🎓️ Vulnerable U | #067

Snowflake Saga, Hacking Millions of Cox Modems, Microsoft Recall Issues, Crypto and stalkerware hacks, and much more!

Read Time: 9 minutes

Howdy friends!

I feel like the year is condensing. I’m already having conversations about plans and meetings that I have to turn down in late August. Isn’t it barely summer? How is this possible?!

I did a fairly long AMA on my Instagram this week. I got so many DMs saying how grateful people were for it and asking me to do more of them. Keep an eye on my profile if you want to participate in the next one. I’ll keep the responses in my story highlights for a bit, too.

Also want to give a shout to my sponsors over the next few weeks. Checking them out is the best way to support the work I do here. Thank you in advance. It means more to me than you know!

Let’s get vulnerable.

ICYMI

🖊️ Something I wrote: This one made the rounds on LinkedIn again this week even though I wrote it back in February. “I stopped resisting things I thought were 'wrong' about me and here is what happened”

🎧️ Something I heard: I somehow ended up on the “Dirt Man” side of the algorithm and this D&D spin-off cracked me up. Unhinged.

🎤 Something I said: There is “fake news” and then there is really fake news. Ran through a report about NewsBreak, its foreign investors, and its AI-generated, completely fabricated and false news stories.

🔖 Something I read: This brilliant thread: “Your fundamentals are your greatest shield. Your efforts actually matter. That is what actually prevents failure. I know. I see.”

📣 Sponsor

🧟 How Risky is a Zombie (Identity) in Your Cloud?!

These dormant identities are more than just inactive; they represent a significant threat to your organization's security. 

Don't let these unused identities undermine your defenses—arm yourself with knowledge from Sonrai’s Cloud Access Risk Report.

Discover in the report:
→ The alarming prevalence of zombie identities — 61% of cloud identities are unused and ripe for exploitation.
→ A shocking 92% of permissions go unused, creating an expansive attack surface.
→ How automated solutions like the Cloud Permissions Firewall are helping cloud teams combat these risks.

Don’t let the dead eat you alive.

Vulnerable News

Snowflake Saga

There are too many links on this one topic that I want to share so we’re creating an umbrella header here.

TL;DR - After a few data leaks caught attention and were rumored to be connected to a service provider, people got curious. Then it was reported that Snowflake was the common thread and that they must’ve been breached. Well, Snowflake itself was technically not breached, but it seems a bunch of its customers were. Let’s dig into what we know:

It started to come out that the Santander and Ticketmaster breaches were linked to Snowflake: Snowflake account hacks linked to Santander, Ticketmaster breaches

A post by a security vendor, Hudson Rock, came out detailing a Telegram conversation they seemingly had with the threat actors responsible. This conversation said that Snowflake was hacked and 400 other customers were impacted. This post caught a lot of attention obviously, but then was quickly removed.

Snowflake pointed to the fact that the post was removed as evidence it was false. They neglected to mention it was actually removed because their lawyers forced it down.

Snowflake put out a statement that they had retained Mandiant and CrowdStrike to confirm they were not breached.

However, we’ve not seen the last of the customer impact. Hundreds of Snowflake customer passwords found online are linked to info-stealing malware

And one more thread to take with a grain of salt, as it is anecdotal: they are saying five more customers were impacted and are not thrilled, as the attackers’ activity also spiked their usage bills during the attacks. So they lost data and owed Snowflake for the privilege.
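The common thread above is plain passwords, lifted by infostealers, being replayed against Snowflake accounts. The first thing I’d want to see as a customer is which of my logins relied on a password and nothing else. This is an added example for the newsletter, not code from Snowflake, Mandiant or any of the threads linked above. Field names match the columns of Snowflake’s SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; the rows are constructed sample data (TEST-NET addresses), not a real export.

```python
"""Hunt for password-only logins in Snowflake's login history.

Added example, not code from Snowflake or Mandiant. Field names match the
columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; the rows below are
constructed sample data, not a real export.
"""
from collections import defaultdict

# Equivalent query to run in-account before pulling rows into Python:
#   SELECT user_name, client_ip, reported_client_type, event_timestamp
#   FROM snowflake.account_usage.login_history
#   WHERE is_success = 'YES'
#     AND first_authentication_factor = 'PASSWORD'
#     AND second_authentication_factor IS NULL
#     AND event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP());

SAMPLE_LOGIN_HISTORY = [  # constructed sample rows
    {"EVENT_TIMESTAMP": "2024-05-20T03:14:07Z", "USER_NAME": "ANALYST_A",
     "CLIENT_IP": "203.0.113.9", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20T09:02:11Z", "USER_NAME": "ANALYST_A",
     "CLIENT_IP": "198.51.100.4", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20T09:05:40Z", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "198.51.100.20", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-21T01:44:59Z", "USER_NAME": "ANALYST_B",
     "CLIENT_IP": "203.0.113.9", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-05-21T01:45:30Z", "USER_NAME": "ANALYST_B",
     "CLIENT_IP": "203.0.113.9", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


def password_only_logins(rows):
    """Successful logins where a password was the only factor presented.

    A password alone is exactly what an infostealer log hands an attacker,
    so these are the sessions to review first."""
    return [
        r for r in rows
        if r["IS_SUCCESS"] == "YES"
        and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
        and r["SECOND_AUTHENTICATION_FACTOR"] is None
    ]


def users_without_second_factor(rows):
    """Sorted list of users with at least one password-only login."""
    return sorted({r["USER_NAME"] for r in password_only_logins(rows)})


def shared_source_ips(rows):
    """client IP -> users that logged in from it with a password alone.

    One source address hitting several unrelated accounts is the shape of a
    credential-stuffing run over stolen creds rather than normal use."""
    seen = defaultdict(set)
    for r in password_only_logins(rows):
        seen[r["CLIENT_IP"]].add(r["USER_NAME"])
    return {ip: users for ip, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    for r in password_only_logins(SAMPLE_LOGIN_HISTORY):
        print(f'{r["EVENT_TIMESTAMP"]} {r["USER_NAME"]:<10} '
              f'{r["CLIENT_IP"]:<15} {r["REPORTED_CLIENT_TYPE"]}')
    for ip, users in shared_source_ips(SAMPLE_LOGIN_HISTORY).items():
        print(f"{ip} used for password-only logins to: {', '.join(sorted(users))}")
```

On the sample data this flags two sessions (ANALYST_A from an unusual client type, ANALYST_B after a failed attempt) and one address touching both accounts; the keypair-authenticated service account and the Duo-protected UI login are left alone. The same logic works on a CSV export of the view if you read it into dicts first.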

Sam Curry puts out a ton of great research. This one is funny to me because I saw the national news coverage of Cox routers before I saw this. I got to meet Sam in SF a few weeks ago, and you should absolutely follow him on socials and his blog.

This blog is a masterclass in AppSec and API testing. Sam walks you step by step through what put him on the trail of this vulnerability and then how he poked and prodded until he exploited it. I’ll give you the start and the end, and you’ll absolutely want to read the whole thing.

Start:

That one mysterious request led to him discovering his modem was hacked. He then found a way to hack any Cox modem.

To prove it, he used an admin API on Cox’s business portal to change his own home SSID and it worked. Absolutely wild. (read more)
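The bug class that makes a story like this possible is an API that checks you are logged in but never checks that you are allowed to touch the device you name. The newsletter doesn’t go into the specific flaw Sam found, and the code below is not a reconstruction of it or of anything in Cox’s portal; it’s an added illustration with a hypothetical device store, a hypothetical Caller type, and a vulnerable handler beside its hardened form, plus the probe a tester would run against both.

```python
"""Authentication is not authorization.

Added illustration of the bug class, not Cox's code or Sam Curry's exploit.
DEVICES, Caller and both handlers are hypothetical.
"""
from dataclasses import dataclass, field

# Constructed inventory: modem id -> owning customer account and its SSID.
DEVICES = {
    "modem-1001": {"owner": "cust-alice", "ssid": "Alice_Home"},
    "modem-2002": {"owner": "cust-bob", "ssid": "Bob_Home"},
}


@dataclass
class Caller:
    account: str
    authenticated: bool
    roles: set = field(default_factory=set)   # e.g. {"support_admin"}


class Unauthorized(Exception):
    """No valid session at all (HTTP 401)."""


class Forbidden(Exception):
    """Valid session, but not entitled to this resource (HTTP 403)."""


def set_ssid_vulnerable(caller, device_id, new_ssid):
    """Checks only that *a* session exists; any customer can target any modem."""
    if not caller.authenticated:
        raise Unauthorized("login required")
    DEVICES[device_id]["ssid"] = new_ssid          # no ownership check
    return DEVICES[device_id]["ssid"]


def set_ssid_hardened(caller, device_id, new_ssid):
    """Requires the caller to own the device or hold an explicit admin role."""
    if not caller.authenticated:
        raise Unauthorized("login required")
    device = DEVICES.get(device_id)
    # Unknown id and someone else's id get the same answer, so a caller
    # cannot enumerate valid device ids by watching which error comes back.
    if device is None or (
        device["owner"] != caller.account and "support_admin" not in caller.roles
    ):
        raise Forbidden("not your device")
    device["ssid"] = new_ssid
    return device["ssid"]


def idor_probe(handler):
    """Tester's check: log in as Alice, try to rewrite Bob's SSID.

    Returns True when the cross-account write lands, i.e. the bug exists.
    The device is restored afterwards so the probe is repeatable."""
    alice = Caller("cust-alice", authenticated=True)
    original = DEVICES["modem-2002"]["ssid"]
    try:
        handler(alice, "modem-2002", "pwned")
        changed = DEVICES["modem-2002"]["ssid"] != original
    except Forbidden:
        changed = False
    finally:
        DEVICES["modem-2002"]["ssid"] = original
    return changed


if __name__ == "__main__":
    print("vulnerable handler exploitable:", idor_probe(set_ssid_vulnerable))
    print("hardened handler exploitable:  ", idor_probe(set_ssid_hardened))
```

The probe is the whole test methodology in miniature: take a request that works for your own device, swap in an identifier you don’t own, and see whether the server notices. Anything that returns success there is a finding, whether the endpoint is labeled “admin” or not.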

If you’ve not been following the Microsoft Recall story, the long and short is that they launched a new feature that takes screenshots of your screen every few seconds and feeds them to a local AI that you can ask questions like “Who emailed me this week asking for that report?” The flip side: any malware on your device would have a full record of everything you did or read for the last few months.

Microsoft put out info saying you’d need physical access to the device; that isn’t true. They also said this:

Shot:

Chaser:

And this Wired article goes into a lot of Microsoft’s claims and what researchers are finding. (read more)

📣 Sponsor

Zero-day attacks get attention, but only 5% of breaches stem from software flaws

The shortcomings of traditional security approaches are no match for today’s evolving cyber threats. In this white paper by IAM analyst Jack Poller, learn how switching from shared secrets to zero trust can combat identity-centered attacks on your modern infrastructure.

You’ll gain an understanding of the pitfalls of traditional IT security measures and learn strategies for proper security, enabling you to avoid substantial consequences such as data theft (in 32%), extortion (in 24%), and credential harvesting (in 23%).

Japanese crypto exchange DMM Bitcoin just got hit with a massive hack, losing 4,502.9 bitcoin—that's about $305 million, making it the eighth biggest crypto theft ever. Despite this, DMM Bitcoin is reassuring customers that their Bitcoin deposits are safe and will be fully covered with help from their partner companies. (read more)

Besides being ethically shitty, stalkerware apps have been historically insecure. So they go and collect a bunch of spy data on unsuspecting victims, store it, and then get hacked.

Last week, hackers broke into pcTattletale, a U.S.-based stalkerware company, and leaked its data. This is the 20th stalkerware company hacked since 2017. These apps, used to spy on partners, are not only creepy and illegal but also poorly secured, putting user data at risk. Hackers often target these companies to expose their unethical practices. (read more)

Read this thread! This person fell for a scam, then recognized it while it was still going on. Super believable, tugging on your emotions and sense of urgency while pretending to be law enforcement and having a lot of data about you. (read more)

Ummmm. What?

Jibreel Pratt, a hacker from Detroit, bought stolen credentials from Genesis Market and allegedly planned to join ISIS. He told FBI informants he wanted to help ISIS with tech and cyber attacks, and shared plans for suicide drones, remote-controlled cars with explosives, and sent cryptocurrency to support ISIS. The FBI linked him to nearly 14,000 stolen credentials and arrested him on cybercrime charges. (read more)

Always love when normies get confused by something being capped at 256 (the number of distinct values an 8-bit field can hold). This reminded me of that. Also this reply is gold:

A massive attack last year turned 600,000 WiFi routers into useless bricks, cutting off the internet for many rural American families. The routers were hit by "Chalubo" malware, which infected the devices and overwrote their firmware, requiring replacements. Researchers believe weak credentials or exposed admin interfaces gave the attackers their initial access. (read more)

I’ve long talked about the dangers of ad networks being abused. I gave a Black Hat talk way back in 2013 about it. These networks at scale have very limited capability to ensure that the ads they are serving aren’t malicious in nature. This Twitter thread shows tons of examples of malicious ads being served up by reputable ad networks. (read more)

An internal Google database obtained by 404 Media reveals thousands of privacy incidents over six years, including Google accidentally recording children’s voices, leaking carpool users' trips and home addresses, and making YouTube recommendations based on deleted watch history.

I also just saw the news that they axed their Chief Privacy Officer and will not be replacing them. They’re retiring the role altogether. (read more)

What in the hell is this? This is a lesson in how not to communicate a security incident. Completely lackluster update that doesn’t say anything. I honestly think this is virtually untouched ChatGPT output. No details about how or what happened. Very vague details about what they did about it besides rotating creds and bringing in experts. This just smells weird to me. Am I crazy? (read more)

A ransomware attack hit Synnovis, a key pathology and diagnostics provider, disrupting major London hospitals like Guy's and St Thomas', King's College Hospital, and others. The attack began on June 3 and has severely impacted healthcare services, especially blood transfusions, leading to canceled or redirected procedures. Emergency care has also been affected due to the unavailability of quick-turnaround blood test results. (read more)

The FBI is warning about scammers posting fake remote job ads to steal crypto from job seekers. These scams involve posing as legit recruiters, offering easy tasks, and then requiring victims to make crypto payments to earn more. The FBI suggests being cautious with unsolicited job offers, never sending money or personal info, and reporting any sketchy activities to the FBI Internet Crime Complaint Center. (read more)

Mozilla is launching a bug bounty program specifically for LLMs (not the underlying tech) to help keep GenAI secure, and they say it's everyone's job to pitch in. They talk about the evolution of bug bounty programs and introduce their own next-gen program, 0Din. They're also hiring for several AI security roles if you’re on the market. (read more)

Sophos just dropped a detailed look at "Operation Crimson Palace." This big cyber-attack campaign targets Southeast Asia and is all about espionage. Hackers used phishing emails with malicious attachments to break into networks. Once inside, they used a mix of custom tools and existing malware to swipe sensitive data. The report digs into their tactics, tools, and how they got around security measures. Love a good deep dive like this one that gives you that full look behind the curtain. (read more)

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay