🎓️ Vulnerable U | #053

Massive US Healthcare Ransomware Outage, How the Pentagon Learned to Track People, WhiteHouse guidance on Memory Safe Languages, Google AI $50,000 Bug Bounty, Ubiquiti Routers hacked, Ransomware at children's hospital, Fulton County LockBit, and more!

Read Time: 10 minutes

Howdy friends!

A ton of news to get into this week, so I won’t yap too much up top. Glad to have you all here and I hope you enjoyed your Leap Day and committed lots of crimes.


🖊️ Something I wrote: A post about how leaning into things that you currently view as major problems can be a viable strategy. Reporting back a few weeks later that it has continued to help me.

🎧️ Something I heard: Worlds collided for me when one of my favorite parenting experts, Dr. Becky, was on Huberman’s podcast. She dropped some of the best career advice I could give someone in this clip. And because you all seem to like when I share it, a song that was playing while I wrote this.

🎤 Something I said: I’ve been making lots of these news stories into short form videos if that is your jam. Pick your poison - Instagram or TikTok (I had a lot of people reach out that one of my recent posts popped up in their feed. Fortunately it wasn’t about anything absurd or embarrassing like malware being delivered via sex toys… (The group chats are laughing at me)

🔖 Something I read: The first two parts of my next Brandon Sanderson book. I’m loving it.

Vulnerable News

This is a gnarly one. UnitedHealth subsidiary Change Healthcare has been down for over 7 days at this point due to a ALPHV/Blackcat ransomware attack. They process lots of payments, insurance claims, and all sorts of other medical back office things that is crippling the pharmacy and hospital sector. I know many personally impacted by this one as they are unable to get their meds paid for in the normal way. Basically getting an ultimatum: pay full out of pocket price or go without your meds.

Check my twitter thread to see the replies of people we know struggling to get insulin, inhalers, and other vital meds.

There was some speculation that this breach involved the ScreenConnect vuln but ALPHV came out and denied that being the vector used. UnitedHealth also initially said they were victim of a nation-state attack, which seems false. Lot more to learn about this one it feels like.

ALPHV also came out and said they stole millions of records and then deleted that statement.

There is plenty more coverage on this one you can check out (Reuters for example) and I’ll keep an eye on this one as it evolves. Follow my socials for more real time updates on this. (read more)

This is an insane read. I need you all to read it. It is incredibly important to understand for your privacy. It details how data brokers, ad tech, and government agencies use phones to track anyone they want, yes, including Putin. There is also a major twist in this read that involves using Grindr. This guy used Grindr data via their advertising platform to track the real time location of its users and could follow them to work, home, and rest stops full of other Grindr users.

I’ve gone down the privacy rabbit hole for many reasons this year, but this is a very good read. I’m so enthralled I’m going to purchase the book about this topic the article mentions: Means of Control. (read more)

Well. I don’t know what to say. This guidance from the Whitehouse is …spot on. It is also shockingly technical and prescriptive. Applause to the team that put it together.

The gist - as stated in this report, up to 70 percent of security vulnerabilities in memory unsafe languages patched and assigned a CVE designation are due to memory safety issues. Even Google and Microsoft publish their trials and tribulations with memory safety, and they have more money than the Pope to try to deal with it. What chance do smaller firms have?

The government is advocating that, where possible, you should stop trying to write code in languages that force you to handle memory safely (C/C++) and choose modern memory-safe languages. I saw conversations about this one calling it a major win for Golang and Rust.

Not that those languages are bug-free, but they really do reduce the risk of shooting yourself in the foot. (read more)

I love my bug-hunting friends. This time Justin, Joe, and Lupin teamed up to hack on some of Google’s new AI features. Combined, they found vulns worth $50,000 and won 1st, 2nd, and 3rd place in the competition.

Their big bug was a $20,000 winner where they were able to get Bard to return a copy of a victim's email in Gmail as an image. It would have to be paired with an indirect prompt injection vuln via an extension or something in order to execute, but Bard wasn’t supposed to be able to return images of the user’s email like that. It's a very cool bug, and the writeup of all the vulns they found is worth the read if you’re into AI security research. (read more)

Can’t thank Troy enough for maintaining “haveibeenpwned” for all of these years. I’d suggest regularly using it for you and your family’s accounts. Here is one I know some of my family might be interested in:

“200k Facebook Marketplace records allegedly obtained from a Meta contractor in October 2023 were posted to a popular hacking forum. The data contained 77k unique email addresses alongside names, phone numbers, Facebook profile IDs, and geographic locations. The data also contained bcrypt password hashes, although there is no indication these belong to the corresponding Facebook accounts.” (read more)

A flurry of activity over LockBit and ScreenConnect news dropped in the last week. This story got updated a few times since I originally captured the link in my list. They originally thought LockBit wasn’t actually taken down since they saw some exploit activity. That has since been corrected. There were also mumblings ScreenConnect has been used in some recent high-profile ransomware attacks that have also been debunked. It’s still a bug worth making sure you’re not vulnerable to because the exploit code has shown up in exploit kits already. From the article:

"On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool," Sophos explained.

"It appears that our signature-based detection correctly identified the payloads as ransomware generated by the leaked LockBit builder, but the ransom notes dropped by those payloads identified one as “buhtiRansom,” and the other did not have a name in its ransom note." (read more)

A few awful things about this one. 1) Why the hell was an antivirus vendor selling your browsing data?! 2) $16mil is a laughably small fine. Might as well prepay your fines and keep on doing it at that rate.

  • FTC's Bold Stand: The FTC announced a prohibition against Avast, accusing it of betraying the trust of its users by selling their sensitive browsing data, under the guise of offering protection against online tracking.

  • Financial Repercussions: Avast has agreed to a $16.5 million settlement with the FTC, intended to compensate the users affected by this breach of privacy. This settlement highlights the financial consequences of compromising user trust and privacy.

  • Privacy vs. Profit: Avast, through its subsidiary Jumpshot, was found to be selling detailed user browsing data, including web searches and visited websites, to over a hundred companies. This data exchange reportedly earned Avast substantial revenue, at the cost of exposing users' religious beliefs, health concerns, political leanings, and precise locations.

  • Corporate Response: Following the exposé, Avast promptly shut down Jumpshot. Avast has since merged with Norton LifeLock under Gen Digital, with reassurances that such practices have ceased. Avast's current statement expresses disagreement with the FTC's allegations but shows readiness to move past the issue, emphasizing alignment with current privacy and security standards. (read more)

  • Data Sharing Deals: Automattic is on the verge of finalizing deals with Midjourney and OpenAI, intending to provide them with substantial user data from Tumblr and WordPress.com. The specific types of data to be shared remain undisclosed.

  • Privacy Oversights: An internal post by Tumblr's product manager, Cyle Gage, disclosed an overreach in data compilation for AI training, inadvertently including private posts, content from deleted or suspended blogs, and posts marked as explicit or NSFW among others. This raises significant concerns over privacy breaches and the safeguarding of sensitive information.

  • Opt-out Mechanism: In response to these developments, Automattic plans to introduce a new setting allowing users to opt out of data sharing with third parties, including AI firms. This measure aims to block AI crawlers from accessing opted-out content, although the effectiveness and retroactive application of this opt-out option remains in question.

  • Automattic's Stance: Following the report, Automattic issued a statement emphasizing its commitment to user choice, attribution, and control over data sharing. The company promises to respect opt-out settings and to work closely with AI partners to ensure compliance with these preferences. (read more)

Been a lot of cybersecurity exec orders lately. It becoming such a big focus is interesting to me. The stats on global data breaches for last year show a drop globally but a 3x increase in US-based breaches. It seems the US is the big target, and the government is trying to do something about it.

This one specifically targets the sale of user data to China. On February 28, 2024, an executive order was issued, specifically targeting the sale and mishandling of personal data by companies and data brokers to “hostile” nations.

  • Regulatory Measures: The DOJ is tasked with issuing regulations to safeguard sensitive data. Additionally, DHS and DOJ are directed to establish security standards to prevent these hostile countries from acquiring Americans' sensitive data through commercial transactions, investments, or contractual and employment relationships.

  • Telecommunications Sector Scrutiny: The order also mandates the Assessment of Foreign Participation in the US Telecommunications Services Sector to take into account the risks to Americans' sensitive personal data in their review processes, especially regarding submarine cable licenses.

  • Enforcement and Penalties: The DOJ will enforce the regulations, seeking civil and criminal remedies for any violations. The severity of penalties will be based on the specifics of the violation, including the strength of any compliance programs in place. (read more)

The tweet that made me catch this was titled - “Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans,” so it caught my attention.

The Cisco Talos Intelligence Group has uncovered significant abuse of Google Cloud Run in a sophisticated malware distribution campaign targeting users across Latin America and Europe. This campaign, notably increasing in volume since September 2023, is distributing banking trojans such as Astaroth (aka Guildma), Mekotio, and Ousaban through elaborately crafted phishing emails.

Google Cloud Run's features, such as detailed request dashboards and API for rapid deployment, make it an attractive platform for adversaries. It allows them to deploy web services that can evade detection and be quickly replaced, facilitating the widespread distribution of malware. (read more)

With the amount of noise about this one lately, I’m guessing we’re going to see it get worse before it gets better. Router botnet attack 2024?

Key Points of the Warning:

  • Persistent Threat: The advisory highlights the threat posed by APT28, a group backed by the Russian General Staff Main Intelligence Directorate (GRU), known for its sophisticated cyber espionage campaigns. APT28, also known as Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, has been exploiting Ubiquiti EdgeRouters for at least four years.

  • Method of Infection: The Russian hackers have gained control of these devices by exploiting devices already infected with Moobot, a botnet malware, by leveraging default administrator credentials that the device owners never changed. APT28 has utilized these compromised routers to install custom scripts and malware, transforming the devices into tools for global cyber espionage.

  • Targets and Tactics: The advisory specifies that APT28 has targeted governments, militaries, and various industries across multiple countries, including the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US. Industries targeted encompass aerospace and defense, education, energy, hospitality, manufacturing, oil and gas, retail, technology, and transportation.

  • Recommended Actions: The FBI urges router owners to perform a hardware factory reset, update to the latest firmware, change default usernames and passwords, and implement firewall rules to restrict external access to remote management services.

  • Previous Similar Incidents: The advisory follows previous operations against nation-state groups, including a China-backed group known as Volt Typhoon, highlighting the ongoing risks posed by compromised routers in small office and home office settings. (read more)

New scheme outlined by Krebs here - Hackers sending out Calendly links that, instead of being a meeting invite, prompt the user to run a script that installs macOS malware. They’re specifically targeting the crypto community, which means you get exactly 1 guess at who is behind this. North Korean hackers have an absolutely LASER focus on stealing crypto all year. (read more)

The US State Dept has outlined a disinformation campaign going on in Africa by Russia.

“The Kremlin’s disinformation campaign in Africa:

  • In addition to its own staff, African Initiative recruits African journalists, bloggers, and members of local publics to support and amplify the organization’s work of bolstering Russia’s image and denigrating that of other countries.

  • One of African Initiative’s first major campaigns is to target U.S. and Western health initiatives in Africa with dangerous health-related disinformation. The campaign seeks to undermine U.S.-funded public health projects across Africa beginning with disinformation regarding an outbreak of a mosquito-borne viral disease.

  • From there, conspiracies will be spread about Western pharmaceutical corporations, health-focused philanthropic efforts, and the spread of disease in West and East Africa.”

I’m always fascinated when these kinds of details come out because you have to think about the incentives of the US government talking points. It is also interesting in this report how detailed they get with naming operatives. (read more)

This has been a hot-button lately. Anyone who owns a car knows the software on these things is atrocious. Arguably, the only one who gets software right is Tesla, and they’re probably more of a software company than a car company. The rest are just trash and rely heavily on Apple CarPlay or Google’s Android Auto to do the lifting for UX.

It seems they’re also searching for various monetization techniques since overall car sales are not doing well, prices are soaring, and they’re super tied to the economy and supply chain. In that search, they’re looking to monetize their user data. This has sparked a lot of fear about what is going on when you plug in your phone to the car’s USB port.

Cars are also connecting to your home wifi, pushing over-the-air updates, and all sorts of things cars didn’t use to do. So in all that, the US government is investigating the privacy practices due to some evidence its’s not going great over there. (read more)

We covered this breach when it happened. Well, the demand is now public, and the ransomware group is asking for 3.6mill for the …check’s notes… children's hospital data.

Long gone are the rules of engagement in this space.

“The cyberattack forced the healthcare provider to take its IT systems offline and postpone medical care in some cases.

Email, phone, access to MyChart, and on-premises internet were all impacted.

Ultrasound and CT scan results were rendered unavailable, patient service prioritization systems were taken down, and doctors were forced to switch to pen and paper for prescriptions.” (read more)

Dan has added a cool new feature to his open-source AI project, Fabric, that allows you to analyze threat reports quickly. You all know how much I love linking threat reports. I’m a sucker for a good long PDF full of unique data and good visualizations. I’m excited for this AI helper making going through them a bit easier for folks who aren’t as into the long form as me. (read more)

Cheap, Internet-connected video doorbells bought from Temu are a bad idea; who would’ve thought? All it takes is holding down the doorbell button for 8 seconds, and you can immediately add that doorbell to your app as an admin. View the video feed or disable it. Temu and Walmart have said they’ve pulled the doorbells made by EKEN from their shelves, but apparently, some white-labeled versions still exist. Be careful with your wifi connected cameras, folks. (read more)

Ok, we’ve beat this vuln to death on the newsletter, but one more shout from CISA where they say that even flashing to factory settings isn’t enough. I think they’re suggesting you take it to an open field and beat it with baseball bats a la Office Space. (read more)

There is a bit of a back-and-forth on whether LockBit has the data from the Fulton County hack. Some folks think they are bluffing and that they lost the data during last week’s takedown.

There is also this post by Krebs saying he talked to LockBit and they say Fulton County paid up. They are denying they paid. So who the hell knows at this point. (read more)

Some cool research from the team over at Apiiro who found a bunch of forks of popular GitHub repos with malware in them. They use the same name as the actual repo to confuse people into using the malicious version containing the malware changes. (read more)

Miscellaneous mattjay

Jhaddix and I have been doing this thing where we stream video games and let folks hang out and ask us security questions. Last night we did this playing Helldivers 2 and telling stories of awesome old AppSec vulns we found.

Congrats RSnake! This is huge.

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen