Read Time: 5 minutes

Howdy friends!

Writing you from SFO, waiting for my flight back to ATX. Came out here to host a meetup @ Reddit HQ we called SnooSec. It went awesome, we had a great turnout, and great talks. The sentiment was, “Man, we missed these kinds of in-person meetups.”

Speaking of, Vulnerable U is sponsoring a few meetups at RSA, so keep an eye out. The first one is the Securosis Recovery Breakfast on Thursday morning. We all need to recover after the RSA marathon, so come decompress for a bit.

ICYMI

🖊️ Something I wrote: Ranted about how security vendors need to integrate into security team’s pipelines/workflows. Gone are the days of analysts interpreting PDFs.

🎧️ Something I heard: Rachel Tobac is awesome. Darknet Diaries is awesome. Rachel on Darknet Diaries is very awesome.

🎤 Something I said: Was on the Phillip Wylie show this week talking about infosec career paths and mental health in cyber.

🔖 Something I read: Rich Mogull makes some great points about the recent scathing report out of CISA about Microsoft. It’s Time for a Microsoft Trustworthy Cloud Initiative

Vulnerable News

Let’s be honest. This is basically the XZ special edition. There are a lot of great pieces to make sure we cover on the story as it is one of the bigger stories in our industry in years. Let’s start with my high level 90 second description of the incident:

(TikTok or Instagram if you’d rather over Twitter)

TL;DR - XZ which is on almost all Linux boxes was being maintained by 1 person. A threat actor gained that maintainers trust by committing helpful code and then eventually used that trust to slip a backdoor in.

backdoor in upstream xz/liblzma leading to ssh server compromise

Here is the post that started it all. This backdoor was found by Andres from Microsoft who was benchmarking some things and noticed his login time was 500ms slower than he’d expected. This had him dig in more and he found the backdoor. (read more)

(hacker news comments) Backdoor in upstream xz / liblzma leading to SSH server compromise

🚨 Incident Tracking : 2024-03-29 xz-liblzma

Magoo is a major role model of mine, but besides that, here he created a great splash page with links, resources, and timeline for the XZ incident. (read more)

Evan Boehs - Everything I Know About the XZ Backdoor

Evan has one of the other best writeups i’ve seen of things found out in real time detailing even the attackers Git history. (read more)

Here is an OSQuery query that can help - https://gist.github.com/jamesspi/ee8319f55d49b4f44345c626f80c430f

THREAD by @robmen: Lots of analysis of the xz/liblzma vulnerability. Most skip over the first step of the attack:

A great thread into the mental state of the XZ maintainer and how that was crucial in this attack even getting as far as it did. (read more)

The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind

A great Wired article that looks back into the Jia Tan persona and it’s behavior. A lot of folks jumped to point to China for this. The name and time zone are definitely meant to make you think Asia. But some researchers note that the time zone was not consistent and we even see some possible slip ups where they might’ve forgot to set the right time zone and actually commit from eastern Europe.

There are some clues about them working through Chinese holidays but missing Christmas that point towards the possibility of someone trying to make it look Chinese but not really Chinese. (read more)

A Microcosm of the interactions in Open Source projects

Rob Mensching's blog post provides a detailed narrative of the issues in open-source project maintenance, particularly highlighted by the xz/liblzma vulnerability incident. He discusses the burnout of the original maintainer, the entry of a malicious actor into the project, and the complex dynamics and pressures within open-source communities. The post reflects on the need for change in how open source projects are managed and maintained, emphasizing the heavy reliance on individual maintainers and the risks it poses. (read more)

Facebook snooped on users’ Snapchat traffic in secret project, documents reveal

There is a court case going on right now that is causing a lot of documents to be public that are teaching us all sorts of things about Facebook’s behavior and data privacy abuses. Notably, here, Facebook saw Snapchat as a competitor, realized they didn’t have good analytics on how Snap’s users were using that platform, and decided to do something about it. Doing something here means - acquiring a VPN company, secretly paying teenagers to use it, and snooping on the encrypted traffic to Snap to collect said data. (read more)

AT&T resets account passcodes after millions of customer records leak online

Remember that AT&T breach we talked about in the last few episodes? The one they denied? Well raise your hand if you got a breach notification and a forced password reset this week. Looks like they found evidence the breach was legit and started forcibly resetting passwords as a defense. (read more)

The Resurgence of the “Manipulaters” Team - Breaking HeartSenders

The Pakistan-based cyber crime team, the Manipulators, are the ones behind a phishing/spam tool called HearSender. Domain Tools wrote a good breakdown of their activities including how they’re claiming to operate as a legitimate business. Great writeup here showing the whole scale of their malicious domains and the groups security lapses that allowed this kind of tracking. (read more)

Review of the Summer 2023 Microsoft Exchange Online Intrusion — CISA

Going to steal Rich Mogull’s line from the blog I linked up top. “CISA just released their report on the big Summer 2023 Microsoft Exchange Online Intrusion. You could call it blistering, but I call it more of a third degree plasma burn.”

We covered this Microsoft breach a lot in the newsletter, but if you’re new here - Microsoft has been a nation-state punching bag a bit over the last few years. The most recent major attack was a rough one in particular because the comms was handled poorly around what the impact actually was. They stated no source code was stolen and then had to fix that. This happens in Incident Response, and I’m glad they kept looking for info after initial comms, but it didn’t help the public eye battle they were fighting. This new CISA report certainly adds fuel to that fire. Worth a read, I’ve never seen them come out so pointed at a single private company like this. (read more)

HaveIBeenPwned — New Breach: SurveyLama had 4.4M email addresses breached in Feb.

A classic thank you to Troy from haveibeenpwned. If you’re not using his service and resetting your user’s accounts that pop up here, you should be. Here is a new 4 million user breach of SurveyLama that includes: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses (read more)

@VXunderground — A group of Threat Actors operating under the monikers; IntelBroker, Sanggiero and EnergyWeaponUser claim to have compromised Acuity Inc, a Federal tech consulting firm based out of Reston, Virginia

File this under a watch item. It's not verified, but it made my spidey senses tingle as it could be a very big deal once we find out more.

Google Bans Face Swap App for Inviting Users to Make Deepfake Porn

404media has been on a tear going after any AI companies that are aiding in non-consensual deepfake porn. I find the space super interesting as it crosses many ethical lines to use people’s likeness in this way. One of the pieces of tech that was common in these schemes was a face swap app used to put victims’ faces onto adult film stars. After making enough noise about it, it seems Google has taken action to remove the app from the Play Store. I fear this will be cat and mouse for a while, though, as a lot of copycats exist and don’t even need the mobile app stores to distribute. (read more)

New Chrome feature aims to stop hackers from using stolen cookies

Google is introducing a new Chrome security feature called 'Device Bound Session Credentials' (DBSC) to enhance account protection. This feature cryptographically ties authentication cookies to the user's device, preventing stolen cookies from being used on different devices. By utilizing the Trusted Platform Module (TPM) chip, DBSC ensures that stolen cookies are useless to attackers, enhancing security for both consumers and enterprise users (read more)

Miscellaneous mattjay

mattjayy

View more on Instagram

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay