🎓️ Vulnerable U | #046

What are you obsessed with? Hacking a critical smart-wrench, 1.3 million impacted in Fidelity National breach, Fed threatening to pull funding to Hospitals with bad Security, 2023 Adversary Infrastructure Report, Oktajacking, and more!

Read Time: 9 minutes

Howdy friends!

Is anyone else feeling the wrath of the “let’s circle up on that after the holidays” wave of folks actually circling up on that after the holidays? I feel like I’ve been at my computer 18 hours a day this week, just keeping up with it all. Good problems to have.

My blog this week is about obsession:

I have a tendency to become obsessed with things.

I have a hard time doing anything casually. Sometimes the thing I’m obsessed with is lucrative, like cybersecurity. Sometimes it is a video game and thousands of hours get sunk into an RPG - I run communities about that game, I plan nights and travel about that game, and I want to become the best I can be at that game.

Sometimes I’m obsessed with a person, or group of people. And I get the rush of making new relationships. Falling in love. Even love of the friend variety where you find a person and think “oh yeah, I’m going to keep this one.”

Often I’m obsessed with money. Not obsessed in a healthy way, but in a “I’m always concerned about it” kind of way. Transparency here, I don’t come from money and never really had a nest egg. Traumatic and very expensive disasters in the last 5 years have set me back about a decade financially too.

Hobbies are easy to hyper-fixate on as well. Most recent hyper-fixations include my newsletter, YouTube, and podcast, which started as hobbies and have now flourished into a company that employs people. A fun side effect of spending too much time on one thing.

On a call with a friend this week, he shared with me, “I’ve learned to stop focusing on what the audience wants to read or watch and just talk about what I’m obsessed with. And I feel like I’ve been watching everything you put out, and I can just tell you’re not obsessed with it. So, what are you obsessed with?”

Sometimes big mirrors being held up to you are hard to look into.

ICYMI

🖊️ Something I wrote: Got some texts telling me they loved this one: The Tech Professional’s Guide to Mindfulness

🎧️ Something I heard: I watched this channel’s series on SF and now there is a similar one exploring the dark sides of Philly. - And Noah Kahan has been on repeat in my house lately. Orange Juice is a stand-out song for me.

🎤 Something I said: Talked about how Russia is hacking webcams in Ukraine to better target their airstrikes.

🔖 Something I read: The Midnight Library. Was a fun little existential crisis in book form.

Vulnerable News

I don’t think I’d normally share a vulnerability dropping on a wrench. The Internet of Things is getting out of control again. But upon reading this one, wondering why it was making the rounds - this isn’t just some special WiFi wrench - it is used and set to specific torque settings for critical nuts and bolts on aircraft. Well, now that piques my interest, and I see a threat vector worth exploiting. (read more)

Kelly Shortridge is required reading in this house. Her post on Security Obsctructionism is a piece I go back to often and send to a lot of people who are dealing with problems of building security into the culture of their org.

This piece is another good one and is a natural extension of all of us clamoring for “shift left” for the last decade.

“TL;DR Paved roads, not roadblocks” she says for herself in this one.

  1. Self-certification to guidelines

  2. Follow Platform/SRE’s lead

  3. Build Standardized patterns

  4. Abandon the perimeter model

  5. Advise, don’t dictate

  6. Ask platform teams to integrate security

  7. Provide isolation patterns

  8. Conduct user research

Love this list. A few teams I’ve worked with recently are looking to SRE as a model for how security teams should integrate. I’d pass this link around to your security teams as culture inspiration going into 2024. (read more)

We covered this breach when it first went down. It was a pretty gnarly one, and the company went offline for a very long time. They even stopped answering the phones, and folks couldn’t pay their mortgage.

Well, the regulatory paperwork filings are coming in, and we found out a bit more about the results of this. We don’t know what kind of data was impacted, but we know that 1.3 million of their customers got breach notifications and free credit monitoring. Not sure what that monitoring is worth to any of us anymore, but it is the normal bag of tricks post-breach. (read more)

Ok I’ve heard of hacking into a school to change your grades, but hacking into an Applebee’s to get a job is new.

This AI company Chattr had a bug found by these researchers which allowed them to view a lot of sensitive data they shouldn’t have had access to. But also a ton of fast food chains were using Chattr in their job application flow and this vuln allowed an attacker to accept/deny job applications. Fun bug write-up, give it a read! (read more)

Surely, if we remove hospital funding, that will make them better at security. They must’ve been just choosing to be super vulnerable to ransomware attacks all this time because they didn’t get around to it.

These are complex environments to secure, having done a fair share of assessments on hospital systems, there are a lot of layers under those roofs. Anyway, it looks like some new regulations might be coming down the pipe by the end of the year that withhold government funds from hospitals that don’t enforce 2FA or have a vulnerability remediation program. (read more)

First, “infoseccers” is not a phrase I’m going to get behind. Stop that.

Next, CISA sent out this warning which means they’ve got data about active exploitation.

“Security experts believe Chinese nation-state attackers are actively exploiting two zero-day vulnerabilities in security products made by Ivanti.

If you're an admin or a user of the two products affected, VPN service Ivanti Connect Secure (ICS) and network access control toolkit Policy Secure, you should immediately apply the current workaround in Ivanti's security update, the US Cybersecurity and Infrastructure Security Agency (CISA) warned last night.” (read more)

The tip of the spear these days seems to be crypto miners. These quick and dirty techniques are developed early by folks just trying to drop a quick miner somewhere and make a buck. Then, the techniques might be used later by stealthier attackers, so I like to keep an eye on these low-hanging miner fruit attacks.

Aqua Security's team has uncovered a stealthy attack targeting Apache Hadoop and Flink applications. The attackers leverage misconfigurations to deploy malicious software, including a Monero cryptominer and rootkits. (read more)

Seems we’re talking a lot about attacker techniques this week! Here’s another one based on research from DataDog talking about how modern attackers are moving from IRC to places like Discord and Telegram.

  • The Datadog Security Research team has observed numerous malware families leveraging chat platforms for malicious purposes.

  • Malware delivery is evolving from traditional server-based methods and command and control communication to chat platform-based methods.

  • It is difficult to counter this trend due to the necessity of chat platforms in many business operations.

This write-up is great and even includes some YARA and Suricata rules for you to implement to help out here. (read more)

I think it’s time to learn a lot more about AsyncRAT if you haven’t already. “AsyncRAT is a remote access tool written in C# that was published by NYAN-x-CAT on GitHub in January 2019. The tool has been used by both state-sponsored and financially motivated threat actors.”

A good report to flip through - here are some key findings:

  • Open-source and commodity malware C2s continue to lead the way in terms of infrastructure server numbers.

  • Despite many contenders for the title, Cobalt Strike remains the top C2 framework by a wide margin.

  • RedLine Stealer and Raccoon Stealer are the clear leaders among infostealer C2s in 2023 as far as the volume of C2 servers, despite a hiatus of several months for Raccoon Stealer

  • Takedowns of malicious infrastructure, such as the recent dissolution of the QakBot network, are effective ways of adding friction to malicious operations.

  • Russian state-sponsored actors are continuing to add legitimate internet services to their repertoire. They also update their C2 infrastructure with a rapid cadence, making changes weekly or even daily.

  • China state-sponsored actors are increasingly using anonymization networks constructed of compromised IoT systems, routers, and other devices. Multiple China-affiliated entities have been observed sharing the use of these networks. (read more)

Redis is everywhere. It is one of those tools that if I see a vuln in it I get concerned because it is hiding somewhere in a ton of infrastructures. Either on purpose or via supply chain dependencies.

“In some cases, Redis may incorrectly handle resizing of memory buffers which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution,” (read more)

Okta has been the center of a ton of recent breaches. It is a target of choice for the major phishing operations out there as if the attacker can successfully pop one account, they generally get access to a lot more behind it. Because of this I consider following along to any red team techniques surrounding Okta to be critical for blue/purple teamers to understand as they build defenses and detections.

This is a cool technique used to harvest credentials post-compromise or create more convincing phishing campaigns. “To be clear, this isn't a vulnerability in Okta that circumvents a security boundary and needs to be patched. This is offensive use of a product feature, the SaaS version of living off the land (LOTL). Let's call it living off the cloud (LOTC).” (read more)

Speaking of Living off the land. Here is an example of living off trusted sites. GitHub is one of those sites that allows for a ton of user-generated content to be hosted on it which will always be misused. In this blog’s case, we’re looking at how threat actors misuse this for command and control of botnets, dead drop resolving, and payload delivery. The perk here is that using a trusted domain like GitHub dot com will get you through many normal firewall rules and blend in with normal network traffic. (read more)

Does anyone else still have PTSD from Struts? My team at the time literally had T-shirts made after that trauma bonding we went through. Sleepless nights chasing that bug that was easy to exploit and hard to find.

Whelp, here’s another vuln with a 9.8 severity rating. “CVE-2023-50164 is a vulnerability arising from parameter pollution. Exploiting this flaw empowers attackers to manipulate the initial parameter by introducing an additional parameter in lowercase. This manipulation has the potential to override an internal file name variable, thereby facilitating path traversal and exposing the system to potential exploitation. Consequently, a path traversal payload can endure in the final filename, bypassing critical security mechanisms within Apache Struts.”

Fun one! Easy to read write-up here. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay