, APT33, Elfin, and Refined Kitten). This group has been targeting organizations globally, especially those in the satellite, defense, and pharmaceutical sectors, to facilitate intelligence collection for Iranian state interests. The attacks involve using both publicly available and custom tools for discovery, persistence, lateral movement, and in some cases, data exfiltration. (read more)
If you use Semgrep and Hashicorp this is super useful
Security headlines over the past 2-3 days:
- Two Apple iOS, macOS zero-days
- Adobe PDF Reader 0day exploited
- Cisco ASA 0day exploited in Akira ransomware
- Google patches Chrome 0-da reported by Apple
- Microsoft Patches 2 New Exploited zero-days
— Ryan Naraine (@ryanaraine)
Sep 12, 2023
Thanks Clint over at TLDRsec for turning me onto this one. AI powered threat modeling is a side project I’ve been dabbling with. Here is someone else doing the same:
Your 24/7 SOC Analyst when the spicy alerts are firing.
— Matt Johansen (@mattjay)
Sep 13, 2023
I’ll be on Shared Security’s podcast with Tom Eston next week, keep an eye on his feed if you don’t already:
How'd I do this edition?
It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen