🎓️ Vulnerable U | #022

Growth Mindset Revolution, SEC Cybersecurity Requirements, Backdoor in encrypted radios, Google's 0-day Year in Review, and more!

Read Time: 6 minutes

Howdy friends!

Writing to you amidst the calm before the hacker summer camp storm. Are you all getting excited about Vegas? Find me if you want to share a coffee or a club soda, as I just celebrated one year without booze.

Vegas and Austin are both towns built around keeping the alcohol flowing; it was rough to choose to go dry right before Vegas last year, but it’ll be a whole lot easier this year.

She’s right behind me, isn’t she?

Sneak Peek at the Blog of the Week:

The Gifted Child Label and Its Impact on Mindset

My parents and teachers frequently praised me for my grades, put me in gifted kid programs, and called me an excellent student. None of this felt bad, of course. Who doesn’t like being called smart?

Though, I did start to realize that when I didn’t accomplish something perfectly, or even really well, I felt like a failure. Because I was the “smart kid”, when I made errors or it took a long time to learn something, it would weigh on me emotionally. My identity was tied to the outcome.

It was formulaic.

If I did X, then I got to continue being Y. If I aced the test, then I got to continue being the beloved smart kid.

If I failed at X, then Y was no longer true. If I failed the test, then I wasn’t actually a smart kid and simply fooled everyone into thinking I was.

Suddenly my self-worth was also attached to being the smart kid. If I wasn’t acing tests and getting praise from my teachers for excellence, then I didn’t actually deserve to be in the “gifted” classrooms and programs. I didn’t belong there.

In this episode:

  • The Growth Mindset Revolution

  • SEC vote requiring public companies to disclose cybersecurity incidents

  • Code Kept Secret for Years Reveals Its Flaw—a Backdoor

  • Google’s 2022 Year in Review of in-the-wild 0-days Tweet

  • Hackers are infecting Call of Duty players with a self-spreading malware

  • Jailbreak technique for ChatGPT

  • Lazarus hackers linked to $60 million Alphapo cryptocurrency heist

  • CoinsPaid blames Lazarus hackers for theft of $37,300,000 in crypto

  • Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs

  • Zenbleed - A new use-after-free bug in AMD Zen2 processors

ICYMI

🖊️ Something I wrote: Excellence doesn’t come from mastering the complex. It comes from exaggerating the basics.

🎧️ Something I heard: All the NahamCon 2023 talks went up on YouTube. I heard Daniel Miessler say he believes AI is on track to be more transformative than the printing press.

🎤 Something I said: I talked about the news in last week’s newsletter over on YouTube in a longer conversational form. I’m attempting a new format today, so subscribe over there if you’re interested in what I’m up to.

🔖 Something I read: Kelly Shortridge’s post on Quantum: “there are those in the tech sphere and on its periphery who worry about how horrible cryptography problems could get – but this is because they are ignorant of how bad implementation problems currently are”

Vulnerable News

Add this to the pile of real-world consequences of cybersecurity breaches. Whether you’re a CISO who could be found personally liable or you're a public company facing new SEC regulations, you’d better be investing in a big-girl security program these days. A few things here that I’m sure will make lots of billable-hour lawyers happy: companies can claim a breach isn’t material, the 4-day timer doesn’t start until the company is aware that the breach is material, and there are carve-outs where disclosure would raise national security or public safety concerns. (Read more)

An intentional backdoor has been discovered in encrypted radio comms used globally for over 25 years. Less a backdoor and more …a door. The tech is called TETRA and is widely used by police, fire, ambulance, critical infrastructure, etc. The researchers are giving a Black Hat talk about this, which until today was redacted. The wild part to me: we have no idea how widely this has been exploited up to this point. (Read more)

I’m a sucker for a good report aggregating hard-to-find and hard-to-analyze data. Nobody does 0-day in the wild exploit data like Maddie Stone over at Google. This report gives us a great view into what 0-days were actually exploited in the wild in a given year and shows us trends of malicious threat actors’ tactics.

This year at a glance:

  • 41 0-days seen in the wild. Down from 69 in 2021

  • 0-days are not needed on Android as patches don’t become available for a long time, so an older bug is just as usable.

  • 0-click exploits fell into favor, which meant fewer browser bugs, as those tend to be 1-click; 0-click bugs tend to live in other components.

  • Over 40% of the 0-days were reused vulnerabilities with new variant exploits

  • Collisions were high. Attackers found the same bugs as each other, so if you fix one 0-day, you’ll likely stop more than one threat actor.

I’d use this along with the DBIR trends to track what threat actors are up to and prioritize accordingly based on your threat model. (Read more)

Self-spreading malware was a bit of a specialty of mine back in my AppSec pentesting days. I LOVE finding a good worm. Those of the MySpace generation might remember the Samy Worm; that same combo of bugs has been replicated many times since then. This one is interesting since it seems to infect players sitting in a Call of Duty lobby waiting to start a game. Hard to imagine sitting in a game lobby these days and having players infect each other with malware. Likely this is a combination of bugs in the game itself. Steam took CoD offline while they investigated the issue. (Read more)

If you were on the internet around 2003, you may have seen this popular email circling around: "Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe."

Well, it turns out this worked on ChatGPT too and got it to bypass the “sorry, I can’t help you write that ransomware code” type protections. (Read more)
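The scrambling in that email keeps each word’s first and last letter and shuffles the rest, which means every scrambled spelling of a word shares one signature: first letter, sorted middle letters, last letter. A content filter can use that to normalize input before evaluating it, and to flag input where most of the recognizable words arrived scrambled. The Python below is an added example written for this newsletter, not code from the original post or from any model vendor; the vocabulary is a constructed word list, the 0.3 threshold is an arbitrary constructed value, and `scramble_key`, `normalize` and `looks_obfuscated` are my own names.

```python
import re
from collections import defaultdict

# Constructed vocabulary covering the words in the email quoted above; a real
# deployment would load a full word list for the language(s) it accepts.
VOCAB = ["according", "research", "cambridge", "university", "doesn't", "matter",
         "what", "order", "the", "letters", "in", "a", "word", "are", "only",
         "important", "thing", "is", "that", "first", "and", "last", "letter",
         "be", "at", "right", "place", "rest", "can", "total", "mess", "you",
         "still", "read", "it", "without", "problem", "this", "because",
         "human", "mind", "does", "not", "every", "by", "itself", "but",
         "as", "whole", "to"]


def scramble_key(word):
    """Signature shared by every inner-letter scrambling of `word`.

    Words of three letters or fewer have no middle to shuffle, so their key
    is the word itself.
    """
    w = word.lower()
    if len(w) <= 3:
        return w
    return w[0] + "".join(sorted(w[1:-1])) + w[-1]


# key -> set of vocabulary words that share it (collisions are possible,
# e.g. two real words with the same first/last letter and same middle letters)
INDEX = defaultdict(set)
for _w in VOCAB:
    INDEX[scramble_key(_w)].add(_w)


def normalize(text):
    """Return (normalized_text, scrambled_token_count).

    An alphabetic token whose key matches a vocabulary word, but which is not
    itself a vocabulary word, is treated as scrambled. A unique match is
    rewritten to the plain word; an ambiguous match is counted but left
    unchanged; a token with no match at all is left alone and not counted.
    """
    parts = re.split(r"([A-Za-z']+)", text)   # odd indices are word tokens
    scrambled = 0
    for i in range(1, len(parts), 2):
        tok = parts[i]
        cands = INDEX.get(scramble_key(tok), set())
        if not cands or tok.lower() in cands:
            continue
        scrambled += 1
        if len(cands) == 1:
            fixed = next(iter(cands))
            parts[i] = fixed.capitalize() if tok[0].isupper() else fixed
    return "".join(parts), scrambled


def looks_obfuscated(text, threshold=0.3):
    """True when at least `threshold` of the word tokens were scrambled.

    The default threshold is a constructed value for this example.
    """
    words = re.findall(r"[A-Za-z']+", text)
    if not words:
        return False
    _, scrambled = normalize(text)
    return scrambled / len(words) >= threshold


if __name__ == "__main__":
    sample = "Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef"
    print(normalize(sample))
    print("obfuscated:", looks_obfuscated(sample))
```

Run the normalizer ahead of the policy check so the filter sees the plain text, and keep the scrambled-token count as a signal in its own right: a prompt where most recognizable words arrive shuffled is worth a closer look regardless of what it says. Misspellings that change the letter multiset (the email’s own “rscheearch” and “iprmoetnt”) simply fall through untouched, which is the safe failure mode here.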

North Korea has been busy. Some crypto exchanges got popped recently, and researchers who study blockchain activity are attributing them to Lazarus. Check the next story for more. (Read more)

On back-to-back days Lazarus has succeeded in parting two exchanges from nearly $100 million in crypto. Their M.O. has been to lure employees of these exchanges on LinkedIn with fake job offers, tricking them into opening infected files on their PCs. This technique has netted Lazarus nearly $1 billion in stolen crypto. Talk about ROI on social engineering. (Read more)

I feel like I’ve included a “Patch your Apple things!” link in a lot of newsletter editions lately. That’s because I have. This is the 4th round of patches for bugs discovered to be used as part of the Operation Triangulation spyware campaign. (Read more)

A few weeks back, Tavis Ormandy started on a new project focused on CPU security research. Well, their first big result just dropped in a big way. Impacted products:

  • AMD Ryzen 3000 Series Processors

  • AMD Ryzen PRO 3000 Series Processors

  • AMD Ryzen Threadripper 3000 Series Processors

  • AMD Ryzen 4000 Series Processors with Radeon Graphics

  • AMD Ryzen PRO 4000 Series Processors

  • AMD Ryzen 5000 Series Processors with Radeon Graphics

  • AMD Ryzen 7020 Series Processors with Radeon Graphics

  • AMD EPYC “Rome” Processors (Read more)
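The practical follow-up to a product list like this is checking a fleet against it. The Python below is an added example (not from the newsletter, from the Zenbleed write-up, or from AMD): it pulls the “model name” lines out of /proc/cpuinfo and matches them against name patterns I wrote for the product lines listed above. Name matching over-approximates, since some SKUs sold under these lines are not Zen 2 parts, so a hit means “compare this host against the vendor advisory and its microcode guidance”, not “confirmed vulnerable”. The sample cpuinfo text is constructed, and `classify_model_name`, `parse_model_names` and `triage` are my own names.

```python
import re

# Name patterns (mine) for the product lines quoted in the newsletter, matched
# against the cpuinfo "model name" string. PRO lines come first so that a
# "Ryzen 7 PRO 4750U" is reported under the PRO line rather than the plain one.
AFFECTED_LINES = [
    (r"AMD Ryzen Threadripper (?:PRO )?3\d{3}", "AMD Ryzen Threadripper 3000 Series"),
    (r"AMD Ryzen \d PRO 3\d{3}", "AMD Ryzen PRO 3000 Series"),
    (r"AMD Ryzen \d 3\d{3}", "AMD Ryzen 3000 Series"),
    (r"AMD Ryzen \d PRO 4\d{3}\w* with Radeon Graphics", "AMD Ryzen PRO 4000 Series"),
    (r"AMD Ryzen \d 4\d{3}\w* with Radeon Graphics", "AMD Ryzen 4000 Series with Radeon Graphics"),
    (r"AMD Ryzen \d 5\d{3}\w* with Radeon Graphics", "AMD Ryzen 5000 Series with Radeon Graphics"),
    # 7020 series parts carry a 2 in the third digit (7320U, 7520U, ...), which
    # keeps the pattern from catching later 7x40 parts.
    (r"AMD Ryzen \d 7\d2\d\w* with Radeon Graphics", "AMD Ryzen 7020 Series with Radeon Graphics"),
    # "Rome" is the EPYC 7002 generation: four-digit model numbers ending in 2.
    (r"AMD EPYC 7\d{2}2[A-Z]?\b", 'AMD EPYC "Rome"'),
]

# Constructed /proc/cpuinfo excerpt (two logical CPUs of one desktop part).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 5 3600 6-Core Processor

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 5 3600 6-Core Processor
"""


def classify_model_name(model_name):
    """Return the listed product line a model name falls under, or None."""
    for pattern, product_line in AFFECTED_LINES:
        if re.search(pattern, model_name):
            return product_line
    return None


def parse_model_names(cpuinfo_text):
    """Distinct 'model name' values in a /proc/cpuinfo dump, sorted."""
    found = re.finditer(r"^model name\s*:\s*(.+)$", cpuinfo_text, re.MULTILINE)
    return sorted({m.group(1).strip() for m in found})


def triage(cpuinfo_text):
    """Map each distinct model name on the host to a listed line or None."""
    return {name: classify_model_name(name) for name in parse_model_names(cpuinfo_text)}


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo", encoding="utf-8") as fh:
            cpuinfo = fh.read()
    except OSError:          # not Linux, or not readable: fall back to the sample
        cpuinfo = SAMPLE_CPUINFO
    for name, line in triage(cpuinfo).items():
        verdict = f"on the listed line: {line}" if line else "not on the listed lines"
        print(f"{name}: {verdict}")
```

On a hit, the authoritative next step is the vendor’s own guidance: confirm the part by CPU family/model rather than marketing name, and check whether the firmware or microcode update for the platform has actually been applied.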

Miscellaneous mattjay

I forget where I heard it, but I like to say: “Any sufficiently sophisticated attacker will be indistinguishable from an insider"

Echoing what I say often - your security program is useless if you don’t have phishing or ransomware solved for:

Musician Nick Cave on love and grief:

"It seems to me, that if we love, we grieve. That's the deal. That's the pact. Grief and love are forever intertwined. Grief is the terrible reminder of the depths of our love and, like love, grief is non-negotiable."

Source: Letter to a fan named Cynthia

Upcoming Appearances

Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay