
CyberWire Daily

SSM On-Prem Flaw is a 10/10 disaster.

Cisco has identified a critical security flaw in its SSM On-prem. The world's largest recreational boat and yacht retailer reports a data breach. The UK’s NHS warns of critically low blood stocks after a ransomware attack. Port Shadow enables VPN person in the middle attacks. Ivanti patches several high-severity vulnerabilities. FIN7 is advertising a security evasion tool on underground forums. Indian crypto exchange WazirX sees $230 million in assets suspiciously transferred. Wiz documents vulnerabilities in SAP AI Core. DDoS for hire team faces jail time. Guest Tomislav Pericin, Founder and Chief Software Architect of ReversingLabs, joins us to discuss their "Free Resource to Conduct Risk Assessments on Open-Source Software." Playing red-light green-light with traffic light controllers.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Guest Tomislav Pericin, Founder and Chief Software Architect of ReversingLabs, joins us to discuss their "Free Resource to Conduct Risk Assessments on Open-Source Software."

Selected Reading

Cisco discloses a 10.0 CVSS rating vulnerability in SSM On-Prem (Stack Diary)

Yacht giant MarineMax data breach impacts over 123,000 people (Bleeping Computer)

UK national blood stocks in 'very fragile' state following ransomware attack (The Record)

Port Shadow Attack Allows VPN Traffic Interception, Redirection (SecurityWeek)

Ivanti Issues Hotfix for High-Severity Endpoint Manager Vulnerability (SecurityWeek)

Cybercrime group FIN7 advertises new EDR bypass tool on hacking forums (Security Affairs)

WazirX reports security breach at crypto exchange following $230 million 'suspicious transfer' (TechCrunch)

SAPwned: SAP AI vulnerabilities expose customers’ cloud environments and private AI artifacts (Wiz Blog)

Jail time for operators of DDoS service used to crash thousands of devices (Cybernews)

Hackers could create traffic jams thanks to flaw in traffic light controller, researcher says (TechCrunch)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration:
28m
Broadcast on:
18 Jul 2024
Audio Format:
mp3


You're listening to the CyberWire Network, powered by N2K.

So what's it like to buy your first cryptocurrency on Kraken? Well, let's say I'm at a food truck I've never tried before. Am I going to go all in on the lobster taco? No, sir. I'm keeping it simple, starting small. That's trading on Kraken. Pick from over 190 assets and start with the 10 bucks in your pocket. Easy. Go to kraken.com and see what crypto can be. Not investment advice. Crypto trading involves risk of loss. Cryptocurrency services are provided to U.S. and U.S. territory customers by Payward Interactive Inc. (PWI), DBA Kraken. View PWI's disclosures at kraken.com/legal/disclosures.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies, like Atlassian, Flo Health, and Quora, use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta.

Cisco has identified a critical security flaw in its SSM On-Prem. The world's largest recreational boat and yacht retailer reports a data breach. The UK's NHS warns of critically low blood stocks after a ransomware attack. Port Shadow enables VPN person-in-the-middle attacks. Ivanti patches several high-severity vulnerabilities. FIN7 is advertising a security evasion tool on underground forums. The European crypto exchange WazirX sees $230 million in assets suspiciously transferred. Wiz documents vulnerabilities in SAP AI Core. DDoS for hire team faces jail time. Our guest is Tomislav Pericin, founder and chief software architect at ReversingLabs.
We're discussing free resources to conduct risk assessments on open-source software. And playing red light, green light with traffic light controllers.

It's Thursday, July 18th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.

Cisco has identified a critical security flaw in its Smart Software Manager On-Prem, that's SSM On-Prem, scoring a perfect 10.0 on the CVSS scale. Announced on July 17th, this vulnerability allows attackers to change any user's password, including administrators, without needing to log in. The flaw is due to the improper implementation of the password change process, exploitable via specially crafted HTTP requests. SSM On-Prem is used for managing software licenses within local network environments. This vulnerability could enable attackers to gain full control over the system, leading to potential disruptions and data theft. Although primarily used in local networks, poor remote access security, or a compromised internal network, increases exploitation risks. Cisco has no workarounds for this issue, and the only remedy is applying the latest updates. Cisco confirmed no known malicious use of this vulnerability at the time of disclosure, and it was promptly addressed following a report by security researcher Mohammed Adel.

MarineMax, the world's largest recreational boat and yacht retailer, is notifying over 123,000 individuals about a security breach in March, claimed by the Rhysida ransomware gang. The breach compromised personal information, which MarineMax initially denied, but later confirmed. The Florida-based company, operating over 130 locations worldwide, reported $2.39 billion in revenue last year. The attackers accessed MarineMax's systems from March 1st through March 10th of this year, and stole personal data, including names and identifiers. The breach was detected on March 10th, and an investigation confirmed data exfiltration.
Rhysida published a 225 GB archive of stolen data, including financial documents and IDs, on their dark web site. This gang has previously targeted high-profile entities, including the Chilean Army and the British Library.

The recent ransomware attack on several London hospitals has put UK national blood stocks in a very fragile position. NHS chief executives warned that blood supplies might move to amber alert status, restricting transfusions to the most critical cases. The attack on Synnovis, a pathology services provider, disrupted blood-matching tests, depleting universal donor stocks and affecting blood banks nationwide. Affected hospitals are performing blood-matching at about 54% of their usual capacity, with O-negative stocks critically low. NHS London declared a regional incident, postponing over 6,000 outpatient appointments and 1,400 surgeries, including cancer treatments. The Qilin ransomware gang is blamed for the attack, with disruptions expected to last until September.

Researchers from Arizona State University, University of New Mexico, University of Michigan, and the University of Toronto's Citizen Lab have identified a vulnerability in VPNs that enables person-in-the-middle attacks. Named Port Shadow, this technique allows attackers to intercept and redirect traffic by exploiting a shared resource called a port on VPN servers. The vulnerability affects OpenVPN, WireGuard, and OpenConnect on Linux and FreeBSD, though FreeBSD is less vulnerable. Port Shadow enables attackers to shadow their own information on a victim's port, acting as an in-path router to intercept encrypted traffic, de-anonymize VPN peers, and conduct port scans. While VPN software developers were informed, mitigation involves specific firewall rules rather than code fixes. The best protection for users is connecting to a private VPN server. Shadowsocks and Tor remain unaffected.
Ivanti has announced patches for several high-severity vulnerabilities in Endpoint Manager and Endpoint Manager for Mobile. The most critical is an SQL injection flaw with a CVSS score of 8.4, affecting EPM 2024 flat. Authenticated attackers with network access could exploit it to execute arbitrary code. A hotfix is available, with security updates forthcoming. No known exploitation of this vulnerability has occurred. Additionally, patches for four vulnerabilities in EPMM have been released. Three high-severity flaws enable command execution and authentication bypass. A medium-severity improper authentication issue was also fixed. Ivanti also patched a medium-severity path traversal vulnerability in Docs@Work for Android, which could allow malicious apps to read sensitive data. Ivanti reports no known public exploitation of these vulnerabilities.

The cybercrime group FIN7 is advertising a security evasion tool, AvNeutralizer, on underground forums, according to cybersecurity firm SentinelOne. This tool can bypass security solutions and has been used by various ransomware groups, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. SentinelOne researchers discovered a new version of AvNeutralizer that uses the Windows driver ProcLaunchMon.sys to evade security measures. FIN7 uses multiple pseudonyms to mask their identity, with advertisements for the tool appearing on forums such as exploit.in, xss.is, and RAMP, with prices ranging from $4,000 to $15,000. The tool has advanced capabilities to disable endpoint security solutions through various techniques, including leveraging a previously undocumented Windows driver capability. SentinelOne highlights FIN7's adaptability and persistence in evolving its threat operations.

Indian crypto exchange WazirX confirmed a security breach, with $230 million in assets suspiciously transferred from one of its multi-sig wallets. This type of wallet requires multiple keys for authentication.
Affected assets include SHIB, Ethereum, MATIC, PEPE, USDT, and Gala tokens. Blockchain data indicates the attackers are offloading assets on Uniswap, and they may be affiliated with North Korea. Liminal, the wallet infrastructure provider, stated that the breach occurred outside its ecosystem. Other Indian crypto exchanges CoinSwitch and CoinDCX assured customers of their security. This incident follows WazirX's separation from Binance earlier this year.

The Wiz Research team found significant vulnerabilities on multiple AI service providers, focusing on tenant isolation issues. Their latest research on SAP AI Core, presented at the Black Hat conference, uncovered a vulnerability chain named SAPwned. This allowed attackers to access sensitive customer data, including cloud credentials for AWS, Azure, and SAP HANA, by exploiting SAP's infrastructure. Attackers could execute arbitrary code, move laterally, and gain cluster administrator privileges, compromising Docker images and artifacts. Key vulnerabilities included bypassing network restrictions, accessing AWS tokens, exploiting unauthenticated EFS shares, and Helm servers. All issues were reported to and fixed by SAP, with no customer data compromised. The research highlights the need for improved isolation and sandboxing standards in AI infrastructure to protect against such attacks.

Scott Raul Esparza, age 24, from Katy, Texas, along with co-conspirator Shamar Shattock, age 21, from Margate, Florida, operated astrostress.com, a DDoS-as-a-service website. The platform allowed users to launch DDoS attacks, overloading and disrupting victims' devices and networks. Esparza and Shattock ran the site from 2019 to 2022, offering subscriptions for varying levels of attack power. They used infected devices to create botnets, which were then directed to overwhelm targets' IP addresses.
The Department of Justice stated that Esparza managed the attack servers and marketing, while also employing a customer service representative. After the site shut down in 2022, both men were apprehended. Esparza faces nine months in prison, while Shattock awaits sentencing and could face up to five years.

Coming up after the break, my conversation with Tomislav Pericin, founder and chief software architect at ReversingLabs. He joins us to discuss their free resource to conduct risk assessments on open-source software. Stay with us.

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk.
That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

I recently checked in with Tomislav Pericin, founder and chief software architect of ReversingLabs. He shares the release of their free resources to conduct risk assessments on open-source software.

For the last couple of years, we've seen a dramatic increase in attacks, malicious code being published to open-source space. Last year, we actually published a research paper which kind of summarizes the year. And we've seen a dramatic increase, 1300%, actually, if we measure that year when compared to the previous year. So this is just the volume of malicious packages being published to open-source space is increasing. And we have found evidence that both nation-state actors and your common criminals are all taking part by publishing the malicious packages and trying to trick both open-source developers, developers who are using open-source components to build their own commercial products, into using these packages to build their own applications. And they're doing two different things. They're trying to hack machines of the developers themselves so they can kind of capture credentials and install a lot of pieces of malware. But also they are trying to be part of their build at the end of the day, be included in the software package and then affect the end user as well.

Well, let's talk about this program. You call it Spectra Assure Community. What exactly does this entail?

Yeah, Spectra Assure Community is the free offering, as you mentioned. It is our website where anybody can go today. So if you go to secure.software, you will have in front of you a very large resource of our knowledge on open-source packages. As I mentioned, there's a dramatic increase in malicious packages being published.
And we've done our best to ingest all the data from open source, primarily targeting the Python repository, that would be PyPI, the Node.js repository, that would be npm, and we have RubyGems as well. There's about 5 million or so software packages, if you don't count their versions, but 5 million individual packages that we've collected, and all of them are actually searchable. So kind of like Google, you can type in a package name and you can see all the different types of properties we track for these open-source packages. Does it contain malicious code being one of the most concerning ones? But there are other properties as well. Does it contain any malicious code? Yes. Does it refer to code which has vulnerabilities? Does it leak any secrets? Those types of things. So when you're building your application, you can use this website as a resource, and then select the best building blocks for your next application.

Can you walk me through a typical use case here for somebody who's out there doing developing work and looking to use some open-source resources? How do you suppose they're going to interact with this website?

Yeah, and this dovetails very nicely into what the attackers are doing today. We've seen lately, in this very recent month or so ago, that the attackers are kind of seeding sites like Stack Overflow and even GitHub with references to their malicious packages. So basically, they will kind of open up a topic or respond to a question, you know, proposing to the developer to just copy-paste this piece of code and include it in their project. And what the code does, it actually refers to a package which supposedly solves a problem, right? So if you're in that kind of scenario and you are, you know, debating whether or not you want to use an open-source package that you've never heard about before and that, you know, seems new-ish or, you know, seems specifically tailored to that particular problem, it is best to just check it up on resources such as ours.
So you just go to the website, look up the package by name, and you see what we see about it, which gives you insights into the tracked categories, as I mentioned, but also lets you know if we verified the package itself. So we have quite a few threat researchers and hunters who are monitoring all of the open source for new packages being published, and they are diligently looking to label all these things before the developers have the chance to actually use them. So if it's a new package or anything like that, look it up. If we think it's malicious, we'll give you reasons why, and you probably want to stay away and report whoever pointed you to the malicious package as well.

So it's a bit of a reality check for folks, to kind of have somebody who has your back.

Yeah, yeah, it is quite like that. Our data is pretty much in real time, so as packages are being published, our team is using our automated tools, which include 17 or so different threat detection engines and machine learning and heuristics and all those things, but also humans are part of the loop. There is a specific label that we attach to every single package that we've manually vetted and said, "Yes, this is real. This is actually malicious." And I think the best part about it is that the website doesn't forget, even if a package is now popular and trustworthy, and there are cases where this has happened, and you can actually see that on our website too, like top 100s in a community. They have had malicious incidents in the past where their accounts were compromised and malicious code was published. That also is a good data point that they probably, and in all of the cases, they have cleaned up their acts, but there are all these historical versions that you definitely don't want to use. So even if you're using something trustworthy, you need to check that you're actually using the latest version and that you're using the safe version as well.

You refer to this as a community.
What is in place here to encourage that sense of community building? Is there any interaction? Can folks make requests to the ReversingLabs team? How much is this an active, growing effort?

Oh, yeah, absolutely. So first, this is a brand new website, to be perfectly clear. We've started with this idea of we want to build a community here. What we've done on our end to start with is to publish all of our data to OpenSSF, which is the security foundation which takes care of monitoring of security issues in open source space. So all of our data, as soon as we get it, is published to OpenSSF. So if you're part of the open source community, you can leverage that data to kind of even automatically check whether or not you're pulling in packages that are malicious or not. Very soon, we will have additional programs where developers will be able to interact more with our platform. So basically sending us data, using our tools to scan things, and so on and so forth. All of that is going to be announced very soon, so I don't want to spoil things for anybody, especially when I get in trouble, but we do want to think about this as a community. And we are generally here to help the community because so much of the tools that we use and the tools that are used to build software are basically free and open source. We feel it's the right way to go about it, to help secure people who are really, you know, spending their time and energy and resources to build something that anybody can use for free and just help them do that in as safe a way as possible.

That's Tomislav Pericin from ReversingLabs. We'll have a link to their free resources to conduct risk assessments on open source software in the show notes.

And now a message from BlackCloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. That's because 87% of executives use personal devices to conduct business, often with zero security measures in place.
Once execs leave your organization's secure network, they become easy targets for hijacking, credential theft and reputational harm. Close the at-home security gap with BlackCloak concierge cybersecurity and privacy. Award-winning 24/7, 365 protection for executives and their families. Learn more at blackcloak.io.

And finally, Andrew Lemon, a researcher at Red Threat, discovered a flaw in the Intelight X-1 traffic light controller that could let hackers create chaotic traffic jams. Lemon found that the device's web interface had no authentication. "I was just in disbelief," Lemon told TechCrunch. Despite trying, he couldn't pull off a full Italian Job scenario, thanks to a device called the malfunction management unit. However, he could still mess with light timings, causing major traffic headaches. Lemon found about 30 vulnerable devices online and reported the issue to Q-Free, Intelight's owner. Instead of thanks, Q-Free sent a legal letter implying Lemon's research might violate anti-hacking laws and urging him not to publish his findings for national security reasons. Lemon also noted similar issues in Econolite traffic controllers, which Econolite claimed were outdated and shouldn't be online anyway. Nothing says thanks for the heads up like a good old-fashioned legal threat.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. They make you smarter about your teams while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.