This week on the podcast, we discuss a recent warning from the FBI about hacking leading to stolen shipments. Before that, we cover the Vercel software supply chain incident before discussing the Vect Ransomware-as-a-service turned accidental wiper.
Marc Laliberte 0:00
Hey everyone, welcome back to The 443, Security Simplified. I'm your host, Marc Laliberte, and joining me over there is
Corey Nachreiner 0:07
that portal punch Corey, the notorious Robo blocks cheater. Nachreiner, actually, I've never played Robo blocks.
Marc Laliberte 0:16
You're not even
Corey Nachreiner 0:17
Roblox. ROBLOX. ROBLOX,
Marc Laliberte 0:24
Anyways, on today's episode, we will discuss how Robo blocks caused the security incident at a company twice removed from the point of that.
Marc Laliberte 0:33
They should catch that fish. If you got a robo blocks fish, that's kind of giveaway.
Marc Laliberte 0:39
Yep. We'll discuss a ransomware that's actually an accidental wiper, and then we'll end with an interesting public service announcement from the FBI on cyber crime turning into stolen goods off of trucks.
Corey Nachreiner 0:53
By the way, Mark in general, I recommend intentionally wiping and not accidentally wiping. It's a little uncomfortable, if it only happens accidentally.
Marc Laliberte 1:04
With that, let's go ahead and flush our way in.
Marc Laliberte 1:14
So let's start with, I guess it's about a week and a half ago now, the major software development company of Vercel disclosed a security incident impacting a limited number of their customers, as they said. If you're not familiar with Vercel, they're the developers of Node js, a really popular JavaScript framework that many, if not most, JavaScript single page applications and other tools use. They quickly updated their disclosure soon after publishing it to point to a third party tool as the source of this, though, and this is where the story gets really interesting. So we've had a lot of supply chain attacks over the last couple of years. This one was kind of a, I don't know, a calamity of storms. Basically, researchers found that a Vercel employee was using Context AI, which is a third party artificial intelligence platform, and they had given that platform access to their Vercel Google Workspace account. Basically, if you go to sign in to app with your account, hit the sign in with Microsoft or sign in with Google button, it grants a level of access with auth tokens to allow that application to access resources as if they were you. From that employee's account, the attacker was able to pivot into Vercel's production environment and ultimately steal and decrypt what Vercel called non sensitive environment variables. Basically, if you're using their environment to host something, you might use environment variables to store a secret or a configuration item. Anything that wasn't encrypted, wasn't marked with a checkbox that says sensitive, was up for grabs from this attacker. But where this gets interesting is a security researcher at Hudson Rock pointed out that in February 2026, Context AI, an employee from them with sensitive access was compromised by Lumma, which is an info stealing malware that's making huge waves over the last two, three years now. That stolen data showed up on an underground marketplace for sale.
I think it was in one of the free samples for one of them even. And along with these stolen credentials was a whole bunch of other stolen data from this Context AI employee's computer. You could see their entire web request history. You could see the requests from them logging into Vercel's, like, tenant within Context AI and working with them. So this employee had a lot of a lot of access within Context AI's environment, and access into Vercel's environment. Looking through that infected machine's browsing history though, which was a part of the dump, they found evidence that the victim was searching for Roblox cheats and auto farm script specifically, and it was very soon after that, or alongside that, that they received the Lumma Stealer info stealer instead. So basically, the path for this was employee at Context AI, searching for Roblox cheats, gets Lumma Stealer. Lumma steals that Context AI employee's credentials, gains access to their machine. From there, within Context AI, steals OAuth tokens to Vercel's environment. Within Vercel's environment, steals customer data, including environment variables. But this all started with Roblox cheats.
Corey Nachreiner 4:41
what someone gaming at work and downloading kind of illicit things on a work computer,
Marc Laliberte 4:49
either that or like, Did they let their kid use their laptop like that happens too sometimes. I think,
Corey Nachreiner 4:55
yeah, but, but a work computer like I would definitely would let my kid use. My own gaming computer at home, but a work computer. I mean, there's a lot of takeaways that are obvious here, things you shouldn't do on corporate machines, and if you're lending it to a kid, the corporate machine is definitely not the one to lend to a kid.
