Vulnerable U
Posts
🎓 Vulnerable U: #023

🎓 Vulnerable U: #023

Cybersecurity & Mental Health, Unlimited Airline Miles, Microsoft Called Out, Russian Phishing in MS Teams

Matt Johansen
August 04, 2023

Read Time: 5 minutes

Howdy friends!

Can you feel it? Vegas is coming.

I think it’ll actually be colder there than the surface of the sun that is Texas, but I’ll still be taking as many meetings as I can by the pool. Find me to say hi or have a coffee or fizzy water with me. I won’t be drinking, and I’ll be hitting the gym in the mornings. If you choose not to go hard all week like that city is designed for, you won’t be alone.

Pulled some photos from BlackHat 10 years ago of my view about to give my presentation, Million Browser Botnet. We also had a guy with a monkey at the WhiteHat party… you know, normal Vegas things.

Sneak Peak at the Blog of the Week:

I’m writing this today for you as much as for myself. We’ve gotten real here before, but this time, I wanted to hit a bit differently. The tone is a bit more serious, maybe a little more exhausted. Dark humor is the way I try to convince myself it’s not that bad.

The reason I’m most impressed that I’ve hit submit on 23 weeks straight of long blogs and newsletters is because any given week is a crap shoot on where I am mentally. The last few weeks have been hard ones, and today is no different.

Luckily for me, I have put in a lot of hours on the subject matter, and I know I am not alone. But I also know not everyone feels like that, and so I was called to share a bit more and dig a bit deeper this week.

Let’s get vulnerable.

With hardly any effort at all, I found that it was not just in my head. Mental health issues within cybersecurity grow at an alarming rate.

The industry demands nothing short of perfection—zero tolerance for mistakes. Our adversaries are persistent and smart, requiring we remain two steps ahead, constantly anticipating their next move. It's like playing chess with ghosts, where a single oversight has the potential for devastating consequences.

We're fighting against the clock too. Hackers don't punch out at 5 PM, and neither do we. I can’t tell you how many family vacations over holidays I’ve been on an incident bridge running command on a response effort. It became a joke that July 4th was just destined to have me holding my phone up in the woods searching for cell signal while dealing with adversaries who knew the US folks would be AFK.

Sleepless nights and bleary-eyed mornings are par for the course. Any security consultant's go-bag includes all sorts of stimulants. I remember we used to trade espresso beans in our hotel rooms while going over pcaps.

Some of us live for this as there's a thrill in the chase, the constant learning, and the triumphs when we outsmart our foes. But let's be honest, it's not always sunshine and rainbow tables. It’s not always as glamorous as popping boxes and flying off to brag about it in Vegas. The mental toll can be heavy.

Today I want to expose the realities of mental health in our industry while also sharing the life rafts I’ve been using to stay afloat. Likewise, consider this your invitation, rather, I implore you to share what works for you so I can try on new mental health fits.

Link to continue reading

In this episode:

Cybersecurity and Mental Health
Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform
Microsoft… The Truth Is Even Worse Than You Think
Pentagon hit by ‘critical compromise’ of US air force communications
Threat Intel - Midnight Blizzard conducts targeted social engineering over Microsoft Teams
The Spies Who Loved You: Infected USB Drives to Steal Secrets
Ivanti discloses new critical auth bypass bug in MobileIron Core
Over 640 Citrix servers backdoored with web shells in ongoing attacks
A new incident database for AI-related incidents
Abusing AWS’s SSM agent as post-exploitation Remote Access Trojan
“PhishForce” - Vulnerability in Salesforce’s email services exploited for phishing Facebook accounts in the wild

ICYMI

🖊️ Something I wrote: A few hundred of you are new to Vulnerable U Newsletter since last week, and I’m guessing it’s from this post. Thanks for joining our community!

🎧️ Something I heard: Jason Chan, former Netflix head of security, encourages everyone “become dramatically more transparent” with your security programs. I obviously wholeheartedly endorse it.

🎤 Something I said: Trying a new short format on the YouTube channel. Top headlines covered by me in under 10 minutes. Let me know what you think.

🔖 Something I read: Dan Guido from Trail of Bits met with the CFTC and explained how he believes AI will impact cybersecurity. He believes AI “has the potential to fundamentally change the balance between cyber offense and defense”

Vulnerable News

Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform

Ever dream of having infinite airline miles and hotel points? Well… some hackers decided that might be possible and found a fun combination of bugs that made it possible. A series of vulns discovered and patched quickly this spring allowed the researchers admin access to Points.com, which runs rewards for most of the big airlines and hotels. This access would allow them to grant themselves miles, look up other users, and even transfer miles out of others’ accounts into theirs. A great write-up of all the tech details too. (Read More)

Microsoft… The Truth Is Even Worse Than You Think

Tenable CEO Amit Yoran joined Senator Ron Wyden in condemning Microsoft’s cybersecurity practices this week. According to Tenable, they found a serious vulnerability in Azure that allows the secrets of their customers, including a bank, to be exposed. Most of the customers are unaware they are even at risk. Microsoft has been slow to respond, and the vulnerability isn’t fixed yet, with an ETA of September 28th for a patch that is …grossly slow.

This comes after Senator Ron Wyden criticized Microsoft for recent Chinese threat actors being successful in stealing the O365 MSA keys that we covered in recent Vuln U episodes. The frustration is not new. However, as Dave Kennedy and Justin Elze point out, they’ve been complaining that cloud vulns don’t get CVEs which limits transparency, stat tracking, and risk discussions. (Read More)

Pentagon hit by ‘critical compromise’ of US air force communications

I was just talking about TETRA having a backdoor causing encrypted radio comms to be at risk. Now we have an insider at the Arnold air force base who has stolen $90k worth of various government radio equipment. The feds raided his house and pulled out tons of admin Motorola software, USB keys with passwords and ssh keys on them, law enforcement radio programming files, etc. Don’t hack without permission, folks. (Read More)

Threat Intel - Midnight Blizzard conducts targeted social engineering over Microsoft Teams

These targeted social engineering campaigns are more aggressive by the day. They’re also incredibly successful. Microsoft Teams is an attack vector of choice lately, and the Russian Government-backed threat actor, Midnight Blizzard, has been tracked using previously hacked O365 tenants to create new domains to mimic tech support. The attacks look really convincing, check out the IOCs and teach your teams what to keep an eye out for here. (Read More)

The Spies Who Loved You: Infected USB Drives to Steal Secrets

WHAT YEAR IS IT?! Infected USB Drives? I haven’t heard about malware spreading via USB in a minute. Mandiant reports a threefold increase in attacks using infected USB drives to steal secrets. It seems there are two major malware campaigns spreading this way, convincing folks to click a malicious EXE on the drives to install the malware. It also self-spreads to any other peripherals plugged into an infected machine. (Read More)

Ivanti discloses new critical auth bypass bug in MobileIron Core

MobileIron Core seems to have a soft spot. I was unfamiliar with this software, but it is a popular mobile device management (MDM) solution that allows orgs to manage employee devices. The vulnerability is one of a few in the MobileIron Core software this year and allows unauthenticated attackers to access the API and steal users’ PII and make changes to the server. The vendor won’t be patching since it is in an old version of the software that is end-of-life. Shodan shows 2,200+ MobileIron user portals publicly on the Internet. (Read More)

Over 640 Citrix servers backdoored with web shells in ongoing attacks

This one is a doozy. Reports are coming out that hundreds of Citrix servers have web shells on them from a CVE that just a few weeks ago was used a zero-day against a U.S. critical infrastructure organization. A few research orgs are monitoring the exploit traffic and a nonprofit, Shadowserver, has stated, “if you did not patch by July 20th, assume compromise.” The vuln impacts Netscaler appliances configured as gateways. (Read More)

A new incident database for AI-related incidents

“The AI Incident Database is dedicated to indexing the collective history of harms or near harms realized in the real world by the deployment of artificial intelligence systems. Like similar databases in aviation and computer security, the AI Incident Database aims to learn from experience so we can prevent or mitigate bad outcomes.”

This was much needed, and I’m glad it exists. It will help improve tracking and transparency as AI incidents become more common, with its usage skyrocketing. (Read More)

Abusing AWS’s SSM agent as post-exploitation Remote Access Trojan

Anything can be a C2 if you try hard enough. This one is fun because AWS Systems Manager (SSM) is an already existing agent on Windows and Linux boxes that runs as root. Attackers using SSM to run their commands would likely evade detection in many cases since it is a trusted and signed binary. This also means the attacker wouldn’t need to upload a new bit of malware to the servers, which would likely trip a detection. Fun research! I wonder if this technique has been used and undetected before. (Read More)

“PhishForce” - Vulnerability in Salesforce’s email services exploited for phishing Facebook accounts in the wild

Do I talk about phishing campaigns enough? This one is nasty because it actually uses a vulnerability in Salesforce email services and SMTP servers. The vuln allows attackers to send emails that look like they’re from Salesforce.com, and Google even marks them as “Important” in Gmail, adding to the phishing campaigns’ legitimacy. (Read More)

Miscellaneous mattjay

Ten years ago this week was my second BlackHat Talk. This attack would still 100% work:

Sherrod is being a bit loud for my taste on this one. Feeling called out.

I think being good at infosec just comes down to your level of clinical anxiety and if you're managing it through being freaked out at work vs. personal life.
— Sherrod DeGrippo 📬 (@sherrod_im)
Jul 28, 2023

This is how your emails find me
— 1984’s George Whorewell (@EwdatsGROSS)
Aug 2, 2023

Upcoming Appearances

Developers and Security are Friends Day - Tromzo

Join practitioners from Netflix, Cloudflare, Reddit, and more for a full day of free training on Tuesday, September 5. Register now!

tromzo.com/developers-and-security-are-friends-day

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Extra Credit

Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay