CyberWire Daily - SSH-attered trust.
Episode Date: April 18, 2025

A critical vulnerability in Erlang/OTP SSH allows unauthenticated remote code execution. There's a bipartisan effort to renew a key cybersecurity info sharing law. A newly discovered Linux kernel vulnerability allows local attackers to escalate privileges. A researcher uncovers 57 risky Chrome extensions with a combined 6 million users. AttackIQ shares StrelaStealer simulations. A major live events service provider notifies employees and customers of a data breach. CISA warns of an actively exploited SonicWall vulnerability. An airport retailer agrees to a multi-million dollar settlement stemming from a ransomware attack. A preview of RSAC 2025 with Linda Gray Martin and Britta Glade. Zoom-a-zoom zoom, it's always DNS.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today Dave sits down with Linda Gray Martin, Chief of Staff, and Britta Glade, SVP of Content and Communities, from RSAC, sharing what is new at RSAC 2025.

Selected Reading
Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (Bleeping Computer)
Bipartisan duo wants to renew 10-year-old cyberthreat information sharing law (The Record)
Linux Kernel Vulnerability Let Attackers Escalate Privilege – PoC Released (Cyber Security News)
Chrome extensions with 6 million installs have hidden tracking code (Bleeping Computer)
Emulating the Stealthy StrelaStealer Malware (AttackIQ)
Live Events Giant Legends International Hacked (SecurityWeek)
CISA tags SonicWall VPN flaw as actively exploited in attacks (Bleeping Computer)
Airport retailer agrees to $6.9 million settlement over ransomware data breach (The Record)
Global Zoom Outage Caused by Server Block Imposed from GoDaddy Registry (Cyber Security News)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
A critical vulnerability in Erlang/OTP SSH allows unauthenticated remote code execution.
There's a bipartisan effort to renew a key cybersecurity info sharing law.
A newly discovered Linux kernel vulnerability allows local attackers to escalate privileges.
A researcher uncovers 57 risky Chrome extensions with a combined 6 million users.
AttackIQ shares StrelaStealer simulations.
A major live event service provider notifies employees and customers of a data breach.
CISA warns of an actively exploited SonicWall vulnerability.
An airport retailer agrees to a multimillion dollar settlement stemming from a ransomware attack.
A preview of RSAC 2025 with Linda Gray Martin and Britta Glade, and zoom-a-zoom-zoom, it's always DNS.
It's Friday, April 19, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Happy Friday and thanks for joining us here today. Great to have you with us.
Erlang/OTP SSH is widely used in systems that demand high availability and concurrency, particularly in telecommunications, IoT, and embedded devices. Its integration into Erlang's ecosystem makes it a preferred choice for developers building distributed systems requiring secure remote access.
A critical vulnerability in Erlang/OTP SSH allows unauthenticated remote code execution on affected devices. Discovered by researchers at Ruhr University Bochum, it carries a maximum CVSS score of 10. The flaw stems from improper handling of pre-authentication SSH messages, enabling attackers to run commands, often as root, via the SSH daemon. Horizon3's security team confirmed the exploit is easy to reproduce and could soon see public proofs of concept. All systems using Erlang/OTP's SSH are impacted. Erlang relies on the OTP stack for components like SSH. Users are urged to upgrade immediately. For systems that can't be patched, access should be limited to trusted IPs or SSH disabled altogether.
Senators Gary Peters, a Democrat from Michigan, and Mike Rounds, a Republican from South Dakota, have introduced the Cybersecurity Information Sharing Extension Act to renew a key 2015 law encouraging businesses to share cyber threat data with the government. Set to expire in September, the original Cybersecurity Information Sharing Act helped companies report threats like malware and vulnerabilities to DHS while receiving legal protections. The law supports real-time collaboration between private firms and agencies like CISA through efforts like the Joint Cyber Defense Collaborative. It's credited with aiding responses to major incidents like SolarWinds and Volt Typhoon. Senator Rounds warned that letting it lapse would harm national cyber defenses. Experts agree the law has boosted operational partnerships, but say the renewal is a chance to update it for modern privacy, supply chain, and threat realities.
A newly discovered Linux kernel vulnerability poses a serious risk by allowing local attackers to escalate privileges and potentially gain root access. With a CVSS score of 7.8, the flaw affects the bitmap:ip set type in the netfilter subsystem due to improper handling of IP range parameters. The exploit code enables attackers to perform out-of-bounds writes, bypass KASLR, and execute kernel-level code. Patches are available, and system administrators are urged to update immediately.
Security researcher John Tuckner has uncovered 57 risky Chrome extensions with a combined 6 million users, many of which have excessive permissions and could be used for surveillance or malicious activity. These extensions, often unlisted from the Chrome Web Store and only installable via direct link, claim to offer privacy or ad blocking services, but can monitor browsing behavior, access cookies, modify search results, and execute remote scripts. The most notable, Fire Shield Extension Protection, is heavily obfuscated and communicates with a suspicious domain. Tuckner found multiple extensions linked to the same domain, raising concerns about their potential use as spyware. Google is currently investigating the report, and users are advised to remove any of the flagged extensions and reset their passwords as a precaution. Some extensions have been taken down, but others remain active.
StrelaStealer is a credential-stealing malware targeting email clients like Microsoft Outlook and Mozilla Thunderbird, active since 2022 and attributed to the threat actor Hive0145. It spreads via phishing emails containing zip files with malicious JavaScript that downloads a DLL payload. Recent campaigns have hit over 100 organizations across Europe and the US with enhanced obfuscation and new delivery methods involving PowerShell and WebDAV. AttackIQ has released attack graphs that simulate StrelaStealer's behavior, covering its initial infection, system discovery, and data exfiltration, to help organizations test and improve their defenses. These scenarios highlight the importance of monitoring native Windows utilities like rundll32 and regsvr32, which are used to launch the malware. Security teams are urged to use these tools to validate detection and mitigation strategies against this growing threat.
Legends International, a major live event service provider, is notifying employees and customers of a data breach discovered on November 9th of last year. The company took systems offline and found that attackers exfiltrated files containing sensitive data, including Social Security numbers, driver's license details, payment card info, and medical records. Over 8,000 Texans were affected, though the full scope remains unknown. While there's no evidence of misuse, impacted individuals are being offered two years of free identity protection. No group has claimed responsibility.
CISA has warned U.S. federal agencies to patch a high-severity remote code execution vulnerability affecting SonicWall SMA 100 series appliances. The flaw allows low-privileged remote attackers to execute arbitrary code via the SMA 100 management interface. Initially considered a denial-of-service issue, SonicWall recently upgraded its severity and confirmed it is being actively exploited. Agencies must patch by May 7, and all organizations are urged to act swiftly to prevent potential breaches.
Airport retailer Paradies Shops has agreed to a $6.9 million settlement to resolve a class action lawsuit stemming from a 2020 ransomware attack that exposed personal data of 76,000 current and former employees. The breach, linked to the REvil ransomware group, compromised names and Social Security numbers after hackers accessed systems for five days. Plaintiffs accused the company of negligence and delayed notification. While denying wrongdoing, Paradies opted to settle to avoid prolonged litigation. The deal follows a growing trend of post-breach class actions.
Coming up after the break, a preview of RSAC 2025 with Linda Gray Martin and Britta Glade, and zoom-a-zoom-zoom, it's always DNS.
Stay with us.
Bad actors don't break in, they log in.
Attackers use stolen credentials in nearly nine out of ten data breaches, and once inside, they're after one thing: your data.
Varonis's AI-powered data security platform secures your data at scale, across IaaS, SaaS, and hybrid cloud environments.
Join thousands of organizations who trust Varonis to keep their data safe.
Get a free data risk assessment at varonis.com.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit but hard for defenders to detect.
This poses risk in Active Directory, Entra ID, and hybrid configurations.
Identity leaders are reducing such risks with attack path management.
You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to SpecterOps.io today to learn more.
SpecterOps, see your attack paths the way adversaries do.
The RSAC 2025 conference in San Francisco is right around the corner.
And today I speak with Linda Gray Martin and Britta Glade from RSAC Conference with a preview
of this year's activities.
Well, Linda and Britta, welcome back.
It is always a highlight when we get to get together
year after year to preview the upcoming RSAC conference.
And this year is no exception.
Welcome back, ladies.
Thank you for having us.
Nice to speak to you again.
So let's start off with some of the things
that are new for this year at RSAC 2025.
Real quick, we've got some new branding for RSAC this year.
Do we want to touch on some of the differences there that folks might notice as they're wandering
around?
