🎓️ Vulnerable U | #070

US bans Kaspersky, LockBit Federal Reserve Saga, CDK Global ongoing auto dealer outage, LLMs for Vulnerability Research, and more!

Read Time: 8 minutes

Howdy friends!

Writing to you from Scotland today! My family is out tracking down some Highland cows so I stayed behind for a few hours to get this out to you this week. Been a lovely few days in the UK, thanks for all of you who noticed I was here on Instagram and reached out with recommendations or offers to buy me a drink.

I can see myself spending some more time in Edinburgh in the future; what a lovely slice of the Earth. Future destination to escape Texas summer heat.


🖊️ Something I wrote: A look down memory lane from the last time I was in London.

☑️ Something I think you’ll like: I get a lot of messages from you all asking for help with your company’s SOC2 compliance. I always point you to Vanta. They’ve got a great checklist to get you going.*

🎤 Something I said: Did you see that we’re doing LiquidMatrix Security Digest again? Catch us wherever you do podcasts, but here’s the YouTube link.

🔖 Something I read: Rsnake has been on a mission this week digging into some reports of CISOs effectively taking bribes to purchase certain vendors.


📣 Sponsor

Free SOC 2 Compliance Checklist from Vanta

Are you building a business? Achieving SOC 2 compliance can help you win bigger deals, enter new markets and deepen trust with your customers — but it can also cost you real time and money.

Vanta automates up to 90% of the work for SOC 2 (along with other in-demand frameworks like ISO 27001, ISO 42001, and NIST AI RMF), getting you audit-ready in weeks instead of months and saving you up to 85% of associated costs.

And Vanta scales with your business, helping you continuously monitor compliance, unify risk management, and streamline security reviews.

Download the free checklist to learn more about the SOC 2 compliance process and the road ahead.

Vulnerable News

Alright, let's break this down. The US government just slammed the door on Kaspersky antivirus software, citing serious national security concerns. The feds are saying Kaspersky has ties with Russian intelligence—big surprise there. Starting late July, Kaspersky is banned from selling to US customers, and come September 29, all operations have to stop. No more sales, no more updates, nada. Current users, you've now got a seriously ticking clock to find an alternative.

The Commerce Department even slapped three Kaspersky entities on the Entity List for cozying up with Russian military and intelligence. And let’s not forget, the Treasury Department sanctioned a bunch of Kaspersky’s top brass—though mysteriously, Eugene Kaspersky himself dodged that bullet.

This isn’t just a knee-jerk reaction. This move caps off years of suspicion and mounting evidence. Back in 2017, we learned that Russian hackers used Kaspersky to swipe NSA documents, which led to the initial ban from US government networks.

Bottom line: if you're still using Kaspersky, switch to something else before September rolls around, or you’re going to be left holding the bag. (read more)

A lot of back and forth this week about whether the Federal Reserve was hacked. LockBit, clearly desperate to stay relevant, recently claimed they’d hit the Federal Reserve and swiped 33 terabytes of sensitive American banking info. Bold, right? Except, turns out, they didn’t breach the Fed at all; they hit Evolve Bank & Trust, a much smaller target. Some experts are saying this whole stunt was a blatant attempt to drum up some drama and remind the world they still exist. Personally, I think it is more of a shot across the bow of the Fed, since they’re in a long-standing tug of war with the FBI over it taking down their domains and making it harder for them to operate. (read more)

What do you think?


This one has been wild. Apparently, the whole auto dealership industry runs on a handful of SaaS tools. And one of the biggest, CDK Global, got absolutely owned and has been hard down for weeks now. Dealerships and service centers have been breaking out pen-and-paper workarounds to try to stay in business.

Bleeping Computer reported they were knocked offline by the BlackSuit ransomware group, which is demanding tens of millions of dollars.

I’ve been updating my social media as I see info on this one, and I’ve gotten dozens of DMs from folks working for companies impacted. I also heard from at least 3 individuals who have worked for tech teams associated with CDK and reported that it is a nightmare tech stack there. They told me CDK requires their customers to use Internet Explorer and an old version of Flash to even use the tool, and that internally their tech was even worse. I obviously can’t confirm this part, but I found it very interesting that multiple people told me this. (read more)

Google’s Project Zero named this Project Naptime since they want to go take a nap while an AI bot does their job for them. I find that naming delightful.

They’ve been evaluating the capabilities of LLMs for vulnerability research. So far their bots aren’t great at replacing them, but the data is interesting. Here are some details:

Principles for LLM Effectiveness:

  • Allowing LLMs to engage in detailed reasoning processes yields better results.

  • Models must interact with the environment to refine their outputs, mirroring software development practices.

  • Access to tools like debuggers and scripting environments is crucial for mimicking human researchers' workflows.

  • Automated, unambiguous verification of solutions ensures reliability and reproducibility.

  • Multiple hypotheses should be explored through independent trajectories rather than a single path.

Project Naptime Framework:

  • Architecture: Combines tools like a code browser, Python interpreter, and debugger to enable dynamic analysis and automatic verification.

  • Performance: Demonstrated up to a 20x improvement on CyberSecEval 2 benchmarks, especially in tasks like buffer overflow and advanced memory corruption.

  • Challenges: LLMs still struggle with real-world complexity and require more realistic benchmarks to fully gauge their capabilities.

Project Naptime's findings highlight the potential and limitations of using AI in cybersecurity, pointing towards a future where LLMs could significantly augment human efforts in vulnerability discovery. (read more)

Great thread on AI-powered propaganda campaigns. This isn’t an isolated incident and will only get more prevalent. Clemson University's report uncovers a sophisticated AI-powered influence campaign by pro-Kagame/RPF actors. Using over 460 accounts and issuing 650,000+ messages, the campaign leverages AI for text generation and imagery, targeting critics and promoting Kagame's regime. (read more)

We’ve got another chapter in the wild world of crypto scams. The FBI is sounding the alarm about cybercriminals posing as law firms and lawyers, promising to recover your lost cryptocurrency. Instead of helping, these fraudsters are double-dipping into victims' pockets.

Here’s the scam: These fake law firms claim they’re working with the FBI and the Consumer Financial Protection Bureau (CFPB). They drop names of real financial institutions and money exchanges to seem legit. They’ll ask for your personal info, banking details, and even upfront fees, all under the guise of helping you get your money back. They might also tell you to pay "back taxes" or other bogus fees to release your funds. The FBI reports that from February 2023 to February 2024, victims lost over $9 million to these secondary scams.

Remember, legitimate authorities won’t charge you to recover stolen crypto, and they won’t ask for personal information out of the blue. If you’re ever in doubt, research the company thoroughly online and report any suspicious activity to the FBI's Internet Crime Complaint Center (IC3). (read more)

There's a fresh bug in MOVEit Transfer that’s making waves. We’re talking about CVE-2024-5806, an improper authentication vulnerability in the SFTP module that allows attackers to bypass security controls. It affects versions 2023.0.0 up to (but not including) 2023.0.11, 2023.1.0 up to 2023.1.6, and 2024.0.0 up to 2024.0.2. Essentially, if you’re running any of these versions, you’re a sitting duck.
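If you have a fleet of MOVEit hosts, the practical question is which ones fall inside those three ranges. This is an added example, not code from the newsletter or from Progress; it assumes version strings are plain dotted numerics like `2023.1.4`, and the inventory is constructed.

```python
"""Added example (not from the newsletter or Progress): check whether a MOVEit
Transfer version string falls in an affected range for CVE-2024-5806.
The ranges are the ones stated above; unlisted branches are reported as
out of scope for this check, not as safe."""
from typing import Dict, Optional, Tuple

# (first affected, first fixed) per branch, exactly as listed in the advisory text.
AFFECTED_RANGES = [
    ("2023.0.0", "2023.0.11"),
    ("2023.1.0", "2023.1.6"),
    ("2024.0.0", "2024.0.2"),
]

def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2023.0.11' into (2023, 0, 11); pads short strings ('2023.0' -> (2023, 0, 0))
    and rejects anything non-numeric so a typo in an inventory is not silently 'safe'."""
    parts = v.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # type: ignore[return-value]

def affected_by_cve_2024_5806(version: str) -> Optional[str]:
    """Return the first fixed version on the same branch if `version` is vulnerable,
    otherwise None (already fixed, or a branch the advisory does not list)."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None

def triage_inventory(hosts: Dict[str, str]) -> Dict[str, str]:
    """Given {hostname: version} (a constructed inventory), return the hosts that
    still need patching, mapped to the version they should move to."""
    needs_patch = {}
    for host, ver in hosts.items():
        fix = affected_by_cve_2024_5806(ver)
        if fix is not None:
            needs_patch[host] = fix
    return needs_patch

if __name__ == "__main__":
    # Constructed inventory: two vulnerable, one already fixed, one unlisted branch.
    inventory = {"mft-01": "2023.0.10", "mft-02": "2023.1.6",
                 "mft-03": "2024.0.1", "mft-04": "2022.1.9"}
    print(triage_inventory(inventory))  # {'mft-01': '2023.0.11', 'mft-03': '2024.0.2'}
```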

This isn’t the first time MOVEit has been in the crosshairs. Remember the Clop ransomware gang? They exploited a different MOVEit vulnerability not too long ago, causing chaos and leading to massive data breaches. Millions of people were affected and huge ransoms were paid.

The FBI and CISA are all over this, providing guidance and urging swift action. Their message is clear: if you’re using MOVEit, update your systems immediately. This vulnerability is already under attack, and the longer you wait, the bigger the risk. (read more)

I love nerding out about detection engineering tactics. This post came across my feed and is super useful for any of you in Okta shops. SnapAttack’s latest blog post breaks down how to tackle Okta attacks using Dorothy and Splunk. The Okta System Log is your best friend here, providing real-time visibility into user activities. By leveraging Dorothy, a tool designed to simulate attacks, you can create realistic scenarios to identify potential vulnerabilities.

Splunk comes into play by analyzing these logs, making it easier to spot suspicious behavior and fine-tune your detection strategies. (read more)
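To make the "spot suspicious behavior in the System Log" part concrete, here is an added example that is not from the newsletter, SnapAttack or the Dorothy project. It is written in Python rather than SPL so it runs stand-alone; the password-spray pattern it looks for (many distinct accounts failing sign-in from one IP, then a success from that IP) is an assumed scenario, and every event is constructed, using the System Log's real field names.

```python
"""Added example, not from the newsletter, SnapAttack or Dorothy: a small detection
over Okta System Log events using the log's real field names (eventType, published,
outcome.result, actor.alternateId, client.ipAddress). Scenario and events are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, user, ip, result):  # builds one constructed System Log record
    return {"eventType": "user.session.start", "published": ts, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}

# Constructed NDJSON: one IP fails for six accounts, then succeeds for one of them.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in
    [_ev(f"2024-06-24T10:00:0{i}.000Z", f"user{i}@example.com", "203.0.113.7", "FAILURE") for i in range(1, 7)]
    + [_ev("2024-06-24T10:03:30.000Z", "user6@example.com", "203.0.113.7", "SUCCESS"),
       _ev("2024-06-24T10:05:00.000Z", "alice@example.com", "198.51.100.9", "FAILURE")])

def parse_events(ndjson):
    """Parse newline-delimited JSON; a malformed record is skipped, not fatal."""
    out = []
    for line in ndjson.splitlines():
        try:
            e = json.loads(line)
            e["_ts"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
            out.append(e)
        except (ValueError, KeyError, TypeError):
            continue
    return sorted(out, key=lambda e: e["_ts"])

def detect_password_spray(ndjson, window=timedelta(minutes=10), min_users=5):
    """Flag IPs whose failed sign-ins hit >= min_users distinct accounts inside
    `window`; also record accounts that later sign in successfully from that IP,
    since those are the ones to lock down first."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    alerts = {}
    for e in parse_events(ndjson):
        if e.get("eventType") != "user.session.start":
            continue
        ip, user = e["client"]["ipAddress"], e["actor"]["alternateId"]
        if e["outcome"]["result"] == "FAILURE":
            failures[ip].append((e["_ts"], user))
            recent = {u for ts, u in failures[ip] if e["_ts"] - ts <= window}
            if len(recent) >= min_users:
                alerts.setdefault(ip, {"targets": set(), "succeeded": []})["targets"] |= recent
        elif ip in alerts and e["outcome"]["result"] == "SUCCESS":
            alerts[ip]["succeeded"].append(user)
    return {ip: {"targets": sorted(a["targets"]), "succeeded": a["succeeded"]} for ip, a in alerts.items()}
```

The thresholds are starting points to tune against your own baseline; the same grouping (source IP, distinct targets, time window) is what you would express in SPL against the real index.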

People are just playing the algorithm and posting rage bait for views. Side effect: undermining our critical thinking skills and our shared sense of reality. (read more)

The Biden administration is digging into China Mobile, China Telecom, and China Unicom. Why? They're worried these firms could be funneling American data straight to Beijing through their U.S. cloud and internet operations. The Commerce Department’s on the case, having subpoenaed these state-backed companies. Even after getting booted from providing certain services, these firms still sneak in via cloud services and internet traffic routing. (read more)

CISA just confirmed that hackers might’ve snooped on sensitive info from U.S. chemical facilities during a January cyberattack. The hackers exploited a flaw in Ivanti IT products, targeting the Chemical Security Assessment Tool (CSAT) between January 23-26. While all data was encrypted and no evidence of data theft was found, there’s a chance the hackers got unauthorized access to critical site security plans and assessments. CISA is urging all involved to reset passwords and stay alert. (read more)

This is a fun one. Some thieves texted a vehicle transporter posing as employees of the dealership and got them to deliver to a new destination. They then texted the dealer, showing they’d removed the GPS trackers, to gloat. Social engineering on easy mode, apparently: the driver never verified anything with the thieves. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen