🎓️ Vulnerable U | #028

Microsoft cracked the Storm-0558 case, North Korea posing as infosec researchers, New Zero-Click iOS Zero-Day, and more...

Read Time: 6 minutes

Howdy friends!

Writing to you from the Big Island of Hawaii! I’m out here on my tenth anniversary trip. I surprised my family and rebooked our honeymoon for this big milestone and I couldn’t be more excited to be out here. That all being said, I am going to pull the vacation card and share a blog I wrote in the early days of the newsletter. There are more than a few thousand of you now that weren’t here when this was published! (Wow! we’ve been growing around here!) But I did collect my thoughts on the news below so that is all certified fresh. Mahalo!

Dad life. Piled with stuff to walk around with.

Sneak Peak at the Blog of the Week:

Everyone's goal is to not get hacked. That goal is meaningless.

Conventional wisdom is that setting specific, actionable goals is the key to success—ensuring our networks are impenetrable, our data is safe, and our businesses are secure. For years, many of us have approached our infosec practices with this goal-oriented mindset, but the reality is that this approach often falls short.

What truly matters isn't the goal itself, but the system we implement to achieve it. As legendary football coach Bill Walsh says, "The score takes care of itself." In other words, it's not the end result that we should be obsessing over, but rather the process we follow to achieve it.

Link to continue reading.


🖊️ Something I wrote: I gave a talk on Threat Modeling for Cloud Apps/Infra at a conference in Austin this week. The recordings will be up soon.

🎧️ Something I heard: I’ve still been making my way through Outlive on Audible and it is fantastic.

🎤 Something I said: Ran through the news in about 10 minutes over on YouTube - been keeping up with these every week and getting the hang of it.

🔖 Something I read: Mistborn! Finally digging into Brandon Sanderson. I’m a big fantasy book fan and feel like I’ve been missing out.

Vulnerable News

Microsoft figured out how their signing key was stolen: Results of Major Technical Investigations for Storm-0558 Key Acquisition

The whole newsletter should be about this one story. This incident read out is nuts. For a few reasons! The gist of it: The key was included in a crash dump. A series of stars aligning combined with extremely advanced attackers let that key be found in that crash dump.

Incident Timeline (h/t Scott Piper):
April 5th, 2016: Key was issued
April 4th, 2021: Key expired
April 2021: System that used the key crashes
May 15, 2023: Storm-0558 gained access to email accounts affecting approximately 25 organizations using that expired key.
June 16, 2023: Customer reported to Microsoft info that begins the investigation
June 27-July 5: At some point within these dates the key is replaced
July 11: Microsoft reveals the breach
August 11: The CSRB announces their next report will be on this incident.
August 15: Washington Post publishes about an additional a victim that was just informed
September 6: Microsoft publishes latest post relating to a crash dump

So the attacker not only got access to a crash dump they shouldn’t have and a key was in it that shouldn’t have been but the attacker then found that key that MSFT’s scanners missed AND figured out what that key was. - Insanity.

The other crazy thing here - an extremely advanced customer with some clout must’ve been the one to have called up Microsoft in order to say “Hey your key was stolen and we got hacked because of it.” And then for that conversation to result in the giant investigation we’re reading about now. (read more)

Another crazy APT story. North Korean nation state backed attackers were making fake infosec personas and then building relationships and rapport with researchers in the industry. They then used this trust to deliver 0day filled payloads to compromise these sensitive targets. Here is one of the accounts Google discussed in this report detailing this research:

Hope nobody reading this fell for any of these fake profiles. (read more)

All gas no breaks this news week. Citizen lab came out with evidence of a new zero click iOS zero-day tied to Pegasus spyware. The NSO Group is exploiting people in the wild just by sending an iMessage with a malicious image file in it. No interaction from the victim device is needed. Go patch your devices ASAP on this one. (read more)

A newly identified threat group named Earth Estries has been conducting cyber espionage campaigns targeting government and technology entities in various countries including the U.S., the Philippines, Taiwan, Malaysia, South Africa, and Germany. Active since at least 2020, the group compromises companies' internal servers to gain control over administrative accounts, moving laterally within networks to deploy backdoors and other tools, exfiltrating data, and logging keystrokes. They use a blend of Cobalt Strike deployments and other techniques to avoid detection, including PowerShell downgrade attacks and abusing legitimate services like GitHub and Gmail for command and control communications. The group has introduced new tools in its arsenal, including a backdoor named Zingdoor and an information stealer called TrillClient. (read more)

Apparently if you knew someone’s credit card number you could track their movements on the NYC Subway until recently. Some journalists at 404 media questioned the transit authority on this and outlined the dangerous use cases of stalkers or abusive partners. Glad to see this decision being reversed and NYers privacy being considered. (read more)

This story just kept popping up for me on Twitter. And the header image is just perfect. Anyway, I don’t even like smart appliances in my house. Nevermind Internet connected sex toys. Just keep stuff off the wifi that doesn’t need it, ok? (read more)

Another week, another pile of crypto currency stolen. In this case it was an Australian gambling site and the details of the heist are not being shared as of yet. If the other stolen crypto stories of the year can be used to speculate on what happened here, I’d say SIM Swap a privileged employee is a likely culprit. (read more)

In this? 2023? The year of the Barbie movie? We’re setting up a customer organization with all default weak passwords? Surely they are temporary passwords right? Right? - Nope. Seems everyone signing up was getting a quick “Welcome@” password that wasn’t temporary and they didn’t require you to change on first login. This is 101 and it’s rough to still see at this scale. (read more)

File under reasons to forever own your important domains. ESPECIALLY if your domains are printed in the real world. Double especially if that thing they are printed on in the real world is marketed and sold to children. (read more)

A constant struggle in the security vs. privacy wars is the ability to scan users private and encrypted messages/data for the greater good. Whether that greater good is CSAM or for other public safety reasons, the debate come up a lot. This announcement from Apple that they can’t scan all their user’s iCloud or devices for child exploitation evidence WHILE preserving privacy, is big news for this debate. Apple has nearly infinite budget and a top tier team of security personnel. If they can’t figure out a way to scan all this data while not infringing on user privacy, I’m not sure what hope anyone has on this issue. (read more)

Great job CISA for this. I’m looking forward to Mudge being back in a position to influence great change on the Internet at large. “Zatko begins in a part-time role this week as a “senior technical advisor.” It’s a high-profile hire for the Biden administration’s focus on products that are “secure by design,” a key component of this year’s National Cybersecurity Strategy as well as CISA’s strategic plan.” (read more)

Love this write up from Okta. Clearly outlines some struggles customers of theirs have been having including a novel lateral movement technique. It involved setting up a new identity provider as an “impersonation app” which was then used to grant access to applications in the compromised org. (read more)

As demonstrated by the Apple story above: People are realizing that even under the best intentions, breaking encryption is a bad choice. This is good news - the UK is backing down on its fight against encrypted comms, for now. (read more)

Miscellaneous mattjay

I guess I’m just not 1337 enough

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen