Lightnews — Scholar-powered news

Matt Johansen @mattjay.com · 9d

Dig this kind of news?

Join over 30k pros who get my weekly newsletter for free:

Infosec's favorite weekly newsletter for news, tools, and tips with 30,000+ CISOs, founders, change-makers, and straight up hackers.

vulnu.com

4

Matt Johansen @mattjay.com · 9d

No vulnerabilities used. No lateral network movement.

It's all just OAuth tokens all the way down.

Read the whole story here:

'You'll never need to work again': Criminals offer reporter money to hack BBC

Reporter Joe Tidy was offered money if he would help cyber criminals access BBC systems.

www.bbc.com

1 2 13

Matt Johansen @mattjay.com · 9d

Funnily enough, I was looking for Medusa stuff while writing this thread, and CISA's advisory on how to protect yourself from them is the top search result.

While this is all good advice, it wouldn't have done much to stop this type of attack.

Hacks are just logins in 2025.

1 1 4

Matt Johansen @mattjay.com · 9d

Worth noting actors maintained professional demeanor throughout most interactions. Only escalated to aggressive tactics (MFA bombing) after patience wore thin.

Even apologized and said that was just them testing the login page.

1 3

Matt Johansen @mattjay.com · 9d

Group referenced previous "successful" insider compromises at UK healthcare and US emergency services orgs.

Claims align with known Medusa TTPs focusing on high-value targets.

1 4

Matt Johansen @mattjay.com · 9d

When reporter delayed, group pivoted to aggressive MFA bombing - continuously triggering 2FA notifications hoping for accidental approval. Same technique used in 2022 Uber compromise.

1 1 7

Matt Johansen @mattjay.com · 9d

They requested specific network reconnaissance via command line queries, demonstrated knowledge of BBC's IT infrastructure, and offered "trust payment" of 0.5 BTC as deposit.

1 5

Matt Johansen @mattjay.com · 9d

Threat actor claimed to be a "reach out manager" for Medusa - a Ransomware-as-a-Service operation believed to operate from Russia/CIS region.

Group has hit 300+ victims in past 4 years per US cyber authorities.

(img: TheHackerNews)

1 5

Matt Johansen @mattjay.com · 9d

Initial contact came to @JoeTidy via Signal from "Syndicate" offering 15% of potential ransom payment for access to BBC systems.

Offer later increased to 25% of what they claimed would be "1% of BBC's total revenue."

2 1 7

Matt Johansen @mattjay.com · 9d

This BBC reporter was offered 25% of a ransom payout if he gave hackers access to the corporate network.

He played along so we got a look inside their tactic here:

2 23 59

Matt Johansen @mattjay.com · Aug 12

I think the separation of dev and prod is one of the most important things we need to solve in AI coding land.

Keys. Secrets. Deployment. All that jazz.

None of the tools help, if anything they make it super easy to do wrong.

7

Matt Johansen @mattjay.com · Aug 5

Panel on bootstrapping vs. VC money.

@haroonmeer.canary.love : “With bootstrapping you need to be careful to not be timid when it’s time to be bold”

Just great life advice in general. Will remember this quote forever.

Oh and @hdm.io and @andrewmorr.is are cool too.

3

Matt Johansen @mattjay.com · Jul 31

This is a fun vuln

youtu.be/jsygONOr_f4

1 8

Matt Johansen @mattjay.com · Jul 25

If you like following news like this checkout my weekly newsletter:

Join over 30k pros: vulnu.com/subscribe

Vulnerable U

Infosec's favorite weekly newsletter for news, tools, and tips with 28,000+ CISOs, founders, change-makers, and straight up hackers.

vulnu.com

2

Matt Johansen @mattjay.com · Jul 25

Not just 4chan trolls. 404media decompiled the app and found the URLs in question in code. Not public anymore, but verified they are there.

Original article: www.404media.co/wome...

2 8

Matt Johansen @mattjay.com · Jul 25

"No authentication, no nothing. It's a public bucket"

This is why security and privacy pros hate these ID verification laws that require drivers license uploads - these apps just can't keep this stuff secure.

1 1 7

Matt Johansen @mattjay.com · Jul 25

They found the database exposed on Google's Firebase.

The app is meant to be basically the "are we dating the same man?" Facebook group in a dating app.

In order to verify that the users are women, they ask for photos and driver's licenses.

1 4

Matt Johansen @mattjay.com · Jul 25

That viral women's only dating app 'Tea' was hacked by some 4chan users.

They didn't phish, social engineer, or use some crazy hacker technique either - the database was just public

3 3 10

Matt Johansen @mattjay.com · Jul 25

Hey so… don’t do this.

2 14

Matt Johansen @mattjay.com · Jul 16

Someone can buy this extension that is tied to tons of peole's salesforce account and just ...get access to all that info. (h/t @johntuckner.me)

2 8

Matt Johansen @mattjay.com · Jul 15

If I was a bad guy who was looking for memory vulns, I'd be ALL OVER these new hotness web browsers. (Comet, Arc, etc.)

Market share is small but much more valuable targets. - Teams behind them way smaller than ...Google

2 3 11

Matt Johansen @mattjay.com · Jul 11

Wild trend this week of legitimate apps and extensions turning into malware.

youtu.be/o9XBXeX0_5E

2 4

Matt Johansen @mattjay.com · Jul 10

I just can't believe how successful ClickFix campaigns are right now.

And now FileFix on top of it...

1 7

Matt Johansen @mattjay.com · Jul 6

Volume of vulns != In The Wild exploits.

Super interesting post and data - aibaranov.github.io/windrivers/

Lift me up to Ring 0: what are the most vulnerable Windows drivers

Examining the statistics on the most frequently patched Windows drivers between January 2022 and May 2025

aibaranov.github.io

2

Matt Johansen @mattjay.com · Jul 6

Which Windows drivers keep Microsoft’s security engineers busiest - and which ones do attackers actually exploit?

Artem Baranov did the dang math.

He scraped every CVE bulletin from Jan 2022 through May 2025 and built a clean data set of kernel-mode driver patches.

1 1 11