CyberWire Daily - Take a trip down regreSSHion lane.

Episode Date: July 2, 2024

A new OpenSSH vulnerability affects Linux systems. The Supreme Court sends social media censorship cases back to the lower courts. Chinese hackers exploit a new Cisco zero-day. HubSpot investigates unauthorized access to customer accounts. Japanese media giant Kadokawa confirmed data leaks from a ransomware attack. FakeBat is a popular malware loader. Volcano Demon is a hot new ransomware group. Google launches a KVM hypervisor bug bounty program. Johannes Ullrich from SANS Technology Institute discusses defending against API attacks. Goodnight, Sleep Tight, Don’t Let the Hackers Byte!

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest is Johannes Ullrich from SANS Technology Institute, talking about defending against attacks affecting APIs and dangerous new attack techniques you need to know about. This conversation is based on Johannes’ presentations at the 2024 RSA Conference. You can learn more about them here:
Attack and Defend: How to Defend Against Three Attacks Affecting APIs
The Five Most Dangerous New Attack Techniques You Need to Know About

Selected Reading
New regreSSHion OpenSSH RCE bug gives root on Linux servers (Bleeping Computer)
US Supreme Court sidesteps dispute on state laws regulating social media (Reuters)
China’s ‘Velvet Ant’ hackers caught exploiting new zero-day in Cisco devices (The Record)
HubSpot accounts breach under investigation (SC Media)
Japanese anime and gaming giant admits data leak following ransomware attack (The Record)
Exposing FakeBat loader: distribution methods and adversary infrastructure (Sekoia.io blog)
Halcyon Identifies New Ransomware Operator Volcano Demon Serving Up LukaLocker (Halcyon)
Google launches Bug Bounty Program for KVM Hypervisor (Stack Diary)
How to Get Root Access to Your Sleep Number Bed (Dillan Mills)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. A new OpenSSH vulnerability affects Linux systems. The Supreme Court sends social media censorship cases back to the lower courts.
Starting point is 00:01:40 Chinese hackers exploit a new Cisco zero-day. HubSpot investigates unauthorized access to customer accounts. Japanese media giant Kadokawa confirmed data leaks from a ransomware attack. FakeBat is a popular malware loader. Volcano Demon is a hot new ransomware group. Google launches a KVM hypervisor bug bounty program. Johannes Ullrich from the SANS Technology Institute discusses defending against API attacks. And good night, sleep tight,
Starting point is 00:02:10 don't let the hackers bite. It's Tuesday, July 2nd, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here once again. It is great to have you with us. A new OpenSSH vulnerability dubbed regreSSHion, with a capital SSH in the middle of the word regression, allows unauthenticated remote code execution
Starting point is 00:02:59 with root privileges on glibc-based Linux systems. Discovered by Qualys in May of this year, the flaw results from a race condition in the sshd signal handler. It can be exploited if a client fails to authenticate within the default 120-second login grace time, triggering unsafe async signal calls. Exploitation could lead to a complete system takeover. Although Qualys notes it's challenging to exploit, AI tools might improve success rates. The flaw affects OpenSSH versions 8.5p1 to 9.8p1 on Linux, with older and OpenBSD systems unaffected. Mitigation includes updating to version 9.8p1 or adjusting sshd configurations. The U.S. Supreme Court avoided ruling on Republican-backed laws in Florida and Texas
Starting point is 00:03:58 that limit social media companies' power to moderate content. Instead, they unanimously threw out previous judicial decisions and sent the cases back to lower courts for further First Amendment analysis. The laws, passed in 2021, were challenged by NetChoice and the Computer and Communications Industry Association, whose members include Meta, Google, TikTok, and Snap. The lower courts had mixed rulings blocking parts of Florida's law while upholding Texas's law. Neither law is currently in effect. Liberal Justice Elena Kagan, writing for the majority, questioned the legality of the Texas law, stating it forces platforms to change their content moderation in ways that conflict with the First Amendment.
Starting point is 00:04:46 The core issue is whether the First Amendment protects the editorial discretion of social media platforms, allowing them to manage content to avoid spam, extremism, and hate speech. Republicans claim these platforms censor conservative voices, while President Biden's administration argues that the laws force platforms to promote objectionable content, violating the First Amendment. Florida and Texas officials argue the platforms' moderation actions are not protected speech. The Texas law bans social media companies with over 50 million users from censoring based on viewpoint, allowing users or the state to sue. Florida's law prohibits large platforms
Starting point is 00:05:29 from banning political candidates or journalistic content. The Supreme Court's decision highlights the ongoing debate over free speech and content moderation in the digital age. A new zero-day vulnerability affecting Cisco NX-OS software on Nexus series switches was exploited by Chinese state-backed hackers, dubbed Velvet Ant, back in April. The hackers used administrator credentials to access the switches and deploy custom malware for remote control and data exfiltration. Cisco and cybersecurity firm Sygnia published advisories about the flaw, which has no workarounds but is addressed in recent software updates.
Starting point is 00:06:19 Velvet Ant's primary goal is espionage, focusing on long-term network access. They previously maintained access to a victim's network for three years using outdated F5 BIG-IP equipment. Most affected devices are not Internet-exposed, but often lack sufficient protection. HubSpot is investigating a cyber attack involving unauthorized access to a limited number of customer accounts. The company has activated incident response procedures, contacted impacted customers, and revoked unauthorized access since June 22. HubSpot's chief information security officer, Alyssa Robinson, confirmed the investigation but provided no further details about the incident's impact or affected clients. HubSpot serves over 216,000 corporate customers, including Discord, Talkspace, and Eventbrite. Japanese media giant Kadokawa confirmed data
Starting point is 00:07:15 leaks from a ransomware attack last month, affecting business partner information and personal data of subsidiary Dwango's employees. No credit card data was compromised. Kadokawa, which operates Niconico and BookWalker and holds a stake in FromSoftware, apologized for the inconvenience caused. The BlackSuit ransomware gang, linked to the defunct Conti group, claimed responsibility, saying they exfiltrated 1.5 terabytes of data. Kadokawa is verifying the authenticity of the claims and is working on system restoration.
Starting point is 00:07:57 Niconico temporarily shut down some services due to the attack. During the first half of 2024, FakeBat, also known as EugenLoader or PaykLoader, became one of the most widespread loaders using drive-by download techniques. Distributing malware like IcedID, Lumma, and RedLine, FakeBat campaigns used malvertising, fake browser updates, and social engineering to trick users into downloading malicious software. Sekoia's threat detection and research team tracked multiple campaigns and identified infrastructure, such as compromised websites and command and control servers, used to distribute FakeBat. Despite efforts to evade detection, TDR continues to monitor and track these activities, providing indicators of compromise and technical
Starting point is 00:08:45 details to help protect against these threats. Halcyon identified a new ransomware group, Volcano Demon, responsible for several recent attacks. They use an encryptor called LukaLocker, affecting files with the .nba extension, and have a Linux version. Volcano Demon locked both Windows workstations and servers by exploiting common administrative credentials and exfiltrated data for double extortion. They cleared logs, making full forensic evaluation difficult. The group has no leak site and instead uses threatening phone calls
Starting point is 00:09:24 to leadership and IT executives to demand ransom, with calls from unidentified numbers. Google has launched a bug bounty program, KVM-CTF, to enhance the security of the Kernel-based Virtual Machine, the KVM hypervisor, offering up to $250,000 for critical vulnerabilities. The program invites security researchers to find zero-day vulnerabilities in KVM, used in platforms like Android and Google Cloud. Participants can test exploits in specialized lab environments provided by Google. Rewards vary on the severity of the findings, with a quarter million dollars for full virtual machine escapes, a hundred grand for arbitrary memory writes, and fifty thousand dollars for arbitrary memory reads. The program aims to improve KVM security through collaboration
Starting point is 00:10:18 with the open source community. Detailed rules and submission guidelines are available on the program's GitHub page, with a Discord channel for community discussions. Coming up after the break, Johannes Ullrich from the SANS Technology Institute discusses defending against API attacks. Stay with us. Transat presents a couple trying to beat the winter blues. We could try hot yoga. Too sweaty.
Starting point is 00:11:04 We could go skating. Too icy. We could try hot yoga. Too sweaty. We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa. And endless snacks.
Starting point is 00:11:13 Yes! Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:11:46 But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
Starting point is 00:12:52 digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And it is always my pleasure to welcome back to the show Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, welcome back.
Starting point is 00:13:37 Yeah, good being back here, even though not in person this time at RSA. Well, that's what I wanted to talk about with you today. You know, you and I missed out on our opportunity to get together face-to-face like we usually enjoy doing at RSA Conference this year. So I wanted to take this opportunity to follow up and learn about some of the things that you presented on at this year's conference.
Starting point is 00:14:02 Yeah, again, I had the pleasure to be part of our SANS panel. This time we had, again, Ed Skoudis kind of managing it all, and Heather Barnhart, and Terrence Williams, actually, he was first time on the panel. Also had Stephen Sims back to give us a little bit
Starting point is 00:14:20 sort of more offensive security spin on things. Quite the lineup there. So a couple of presentations here. One of them was called Attack and Defend, how to defend against three attacks affecting APIs. It's a hot topic.
Starting point is 00:14:36 Yeah, this is actually a little learning lab that I did with Jason Lam. What is sort of cool about it, we did a hands-on lab where we actually walk people through attacking and defending APIs. What are some of the threats that are affecting APIs?
Starting point is 00:14:54 And the lab is actually available online. If you just go to sansapi.com, you can do the lab right now. We have all the instructions there. We sort of clean it up about once a day, kind of just to give everybody a clean slate again to start out with. But yes, this worked really well. We had about 100 people in the room that participated in that lab.
Starting point is 00:15:19 So can you give us an overview of the kind of things that you cover here in this lab? In this lab, we talked about, first of all, authentication, some of the mistakes that happen with APIs, for example, API keys versus some of the more modern methods like OAuth. Also access control, function level, where, for example, you do give a user access to a URL, but do you allow them to just request data from the URL with a get request? Or do you allow them to update data with a post? I noticed that this particular session, you were using the Chatham House rules here.
Starting point is 00:16:03 What's the advantage of that? Does this give people an opportunity to open up in ways perhaps they wouldn't otherwise? Yeah, it's really more interactive where we have also people contributing to the material. We had, I think it's a two-hour session. And for this session, we only had like 10 slides. So everything else was hands-on, was discussions.
Starting point is 00:16:27 So it was a very interactive, very hands-on session. Yeah. Another one was titled, The Five Most Dangerous New Attack Techniques You Need to Know About. Tell us about that one. Yeah, so this is our annual SANS panel. And this is always sort of a highlight for myself kind of of the year because as I mentioned,
Starting point is 00:16:47 Reduction, great company here for the panel. And we try to predict a little bit what are kind of the up and coming threats. So part of it is a little bit, hey, what's currently happening? Part of it is, how are we projecting this moving forward? Can you give us some of the highlights here?
Starting point is 00:17:06 What are some of the things you all covered? Yeah, so just a couple of the topics we had here. I was talking a little bit about technical debt and how that affects security, in particular, in security devices. And I think that's nothing fundamentally new. That's sort of we're really projecting forward again. We're a little bit at an inflection point here where a lot of the people who developed
Starting point is 00:17:28 these devices back in the early 2000s are leaving the industry. We have some of these companies that develop these devices being now bought by private equity funds and such who don't necessarily have the experience in actually maintaining software like that. And I think that's, we have seen sort of some of this last year happening, but I think that's something that's probably going to be a big issue going forward. And as an example, I had some secure devices that had literally code in them, copyrighted in 1998 and 2001. So, Perl code, that's sort of what's my favorite language back then.
Starting point is 00:18:11 So, this is one of the topics. Probably Heather had sort of one of the little bit more disturbing topics, and that's sextortion for children, particularly teenagers, which in middle schools, high schools, is a huge problem leading to suicide, in particular in teenage boys that are affected by this. And one of the topics that sort of went a little bit through it all, of course, was AI. And this is all sort of one of those areas where AI, of course, has a major impact.
Starting point is 00:18:46 You know, I was going to ask you about that and kind of give you a little bit of a hard time that neither of these presentations had the word AI in the title. So how could you possibly expect anybody to show up? I mean, we still have people show up. Everything is about AI, of course, these days. Your APIs are integrated with the AIs. You're using APIs to connect to AIs.
Starting point is 00:19:11 But yeah, and I think actually we had in this one in particular, the next topic that Terrence Williams was talking about, again, of deepfake AIs and election security, how that matters. Stephen Sims actually was talking about how AI is being used to accelerate exploit development. Now, for all of these, we also try to give a little bit positive side, how to defend against it. It's always easy to just admire the problem, kind of. But for example, with AI, you can also accelerate the defensive part, developing
Starting point is 00:19:47 solutions to vulnerabilities. For the technical debt, AI is actually a great tool to help you move some of this ancient code to more modern platforms. It can really help you also understand code that someone else wrote back in 1998 and maybe hasn't documented back then. That's sort of, of course, always a problem. And have AI help you read that code. With the sextortion part, AI can in some ways help and assist in identifying these deep fakes and such. I have to be honest, I think when it comes to election security, when it comes to sextortion,
Starting point is 00:20:34 my hope is kind of that AI and deepfake will be so common that when you are seeing an image, you assume it's deepfake before you actually consider it being real. So there is maybe some desensitization happening here with AI. It's a little bit maybe a bleak future, but almost sounds like a better thing than having sort of these deepfakes and such rule public discourse and rule our lives. Yeah. I mean, I guess it's fair to say that, you know, that genie is not going back in the bottle anytime soon. Yeah. And techniques like R7's proposed, like, for example, labeling these deepfakes, that'll work if you're
Starting point is 00:21:15 going to one of the honest AI tools. But then you have specific AI tools. What's another topic that I covered? How do you, for example, establish someone's identity online? This has been a big problem now with some of these know-your-customer rules where you have websites like onlyfakes.com that specialize in creating not just fake IDs, but images of fake IDs that look real in the sense that, for example, they look like it's a snapshot taken on a piece of carpet or a wood floor and such. How someone would typically take a picture of an ID at home.
Starting point is 00:21:57 I wonder about things like chain of custody with AI. And, you know, dare I mention the word blockchain as being a potential, you know, tool for something like that? Do you have thoughts there? Well, for chain of custody, I think something like blockchain digital signatures and such, of course, is what you want to do. And that's one solution where you do have, for example,
Starting point is 00:22:23 images that are automatically digitally signed by the camera, so you know who took the image. But, you know, I'm not even talking about deepfakes. I don't think you'll ever really see an image in a major news publication that's displayed as it was taken. They're always cropped. They're being color adjusted. Usually minor modifications like this that are perfectly honest for the most part. But doing something like an identical match to a hash is very difficult.
Starting point is 00:23:00 But you at least could have that original image and have some proof that this image was taken at a certain date by a certain photographer using a specific camera. So that way, I think you could establish sort of a chain of custody for images if someone should question the authenticity of an image. Yeah. So a big picture, as you left this year's RSA conference, how are you feeling? What's your sense of the tone that people are leaving this year's show with? Well, of course, the AI hype train is in full swing. And at this point, if you are a company, if you are a startup, and as you say, if you don't have AI in your title on the first slide of your pitch deck, you don't have a case. The sad part, of course, with that is something called AI washing, where you have a lot of things that probably don't need to be done with AI, that are better done without AI.
Starting point is 00:24:06 Mouse drivers. Yeah, you shouldn't really replace a regular expression with AI or a simple string match with a regular expression. So sometimes a simpler solution wins. And I think there is currently a lot of carbon being burned and wasted for AI stuff that's probably not necessary. I think the market will hopefully
Starting point is 00:24:31 tell us in the end what will survive here, what will work. As many as always with startups, most of them will sadly not survive. In part, probably because they went on that AI bandwagon without really considering that you have now
Starting point is 00:24:48 the major cybersecurity players coming out with their own tools that are properly integrated into the existing product, into tools that enterprises already use without having to add another supplier to your ever-complicating supply chain. So that, I think, is what we'll see over the next couple of years of that shaking out of what AI will survive
Starting point is 00:25:15 and which will just not be forgotten. Yeah. All right. Well, Johannes Ullrich is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, thanks so much for joining us. Yeah, thank you.
Starting point is 00:25:44 Cyber threats are evolving every second and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, our Circadian Rhythms desk tells us the tale of one Dillan Mills, an enterprising home hacker who managed to gain root access to their Sleep Number bed's hub. Tinkering enthusiasts, start your engines. This involves some serious hacking with a UART TTY device and a bit of code wizardry. The goal? Total bed control without relying on Sleep Number's servers. This tech journey began with cracking open the hub,
Starting point is 00:27:02 poking around with a logic analyzer, and discovering a secret back door. After some script sorcery and hardware hijinks, the bed now obeys commands over the local network. The ultimate hack lets users adjust sleep settings, lighting, and more. Just a heads up, warranty voids apply, and Sleep Number won't bail you out if things go sideways. Proceed with caution. Because nothing says sweet dreams like a command prompt and root access. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:27:48 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter.
Starting point is 00:28:29 Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner.
Starting point is 00:28:48 Thanks for listening. We'll see you back here tomorrow. Thank you. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
