Matt Johansen
@mattjay.com
Friendly neighborhood cybersecurity guy | expect infosec news, appsec, cloud, dfir. | Long Island elder emo in ATX.
vulnu.com <- sign up for my weekly cybersecurity newsletter
vulnu.com <- sign up for my weekly cybersecurity newsletter
If you like this stuff, subscribe to my free weekly newsletter along with 32k other pros:
Vulnerable U
Infosec's favorite weekly newsletter for news, tools, and tips with 32,000+ CISOs, founders, change-makers, and straight up hackers.
vulnu.com
October 23, 2025 at 5:33 PM
If you like this stuff, subscribe to my free weekly newsletter along with 32k other pros:
Full article on TechCrunch -
U.S. government accuses former L3Harris cyber boss of stealing trade secrets | TechCrunch
The U.S. Department of Justice accused Peter Williams, former general manager of L3Harris’ hacking division Trenchant, of stealing trade secrets and selling them to a buyer in Russia.
techcrunch.com
October 23, 2025 at 5:32 PM
Full article on TechCrunch -
Arraignment/plea agreement hearing scheduled for Oct 29 in DC. Williams isn't currently in federal custody. His attorney John Rowley declined comment when contacted by TC.
October 23, 2025 at 5:32 PM
Arraignment/plea agreement hearing scheduled for Oct 29 in DC. Williams isn't currently in federal custody. His attorney John Rowley declined comment when contacted by TC.
The criminal information doc is light on specifics - doesn't name the victim companies or detail nature of stolen trade secrets. But does list all the watches the FBI collected from him...
We can connect some dots based on what they do as a company.
We can connect some dots based on what they do as a company.
October 23, 2025 at 5:32 PM
The criminal information doc is light on specifics - doesn't name the victim companies or detail nature of stolen trade secrets. But does list all the watches the FBI collected from him...
We can connect some dots based on what they do as a company.
We can connect some dots based on what they do as a company.
Worth noting that this comes on heels of recent internal Trenchant investigation into leaked hacking tools. Not yet clear if the two incidents are connected.
October 23, 2025 at 5:32 PM
Worth noting that this comes on heels of recent internal Trenchant investigation into leaked hacking tools. Not yet clear if the two incidents are connected.
Timeline: Williams allegedly stole 7 trade secrets between Apr '22-Jun '25, and an 8th between Jun-Aug '25. He was Trenchant's GM from Oct '24 until Aug '25, operating out of DC.
October 23, 2025 at 5:32 PM
Timeline: Williams allegedly stole 7 trade secrets between Apr '22-Jun '25, and an 8th between Jun-Aug '25. He was Trenchant's GM from Oct '24 until Aug '25, operating out of DC.
Former L3Harris/Trenchant GM Peter Williams charged with stealing trade secrets. DOJ claims he made $1.3M from the sale.
October 23, 2025 at 5:32 PM
Former L3Harris/Trenchant GM Peter Williams charged with stealing trade secrets. DOJ claims he made $1.3M from the sale.
Dig this kind of news?
Join over 30k pros who get my weekly newsletter for free:
Join over 30k pros who get my weekly newsletter for free:
Vulnerable U
Infosec's favorite weekly newsletter for news, tools, and tips with 30,000+ CISOs, founders, change-makers, and straight up hackers.
vulnu.com
September 29, 2025 at 1:52 PM
Dig this kind of news?
Join over 30k pros who get my weekly newsletter for free:
Join over 30k pros who get my weekly newsletter for free:
No vulnerabilities used. No lateral network movement.
It's all just OAuth tokens all the way down.
Read the whole story here:
It's all just OAuth tokens all the way down.
Read the whole story here:
'You'll never need to work again': Criminals offer reporter money to hack BBC
Reporter Joe Tidy was offered money if he would help cyber criminals access BBC systems.
www.bbc.com
September 29, 2025 at 1:52 PM
No vulnerabilities used. No lateral network movement.
It's all just OAuth tokens all the way down.
Read the whole story here:
It's all just OAuth tokens all the way down.
Read the whole story here:
Funnily enough, I was looking for Medusa stuff while writing this thread, and CISA's advisory on how to protect yourself from them is the top search result.
While this is all good advice, it wouldn't have done much to stop this type of attack.
Hacks are just logins in 2025.
While this is all good advice, it wouldn't have done much to stop this type of attack.
Hacks are just logins in 2025.
September 29, 2025 at 1:52 PM
Funnily enough, I was looking for Medusa stuff while writing this thread, and CISA's advisory on how to protect yourself from them is the top search result.
While this is all good advice, it wouldn't have done much to stop this type of attack.
Hacks are just logins in 2025.
While this is all good advice, it wouldn't have done much to stop this type of attack.
Hacks are just logins in 2025.
Worth noting actors maintained professional demeanor throughout most interactions. Only escalated to aggressive tactics (MFA bombing) after patience wore thin.
Even apologized and said that was just them testing the login page.
Even apologized and said that was just them testing the login page.
September 29, 2025 at 1:52 PM
Worth noting actors maintained professional demeanor throughout most interactions. Only escalated to aggressive tactics (MFA bombing) after patience wore thin.
Even apologized and said that was just them testing the login page.
Even apologized and said that was just them testing the login page.
Group referenced previous "successful" insider compromises at UK healthcare and US emergency services orgs.
Claims align with known Medusa TTPs focusing on high-value targets.
Claims align with known Medusa TTPs focusing on high-value targets.
September 29, 2025 at 1:52 PM
Group referenced previous "successful" insider compromises at UK healthcare and US emergency services orgs.
Claims align with known Medusa TTPs focusing on high-value targets.
Claims align with known Medusa TTPs focusing on high-value targets.
When reporter delayed, group pivoted to aggressive MFA bombing - continuously triggering 2FA notifications hoping for accidental approval. Same technique used in 2022 Uber compromise.
September 29, 2025 at 1:52 PM
When reporter delayed, group pivoted to aggressive MFA bombing - continuously triggering 2FA notifications hoping for accidental approval. Same technique used in 2022 Uber compromise.
They requested specific network reconnaissance via command line queries, demonstrated knowledge of BBC's IT infrastructure, and offered "trust payment" of 0.5 BTC as deposit.
September 29, 2025 at 1:52 PM
They requested specific network reconnaissance via command line queries, demonstrated knowledge of BBC's IT infrastructure, and offered "trust payment" of 0.5 BTC as deposit.
Threat actor claimed to be a "reach out manager" for Medusa - a Ransomware-as-a-Service operation believed to operate from Russia/CIS region.
Group has hit 300+ victims in past 4 years per US cyber authorities.
(img: TheHackerNews)
Group has hit 300+ victims in past 4 years per US cyber authorities.
(img: TheHackerNews)
September 29, 2025 at 1:51 PM
Threat actor claimed to be a "reach out manager" for Medusa - a Ransomware-as-a-Service operation believed to operate from Russia/CIS region.
Group has hit 300+ victims in past 4 years per US cyber authorities.
(img: TheHackerNews)
Group has hit 300+ victims in past 4 years per US cyber authorities.
(img: TheHackerNews)
Initial contact came to @JoeTidy via Signal from "Syndicate" offering 15% of potential ransom payment for access to BBC systems.
Offer later increased to 25% of what they claimed would be "1% of BBC's total revenue."
Offer later increased to 25% of what they claimed would be "1% of BBC's total revenue."
September 29, 2025 at 1:51 PM
Initial contact came to @JoeTidy via Signal from "Syndicate" offering 15% of potential ransom payment for access to BBC systems.
Offer later increased to 25% of what they claimed would be "1% of BBC's total revenue."
Offer later increased to 25% of what they claimed would be "1% of BBC's total revenue."
If you like following news like this checkout my weekly newsletter:
Join over 30k pros: vulnu.com/subscribe
Join over 30k pros: vulnu.com/subscribe
Vulnerable U
Infosec's favorite weekly newsletter for news, tools, and tips with 28,000+ CISOs, founders, change-makers, and straight up hackers.
vulnu.com
July 25, 2025 at 8:27 PM
If you like following news like this checkout my weekly newsletter:
Join over 30k pros: vulnu.com/subscribe
Join over 30k pros: vulnu.com/subscribe
Not just 4chan trolls. 404media decompiled the app and found the URLs in question in code. Not public anymore, but verified they are there.
Original article: www.404media.co/wome...
Original article: www.404media.co/wome...
July 25, 2025 at 8:27 PM
Not just 4chan trolls. 404media decompiled the app and found the URLs in question in code. Not public anymore, but verified they are there.
Original article: www.404media.co/wome...
Original article: www.404media.co/wome...
"No authentication, no nothing. It's a public bucket"
This is why security and privacy pros hate these ID verification laws that require drivers license uploads - these apps just can't keep this stuff secure.
This is why security and privacy pros hate these ID verification laws that require drivers license uploads - these apps just can't keep this stuff secure.
July 25, 2025 at 8:27 PM
"No authentication, no nothing. It's a public bucket"
This is why security and privacy pros hate these ID verification laws that require drivers license uploads - these apps just can't keep this stuff secure.
This is why security and privacy pros hate these ID verification laws that require drivers license uploads - these apps just can't keep this stuff secure.
They found the database exposed on Google's Firebase.
The app is meant to be basically the "are we dating the same man?" Facebook group in a dating app.
In order to verify that the users are women, they ask for photos and driver's licenses.
The app is meant to be basically the "are we dating the same man?" Facebook group in a dating app.
In order to verify that the users are women, they ask for photos and driver's licenses.
July 25, 2025 at 8:27 PM
They found the database exposed on Google's Firebase.
The app is meant to be basically the "are we dating the same man?" Facebook group in a dating app.
In order to verify that the users are women, they ask for photos and driver's licenses.
The app is meant to be basically the "are we dating the same man?" Facebook group in a dating app.
In order to verify that the users are women, they ask for photos and driver's licenses.