Read Time: 8 minutes

Howdy friends!

Writing this from 38,000 feet. Episode 25 is the first edition written from the air! I’m still not home from Vegas last Monday, and my flight home was canceled today, leaving me scrambling and sad not to get home to read bedtime stories to my daughter. I hope if you were in Vegas with me, you avoided the plague, I’m feeling like crap but testing negative, so just normal “12 days on the road and around too many people” crud.

It was great seeing everyone, even though I’m grumpy and wish I got home sooner. I lost count of how many folks tracked me down for stickers/shirts, and many more told me they loved the newsletter/podcast. That kind of feedback really puts wind in my sails, so THANK YOU!

Sneak Peak at the Blog of the Week:

In this episode:

• 7 Ways to Rest & Recover After Socially Exhausting Events

• DISCORD.IO has suffered a data breach

• GitHub’s Hardcore Plan to Roll Out Mandatory Two-Factor

• Kubernetes misconfiguration unknowingly exposed data of Fortune 500 firm, hundreds more

• NSA chief: Chinese cyber spies continue to improve — but haven't surpassed US

• PSNI and UK voter breaches show data security should be taken more seriously

• BSidesLV conference talks are now available to stream

• Special counsel obtained Trump DMs despite ‘momentous’ bid by Twitter to delay, unsealed filings show

• This $70 device can spoof an Apple device and trick you into sharing your password

• Major Energy Company Targeted in Large QR Code Campaign

• FBI Warns: Cyber Criminals Targeting Victims through Mobile Beta-Testing Applications

• LinkedIn Accounts Under Attack

• New SystemBC Malware Variant Targets Southern African Power Company

• VMConnect: Malicious PyPI packages imitate popular open source modules

ICYMI

🖊️ Something I wrote: I laid the groundwork for some further writing on this topic last week, but I think many missed due to Vegas. Threat Modeling Depression - I’ll follow this up with more soon.

🎧️ Something I heard: My good friend, and old LiquidMatrix podcast cohost, Dave Lewis, was on the Decipher Security Podcast.

🎤 Something I said: Recorded a podcast episode from a hotel suite in Vegas. Covered a talk on hacking casino card shufflers and other news. I was also on a panel about cloud security with BishopFox during Defcon.

🔖 Something I read: I have been reading about the fires in Maui and want to encourage anyone who can look into the best way to help. Having been devastated by a wildfire personally, my heart is aching with the people of Maui.

Vulnerable News

DISCORD.IO has suffered a data breach

This breach made me do a very fast double-take. I ran to Twitter to start writing a thread about how Discord was hacked and taken offline to recover. It turns out that was a major overreaction that MANY folks had, but it wasn’t Discord that was breached. It was a much smaller org Discord.io, a service that is built to help people share discord servers. The company is shut down “for the foreseeable future,” which is nuts for a data breach. I’m guessing they’re small enough not to have a recovery path, and the attackers did. Kudos to the group for doing the right thing even though it is greatly disrupting their service. (Here is an archive link to the breach notification if/when they remove it from their homepage) (read more)

GitHub’s Hardcore Plan to Roll Out Mandatory Two-Factor

This makes me want to do a hardcore dance. Or make that face you make when the heavy breakdown hits. You know the one:

This is just unbelievably awesome and the widest mandatory adoption of 2fa, I remember. 100 million GitHub users will now be required to enable 2fa of some sort when the company flips this switch. Absolute bravo to take on this undertaking. If you’ve never been on the blue team side of this, this comes at the large operational cost of folks losing devices, getting locked out of accounts, and just generally increased customer support workload. Thanks to Microsoft and GitHub for leading the charge here. I hope others do the same. (read more)

Kubernetes misconfiguration unknowingly exposed data of Fortune 500 firm, hundreds more

I’ve regularly asked for examples where Kubernetes was the main culprit in a data breach. It is rare, and yet there are many security vendors raking in millions on doing k8s security, and I’ve even spent a good portion of my career focused on this. You can’t have an infrastructure tool as widespread as k8s and not expect security issues, but I found that threat actors don’t like complexity and still target the lowest-hanging fruit, humans and CVEs with published exploits. That all being said, it’s exciting when I see a headline about Kube being the reason for a breach, and here we have some research from Aqua, who found a ton of vulnerable and exposed Kube clusters on the internet, 60% of which were already compromised with malware. (read more)

NSA chief: Chinese cyber spies continue to improve — but haven't surpassed US

Nothing like a little “my APT is better than yours” with your morning coffee. It turns out that with all the recent successful breaches attributed to Chinese threat actors, some US lawmakers felt the need to ask Army Gen. Paul Nakasone, the outgoing director of the NSA, if we were being surpassed in capability level. He, of course, said no but admitted they are getting better. I remember when I was getting into infosec, longer ago than I’m comfortable admitting to myself, there was another acronym that was used alongside APT, which was the CTH or Chinese Teenage Hacker. It makes sense that those teenagers would be in their 30s now and have leveled up.

It also brings up a question I covered in the newsletter a few months ago, Why is it so rare to hear about Western cyber-attacks? (read more)

PSNI and UK voter breaches show data security should be taken more seriously

Why does it always take data breaches, ever increasing in severity, to make folks question if they should take security more seriously? Well, that’s just what happened in the UK and Northern Ireland after a few incidents.

“On Tuesday, the PSNI, in a bungled response to a freedom of information (FOI) request, released an Excel spreadsheet containing details of more than 10,000 officers and employees. It was published on an FoI website called WhatDoTheyKnow for about two and a half hours before the PSNI realized the error and had it removed.

On the same day, the Electoral Commission revealed it had been hit by a cyber-attack resulting in the perpetrators accessing the names and addresses of anyone in the UK registered to vote between 2014 and 2022, equating to the data of 40 million people.” (read more)

BSidesLV conference talks are now available to stream

Were you there? What were some of your favorites? I enjoyed my buddy Lief’s talk (timestamp of stream / slides) - it was all about how your company should engage the security community to increase brand value. Couldn’t agree more! I’m actually helping some folks do this. Reach out to me if you’re interested. (read more)

This $70 device can spoof an Apple device and trick you into sharing your password

I was one of the folks who kept getting this Apple TV popup on my phone while walking around DEFCON. I’m generally used to these kinds of shenanigans, so it didn’t shock me much, and I just turned off all WiFi and Bluetooth to make it stop. Turns out it was a researcher just having some fun and didn’t have his device set up to steal any info even if you clicked “accept” on the Apple TV join request. But theoretically, the attack could be used to steal info about users or even as part of a unique social engineering attack to trick users they’re talking to a “trusted” device. (read more)

Major Energy Company Targeted in Large QR Code Campaign

One of the things coming out of Covid that I’ve realized is the increased prominence and comfort with scanning random QR codes. Just last week in DEFCON, some folks stuck QR stickers over QR code menu placards at casino restaurant tables. They are also used in very official-looking phishing emails, as seen in this report detailing a major uptick and successful phishing campaigns utilizing QR codes with a Bing redirect URL in them.

A nasty little trick to keep an eye out for. (read more)

FBI Warns: Cyber Criminals Targeting Victims through Mobile Beta-Testing Applications

This advisory leads me to believe there is a fairly successful attack campaign convincing folks to install fraudulent mobile apps disguised as Beta testers. If you’ve ever used a Beta Test app, you’ll know that, generally, the install path is much different than the official app store. This also means the app hasn’t been scrutinized by any public app store guidelines.

This advisory is severely lacking in some key data, IMO. It mentions nothing about which mobile OS and install method is used. I’d be surprised if iOS and Testflight could be used in this way, but if so, that would be very interesting to me. I wish that level of detail was provided. Either way, be highly alert if you’re the “install random things on my phone to kick the tires” type. (read more)

LinkedIn Accounts Under Attack

We’ve covered LinkedIn being the center of some other security issues recently, where folks were offered fake jobs to trick them into opening malicious files and then stealing millions in crypto assets. This is a bit more direct of a report indicating a major uptick in the LinkedIn accounts themselves being compromised. This uptick seems to be all branching from one or a small handful of campaigns, as their techniques are similar. 2fa seems to be successfully stopping the attackers, though it seems some leaked breach data is being used as folks are reporting a flood of 2fa requests which means their password is hacked. For folks without 2fa, hackers get in and immediately change the recovery email address to an anonymous Russian service provider address which limits the victim’s ability to recover their account. Long story short: use MFA. (read more)

New SystemBC Malware Variant Targets Southern African Power Company

Ok, buckle up on this one. It is a masterclass on why getting into this field is hard for beginners. Let’s see if you follow: A South African critical infrastructure target has been hit with malware called DroxiDat. DroxiDat is a variant of SystemBC. SystemBC is a malware that leverages SOCKS5 proxies to funnel in attacks, including ransomware payloads. SystemBC also was used as a Tor backdoor for Ryuk and Egregor infections.

“DroxiDat's links to ransomware deployment stem from a healthcare-related incident involving DroxiDat around the same timeframe in which the Nokoyawa ransomware is said to have been delivered alongside Cobalt Strike”

The threat actors behind this remain unnamed, but similar attacks point to a group named FIN12, or as Microsoft calls them, Pistachio Tempest, which is known to deploy SystemBC alongside Cobalt Strike.

Jeez. That is a lot of malware-specific terminology that I can’t imagine laymen following. - TL;DR: Critical infrastructure in Africa is being targeted by ransomware, likely at the hands of Russian Government based threat actors. (read more)

VMConnect: Malicious PyPI packages imitate popular open-source modules

We’ve all heard a lot about supply chain security ad nauseam, especially since the Solarwinds breach. I couldn’t count how many vendors pitched solutions to this problem in my LinkedIn inbox or on conference show floors. That all being said, when there is a legitimate targeted campaign trying to get malware into popular package managers like npm, or PyPi, we should be on the lookout. Blindly including helper packages can get us into some trouble.

“the campaign began on or around July 28, 2023, when the first of the malicious packages were published. It continues to the current day, with new, malicious PyPI packages posted on a daily basis, as prior packages are detected and removed.

In contrast to other, recent supply chain campaigns, such as Operation Brainleeches, the malicious packages that make up this campaign display evidence of a concerted effort to deceive developers. They achieve this by implementing the entire functionality of the modules they are imitating and standing up corresponding and linked GitHub projects that omit the malicious functionality found in the PyPI release package.” (read more)

Miscellaneous mattjay

Saw a smoothie shop in SF that advertised that it was “Powered by AI.” - I did a double and triple take before snapping a photo.

Feeling called out here:

Saw this labeled “DEFCON 2023”

Upcoming Appearances

Extra Credit

Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay