CyberWire Daily - SSM On-Prem Flaw is a 10/10 disaster.

Episode Date: July 18, 2024

Cisco has identified a critical security flaw in its SSM On-Prem. The world's largest recreational boat and yacht retailer reports a data breach. The UK's NHS warns of critically low blood stocks after a ransomware attack. Port Shadow enables VPN person-in-the-middle attacks. Ivanti patches several high-severity vulnerabilities. FIN7 is advertising a security evasion tool on underground forums. Indian crypto exchange WazirX sees $230 million in assets suspiciously transferred. Wiz documents vulnerabilities in SAP AI Core. DDoS-for-hire team faces jail time. Guest Tomislav Pericin, Founder and Chief Software Architect of ReversingLabs, joins us to discuss their "Free Resource to Conduct Risk Assessments on Open-Source Software." Playing red-light green-light with traffic light controllers.
Selected Reading

Cisco discloses a 10.0 CVSS rating vulnerability in SSM On-Prem (Stack Diary)
Yacht giant MarineMax data breach impacts over 123,000 people (Bleeping Computer)
UK national blood stocks in 'very fragile' state following ransomware attack (The Record)
Port Shadow Attack Allows VPN Traffic Interception, Redirection (SecurityWeek)
Ivanti Issues Hotfix for High-Severity Endpoint Manager Vulnerability (SecurityWeek)
Cybercrime group FIN7 advertises new EDR bypass tool on hacking forums (Security Affairs)
WazirX reports security breach at crypto exchange following $230 million 'suspicious transfer' (TechCrunch)
SAPwned: SAP AI vulnerabilities expose customers' cloud environments and private AI artifacts (Wiz Blog)
Jail time for operators of DDoS service used to crash thousands of devices (Cybernews)
Hackers could create traffic jams thanks to flaw in traffic light controller, researcher says (TechCrunch)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Cisco has identified a critical security flaw in its SSM On-Prem. The world's largest recreational boat and yacht retailer reports a data breach. The UK's NHS warns of critically low blood stocks after a ransomware attack. Port Shadow enables VPN person-in-the-middle attacks.
Starting point is 00:02:19 Ivanti patches several high-severity vulnerabilities. FIN7 is advertising a security evasion tool on underground forums. Indian crypto exchange WazirX sees $230 million in assets suspiciously transferred. Wiz documents vulnerabilities in SAP AI Core. A DDoS-for-hire team faces jail time. Our guest is Tomislav Pericin, founder and chief software architect at ReversingLabs. We're discussing free resources
Starting point is 00:02:48 to conduct risk assessments on open source software. And playing red light, green light with traffic light controllers. It's Thursday, July 18th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us. Cisco has identified a critical security flaw in its Smart Software Manager On-Prem, that's SSM On-Prem, scoring a perfect 10.0 on the CVSS scale.
Starting point is 00:03:46 Announced on July 17, this vulnerability allows attackers to change any user's password, including administrators, without needing to log in. The flaw is due to the improper implementation of the password change process, exploitable via specially crafted HTTP requests. SSM On-Prem is used for managing software licenses within local network environments, so a compromised internal network increases exploitation risks. Cisco has no workarounds for this issue, and the only remedy is applying the latest updates. Cisco confirmed no known malicious use of this vulnerability at the time of disclosure, and it was promptly addressed following a report by security researcher Mohamed Adel. MarineMax, the world's largest recreational boat and yacht retailer, is notifying over 123,000 individuals about a security breach in March claimed by the Rhysida ransomware gang. The breach compromised personal information, which MarineMax initially
Starting point is 00:05:01 denied but later confirmed. The Florida-based company, operating over 130 locations worldwide, reported $2.39 billion in revenue last year. The attackers accessed MarineMax's systems from March 1st through March 10th of this year and stole personal data, including names and identifiers. The breach was detected on March 10, and an investigation confirmed data exfiltration. Rhysida published a 225-gigabyte archive of stolen data, including financial documents and IDs, on their dark web site. This gang has previously targeted high-profile entities, including the Chilean army and the British Library.
Starting point is 00:05:46 The recent ransomware attack on several London hospitals has put UK national blood stocks in a very fragile position. NHS chief executives warned that blood supplies might move to amber alert status, restricting transfusions to the most critical cases. The attack on Synnovis, a pathology services provider, disrupted blood matching tests, depleting universal donor stocks and affecting blood banks nationwide. Affected hospitals are performing blood matching at about 54% of their usual capacity, with O-negative stocks critically low. NHS London declared a regional incident, postponing over 6,000 outpatient appointments and 1,400 surgeries, including cancer treatments.
Starting point is 00:06:36 The Qilin ransomware gang is blamed for the attack, with disruptions expected to last until September. Researchers from Arizona State University, University of New Mexico, University of Michigan, and the University of Toronto's Citizen Lab have identified a vulnerability in VPNs that enables person-in-the-middle attacks.
Starting point is 00:06:58 Named Port Shadow, this technique allows attackers to intercept and redirect traffic by exploiting a shared resource called a port on VPN servers. The vulnerability affects OpenVPN, WireGuard, and OpenConnect on Linux and FreeBSD, though FreeBSD is less vulnerable. Port Shadow enables attackers to shadow their own information on a victim's port, acting as an in-path router to intercept encrypted traffic, de-anonymize VPN peers, and conduct port scans. While VPN software developers were informed, mitigation involves specific firewall rules rather than code fixes.
Starting point is 00:07:40 The best protection for users is connecting to a private VPN server. Shadowsocks and Tor remain unaffected. Ivanti has announced patches for several high-severity vulnerabilities in Endpoint Manager and Endpoint Manager for Mobile. The most critical is an SQL injection flaw with a CVSS score of 8.4, affecting EPM 2024 flat. Authenticated attackers with network access could exploit it to execute arbitrary code. A hotfix is available with security updates forthcoming. No known exploitation of this vulnerability has occurred. Additionally, patches for four vulnerabilities in EPMM have been released. Three high-severity flaws enable command execution and authentication bypass. A medium-severity
Starting point is 00:08:33 improper authentication issue was also fixed. Ivanti also patched a medium-severity path traversal vulnerability in Docs@Work for Android, which could allow malicious apps to read sensitive data. Ivanti reports no known public exploitation of these vulnerabilities. The cybercrime group FIN7 is advertising a security evasion tool, AvNeutralizer, on underground forums, according to cybersecurity firm SentinelOne. This tool can bypass security solutions and has been used by various ransomware groups, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. SentinelOne researchers discovered a new version of AvNeutralizer
Starting point is 00:09:21 that uses the Windows driver ProcLaunchMon.sys to evade security measures. FIN7 uses multiple pseudonyms to mask their identity, with advertisements for the tool appearing on forums such as exploit.in, xss.is, and RAMP, with prices ranging from $4,000 to $15,000. The tool has advanced capabilities to disable endpoint security solutions through various techniques, including leveraging a previously undocumented Windows driver capability. SentinelOne highlights FIN7's adaptability and persistence in evolving its threat operations. Indian crypto exchange WazirX confirmed a security breach with $230 million in assets suspiciously transferred from one of its multi-sig wallets.
Starting point is 00:10:15 This type of wallet requires multiple keys for authentication. Affected assets include SHIB, Ethereum, MATIC, PEPE, USDT, and GALA tokens. Blockchain data indicates the attackers are offloading assets on Uniswap, and they may be affiliated with North Korea. Liminal, the wallet infrastructure provider, stated that the breach occurred outside its ecosystem. Other Indian crypto exchanges, CoinSwitch and CoinDCX, assured customers of their security. This incident follows WazirX's separation from Binance earlier this year.
Starting point is 00:10:55 The Wiz research team found significant vulnerabilities on multiple AI service providers, focusing on tenant isolation issues. Their latest research on SAP AI Core, presented at the Black Hat conference, uncovered a vulnerability chain named SAPwned. This allowed attackers to access sensitive customer data, including cloud credentials for AWS, Azure, and SAP HANA, by exploiting SAP's infrastructure.
Starting point is 00:11:26 Attackers could execute arbitrary code, move laterally, and gain cluster administrator privileges, compromising Docker images and artifacts. Key vulnerabilities included bypassing network restrictions, accessing AWS tokens, exploiting unauthenticated EFS shares, and Helm servers. All issues were reported to and fixed by SAP with no customer data compromised. The research highlights the need for improved isolation and sandboxing standards in AI infrastructure to protect against such attacks. Scott Raul Esparza, age 24, from Katy, Texas,
Starting point is 00:12:13 along with co-conspirator Shamar Shattuck, age 21, from Margate, Florida, operated astrostress.com, a DDoS-as-a-service website. The platform allowed users to launch DDoS attacks, overloading and disrupting victims' devices and networks. Esparza and Shattuck ran the site from 2019 to 2022, offering subscriptions for varying levels of attack power. They used infected devices to create botnets, which were then directed to overwhelm targets' IP addresses. The Department of Justice stated that Esparza managed the attack servers and marketing while also employing a customer service representative. After the site's shutdown in 2022, both men were apprehended. Esparza faces nine months in prison,
Starting point is 00:12:58 while Shattuck awaits sentencing and could face up to five years. Coming up after the break, my conversation with Tomislav Pericin, founder and chief software architect at ReversingLabs. He joins us to discuss their free resource to conduct risk assessments on open source software. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
Starting point is 00:13:58 more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:14:46 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:15:18 Learn more at blackcloak.io. I recently checked in with Tomislav Pericin, founder and chief software architect of ReversingLabs. He shares the release of their free resources to conduct risk assessments on open source software. Last couple of years, we've seen a dramatic increase in attacks, malicious code being published to open source space. Last year, we actually published a research paper which kind of summarizes the year. And we've seen a dramatic increase, 1300% actually, if we measured that year when compared to the previous year.
Starting point is 00:16:03 So this is just the volume of malicious packages being published to open source space is increasing. And we have found evidence that both nation-state actors and your common criminals are all taking part by publishing the malicious packages and trying to trick both open source developers, developers who are using open source components to build their own commercial products into using these packages to build their own applications. And they're doing two different things. They're trying to, you know, hack, quote unquote, machines of the developers themselves
Starting point is 00:16:40 so they can kind of capture credentials and install a lot of pieces of malware. But also they are trying to be part of their build at the end of the day, be included in the software package and then affect the end user as well. Well, let's talk about this program. You call it Spectra Assure Community. What exactly does this entail? Yeah, Spectra Assure Community is the free offering, as you mentioned. It is our website where anybody can
Starting point is 00:17:09 go today. So if you go to secure.software, you will have in front of you a very large resource of our knowledge on open source packages. As I mentioned, there's a dramatic increase in malicious packages being published, and we've done our best to ingest all the data from open source, primarily targeting the Python repository, that would be PyPI; the Node.js repository, that would be npm;
Starting point is 00:17:37 and we have RubyGems as well. There's about 5 million or so software packages if you don't count their versions, but 5 million individual packages that we've collected, and all of them are actually searchable. So kind of like Google, you can type in a package name and you can see all the different types of properties we track for these open source packages. Does it contain malicious code being one of the most concerning ones? But there are other properties as well. Does it contain any malicious code?
Starting point is 00:18:12 Yes. Does it refer to code which has vulnerabilities? Does it leak any secrets? Those types of things. So when you're building your application, you can use this website as a resource and then select the best building blocks
Starting point is 00:18:27 for your next application. Can you walk me through a typical use case here for somebody who's out there doing developing work and looking to use some open source resources? How do you suppose they're going to interact with this website? Yeah, and this dovetails very nicely into what the attackers are doing today. We've seen lately, and this is very recent,
Starting point is 00:18:49 a month or so ago, that the attackers are kind of seeding sites like Stack Overflow and even GitHub with references to their malicious packages. So basically, they will kind of open up a topic or respond to a question, you know, proposing to the developer
Starting point is 00:19:08 to just copy-paste this piece of code and include it in their project. And what the code does, it actually refers to a package which supposedly solves a problem, right?
Starting point is 00:19:18 So if you're in that kind of scenario and you are, you know, debating whether or not you want to use an open source package that you've never heard about before and that seems newish or seems specifically tailored to that
Starting point is 00:19:32 particular problem, it is best to just check it up on our resources such as ours. So you just go to the website, look up the package by name, and you see what we see about it, which gives you insights into the threat categories, as I mentioned, but also lets you know if we verify the package itself. So we have quite a few threat researchers and hunters who are monitoring all of the open source for new packages being published, and they are diligently looking to label all these things before the developers have the chance to actually use them. So if it's a new package or anything like that, look it up. If we think it's malicious, we'll give you reasons why, and you'd probably want to stay away and
Starting point is 00:20:18 report whoever pointed you to the malicious package as well. So it's a bit of a reality check for folks to kind of have somebody who has your back. Yeah, it is quite like that. Our data is pretty much in real time. So as packages are being published, our team is using our automated tools, which include 17 or so different threat detection engines and machine learning
Starting point is 00:20:47 and heuristics and all those things. But also humans are part of the loop. There is a specific label that we attach to every single package that we've manually vetted and said, yes, this is real, this is actually malicious. And I think the best part about it is that the website doesn't forget, even if a package is now popular and trustworthy, and there are cases where this has happened, and you can actually see that on our website too, like top 100s in a community, they have had malicious incidents in the past where, you know, accounts were compromised and malicious code was published.
Starting point is 00:21:25 That also is a good data point that they probably, and in all of the cases, they have cleaned up their acts, but there are all these historical versions that you definitely don't want to use. So even if you're using something trustworthy, you need to check that you're actually using the latest version and that you're using
Starting point is 00:21:44 the safe version as well. You know, you refer to this as a community. What is in place here to encourage that sense of community building? Is there any interaction? Can folks make requests to the ReversingLabs team? How much is this an active, growing effort? Oh, yeah, absolutely. So first we start, this is a brand new website, to be perfectly clear.
Starting point is 00:22:12 We've started with this idea of we want to build a community here. What we've done on our end to start with is to publish all of our data to OpenSSF, which is the security foundation which takes care of monitoring of security issues in open source space. So all of our data, as soon as we get it, is published to OpenSSF. So if you're part of the open source community, you can leverage that data to kind of even
Starting point is 00:22:40 automatically check whether or not you're pulling in packages that are malicious or not. Very soon, we will have additional programs where developers will be able to interact more with our platform. So basically sending us data, using our tools to scan things and so on and so forth. All of that is going to be announced very soon. So I don't want to spoil things for anybody, especially not get in trouble. But we do think about this as a community and we are genuinely here to help the community because so much of the tools that we use
Starting point is 00:23:18 and the tools that are used to build software are basically free and open source. We feel it's the right way to go about it, to help secure people who are really spending their time and energy and resources to build something that anybody can use for free and just help them do that in as safe a way as possible. That's Tomislav Pericin from ReversingLabs. We'll have a link to their free resources to conduct risk assessments on open source software in the show notes.
Starting point is 00:24:04 Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, Andrew Lemon, a researcher at Red Threat, discovered a flaw in the Intelight X-1 traffic light controller that could let hackers create chaotic traffic jams. Lemon found that the device's web interface had no authentication. I was just in disbelief, Lemon told TechCrunch. Despite trying, he couldn't pull off a full Italian Job scenario, thanks to a device called the Malfunction Management Unit. However,
Starting point is 00:25:18 he could still mess with light timings, causing major traffic headaches. Lemon found about 30 vulnerable devices online and reported the issue to Q-Free, Intelight's owner. Instead of thanks, Q-Free sent a legal letter implying Lemon's research might violate anti-hacking laws and urging him not to publish his findings for national security reasons. Lemon also noted similar issues
Starting point is 00:25:45 in Econolite traffic controllers, which Econolite claimed were outdated and shouldn't be online anyway. Nothing says thanks for the heads up like a good old-fashioned legal threat. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:26:14 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders
Starting point is 00:26:37 and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer
Starting point is 00:27:05 is Jennifer Eiben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner.
Starting point is 00:27:14 Thanks for listening. We'll see you back here tomorrow. Thank you.