Yes.
Well, I think the first one actually people probably heard when you did our introduction
and that is that RSA Conference is now known as RSAC Conference.
So you will see that branding change everywhere
throughout the campus when you're at the conference.
What are some of the other things that we can expect from
this year's conference in terms of what's
new or what you want to bring to people's attention?
Yeah. Well, maybe I can jump in here and start
and then Britta can talk about some of the content stuff
that we're doing this year, always new and exciting.
So we do have a lot of new and big going on this year.
So apart from having refresh sessions and tracks
and content, which I mentioned Britta will dig into,
there's a couple of other things I'd like to highlight. So number one is that we're expanding our campus, and for the very first time
we are using the Yerba Buena Center for the Arts, which is directly adjacent to Moscone North. If
you're looking at it head on, it's to the right, and you see the big blue shield theatre there.
So you know one of the things driving that,
and I'll come back to telling you about what is in YBCA in a minute,
but it is the 20th anniversary of our Innovation Sandbox Contest this year.
I know you're speaking with Cecilia next week,
so I won't steal her thunder.
But we do have a larger footprint for that event to celebrate the 20th anniversary,
amongst other things, which she will go into. And so that has caused us to make some shifts to our
space. So over on YBCA, we have the newly named YBCA Keynote Program, formerly South Stage Keynote.
So that will be in the really beautiful theatre there.
It holds just under 800 people.
And it's what I call a performance theatre.
So it has a beautiful stage, lovely auditorium seating.
It's going to be a real highlight.
And I think it's going to really provide a lovely experience
for both the speaker and the attendees.
Our Sandbox Program is also going to be over on YBCA,
which hopefully you're familiar with,
that offers our attendees hands-on experiences that range from
things like capture the flags to an escape room this year.
But very excitingly, we're also partnering with DARPA,
and they are bringing their AI cyber challenge to RSAC conference this year.
And just in a nutshell, what that is,
is attendees can go on an immersive journey
that transports them to a fictional city,
which is called Northbridge.
And it's designed to showcase the importance
of AI driven cybersecurity
and protecting our critical infrastructure.
And attendees will literally go on a little simulator train
into the space.
So it's a fantastic program,
and we are so thrilled to have that come to RSAC this year.
And then finally, Early Stage Expo,
which is kind of always near the innovation sandbox space,
that also has an expanded footprint.
So we have nearly 70 startups participating in that space this year. So those are kind of some of
the operational logistical new things. Britta do you want to talk about some of
the new content stuff? Absolutely. So we have well over 400 sessions that are
spread as Linda said we have Moscone West, we have North, South, and then the Yerba Buena Center
for the Arts.
And these sessions are spread across all of those areas,
across 29 different tracks.
And Dave, what we try to do is we really look at,
what content is carefully accessed in our library.
We also do year-round programming.
Then as we look at the call for speakers that come in,
and working with our program committee,
that drives what kind of sessions are we going to have,
how much are we going to have on certain topics, etc.
During the course of that,
we landed on a couple of interesting expansion areas for content.
One is protecting home and family. This will be a mini track if you will that's
running on Monday. You'll hear me say Monday several times because we are
expanding a lot of the content on Monday. We have so many folks on our campus on
that first day of programming. We wanted to make sure there were many many
options for those individuals.
So protecting home and family will be exactly
what it sounds like, right?
You would think that we as cybersecurity professionals
have everything under control, under our own roof.
And the reality is, nope, we could probably take
some pointers on how to make sure we're very secure
on our own home front.
So we have five wonderful sessions that are part of that.
We're also bringing back our security foundations track,
which again you might say,
goodness, you have such experienced attendees at RSAC,
do you really need to cover foundations?
The answer is yes, this is heavily sought after information.
It's nice to have a primer on topics like generative AI, identity, application security.
So again, five sessions on that that are a great starter for the week, refresher to return
to, great content there.
And then lastly, also on Monday, we are partnering with USENIX.
Several of their papers from their Security 24 distinguished
papers honorees are presenting at RSAC as well.
So that's a really nice academic researcher's view
of very critical issues that will
be presented to our audience.
So those are some particularly new ones
that will be part of our content programming this year.
Well, before I let you all go,
let's talk about the conference for folks
for whom this is their first time there.
It can be a bit overwhelming.
The scale of RSAC conference is huge.
So when you walk into that show floor,
when you look at the schedule and you try to figure out
what you want to see and make it all happen,
it's easy to feel a little overwhelmed.
Do you ladies have any tips for the first timer
or for maybe people who haven't been in a few years?
Yeah, we do.
So I think you hit two really important things there,
Dave, and it can be overwhelming.
We understand that and we try really hard
to make everything as accessible as we can.
A couple of tips that we have.
First of all, before you head to San Francisco,
come with a plan.
I think that makes it a little less overwhelming.
So, you know, you can go onto our website,
you can filter on all the different kinds of session types that you want to go to,
you can build out your schedule, you can reserve seats,
you can see which vendors are in the expo hall, you can really plan your time.
And I think that is really going to serve you well and help you maximize your time.
The other thing I wanted to just point out
is that on the Sunday night, we do have a reception
for first timers, so people who have never been before,
along with our loyalty plus attendees,
so people who have been multiple times.
And it's a really great opportunity
to make some connections.
But honestly, I think people make connections
and have them for life after they've been
to RSA Conference.
Networking, talking to peers, understanding challenges
that others are going through,
it's such an important point of the conference experience.
So a little shout out for that reception on the Sunday night.
Definitely. And I love what Linda pointed out:
reserve a seat.
Any of the content sessions,
you have the ability to reserve a seat,
or if it's one of our larger areas like our keynote area,
you can add it to your favorites.
Have a plan, have a backup plan,
have a backup backup plan,
which also serves you well, Dave,
when you go back to all of this great content,
no one is going to be in 400 plus sessions.
You can't do that. But you've gone through,
you've looked at everything,
all of your favorites give you a map for things you want to return to,
something you might want to share with a colleague, etc.
Then as Linda mentioned, but I'll put a big exclamation point on it, honor that
time to get to know other people as well.
Someone you're standing in line next to, you know, waiting to get into a session, someone
that you're seated next to.
The networking opportunity and the ability to impact this, your cohort for life if you will,
cannot be understated. The opportunity that RSAC presents to you to find like
minds, to find people with different minds, different perspectives, different
disciplines. All of those people are together in San Francisco during this
week and it is an excellent opportunity to immerse yourself
with all of these great minds.
You know, it's a great point and I have some colleagues
who are on the East Coast like I am,
and they may be close by to where I work,
but we joke about how the main place
we get to see each other every year is at RSAC conference
because we're all going to
be there and it's just how it works.
Right, it is and I think that's the exciting part about it, Dave.
Honestly, I think, you know, I was talking to somebody earlier, we just get so excited
when we go and that we have just such a vibrant community, you know, and people just find
joy in spending time with each other.
Yeah.
Well, let me close it out just by suggesting to everybody,
wear comfortable shoes, right?
Indeed.
100%.
Hydrate, yes.
Hydrate, wear comfortable shoes, yes.
You will thank us.
All right, ladies, thanks so much for taking the time.
It's always fun to catch up.
I appreciate it.
And I will see you in San Francisco.
See you very soon.
Take care.
Thank you.
Do you know the status of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security
questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber.
That's vanta.com/cyber for $1,000 off.
And finally, our It's Always DNS desk reports that earlier this week, millions of people
found themselves staring into the void of a broken Zoom link.
The beloved video call platform went dark for nearly two hours, not because of hackers
or server meltdowns, but due to a digital game of telephone gone wrong.
The culprit?
A miscommunication between Zoom's domain registrar, MarkMonitor, and GoDaddy Registry, keeper
of the .us domain. In short, GoDaddy accidentally hit the off switch on zoom.us, making it disappear
from the internet. While those already mid-meeting continued blissfully unaware, the rest of
us were left refreshing error messages and briefly wondering if the apocalypse may have begun.
DNS cache delays meant the fix took a while to ripple across the web, and Zoom had to
walk users through techie tasks like flushing their DNS.
Zoom has since slapped a registry lock on its domain.
Better late than never.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Nick Cerne, security consultant from Bishop Fox.
We're discussing Rust for malware development. That's Research Saturday. Check it out.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity, or cloud computing, Vanguard offers a dynamic
and collaborative environment where your ideas drive change.
With career growth opportunities and a focus on work-life balance, you'll have the flexibility
to thrive both professionally and personally.
Explore open cybersecurity and technology roles today at
Vanguardjobs.com