
CyberWire Daily

Take a trip down regreSSHion lane.

A new OpenSSH vulnerability affects Linux systems. The Supreme Court sends social media censorship cases back to the lower courts. Chinese hackers exploit a new Cisco zero-day. HubSpot investigates unauthorized access to customer accounts. Japanese media giant Kadokawa confirmed data leaks from a ransomware attack. FakeBat is a popular malware loader. Volcano Demon is a hot new ransomware group. Google launches a KVM hypervisor bug bounty program. Johannes Ullrich from SANS Technology Institute discusses defending against API attacks. Goodnight, Sleep Tight, Don't Let the Hackers Byte!

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Guest is Johannes Ullrich from SANS Technology Institute talking about defending against attacks affecting APIs and dangerous new attack techniques you need to know about. This conversation is based on Johannes' presentations at the 2024 RSA Conference. You can learn more about them here:

Attack and Defend: How to Defend Against Three Attacks Affecting APIs

The Five Most Dangerous New Attack Techniques You Need to Know About

Selected Reading

New regreSSHion OpenSSH RCE bug gives root on Linux servers (Bleeping Computer)

US Supreme Court sidesteps dispute on state laws regulating social media (Reuters)

China's 'Velvet Ant' hackers caught exploiting new zero-day in Cisco devices (The Record)

HubSpot accounts breach under investigation (SC Media)

Japanese anime and gaming giant admits data leak following ransomware attack (The Record)

Exposing FakeBat loader: distribution methods and adversary infrastructure (Sekoia.io blog)

Halcyon Identifies New Ransomware Operator Volcano Demon Serving Up LukaLocker (Halcyon)

Google launches Bug Bounty Program for KVM Hypervisor (Stack Diary)

How to Get Root Access to Your Sleep Number Bed (Dillan Mills)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration:
30m
Broadcast on:
02 Jul 2024
Audio Format:
mp3


You're listening to the CyberWire Network, powered by N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber.

A new OpenSSH vulnerability affects Linux systems. The Supreme Court sends social media censorship cases back to the lower courts. Chinese hackers exploit a new Cisco zero-day. HubSpot investigates unauthorized access to customer accounts. Japanese media giant Kadokawa confirmed data leaks from a ransomware attack. FakeBat is a popular malware loader. Volcano Demon is a hot new ransomware group. Google launches a KVM hypervisor bug bounty program. Johannes Ullrich from the SANS Technology Institute discusses defending against API attacks. And, good night, sleep tight, don't let the hackers bite.

It's Tuesday, July 2nd, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here once again. It is great to have you with us.

A new OpenSSH vulnerability dubbed "regreSSHion," with a capital SSH in the middle of the word "regression," allows unauthenticated remote code execution with root privileges on glibc-based Linux systems. Discovered by Qualys in May of this year, the flaw results from a race condition in the sshd signal handler. It can be exploited if a client fails to authenticate within the default 120-second login grace time, triggering unsafe async-signal calls. Exploitation could lead to a complete system takeover. Although Qualys notes it's challenging to exploit, AI tools might improve success rates.
The flaw affects OpenSSH versions 8.5p1 to 9.8p1 on Linux, with older and OpenBSD systems unaffected. Mitigation includes updating to version 9.8p1 or adjusting sshd configurations.

The US Supreme Court avoided ruling on Republican-backed laws in Florida and Texas that limit social media companies' power to moderate content. Instead, they unanimously threw out previous judicial decisions and sent the cases back to lower courts for further First Amendment analysis. The laws, passed in 2021, were challenged by NetChoice and the Computer and Communications Industry Association, whose members include Meta, Google, TikTok, and Snap. The lower courts had mixed rulings, blocking parts of Florida's law while upholding Texas's law. Neither law is currently in effect. Liberal Justice Elena Kagan, writing for the majority, questioned the legality of the Texas law, stating it forces platforms to change their content moderation in ways that conflict with the First Amendment. The core issue is whether the First Amendment protects the editorial discretion of social media platforms, allowing them to manage content to avoid spam, extremism, and hate speech. Republicans claim these platforms censor conservative voices, while President Biden's administration argues that the laws force platforms to promote objectionable content, violating the First Amendment. Florida and Texas officials argue the platforms' moderation actions are not protected speech. The Texas law bans social media companies with over 50 million users from censoring based on viewpoint, allowing users or the state to sue. Florida's law prohibits large platforms from banning political candidates or journalistic content. The Supreme Court's decision highlights the ongoing debate over free speech and content moderation in the digital age.

A new zero-day vulnerability affecting Cisco NX-OS software on Nexus series switches was exploited by Chinese state-backed hackers, dubbed Velvet Ant, back in April.
The hackers used administrator credentials to access the switches and deploy custom malware for remote control and data exfiltration. Cisco and cybersecurity firm Sygnia published advisories about the flaw, which has no workarounds but is addressed in recent software updates. Velvet Ant's primary goal is espionage, focusing on long-term network access. They previously maintained access to a victim's network for three years using outdated F5 BIG-IP equipment. Most affected devices are not Internet-exposed but often lack sufficient protection.

