šŸŽ“ļø Vulnerable U | #051

Stress Management in Tech, US Internet Leak, Temu parent company pushing malware, AI generated robocall ban, Pegasus in Poland, Microsoft Breach revisited, Election Security CISA upgrades, and much more!

Author

Matt Johansen
February 16, 2024

Read Time: 10 minutes

Howdy friends!

Canā€™t express my gratitude enough for all of you. After our 50th straight week of sending Vuln U, we crossed 10,000 members. This is even after I set up an automation to prune folks who were inactive, which unsubscribed around 3,000 people.

This is a strangely important milestone in newsletter land in which you begin to be taken a bit more seriously so it feels great to watch that particular odometer roll over. Thank you again.

This weekā€™s blog is all about Stress since it is something Iā€™ve been thinking a lot about.

Thereā€™s a lot of content out there about how to manage your stress in the moment. Really helpful ways to keep your body regulated in intense situations. The most common among them are taking deep breaths and counting to ten before you speak or respond to something activating.

As necessary as those things are, and trust me, I have to employ them all on a regular basis, Iā€™m kind of sick of needing them so frequently. The stress is piling up these days. Friends and family are being laid off. Itā€™s the season of the sickness, and my community is passing around every virus and bacteria you can think of. Plus, the standard: work is busy, side hustle is growing, house projects are backing up, and money is always a thing.

So, what am I supposed to do? Just keepā€¦ breathing? Ok, I can do that. Certainly better than blowing up on my partner or daughter. However, there must be more I can do to reduce stressful events or at least compound stress. Rather than stress relief/management - stress reduction.

ICYMI

šŸ–Šļø Something I wrote: Weā€™ve moved on to the community open vote portion of the Best of AI Security 2023 project. Check out all the nominations and cast your votes!

šŸŽ§ļø Something I heard: The crowd going wild for Caitlin Clark breaking the record for most points in NCAA basketball history

šŸŽ¤ Something I said: At least a few dozen of you are here this week from my latest videos. Been getting good feedback, so Iā€™m going to keep em up!

šŸ”– Something I read: Engineering Leadership newsletter from Kelly Vaughn. Wrote up her suggestions on how to stay technical after moving into leadership positions.

Vulnerable News

US Internet is an ISP that is big in Minnesota (I had to look that up). The gist is that some researchers found a public link that had a directory listing that somehow let whoever was on it access every single email for each of their customers. Krebs clicked around and saw examples going back to 2008 and some from the present day. He then found some of the CEOā€™s emails and forwarded his own email to himself as proof when asking him what was going on.

ā€œWithin minutes of that notification, U.S. Internet pulled all of the published inboxes offline. Mr. Carter responded and said his team was investigating how it happened. In the same breath, the CEO asked if KrebsOnSecurity does security consulting for hire (I do not).ā€

Iā€™m going to let Krebs talk about this one mostly, as he has some of the most šŸ”„ comments Iā€™ve seen from him in this one.

ā€œKrebsOnSecurity has been writing about data breaches for nearly two decades, but this one easily takes the cake in terms of the level of incompetence needed to make such a huge mistake unnoticed. Iā€™m not sure what the proper response from authorities or regulators should be to this incident, but itā€™s clear that U.S. Internet should not be allowed to manage anyoneā€™s email unless and until it can demonstrate more transparency, and prove that it has radically revamped its security.ā€ (read more)

I know a few hundred of you are here because of a viral Twitter thread I had on this topic. If you watched the Super Bowl this past weekend, you couldnā€™t avoid the commercials for Temu. The jokes were bubbling up that a spyware company was buying very expensive ad space, and I was trying to figure out why we all felt a bit off about Temu. The service itself and its prices feel a bit scammy, but there was more to it. The comments on this were saying Temu is no worse than all the other apps that collect data for ads and that it was China fearmongering.