Marc Laliberte 5:12
And it also points to a lesson that I learned 25 years ago, and you've probably learned even before me, that when you're searching the internet for cheats, for very popular games, you typically end up with things that you weren't asking
Corey Nachreiner 5:26
for along the way. Tracks right if you're going to do that kind of stuff, find the source, because the ones that are middlemen are usually adding fun things to it fun, I mean, things you don't want.
Marc Laliberte 5:37
Yep. I also thought this was interesting, that we could actually trace back the like point of origin for this, back to a Lumma Stealer at a third party company, and trace it back to how Vercel, in this case, was actually impacted.
Corey Nachreiner 5:51
It's an interesting combination, by the way, like before we even get into technical security, if there really were tech there are technical controls that might help here. But it first was a human issue, I mean, one a behavior that they shouldn't be doing to that human falling for things on the computer to I guess he really fell for his own, his or her under them, their, their own bad habit that the Fisher happened to be seen, plus supply chain issues too. Like, it really is, like, we like you and I like multi stage vulnerability hacks. This is like a multi stage supply chain social engineering situation, and it could continue going on further, because Vercel themselves is a platform, like people host applications as a like cloud app on here, those environment variables, like, even though you're supposed to check a little checkbox to mark them as sensitive, which encrypts them and stores them elsewhere, like people could just not know that, not check it, whatever, and still put a secret in there, like an API key or some other authentication credential. And now this will gain access to other secrets that can
Marc Laliberte 7:00
be used for other incidents going forward, OAuth
Corey Nachreiner 7:03
tokens were involved. Remember the Okta breach, which had lots of OAuth token like it. This is why supply chain is such a big deal, because you, even if you're a small business, you may not realize how connected you are to upstream vendors that are bigger than you, and lower stream vendors. And how all these connections, if you get these smart attackers that are figuring the supply chain out, can be leveraged, I really think supply chain is the next thing we have to worry about
Marc Laliberte 7:35
It 100% is, and this is it's just when we take a step back and see this started with a video game cheat, and it could potentially go into a third stage it is that is how risky. By
Corey Nachreiner 7:46
the way, I'm not like, there are times like I'll admit that I've had steam on my work computer, not because I'm playing games on it, but because I logged into my Steam account once and wanted to activate a key while I was on the flight. So these are little human mistakes that can really add up, that you have to think about, that seem, might seem innocuous, but aren't always.
Marc Laliberte 8:09
So what's the takeaway here? Application allow listing
Corey Nachreiner 8:12
when it get there? That seems to be hard for small businesses, because it just creates the Help Desk nightmare, because people are going to be installing things. So how can you do Application Whitelisting in the most frictionless way?
Marc Laliberte 8:27
Yeah, well, even just good endpoint protection, like Lumma Stealer isn't new, like we know how to check
Corey Nachreiner 8:32
Canvas dealer, yeah,
Marc Laliberte 8:34
and even I suspect that this Context AI employee's machine was lacking
Corey Nachreiner 8:41
for sure. Yeah, I would also, like, I worry the hard part about this really kind of convoluted multi stage attack is the threat actor taking the time and having to know enough to, you know, first, you know, hack was a Context AI to get the Vercel, but then also to realize this one employee like something that they use as part of the target. What happens when agentic AI starts to like, we already know it's taken over lateral movement, but now it can take over this type of lateral movement too, which is learning everything about the person on a machine and then figuring out connections to other places there. This is all why we need to get some more AI security to help fight this war for us, besides
Corey Nachreiner 9:24
just
Corey Nachreiner 9:24
having the defense, like you said, EDR would catch Lumma Stealer, WatchGuard EPR would catch Lumma Stealer.
Marc Laliberte 9:31
But like you said, as agentic AI becomes more powerful, malware will become more evasive. There will be higher percentages of it slipping through endpoint protection, even strong endpoint protections, and that's where having good detection and response capabilities will be so critical, and especially ones that you can automate at scale. Because, man, I don't know, I feel like I'm losing more and more sleep every night. And
Corey Nachreiner 9:56
hey, we work for a security company that's using AI too. I was going to get in. To like this comes down to you said good detection response and a CERT team that manages that detection response. This is why MDR services are made. So it's nice to work for a company that has that service, and I think the ones that use AI will be sleeping a little bit better.
Corey Nachreiner 10:17
Yeah, I
Corey Nachreiner 10:18
just have to keep our AI smarter.
Marc Laliberte 10:20
Do I just still have trust issues? Yeah,
Corey Nachreiner 10:23
that
Corey Nachreiner 10:23
is true.
Marc Laliberte 10:23
That keeps me up at night.
Corey Nachreiner 10:25
I think all of us in this industry are a little paranoid and want to do things ourselves. Just to verify, a little
Marc Laliberte 10:31
paranoid. You can't see my tin foil hat because I left it in the at the desk, but it's there.
Corey Nachreiner 10:37
It's under my toupee.
Marc Laliberte 10:38
There you go. Yeah, because of all the hair loss. Moving on. So the next story that was interesting, this comes from our good old best buddies at Check Point, where their research team puts
Corey Nachreiner 10:50
no sarcasm in that at all, right, Marc? Actually, Check Point is cool, but our project is better.
Marc Laliberte 10:56
Yes, their research team is cool. They can hang. They put out a really interesting post about a new, actually new ransomware variant called Vect, which is a new ransomware as a service offering that made its very first appearance back in December of just this last year on a Russian language cyber crime forum. They claimed their first two victims back in January, but they really started making waves back just a little bit ago when they announced a partnership with Team PCP, which some of you may not know who that is. Team PCP is the I assume they have good parties. Yes, great parties. They made their fame from many of the software supply chain attacks from the last couple of months, including Trivy, Checkmarx, LiteLLM and Telnyx. So Vect announced a partnership with them to expand the breadth of their ransomware as a service reach. They also announced a partnership with BreachForums itself, the really popular hacking forum, which
Corey Nachreiner 12:04
has
Corey Nachreiner 12:04
been taken down like 12 times and has come up every single time. Yep,
Marc Laliberte 12:08
Really bad game of Whack a Mole. But so they offered every single registered user on BreachForums affiliate access and the ability to use Vect, which is how Check Point and their team got their hands on it, as all of us are members of,
Corey Nachreiner 12:24
by the way, affiliate access, if you wonder how, like, the reality is the people spreading ransomware usually don't write it. And the way that the people who write ransomware monetize while, frankly, not really taking as much of the direct risk, is they create a ransomware product, and they can essentially give it away for free, but they have code within when they are taking the ransom, they take, like, 20% of whatever cryptocurrency is offered in ransom. So that's what an affiliate is on that. I mean, it's just like, I don't know, multi stage marketing here, you sell our product, although I guess in those multi stage marketing they make you buy the stock of the dumb teddy bears that you're supposed to sell, or the candles I would definitely put, like Herbalife on par with ransomware operators. That's that is a fair but most of the people spreading are technically efficient affiliates, and the ones making it have that arm's length away,
Corey Nachreiner 13:21
yep.
Marc Laliberte 13:22
But so Check Point went into a pretty in depth technical analysis, which uncovered a few kind of interesting irregularities that I'll give you my hot take on why I think that they're in there. Like, first off, they describe a very specific type of encryption. They say they're using authenticated ChaCha20, specifically ChaCha20-Poly1305. Turns out it's unauthenticated. ChaCha20 is a stream cipher, which, for the non nerds in here, that doesn't matter, but it's a discrepancy of what they say they're doing versus what's actually going on. They advertise a few other encryption related and usability related features that just weren't fully implemented in their ransomware product, for example, and there was one really big flaw in their ransomware that actually just turns it into a straight up wiper, where any file larger than 128 kilobytes,
Corey Nachreiner 14:16
I think it's silly that They call this a large file processing flaw, because 124 kilobytes is not large in my brain. No, this is a tiny, just a little bit bigger than tiny flaw processing empty
Marc Laliberte 14:32
word document is probably
Corey Nachreiner 14:35
the template for the Word document.
Marc Laliberte 14:36
Yeah, but anything larger than 128 kilobytes is actually permanently and irrecoverably destroyed, because as it's going and encrypting files, the cipher that it's using, it needs both a key and what's called a nonce, a number you use once. Those two together is what makes cryptography secure. That nonce is generated for each chunk of the file they're generated that they're trying to encrypt. And so when it's they get a large file, they break it into four chunks, they generate a nonce, encrypt the first one, generate a nonce for the second one, encrypt that, and so on and so forth. But in the way the code was written, they screwed up with how the variable is defined, and it's basically overwritten by each subsequent block, which means they're not storing it. They have no way of giving it to you. If you pay the ransom, the files are just gone if they are larger than 100
Corey Nachreiner 15:28
so tin foil hat, like Russian threat actors are known for when they're targeting places like Ukraine and actually want to deploy wiper malware, but want to do it under a black flag operation, they pretend it's ransomware,
Marc Laliberte 15:43
like NotPetya,
Corey Nachreiner 15:44
yeah, yes. And I guess the immediate question here is, why would this group publicly ask everyone to do that? Because it's not a target. But, you know, in Check Point's research, this is, like, maybe described as a mistake that makes it bad malware, bad ransomware. But was this a mistake for sure? What's
Marc Laliberte 16:04
the name of the logical rule where never attributes
Corey Nachreiner 16:07
or
Corey Nachreiner 16:07
never
Marc Laliberte 16:09
returning something to malice that could be better explained by this seems more like
Corey Nachreiner 16:16
razor,
Marc Laliberte 16:17
yeah, more like a big piece of vibe, coded garbage, is what I gather out of this.
Corey Nachreiner 16:22
Where could be, could be, for sure,
Marc Laliberte 16:24
they wanted to join the ransomware game. This what first came into the market December of last year. So AI assisted development is well established and highly capable in the right hands and the wrong hands. If you have no idea what the heck you're doing or how to validate it, you end up with stuff that technically runs, technically works, but may have
Corey Nachreiner 16:44
things this would come up on their test computer, though. I mean, you would think they would maybe test the decryption once if they want to get paid.
Marc Laliberte 16:52
Do you think ransomware operators have a QA department?
Corey Nachreiner 16:55
I guess if CrowdStrike doesn't test their updates
Marc Laliberte 16:59
and the world, maybe we shouldn't put it on our friendship with CrowdStrike ended. That is, yeah, totally fair, but I feel very strongly that this was some script kiddie got their hands on, like Cursor or Claude Code, got around the guardrails, and now they generated a really crappy ransomware offering that doesn't do what it says it's supposed to do. So unfortunately, if you are or do become a victim of Vect, which is free for everyone to use with a BreachForums account, your files are gone and there is no recovering from it. So unless
Corey Nachreiner 17:41
you
Corey Nachreiner 17:41
have backup, unless you do the normal things that business should do to prevent disaster or to allow business continuity and disaster recovery. Yeah,
Marc Laliberte 17:51
Correct, which hopefully everyone listening right now does have a not just a backup, but a tested restoration process. Because, yeah, this could be bad. I do think this probably won't be an operator that lasts. I feel like the offering everyone on BreachForums affiliate access is like a desperation move to try and gain clout. And like, at the end of the day, affiliates are trying to earn money, and if, like, word gets out that you literally can't recover from it, no one's going to pay the ransom, even those that would be inclined to do so normally. So does it have any exfiltration capability? It did not look like it did so and if it was supposed to, then I suspect that wasn't working either. So yeah, silver linings, if you are in the market for a new ransomware as a service offering, I would recommend staying away from this one. One out of five stars, bad experience. So moving on to the last one, I saw this email come through. I think just like yesterday, at the time of this recording, the FBI published a public service announcement last or last week at the time you're listening to this about how threat actors are using cyber enabled tactics to hijack freight, steal high valued shipments and reroute deliveries that are intended to go to other organizations. So since starting in 2024 they've gained unauthorized access to computer systems of brokers, carriers and like other shipping organizations, usually starting with social engineering, but they've got this big, long attack chain that we'll walk through and pull up here on the screen in just a second, and they basically trick carriers into handing over goods to the attackers without like any any capability to stop them in many spots. So basically, this all starts the FBI walked through the attack chain. It all starts with them impersonating and spoofing a broker. So basically, shipping companies act through brokers to find organizations that want something moved from point A to point B.
The carrier will go through their broker and say, I'll do that for $1,000 let's say, and they'll get assigned the shipment about pick it up, drop it off where they're supposed to. So this starts with pretending to be a broker, an actual, known one, and sending out an email to carriers with things like a carrier broker agreement they need to sign or say that they got a bad service rating that they need to address and review. So those are the hooks to trick them into clicking on the link which takes them to a realistic but illegitimate website designed to look like that broker that's hosting malicious executables that ultimately download legitimate remote management tools, RMM tools, by
Corey Nachreiner 20:51
the way, our listeners, most of which are MSPs, know about RMMs. I mean, these are tools you use all the time in your business to monitor the endpoints you're monitoring. So legitimate tools, definitely something this, obviously, is targeting a very specific vertical in these these carriers and cargo ships and organizations, but familiar techniques, man, you got to be careful with downloading RMMs from bad sources.
Marc Laliberte 21:20
There's a reason they're using it because, like these are legitimate tools like McAfee, antivirus isn't going to block your whatever RMM tool, because RMM
Corey Nachreiner 21:30
typically, one of its default capabilities is to push executables and installers remotely on other places. So it's an excellent tool for threat actor as well, yep.
Marc Laliberte 21:41
So once they gain that access to the carrier's account, so like the actual trucking organizations, they then access the the truck load boards, the places where you bid for these using that carrier's account, but they impersonate a broker to compromise other carrier accounts and trick that and post like fake loads, fake like offers for transportation, and legitimate carriers will bid on these fake loads. So
Corey Nachreiner 22:08
it's kind of interesting. They've already infected someone, but they can also monitor some results of who they infected to and use them for these fake loads. So
Marc Laliberte 22:18
then they create these fake ones, create fake contracts for the threat actor. They then provide a malicious carrier broker agreement and compromise carrier and compromise additional carrier computers. So basically they're spreading throughout this like this marketplace, I guess
Corey Nachreiner 22:37
physical this literal, like carried cargo supply chain like this is what we think of. It the normal supply chain, and they're infecting all of this delivery supply chain.
Marc Laliberte 22:48
So then they'll use their access as a compromised carrier to accept shipments and from like unwitting drivers. They'll provide manipulated bills of lading, the actual like manifests and contract for transporting it, and they'll change the destination for the load too. So instead of delivering your Nike shoes to whatever city, they'll send it off to a different warehouse. They'll even change the legitimate carriers contact info with the regulatory agency here in the US for it. They'll update insurance information to let them carry loads that they were previously not permitted to carry. So think like electronics probably have lithium ion batteries. They may not have the right insurance for that. They'll update their insurance to be able to carry lithium ion batteries to steal a bunch of laptops. They'll then the unsuspecting carrier that has accepted this contract we'll go drive it to the location that,
Corey Nachreiner 23:43
by the
Corey Nachreiner 23:43
way they they call, I don't know if we're talking about the carriers or the drivers right now, but they call it partially unwitting drivers that pick up the load. So this gets me thinking about whole mule economy, which we don't talk about a lot like a lot of times when you're doing a scam, you eventually do need to get a person to transfer money or something, and there's mules that they typically are falling for social engineering too. But in my opinion, it's such obvious like, Why have I been contacted through text randomly to do this thing? That seems really weird, and I'm going to get a little money for so I am curious. I wish we had, we don't have the whole story there, but I wish we knew more about why they call it partially unwitting drivers, the
Marc Laliberte 24:30
partially unwitting drivers, though, then meet up with the totally malicious, or at least complicit drivers, who then cross load or cross dock the actual goods and then steal them, effectively, take them somewhere else and put them up for resale. Sometimes they even contact the broker and demand a ransom in exchange for the location of these details for the load. And they've had a ton of success over this, like the FBI mentioned very early on that in 2025 the estimate. Cargo theft in the US and Canada reached $725 million and this like stood out to me as a kind of no duh. It makes sense to see cyber related crimes making their way into every like area, but like cyber crime to physically steal goods like it's Ocean's 11 is it feel pretty nuts still.
Corey Nachreiner 25:24
You had terrorist all this, which I'm sure all of these carriers have to deal with, at least in their paperwork. I'm surprised tariffs can actually be paid and aren't being affected. Anyways, yes, this is a very cool but scary cargo cyber heist. Man, this is definitely Ocean's 11 on cyber.
Marc Laliberte 25:45
But there are, like, some takeaways from this, if any truckers or brokers happen to be listening right now, like, the biggest one is just social engineering, is how this typically starts, and they use all hallmarks of a good phish of urgency, like, you've got a bad review and you need to come address this, or we're going to stop shipping goods through you, or, Hey, we've got a new agreement that you have to accept before you're allowed to carry any more goods. And that's the hook to get them interested, fall for the site, and then from there, it's just a matter of tricking them into downloading
Corey Nachreiner 26:15
the links. I mean, the FBI goes into the links being used. When we've talked about shorteners before, those are scary. When you look at these domains, the FBI used their own domain as an example, but like the way you all know, the way people spoof legitimate domains, throwing in a hyphen or extra punctuation, doing a different top level, like instead of.com doing.io there's lots of or adding a couple words to something that's legitimate. So the techniques used were all techniques that you're familiar with. So so all your basic social engineering training should apply.
Marc Laliberte 26:51
And then on the RMM front, like you as an organization, probably use RMM tools, but you probably use one single, or at least within a single customer you service or business, you're at one single RMM tool. You should know what that one is, and you should be on the lookout for unexpected ones popping up on your computers. And this is where like or like MDR can really help, where we've got detection capabilities and anomaly detection to look for new RMM tools that we hadn't seen previously on a company and the network, and flag that as suspicious and trigger an investigation. Because, like your endpoint security, like Microsoft Defender, on its own, is not going to flag something like ConnectWise as malicious, because it's
Corey Nachreiner 27:37
not. It knows it. There's a lot of human things you should learn from this, policy wise too. Like I one thing Mark and I in any CISO office knows is you can have all the technical security controls in the world, but people can still accidentally do a dumb thing. But these are all business processes, shipment requests, changes in pickup locations, bids that cost money. Anytime you're working with external partner or business, there should be human processes to check driver's licenses, vehicle numbers, the actual banks you send bids to. So there's also, I mean, really very I'm assuming shipment and cargo, people can add human processes that help them validate before they start doing things with external pickup organizations that might cause their cargo to get into the wrong driver's hands,
Marc Laliberte 28:33
at least pick up the phone and be like, hey, this you, I can help out a lot.
Corey Nachreiner 28:38
Exactly,
Marc Laliberte 28:39
yeah, crazy times, though, what do you think the biggest heist they had was?
Corey Nachreiner 28:45
I don't know. Man,
Marc Laliberte 28:47
yeah, the changing
Corey Nachreiner 28:47
insurance bikes. There's all kinds of fun EV stuff. If I were to target something besides laptops and GPUs, it would be like all these little EV longboards or dirt bikes or bicycles.
Marc Laliberte 29:00
I could see that being a popular target and something relatively easy defense, like iPhones, they know every serial number on the market,
Corey Nachreiner 29:07
GPS,
Marc Laliberte 29:08
but a bike, yeah, that could be it.
Corey Nachreiner 29:11
And they're high value. I mean, some of those dirt bikes are 5k so if you can steal a bunch of those, you got a lot of money, and they don't all have GPS in them to help find them
Marc Laliberte 29:20
crazy times, though, Keep on the lookout for cyber stolen trucks.
Marc Laliberte 29:29
Hey everyone, thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate, review and subscribe. If you have any questions on today's topics or suggestions for future episode topics, you can reach out to us on Bluesky. I'm at it's mark.me, Corey's SecAdept, and the both of us are on Instagram at WatchGuard underscore technologies. Thanks again for listening, and you will hear from us next week.