Howdy friends!
I've had a rough week. Got some really bad news Monday after a ton of emotionally taxing work on something, then Tuesday had to bring my wife to the ER because her appendix was sick of being attached. This happened on the few days this year we're in between two insurance policies. And woke up Thursday morning to my car's window smashed in.
Needless to say, I'm tired and feeling pretty beat up. One of the hard parts of running your own business is there is nobody to handle stuff on weeks like this. So I'm a bit behind on some commitments but we press onward!
One good bit: It's taken me ages to get set up but the new studio is pretty much to where I want it. So the next YouTube videos you see out of me will be on all new equipment and I'm planning to start live streaming on a regular cadence. Thinking Tuesday and Thursday mornings for a few hours and I'll record some segments as standalone YouTube vids live while streaming. Should really up my output and quality.
A bunch of you responded to my VulnU community poll last week saying you'd be really interested in sharing some channels talking with each other about not just the security news but what you should do about it. Loud and clear and that is an exciting thing for me to work on.
|
ICYMI |
Something I wrote: This thread became full of useful "set up your new Mac" tips
Something I heard: The Inevitable Comeback Of Piracy
Something I said: The MongoDB Christmas Nightmare
Something I read: This researcher at Wiz hacked AWS's GitHub repos. Like the prod ones…
|
Vulnerable News |
|
Moxie Marlinspike just launched his new project called Confer - basically Signal but for AI chats. His pitch is pretty compelling: when you're working through problems with ChatGPT or Claude, you're not just sharing information, you're revealing how you think. The medium actually influences your behavior with the app. You feel like you're talking to a trusted friend, so you act like it. |
Current AI assistants make this feel like a private conversation but it's really more like a group chat with OpenAI employees, future advertisers, hackers, and whoever else gets access to that data lake. Moxie has been blogging heavily about the technical back end that makes this actually private. All worth a read. |
This feels like a smart direction given how many people are leaning on AI for everything from coding help to therapy-adjacent conversations. Moxie's argument about the "medium inviting confession" hits different when you think about how conversational interfaces trick our brains into oversharing compared to the transactional feel of search. He also warns that ads are coming to these chat apps soon. Imagine ads that know not just what you bought, but how you think and what makes you hesitate. Confer's still early but worth watching, especially if you find yourself dumping sensitive thoughts into Gemini (run by the literal advertiser themselves). (read more)
|
|
Root surveyed 160 security leaders. 82% believe their shift-left approach is working, while only 4% have actually eliminated CVE debt. |
Most teams still fix issues manually, which means more time, more burnout, and delayed releases. Attackers do not wait and often exploit bugs as soon as they are disclosed. This benchmark report breaks down why detection scaled faster than remediation and how the small group using autonomous remediation is finally closing the gap. |
Read the full 2026 Shift Out Benchmark Report |
*Sponsored |
|
China is publicly shunning Western cybersecurity vendors, telling domestic companies to stop using software from over a dozen US and Israeli firms including Palo Alto Networks, CrowdStrike, VMware, and Check Point. Beijing is citing national security concerns about potential data collection and transmission abroad, which honestly makes sense from their perspective given how deeply these tools integrate into corporate networks.
This move fits into China's broader push to replace Western tech with homegrown alternatives, and it's happening just as Trump prepares to visit Beijing in April. Some of the banned companies like CrowdStrike say they don't even do business in China anyway, but others like Fortinet and Palo Alto have significant operations there with multiple offices. I don't know. What do you think about this one? The U.S. already doesn't let a lot of Chinese tech in: just look at Huawei. I've also heard stories of 3 letter agencies pressuring domestic companies to comply with various initiatives. (read more)
|
The Trump administration is apparently floating the idea of letting private companies get into the offensive cyber game, which is currently a no-no under existing law. The proposal would expand how private sector firms can participate in cyberwarfare beyond just building tools, to actually hiring firms to execute attacks. This would need Congressional approval since right now private companies are banned from conducting offensive cyber ops, though some lawmakers have been pushing "hack back" legislation and even dusting off Civil War-era Letters of Marque for cyber.
The cybersecurity folks are split on this. Some experts warn it could create "chaos in the environment" if companies start hacking back without proper oversight - imagine private firms accidentally triggering international incidents because foreign governments can't tell if it's official U.S. policy or just some contractor going rogue. Others argue the U.S. needs to scale up fast to match adversaries like China's Salt Typhoon, and the private sector has the talent pool the government lacks. (read more) |
|
|
Iran just hit a grim milestone - they've kept 92 million people offline for over 170 hours straight, making this one of the longest internet shutdowns in the country's history. The blackout started January 8th during massive anti-government protests and is now the third longest shutdown globally, only beaten by Sudan's 35-day outage in 2021 and Mauritania's 22-day stretch in 2024. Authoritarian playbook stuff - cut communications when people get uppity about ...their rights. |
The shutdown was so comprehensive it even knocked government ministries offline initially, though they've since restored access for some banks and gas stations because, you know, the economy still needs to function. Some clever Iranians are using smuggled Starlink terminals to get back online, but authorities are cracking down hard with jamming and making the devices illegal. Meanwhile, Trump's talking about military intervention while the UK just noped out and closed their Tehran embassy. Nothing says "stable situation" like evacuating diplomats and redirecting naval strike groups. (read more) |
|
Black Lotus Labs just dropped a solid writeup on their takedown of the Kimwolf botnet - a monster one that grew from the remains of Aisuru to hit 800,000 infected devices. They tracked it evolving in real-time, watching it pivot from one infrastructure setup to another as the operators tried to stay ahead of disruption efforts. The botnet was sucking up residential proxy devices from services like PYPROXY to fuel its growth, hitting record-breaking DDoS volumes of over 11 trillion bits per second. |
Lumen's disruption efforts worked so well that the botnet operators got personally salty about it. They actually embedded profanity directed at Lumen in their DDoS attack payloads, which is both petty and objectively hilarious. Over 550 C2 servers null-routed in four months. Nice work. (read more) |
|
A security researcher spent months trying to get Bluspark Global's attention about some pretty gnarly vulnerabilities in their shipping platform. Plaintext passwords, unauthenticated APIs that spilled customer data going back to 2007, and the ability to create admin accounts without any verification. The researcher tried emails, voicemails, LinkedIn messages - but Bluspark ghosted him completely. It wasn't until TechCrunch stepped in and literally included part of the CEO's password in an email that the company finally responded (through lawyers, naturally). |
This hits different because Bluspark isn't some random startup - they're powering freight shipments for major retailers and grocery stores worldwide. Researchers have been warning about hackers increasingly targeting logistics companies to redirect cargo shipments to criminals. The good news is everything's patched now, and Bluspark claims no evidence of exploitation. But the fact that it took including someone's actual password in an email to get a response? That's not exactly inspiring confidence in their security posture. (read more) |
|
|
A DHS whistleblower just dumped personal info on around 4,500 ICE and Border Patrol agents to a watchdog site called ICE List, reportedly triggered by the fatal shooting of Renee Good in Minneapolis. The leak includes details on about 2,000 agents and 150 supervisors, with early analysis suggesting 80% are still employed. The site's run by Dominick Skinner from the Netherlands (keeping it offshore), and this breach more than tripled their database from around 2,000 to 6,500 people. |
DHS is predictably not happy about this, with officials calling it "disgusting doxxing" that puts officers and families at risk. They're claiming massive spikes in threats and assaults against agents. ICE List says they'll verify and publish most of the names while making exceptions for certain roles like childcare workers and nurses. (read more) |
|
|
Microsoft just took out RedVDS, a criminal virtual desktop service that was basically Amazon Web Services for scammers. For the low low price of $24 a month, criminals could rent disposable virtual machines loaded with unlicensed Windows to run their scams from. This operation was pulling in around $40 million in fraud losses in the US alone, offering dirt-cheap Windows RDP servers to cybercriminals worldwide. The downfall of their setup was using a single cloned Windows Server 2022 image for every customer - all servers had the same hostname "WIN-BUNS25TD77J" which made detection a lot easier once researchers caught on. |
It's absolutely wild to me to see how turn key these criminal providers have become. It's enterprise SaaS levels of features but for crime. Customers paid in crypto, got full admin access, and the servers came loaded with everything a scammer could want - mass mailers, email harvesters, VPN clients, and even AI tools like ChatGPT to help write convincing phishing emails. Microsoft tracked multiple threat actor groups using this infrastructure for BEC operations, managing over 3,700 homoglyph domains to impersonate legitimate businesses. |
Actual victims stepped forward as co-plaintiffs. H2-Pharma in Alabama got hit for $7.3 million that was supposed to go toward cancer treatments and kids' allergy medications, while a Florida condo association lost nearly $500K in resident funds. Microsoft worked with German authorities and Europol to seize the domains and infrastructure, marking their 35th takedown operation. (read more)
|
Gootloader's back baby. After a hiatus, the malware crew is working with Vanilla Tempest (the folks behind Rhysida ransomware) and they've kept their signature trick of using intentionally broken ZIP files. These archives are deliberately malformed - they concatenate 500-1000 identical ZIP files together and mess with the file structure so that tools like 7zip and WinRAR choke on them, but Windows' built-in unarchiver handles them just fine. Every download is unique thanks to randomized values, making hash-based detection useless. |
|
The good news is all these tricks actually give defenders some solid detection opportunities. You can spot the malformed ZIP structure with YARA rules, watch for WScript executing JS files from temp folders, and flag the weird process chains where CScript spawns PowerShell. The researchers recommend changing your Group Policy to make Notepad the default handler for JS files instead of Windows Script Host - simple fix that breaks a lot of these delivery mechanisms. (read more) |
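One way to turn the "malformed ZIP" trait into a triage check. This is an added example, not code from the article or from the researchers it cites; it builds a constructed benign archive in memory, glues copies together the way the write-up describes, and then scans the raw bytes for structural anomalies a YARA rule or a mail-gateway script could key on.

```python
"""Structural check for concatenated ZIP lures (added example, constructed input)."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
LOCAL_SIG = b"PK\x03\x04"  # local file header signature
EOCD_FIXED_LEN = 22        # size of the EOCD record without its comment


def build_sample_zip(payload: bytes = b"hello", name: str = "note.txt") -> bytes:
    """Constructed benign archive used only as test input (not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def concatenate(blob: bytes, copies: int) -> bytes:
    """Reproduce the lure's shape: the same archive repeated N times."""
    return blob * copies


def analyze_zip(data: bytes) -> dict:
    """Return indicators of a concatenated / malformed archive.

    A well-formed ZIP has exactly one EOCD record and it sits at the very end
    (offset + 22 + comment length == file size). Repeated EOCD/local-header
    signatures and bytes trailing the first EOCD are the hallmarks of the
    concatenation trick. Signature scanning is a heuristic: compressed data
    can, rarely, contain these byte sequences by chance.
    """
    eocd_offsets = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        eocd_offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    trailing = 0
    if eocd_offsets and eocd_offsets[0] + EOCD_FIXED_LEN <= len(data):
        first = eocd_offsets[0]
        comment_len = struct.unpack_from("<H", data, first + 20)[0]
        trailing = len(data) - (first + EOCD_FIXED_LEN + comment_len)
    return {
        "eocd_count": len(eocd_offsets),
        "local_headers": data.count(LOCAL_SIG),
        "trailing_bytes_after_first_eocd": trailing,
        "suspicious": len(eocd_offsets) != 1 or trailing != 0,
    }
```

Running `analyze_zip(concatenate(build_sample_zip(), 500))` flags the sample as suspicious with 500 EOCD records, while the single clean archive passes.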
|
Miscellaneous mattjay |
|
|
|
|
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
|
|
Parting Thoughts: |
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you. |
Stay safe, Matt Johansen @mattjay |