Well, upon some digging, Temuā€™s parent company, PDD Holdings, has a history of pushing malware to its Android app. They even burned a few 0days, all in the name of kicking their competitors off their usersā€™ phones and preventing their apps from being uninstalled. It is a wild story, read my whole twitter thread and the technical article linked here. (read more)

I had the pleasure of working for Phil Venables at one point in my career, and Iā€™m glad heā€™s at the helm over at Google Cloud.

I'm also glad to see Google through some big bucks behind AI security initiatives. Theyā€™re making a bold claim in this report that AI has the power to flip the script on the defenderā€™s dilemma. If youā€™re unfamiliar, that is the story we tell ourselves that defenders have to be right every time and attackers only have to be right once. (I take issue with this, as 0 days are not invisibility cloaks, but I wonā€™t dig into that now). Check the whole PDF on this one, not just the blog/landing page. (read more)

My phone has become virtually unusable as a means of contacting me via voice. I default to all numbers calling me are a scam. Now weā€™re throwing in AI robocalls? There used to be a little part of me that was happy knowing if a scammer was delayed on me messing with them, they couldnā€™t go scam someone else. But now, the scammers are robots, and we arenā€™t delaying anyone.

Well, in this case, the scammers are politicians (same thing, right?), and the FCC has taken a stand against using AI-generated robocalls altogether. Apparently, they were already being heavily used to trick voters into opinions about various candidates by mimicking their voices. I hope this ban has some teeth.

Can we ban infosec sales cold calls and LinkedIn DMs next? (read more)

This NY Magazine personal finance columnist wrote her story about how she was tricked by a scam artist into emptying her bank account and giving it to them. This story is wild, the tale the scammer tells is insane, and Iā€™m just shocked the author came out and admitted to all of this. Iā€™m happy they did, as it is a lesson learned for all of us that anyone can fall for these things. The scammers know how to play on your emotions. Guards up! (read more)

Update your Zoom! Iā€™ve caught myself calling all video calls ā€œZoomsā€ lately - almost like ā€œVelcroā€ or ā€œBand-Aidā€ - the brand has become the thing for me. Anyway, this seemed like a fairly nasty privilege escalation bug. It seems it needs some user interaction to exploit, like clicking a link, but it is still rated 9.6 on the CVSS scale.

On your desktop app, you can click ā€œCheck for updatesā€ by clicking on your profile photo. On mobile, just update from the App Stores. (read more)

I found this via a Twitter thread by John Scott-Railton, who was feeling particularly vindicated as Citizen Lab had previously called out the use of Pegasus against victims in this situation and were called fake news.

More from the Twitter thread: ā€œFor 8 years, #Poland's PiS-Party government was widely viewed as eroding democracy. The confirmation of #Pegasus abuses by Poland's new government under Donald Tusk is a powerful reminder: Mercenary spyware = part of the authoritarian toolkit.ā€ (read more)

This video deserves tens of thousands more views. This is the clearest walkthrough of the recent Russia Microsoft breach Iā€™ve seen. It takes the info MS published and puts together all the possible options and best guesses to fill in the blanks of what happened. The speaker also pulls up Azure tenants to show the identity roles and app permissions that wouldā€™ve been set to make this attack possible. Just fantastic job. (read more)

A bit of a PR piece about Microsoft and their combo research with the OpenAI team. BUT I feel it is valuable and worth reading as we all need to stay on top of this space as it continues to evolve.

ā€œImportantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely. At the same time, we feel this is important research to publish to expose early-stage, incremental moves that we observe well-known threat actors attempting, and share information on how we are blocking and countering them with the defender community.ā€

The bottom of this blog post is interesting as it highlights known threat actor groups that are using LLMs in their identified TTPs (read more)

Disrupting malicious uses of AI by state-affiliated threat actors

Here is the OpenAI side of the coin to the Microsoft blog above.

I like this level of transparency of the level of threats they are seeing and what theyā€™re doing to combat them. (read more)

Great episode of the Microsoft Threat Intel podcast where Sherrod DeGrippo walks through Operation Triangulation, the iOS 0day we talked about a few weeks ago that dropped at CCC. A good run-through of the vuln and Microsoft researchers have a unique view of the world, which I always appreciate a look behind the curtain of. I learned a few things about the landscape of surveillanceware on mobile devices. They particularly focus on how security researchers can be a heightened target due to our line of work.

One tip I took away - Reboot your phone more often. Most of these attacks canā€™t survive a reboot, but a lot of folks never turn their phone off. (read more)

Some good info on a bunch of the recent CVEs to come out, including Adobe and Microsoft patch Tuesday findings. The video shows a cool demo of an exploit the team there found in the wild for CVE-2024-21412 ā€“ Internet Shortcut Files Security Feature Bypass Vulnerability. It is a bypass in Microsoft Defenderā€™s protection from downloading files off the Internet. Itā€™s being used to target some forex traders with a remote access trojan in some online forums. (read more)

A detailed run-through of a security researcher using ChatGPT to analyze a suspected AgentTesla sample. If you are unfamiliar, a quick Google search landed me on CheckPointā€™s site, which says, ā€œAgent Tesla is an example of an advanced remote access trojan (RAT) that specializes in the theft and infiltration of sensitive information from infected machines.ā€ - It spreads mostly via phishing emails and has surged in prevalence since Covid.

I am less interested in the malware analysis in this one and more interested in how ChatGPT navigates some obfuscated and encrypted code snippets to analyze what is going on under the hood. (read more)

This story on the other hand, Iā€™m in for the malware analysis. It is a really good in-depth through of a WinRAR 0-day we talked about when it dropped here in the newsletter. (read more)

Feels like an AI-heavy episode this week. But how can I avoid sharing all of this? Here is an academic research paper on different LLMs finding vulnerabilities in web apps.

Take this paper with a grain of salt, as it was a purposefully vulnerable web app that it was testing. It's not like it was out here finding CSRF on Facebook with a 100% success rate. BUT - I still think this paper proves a direction we all knew was coming. The skill level to find some of these bugs will continue to drop, and the autonomous discovery and exploitation of bugs will not require a skilled operator of Metasploit, which is the current low bar. (read more)

JetBrains - Critical Security Issue Affecting TeamCity On-Premises

This one caught my eye because of Kim Zetterā€™s post, where she points out that SolarWinds and many other software makers use TeamCity to build software. And they even wrote a story about it last year (here is her great piece on the SolarWinds hack). This weekā€™s JetBrains TeamCity vuln lets an attacker bypass auth and become an admin.

From the advisory: The vulnerability affects all TeamCity On-Premises versions from 2017.1 through 2023.11.2. It has been fixed in version 2023.11.3. (read more)

CISA made some big moves this week with 10 new hires dedicated solely to US Elections security. It being 2024, Iā€™m guessing weā€™re seeing this to stave off any hope of a narrative forming that the US didnā€™t do everything possible to secure our presidential election.

ā€œUnderstanding the complexity of each stateā€™s election operating environment and their security needs is critical to us being effective partners in helping them mitigate those needs and ensuring the infrastructure security and resilienceā€

I hope this newly formed squad is transparent in their findings and initiatives as they have a very important mission. (read more)

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Upcoming Appearances

I recorded an episode of the Phillip Wylie Show this week that will be dropping soon. It was a great chat, talking mostly about career advice. Phillip is great and always has fantastic guests (not sure how I snuck in there)

Phillip Wylie Show

Join Phillip Wylie Show host Phillip Wylie as he and his guests discuss the intriguing and ever-expanding field of cybersecurity, including topics from the offensive security side to the defensive and response sides of cybersecurity. Frequent offensive security topics include pentesting, red teaming, ethical hacking, security research, and bug bounties. Guests share their origin stories, tips, and career advice. Phillip and his guests discuss content creation and personal branding in this podcast. If you enjoyed Phillip's previous podcast, The Hacker Factory, you will love this!

www.phillipwylieshow.com

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay