Matt Johansen Profile picture
Helping Secure the Internet | Long Island elder emo surviving in ATX | Expect: infosec current events, DFIR, appsec & cloudsec - and me!
3 subscribers
Oct 10 7 tweets 3 min read
New series of Palo Alto Networks vulnerabilities, chained together for a bad time.

“We find that a simple request to that exact endpoint over the web service resets the admin password.”

Well, I don’t like the sound of that… 🧵 Image First up -

CVE-2024-9464 is an OS command injection vulnerability in Palo Alto Networks Expedition

This allows an authenticated attacker to run arbitrary OS commands as rootImage
Oct 5 4 tweets 2 min read
So U.S. uses backdoors in it's own Internet providers to spy on it's citizens.

China says "don't mind if we do" and backdoors the backdoors.

They sat for months undetected on the U.S. wiretap system for Verizon, AT&T, and more... Who watchers the watchers? Turns out China does.

My summary:

vulnu.com/p/government-w…
Sep 26 12 tweets 4 min read
Woah. Millions of cars can be hacked just by knowing the license plate number.

This is done through a simple web app bug too, no complicated car hacking involved.

I also don't think it's fixed yet... 🧵 Image The bug seems to impact all Kias right now and the researchers didn't disclose a PoC since it isn't fixed but it's been 90 days since disclosure so they're talking about it. Image
Sep 3 11 tweets 3 min read
This is an absolutely wild one by @iangcarroll and @samwcyo

The most basic SQL injection ever in the Known Crewmember (KCM) and Cockpit Access Security System (CASS) used by airlines and TSA.

Literally ' OR 1=1 got them admin access. Here's what we know: @iangcarroll @samwcyo The vulnerability was found in FlyCASS, a web-based interface used by smaller airlines to manage KCM and CASS.

A simple SQL injection in the login page allowed unauthorized access to the admin panel for Air Transport International. Image
Aug 30 10 tweets 3 min read
⚠️ Breaking: North Korea just burned an 0-Day in Chromium.

They used it to install a Windows rootkit and the campaign targeted cryptocurrency platforms and users.

Here's what we know: Microsoft reports that a North Korean hacking group, Citrine Sleet, exploited a previously unknown Chromium bug to target crypto organizations just a few days ago. Image
Aug 29 10 tweets 3 min read
Google uncovered evidence that Russian government hackers (APT29) are using exploits "identical or strikingly similar" to those developed by spyware companies Intellexa and NSO Group.

And we don't know how they got their hands on it...

Here's what we know: 🧵 APT29 should sound familiar. Re: Microsoft and Solarwinds hacks.

They're patient and persistent. Pair that with incredibly skilled and well funded and this is a deadly combo. Image
Aug 13 7 tweets 3 min read
Whelp. Another North Korean laptop farm just got taken down in the US.

This time at a guy's house in Nashville. The NK team made over $250k for their remote work between 2022 and 2023.

Hey if someone shows up and asks you to host a pile of laptops at your house, just say no? 38 year old Matthew Isaac Knoot offered his address up to the NK teams.

He'd get laptops to his HOME for an employee named "Andrew M." who got remotely hired for a number of US jobs.

His house would act as the local IP and addy for these overseas spies to tunnel through. Image
May 28 12 tweets 4 min read
The DoJ just busted a massive scam involving North Korean IT workers infiltrating major US companies.

They had some help in the US and were posing as remote freelancers to siphon off money and sensitive info.

Holy crap, here's what we know: How they operated:

North Korean operatives are stationed in countries like China, Russia, and parts of Eastern Europe and Southeast Asia.

They then use fake documents and buy accounts to get remote jobs in the States. Image
May 16 8 tweets 3 min read
Kevin Briggs, a senior advisor at CISA, has publicly revealed ongoing vulnerabilities in U.S. telecom networks.

TL;DR - He has evidence vulns in teleco's are being used to track and spy on U.S. citizens.

Buckle up, here's what we know: Oversimplified: The attacks involve 2 teleco techs

SS7 - crucial for routing messages when roaming
Diameter - SS7's more efficient successor

They are both being exploited to track phones, intercept calls, and access texts. Image
Apr 22 10 tweets 3 min read
🚨 GitHub and GitLab comments are being abused to push malware via Microsoft repo URLs.

Let's dive in: GitHub comments can host files uploaded during issue discussions or commit annotations.

Once uploaded, these files are accessible via GitHub's CDN, regardless of the comment's visibility or existence. Image
Mar 26 12 tweets 4 min read
I'm hearing reports of a sophisticated 'MFA Bombing' attack that targets Apple users, exploiting a flaw in Apple's password reset feature.

Let's dive in: What Happened?

Several Apple users, including entrepreneur @parth220_, have reported a deluge of system-level password reset prompts on their devices

An aggressive phishing technique known as 'MFA fatigue' Image
Mar 15 10 tweets 3 min read
Are you kidding me?

Who had "actually suffering ransomware attacks is good for business" on your bingo card?

That's what is going on at United Healthcare: So we all know about this crippling ransomware attack that has most of the country's medical payments at a standstill.

TL;DR—Change Healthcare is down. They process tons of payments, and it has been weeks. ALPHV claimed responsibility. Image
Feb 28 11 tweets 4 min read
Holy crap. People are getting an ultimatum at their pharmacies this week - pay full price out of pocket or go without their meds.

All due to a ransomware attack.

Let's dig in: UnitedHealth's Change Healthcare hit by 'Blackcat' ransomware

This is causing a 6-day outage affecting prescription deliveries across the U.S. Image
Feb 13 13 tweets 4 min read
Turns out the parent company of Temu has a history of publishing malware into their Android apps

Let's dig in: It wasn't sitting right with me that a bunch of folks in my comments had mixed feelings about Temu being a shady app.

Many saying no worse than other apps collecting data.

Some even calling it China fearmongering Image
Feb 1 12 tweets 3 min read
The Okta hack that keeps on giving!

Cloudflare announced a new data breach today in it's continued battle against creds stolen during a previous Okta hack

Let's dig in: Thanks to Cloudflare's reporting, we have a pretty good idea of what all went down:

4 access tokens from the Okta hack in Oct '23 were still valid by Nov 14th when the hackers accessed Cloudflare's self hosted Atlassian servers Image
Dec 16, 2023 7 tweets 2 min read
A vulnerability in the way Google implements OAuth was disclosed publicly today and is still not fixed.

It can let employees retain indefinite access to applications like Slack and Zoom after they're offboarded.

Let's dig in: Here’s a timeline of events:

August 4th- Disclosure to Google

August 7th- The issue was triaged

October 5th- Google paid $1337

November 25th- Bulk private disclosure to dozens of impacted applications

December 16th- Public disclosure 134 days after notifying Google
Dec 13, 2023 11 tweets 3 min read
One of the biggest hacks of the year has mainly gone untalked about.

A Chinese hacker group compromised a $57 billion chip manufacturer in 2017.

They weren't discovered for over 2 years. Here's everything we know: The chip company in question is NXP and they're the 2nd largest semiconductor company in the EU.

Their chips are in all sorts of devices you use including iPhones and Apple Watches, specifically NFC chips that support Apple Pay. Image
Dec 4, 2023 11 tweets 3 min read
The head of security at Canva shared this on LinkedIn.

I don't see him on Twitter to tag for credit, but I needed to share as it's pure gold. Image Way to go! Image
Nov 16, 2023 10 tweets 3 min read
What in the hell?!
A group of cybercriminals has filed an SEC complaint against a company for not disclosing a data breach.

Here's what we know and what this might mean for the future of ransomware: Alphv/BlackCat claims they breached MeridianLink's systems, stealing customer and operational data.

They're now leveraging an SEC complaint to pressure the company into acknowledging the breach. Image
Nov 9, 2023 11 tweets 3 min read
A plastic surgeon's office got hacked.

Patients info and nude photos before/after surgery was stolen.

A bunch of the women are suing - buckle up lets look at whats going on: Imagine seeking to improve your life through surgery, only to have your privacy stripped away.

This is the reality for about a dozen women suing the Las Veags clinic for failing to protect their data. Image
Oct 30, 2023 5 tweets 2 min read
Holy crap -

SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures

sec.gov/news/press-rel… 👀 Image