🎓 Vulnerable U | #017

What are you avoiding? New phishing threat actor, TriangleDB iOS Spyware, and more...

Read Time: 5 minutes

Howdy friends and welcome to another edition of Vulnerable U!

Coming to you this week fresh off the beaches of South Padre Island. I got to bring my daughter swimming in the ocean for the first time, teach her to build sand castles, and plant a seed about going to space being a real thing.

Drove my Jeep onto the beach and spent the afternoon watching the sun go down behind the rockets at SpaceX, and generally forgetting, for a moment, about the week ahead. It was incredible.

I’m going to try some new formatting on the newsletter this week to better keep things digestible and valuable.

Instead of the normal Vulnerable U content being in the body of this email I’m going to summarize and then link to it on my blog. Then I’ll still keep all the news links I’m reading this week here as well.

If you loved the main body of the newsletter up until this point you can find it in the “Something I wrote” link below from now on.

If you have feelings about this new format, please vote on the poll at the bottom so I can gauge if I should keep doing it this way.

ICYMI

🖊️ Something I wrote: What Are You Avoiding?

A huge revelation I had this year was in discussion with my therapist about a depressive episode I was having. (Yeah, we’re getting that kind of deep today.) I would become bedridden, and he asked me, “Well, what were you avoiding?”

That one question blew my mind and shifted my perspective.

Let’s dive into avoidance and how it plays into our lives as infosec practitioners who might not always do the things we know we should every week.

🎧️ Something I heard: Between Two Nerds: Go Big or Go Home

🎤 Something I said: Vulnerable U’s Latest on YouTube and Spotify

Sponsor

🚀 Skyrocket your company’s growth with Gambit 🚀 

Data-driven growth strategies powered by Gambit’s proprietary data integration and advanced machine learning algorithms help businesses grow exponentially.

Discover New Opportunities:

➡️ Find new customers and expand your reach

➡️ Learn more about your audience and their preferences

➡️ Identify emerging channels for untapped potential

Stay one step ahead

➡️ Anticipate market trends and future-proof your business

➡️ Enhance efficiency within existing channels

➡️ Stay ahead of the competition with valuable insights

Maximize your business’s potential in unmatched ways. Partner with Gambit today and propel your growth to new heights.

Vulnerable News

Muddled Libra is a newly identified threat group that uses advanced phishing tactics similar to those of 0ktapus. Read the report for detailed insights into the group's methods, targets, and the significant risks it poses to organizations. It includes a list of IOCs to fold into your hunts.

A detailed analysis of TriangleDB, a sophisticated spyware implant used in Operation Triangulation to target iOS devices of Kaspersky employees.

I also summarized it on Twitter:

Worth mentioning - Apple has released a patch for the 0days used in this implant.

And a good article in WaPo about this story as well.

In an incredibly unusual attack vector, members of the military are receiving Apple Watches in the mail from an unknown sender, and nobody knows what they do.

“These smartwatches, when used, have auto-connected to Wi-Fi and began connecting to cell phones unprompted, gaining access to a myriad of user data. These smartwatches may also contain malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords.”

Analysis of the Lazarus threat group's exploitation of vulnerabilities in Korean finance security solutions VestCert and TCO!Stream. (“VestCert is a web security software developed by Yettiesoft using a non-ActiveX approach, while TCO!Stream is a company asset management program made by MLsoft. Both solutions are widely used by Korean companies.”)

Krebs outlines a detailed investigation into an SMS phishing (or "smishing") campaign that exploited the United Parcel Service's (UPS) online shipment tracking tool in Canada to harvest phone numbers and other information.

A ransomware attack is causing angst among students who aren’t able to take part in their normal classwork because the school has not yet recovered from the attack.

Immersive Labs’ guide to understanding and detecting the Sliver Command and Control (C2) framework. This matters because Sliver, an open-source, cross-platform, and extensible C2 framework, is increasingly being used by threat actors to target large organizations. The guide covers Sliver's structure, encoding, and encryption, and offers practical methods for detecting its presence through file, memory, and network artifacts.

A vulnerability in Microsoft Teams allows external tenants to introduce malware into any organization using Teams in its default configuration. It bypasses many traditional payload delivery security controls, making it a potential avenue for threat actors to deliver malware. JUMPSEC has detailed remediation options, as well as some detection opportunities.

Misc

“Are you willing to be uncomfortable for 5 minutes?

Exercising is easier once you've started the workout.

Conversation is easier once you're already talking.

Writing is easier once you're in the middle of it.

But many rewards in life will elude you if you're not willing to be a little uncomfortable at first.”

James Clear

Come hang next week on Recon’s Thursday Defensive with me. Casual chat and Q&A format.

“Today I escaped anxiety. Or no, I discarded it, because it was within me, in my own perceptions—not outside.”

Marcus Aurelius

Got to chat with my friend Dennis on his podcast over at Decipher. We talk about how I got into infosec, the power of being a part of the community, and my mission here at Vulnerable U.

POLL: How did you like this new format?


Extra Credit

Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay