🎓️ Vulnerable U | #062

Verizon DBIR analysis, FCC fines major telecom $200 million, Change Healthcare hack details, Dropbox Breach, Bad passwords illegal in UK, and more!

Read Time: 8 minutes

Howdy friends!

Got to run a quick trip for a friend’s birthday to Albuquerque this past weekend. It wasn’t my first time there, as I’ve driven across the country many times, but it was the first time I actually hung out there. Even did a day trip to Santa Fe. Underrated corner of the country IMO, the weather was great this time of year at elevation and it was fun to escape humidity.

Gearing up for RSA? Going to be a marathon. I’ll have some Vulnerable U stickers and shirts if you find me. And I’m hosting a party at Reddit HQ with some other content creators and journalists: https://darkreddit.splashthat.com/

ICYMI

🖊️ Something I wrote: An overview of GitHub and GitLab being used for malware distribution.

🎧️ Something I heard: I watched Baby Reindeer on my plane rides. It is one of the hardest shows to watch I’ve ever sat down and consumed. I’m not even sure I want to finish it. Not a feel-good, but it will haunt me if you’re into that.

🎤 Something I said: I was on Tines’ podcast recently and talked a lot about careers in infosec, AppSec, security automation, and even mental health in the field.

🔖 Something I read: This AI Report (sorry its gated) - interesting to read how this small group of companies is using (and not using) AI.

Vulnerable News

It’s DBIR week! I say it in a lot of my newsletters: I love good reports with hard-to-compile data and great data visualizations. The DBIR is the REASON I started loving these kinds of things. Some absolute legends of the industry have run this report over the years and have gone on to become CISOs of major institutions. It is extremely high quality, meticulously prepared, and a must-read for our entire industry. I’m going to cover a larger-than-normal portion of my newsletter on this one topic this week.

The report covers data from 30,458 security incidents, of which 10,626 were confirmed breaches.

  • Financial motives drive ~93% of all breaches, showing a slight increase in espionage motives, up to 7% from last year. These incidents mainly affect the Public Administration sector, hinting at low overall diversity in threat motives across other sectors.

As Kelly Shortridge puts it in her great analysis - “Your threat model is still money crimes”

  • MOVEit vulnerabilities were implicated in 1,567 breach notifications.

  • The increase in breaches involving third parties is up 68% from last year.

  • Phishing remains a significant initial attack vector, and the median time for users to fall for phishing emails is less than 60 seconds.

  • The DBIR introduces a discussion on the use of GenAI in cyberattacks, finding little evidence of its adoption by attackers despite its potential capabilities. - This is a nice way of saying that a lot of the “AI is aiding attackers!” is marketing hype.

  • On vulnerabilities, the DBIR reports a 180% increase in exploitation from last year, with web applications being the most affected.

Read another way, stolen creds > phishing + vulns

  • Ransomware made up ~62% of “action varieties” in financially-motivated breaches while pretexting (like business email compromise) was 24%.

  • BUT - 96% of ransomware incidents resulted in no direct loss

Again I point to Kelly Shortridge’s post that talks about the economics of protecting against ransomware. If 96% of these incidents result in no loss, and you have some data about what the loss might be if you fall into that 4%, you can make an informed decision on how much you’d want to spend on backups, and EDR each year.

A stand-out quote for me around the major increase in vulnerabilities being used for initial access: “If we can’t patch the vulnerabilities faster, it seems like the only logical conclusion is to have fewer of them to patch.” - Hell, yes. Vulnerability whack-a-mole is a losing battle. Work on ways to reduce the number of vulns that make it into prod, to begin with. Secure by default!

TL;DR (but please read) -

  • GenAI hype is hype as far as threats go.

  • Vulns being exploited nearly tripled from last year. Get on top of your secure by default guardrails and vulnerability management program.

  • Overall, protecting against stolen creds, credential stuffing, and phishing is still your biggest bang for the buck. FIDO2/Yubikey rollout and make it mandatory.

Fun fact, in 2016 I won a challenge that was a puzzle embedded into the DBIR. It was kind of a CTF with a bunch of challenges that took me a few days. (read more)

Is this your first year reading the DBIR?

Either way, tell me something you learned this year from it

Login or Subscribe to participate in polls.

The FCC has fined AT&T, Sprint, T-Mobile, and Verizon nearly $200 million for illegally sharing customers' location data without proper consent.

Key Points:

  • Privacy Violations: The investigation revealed that these carriers sold access to customer location data to aggregators, who then resold it to third parties, circumventing the requirement for direct customer consent.

  • Carrier Reactions: All fined companies plan to appeal, arguing against the FCC's findings and citing the steps taken to address the unauthorized data access.

This comes at the same time as the FTC publishing some strong signals of impending counter “customer surveillance” legislation. All of this is a backdrop to more talks of major privacy legislation, a la GDPR, but for the U.S. in the form of the American Privacy Rights Act (APRA). (read more)

Maciej Pocwierz shares a cautionary tale about how an empty, seemingly innocuous AWS S3 bucket can lead to unexpectedly high charges. After setting up a bucket for a document indexing proof of concept, Pocwierz was surprised to find a bill over $1,300 due to nearly 100 million S3 PUT requests in a single day.

Security Implications: The scenario also posed significant security risks. Pocwierz experimented by allowing public writes to the bucket, quickly amassing over 10GB of data from external sources, showcasing how easily data leaks can occur through simple configuration oversights.

Proactive Measures: To mitigate such risks, AWS users are advised to use unique, complex names for S3 buckets and explicitly specify the AWS region in requests to avoid unnecessary redirects and charges.

AWS Response: AWS has acknowledged the issue and is looking into measures to prevent such charges in the future, as noted by AWS VP Jeff Barr on Twitter. (read more)

We’ve covered this hack a lot, but now the CEO of UnitedHealth was sitting before the Senate answering about this ransomware attack that crippled the U.S. medical industry. This also included our first glimpse into “how” this hack happened, spoiler: stolen creds (I see you, DBIR), no MFA, and a Citrix portal.

We also get this awesome screenshot of a senator holding a “Hacking for Dummies” book to roast the CEO. (read more)

Dropbox disclosed an incident around their “Dropbox Sign” product that was discovered 4/24. This breach involved compromised emails, usernames, phone numbers, hashed passwords, and certain authentication information including API keys and OAuth tokens.

I also love this thread by Magoo who dives into why this might be more than meets the eye and hard for Dropbox to investigate. Magoo highlights the complexity of confirming whether API keys or tokens were abused during the incident. He suggests that identifying misuse of such credentials, particularly if attackers switched infrastructure, could be exceptionally challenging. (read more)

I mean… This one speaks for itself:

“For more than five years, Marriott has defended a massive 2018 data breach by arguing that its encryption level (AES-128) was so strong that the case against it should be dismissed. But attorneys for the hotel chain admitted in an April 10 hearing that it had never used AES-128 during the time of the breach.

In fact, it hadn’t been using any encryption at all at the time but rather had been using secure hash algorithm 1 (SHA-1), which is a hashing mechanism and not encryption.” (read more)

Bad passwords are now illegal?! Well at least for manufacturers in the UK. Some new legislation just passed requiring some minimum password strength requirements for manufacturers in the UK. Imagine if you went to jail for your crappy password? High school me would’ve been locked up fast. (read more)

A Ukrainian national linked to the notorious REvil ransomware gang has been sentenced to more than 13 years in prison. This comes after his involvement in a 2021 attack that compromised hundreds of businesses globally, including a significant breach at Florida-based Kaseya.

  • Extensive Impact: Vasinskyi was implicated in over 2,500 ransomware attacks, demanding upwards of $700 million in ransoms.

  • Significant Legal Actions: Along with the prison term, he has been ordered to pay $16 million in restitution for the damages caused by his cybercriminal activities. (read more)

Domain Fronting is when you use a trusted domain to establish a connection and then have a different endpoint on the backend responding. CDNs are popular in this technique and many of them attempt to block it. But this paper dropped said they’re not very successful.

“The study revealed that domain fronting remains feasible in 22 out of 30 tested CDNs, including major providers like Akamai and Fastly. This suggests that despite efforts to curb this practice, it continues to be a significant issue within CDN infrastructure.” (read more)

Saw this tool drop for sniffing PCAPs of 2g, 3g, 4g, and some 5g comms on Qualcomm devices:

This is the first I’ve seen of this kind of sniffer, especially for 5G signals.

Okta has been a favorite target in recent years. A compromised Okta account generally gets you access to a lot more behind it, as is the nature of SSO. Even so, Okta has issued a warning about a significant increase in credential stuffing attacks targeting its customers. These attacks involve cybercriminals using automated tools to try stolen username and password combinations across various platforms to gain unauthorized access.

In a shocking twist, Okta’s recommendation is to turn on more of their features! (Pay them more money) for enhanced security. The current U.S. administration has been coming down on this, saying you shouldn’t be charging more for table-stakes security features.

</soapbox> There are lots of techniques to combat this, but I just recommend prioritizing it. This is active exploit data, not theoretical security best practices. Implement that impossible geo feature you’ve been wanting, go fight for Yubikey budget, just block logins from anonymizing proxy services. These 3 things will stop most of these attacks. (read more)

This is just a great set of Twitter threads about common AD vulns found during pentests (first thread) and then a quote tweet with a thread of remediation steps for those common vulns.

If you’re managing an Active Directory network, this is gold. (read more)

The U.S. Senate recently reauthorized Section 702 of the Foreign Intelligence Surveillance Act (FISA), extending it for another two years. This legislation, known as the Reforming Intelligence and Securing America Act (RISAA), faced a ton of debate but still passed. The Senate defeated several amendments aimed at curtailing the scope of warrantless surveillance activities, including a significant one that would have required federal agencies to demonstrate probable cause and obtain a warrant before accessing communications involving U.S. persons.

Proponents of the law, like FBI Director Christopher Wray, defend Section 702 as a critical tool for combating foreign threats, notably cyber attacks from entities like Chinese hacking groups. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Upcoming Appearances

Check out the party I’m hosting at RSA Tuesday night. Hosted by a bunch of your favorite infosec journalists and content creators - https://darkreddit.splashthat.com/

And I’m sponsoring the Securosis recovery breakfast.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay