Cybersecurity Shenanigans #016: MFA bypasses, Salesforce hacks, and car chaos
This month's cybersecurity scoop.
👋 Hey friend,
In this month’s Shenanigans, we’ve got a phishing kit that makes MFA look like child’s play, an FBI alert on Salesforce data heists, and a zero-click CarPlay bug that’s still largely unpatched 6 months later.
But first…

The platform we use to build and send our newsletters sent me this a week or two ago. This is kiiiind of a remarkable milestone, and it quite literally wouldn’t have been possible without you letting me creep into your inbox every month. 🤓
Thank you!!!
— JH
News & Commentary
VoidProxy, a phishing service, is outsmarting MFA 🪝
Researchers at Okta have discovered VoidProxy, a phishing-as-a-service platform with its crosshairs set on Microsoft and Google accounts. Using adversary-in-the-middle tactics, this platform can capture session tokens, MFA codes, and credentials, which allows attackers to bypass SMS- and app-based MFA.
(What a time to be alive!!11!!)
VoidProxy has been slinking around the DaRk wEb for about a year now, and as we’ve seen time and time again, a dark web presence = a lower barrier for even unskilled threat actors to launch sophisticated campaigns. In the case of VoidProxy, attackers send lures from compromised accounts using legitimate email providers, which often trips up spam filters. Successful takeovers could make us see spikes in business email compromise (BEC), data theft, and lateral movement inside of organizations.
The good news? It looks like phishing-resistant authentication methods (think passkeys and passwordless methods) can block VoidProxy’s attacks.
If anything, VoidProxy is a good reminder that MFA only goes so far. SMS codes and authenticator apps are still vulnerable when attackers sit in the middle of the exchange. The real shift needs to be toward phishing-resistant options like passkeys and hardware tokens.
FBI warns of Salesforce data theft campaigns 📊
The FBI has issued an alert on two active campaigns that target Salesforce environments for data exfiltration. Cybercrime groups UNC6040 and UNC6395 are using two different (but effective) tactics—one is social engineering and the other is through exploiting third-party integrations—to steal sensitive data and extort victims.
UNC6040 uses vishing calls to trick employees into authorizing malicious Salesforce apps. Once access is granted, attackers gain OAuth token access that bypasses MFA and password resets, which allows hackers to quietly exfiltrate data via API queries.
In contrast, UNC6395 has largely been observed using compromised OAuth tokens from Salesloft’s Drift chatbot integration to infiltrate Salesforce instances. The good news is that Salesloft and Salesforce revoked all Drift tokens recently, so this attack path is no bueno for attackers at this point.
The FBI has given the usual common-sense advice: security awareness training for staff, adhering to the principle of least privilege, regularly monitoring and auditing third-party app integrations, etc.
Ultimately, this is a good reminder to make sure users have the knowledge they need to avoid falling victim to phishing attacks—and to make sure you know which third-party integrations exist and which apps have access to what data. A single malicious phone call or forgotten API token can undo every other technical safeguard your org has in place.
That CarPlay exploit from 6 months ago? It’s still unpatched in most cars. 🫠
We’re coming up on 6 months since Apple released a fix for CVE-2025-24132, which is a scary zero (0)-click CarPlay vulnerability. The vulnerability allows attackers to hijack CarPlay with root access and potentially spy on drivers or otherwise disrupt them while they’re driving. It’s a versatile one, too: Hackers can launch attacks via USB, Wi-Fi, or even Bluetooth. Then, they’re free to impersonate an iPhone and take control via Apple’s iAP2 protocol.
To date, most vendors—and apparently no carmakers—have applied the patch.
* record scratch *
Apparently the auto industry is in dire need of playing catch-up in terms of their update cycles. At the same time, it’s understandable that the update cycle is a bit slow. You can’t just shimmy over to Microsoft’s website and download vehicle patches, after all. 😅
Many vehicles still rely on manual updates that require action from the dealerships they sit at, waiting to be purchased. While some manufacturers do offer over-the-air vehicle updates, for now, that’s the exception, not the rule.
Just a polite wink and nudge to remind car manufacturers that their products are basically computers bolted onto wheels, and patching is important for computers, so if A = B and B = C, then A = C... please patch your vehicles.
Sponsor

Transforming Detection & Response for the Cloud Era
Cloud attacks need cloud-native response
The Cloud gives teams incredible speed and flexibility. Security should match that pace, helping you detect and respond to issues in real time without slowing innovation.
That’s where Cloud Detection & Response (CDR) comes in. Built for the cloud, CDR gives you comprehensive visibility, enabling you to both understand the threats facing your environment and provide better remediation recommendations.
This new guide explains how CDR helps SecOps and IR teams:
Detect cloud-native threats in real time
Effectively prioritize and investigate threats
Respond and contain quickly

Email being clipped?
Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-016.
(And as always, thanks for nothing, Clippy. 💙)
Latest Content
YouTube Videos
We break down a sketchy malvertising campaign that tricks users with a fake Verify You’re Human page, which leads to a Windows Explorer prompt before dropping a custom-packed variant of MetaStealer.
This video recaps a wild NPM supply chain compromise where popular packages like
We walk through CVE-2025-9074: a Docker Desktop vulnerability on Windows and macOS that lets any container escape and access the host system with only a few HTTP requests.
Just Hacking Training 🤓
Sept Announcements
🚀 Exclusive In-Person Training 🚀
Spend the Day with Me & JHT All-Stars
Before catching my closing keynote in the Windy City on November 1, JHT is launching live training as the exclusive provider of BSidesChicago's pro workshops on October 31. This is live onsite only and will not be recorded, so don’t miss your chance to get face-to-face instruction from me and our top experts with a full day (8+ hours) of in-person, hands-on training. Early pricing of $450 (10% off) still in effect. Seats will go fast, so ACT NOW!
💻 John Hammond - Script-Based Malware Analysis
Most security professionals are comfortable with scripting methods to analyze incidents. Extending this more familiar process, John focuses on malicious software that can more easily be turned into human-readable code, rather than needing to try and make sense of a debugger or disassembler like IDA, GHIDRA, or others. Students will have an array of lessons as a guide through this much more approachable first step into the world of malware analysis.
💻 Mishaal Khan - Level Up OSINT
It’s no hyperbole to say that Mishaal consistently produces “mind blown” syndrome during his popular online courses and talks, but there’s no substitute for having direct 1-on-1 access for an entire day! Learn actionable techniques to use on the job immediately in his intermediate-level course. See why even John Hammond was left speechless in a recent livestream. Now it’s your turn to interact with him in a live setting that only happens a few times a year… and not at this price!
💻 Ellie Daw - Vibe Coding for Responsible Adults
There’s nothing wrong with using AI for individual efficiency, but we’ve all seen the horror stories of teams vibe coding their way to production. Learn what vibe coding is, how to select the right tools, and what out-of-the-box results look like. More importantly, learn to get better results, keep projects aligned with organizational goals, and fold agentic coding into your dev workflows. Write specs, generate code, verify functionality, ensure proper data flow and architecture… all while following best practices. Ellie will help bolster your bottom lines while avoiding headlines!
💻 Trevor Stevado - Hardware Hacking 101 w/ Take-Home Kit!
This intense 1-day hands-on course introduces participants to fundamental hardware hacking techniques used in embedded systems security research and pentesting. Each lab starts with a basic objective and adds additional layers to challenge yourself. Learn by doing with your own dedicated hardware hacking kit (included with your enrollment), then continue your journey in the comfort of your home, because the kit is yours to keep!
💸 10% Early Discount = $450
🎥 Get online access to the course after the event
⚡ Goes back to standard pricing of $500 soon
🍽️ Lunch included!

Want Just Hacking Training at your event? Email sales[at]justhacking[.]com.
perfectly balanced
as all things should be
— John Hammond (@_JohnHammond)
11:52 PM • Sep 12, 2025
today i have found myself as living proof of Dunbar's Number
— John Hammond (@_JohnHammond)
12:40 AM • Sep 12, 2025
I have a block on my calendar right now that is titled "Busy - E".
It does not have any other links or information.
I don't remember what "E" means.
Does anybody know WTF I'm supposed to be doing right now
— John Hammond (@_JohnHammond)
7:36 PM • Sep 4, 2025
In-depth Threat Analysis
How an Attacker’s Blunder Gave Us a Rare Look Inside Their Day-to-Day Operations
I usually keep my day job shtuff at my day job, but on occasion, I’ll come across something so wild that I have to blab about it everywhere I can. 😅
TL;DR: A threat actor installed Huntress—an embarrassing mistake on their part—giving us first-hand insight into their tooling, workflow & routine. Phishing infra, stealer logs, Telegram + dark web sites, AI...
This is a hilarious goldmine of cybercrime deets with a front row seat.
Got feedback?
Feels like we’re in a groove with this thing! I invite you to help me shake it up.
Please reply to this email and let me know what you’re loving — and what you’d love to see in the next edition.
Thank you!