HubSpot is investigating a cyber attack involving unauthorized access to a limited number of customer accounts. The company has activated incident response procedures, contacted impacted customers, and revoked unauthorized access since June 22. HubSpot's chief information security officer, Alyssa Robinson, confirmed the investigation but provided no further details about the incident's impact or affected clients. HubSpot serves over 216,000 corporate customers, including Discord, Talkspace, and Eventbrite.

Japanese media giant Kadokawa confirmed data leaks from a ransomware attack last month, affecting business partner information and personal data of subsidiary Dwango's employees. No credit card data was compromised. Kadokawa, which operates Niconico and BookWalker and holds a stake in FromSoftware, apologized for the inconvenience caused. The BlackSuit ransomware gang, linked to the defunct Conti group, claimed responsibility, saying they exfiltrated 1.5 terabytes of data. Kadokawa is verifying the authenticity of the claims and is working on system restoration. Niconico temporarily shut down some services due to the attack.

During the first half of 2024, FakeBat, also known as EugenLoader or PaykLoader, became one of the most widespread loaders using drive-by download techniques.
Distributing malware like IcedID, Lumma, and RedLine, FakeBat campaigns used malvertising, fake browser updates, and social engineering to trick users into downloading malicious software. Sekoia's threat detection and research team tracked multiple campaigns and identified infrastructure, such as compromised websites and command and control servers, used to distribute FakeBat. Despite efforts to evade detection, TDR continues to monitor and track these activities, providing indicators of compromise and technical details to help protect against these threats.

Halcyon identified a new ransomware group, Volcano Demon, responsible for several recent attacks. They use an encryptor called LukaLocker, affecting files with the .nba extension, and have a Linux version. Volcano Demon locked both Windows workstations and servers by exploiting common administrative credentials and exfiltrated data for double extortion. They cleared logs, making full forensic evaluation difficult. The group has no leak site and instead uses threatening phone calls to leadership and IT executives to demand ransom, with calls from unidentified numbers.

Google has launched a bug bounty program, kvmCTF, to enhance the security of the Kernel-based Virtual Machine, the KVM hypervisor, offering up to $250,000 for critical vulnerabilities. The program invites security researchers to find zero-day vulnerabilities in KVM, used in platforms like Android and Google Cloud. Participants can test exploits in specialized lab environments provided by Google. Rewards vary with the severity of the findings, with a quarter million dollars for full virtual machine escapes, 100 grand for arbitrary memory writes, and $50,000 for arbitrary memory reads. The program aims to improve KVM security through collaboration with the open-source community. Detailed rules and submission guidelines are available on the program's GitHub page, with a Discord channel for community discussions.
Coming up after the break, Johannes Ullrich from the SANS Technology Institute discusses defending against API attacks. Stay with us.

And now, a word from our sponsor, KnowBe4. Where would InfoSec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an InfoSec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

And it is always my pleasure to welcome back to the show Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, welcome back.

Yeah, good being back here, even though I'm not in person this time at RSA.
Well, that's what I wanted to talk about with you today. You and I missed out on our opportunity to get together face-to-face like we usually enjoy doing at RSA Conference this year. So I wanted to take this opportunity to follow up and learn about some of the things that you presented on at this year's conference.

Yeah, again, I had the pleasure to be part of our SANS panel this time that we had again, with Ed Skoudis kind of managing it all, and Heather Barnhart and Terrence Williams, actually, he was first time on the panel. So I had Stephen Sims back to give us a little bit more of an offensive security spin on things.

Quite the lineup there. So, a couple of presentations here. One of them was called "Attack and Defend: How to Defend Against Three Attacks Affecting APIs." It's a hot topic.

Yeah, this is actually a little learning lab that I did with Jason Lam. What was sort of cool about it, we did a hands-on lab where we actually walked people through attacking and defending APIs. What are some of the threats that are affecting APIs? And the lab is actually available online. If you just go to sandsapi.com, you can do the lab right now. We have all the instructions there. We sort of clean it up about once a day, kind of, just to give everybody a clean slate again to start out with. But yes, this worked really well. We had about 100 people in the room that participated in that lab.

So can you give us an overview of the kind of things that you cover here in this lab?

In this lab, we talked about, first of all, authentication. Some of the mistakes that happen with APIs, for example, the API keys, where there's some of the more modern methods like OAuth. Also access control, where, function level, where, for example, you do give the user access to a URL, but do you allow them to just request data from the URL with a GET request, or do you allow them to update it with a POST?

I noticed that this particular session, you were using the Chatham House Rule here.
What's the advantage of that? Is this to give people an opportunity to open up in ways perhaps they wouldn't otherwise?

Yeah. It's really more interactive, where you have also people contributing to the material. I think it's a two-hour session, and for this session, we only had like 10 slides. So everything else was hands-on, was discussions, so it was a very interactive, very hands-on session.

Yeah. I think one was titled "The Five Most Dangerous New Attack Techniques You Need to Know About." Tell us about that one.

Yeah. So this is our annual SANS panel, and this is always sort of a highlight for myself, kind of, of the year, because, as I mentioned, there's a great company here for the panel, and we try to predict a little bit what are kind of the up-and-coming threats. So part of it is a little bit, "Hey, what's currently happening?" One of it is, "How are we projecting this moving forward?"

Can you give us some of the highlights here, or what are some of the things you all covered?

Yeah. So just a couple of the topics we had here. I was talking a little bit about technical debt and how that affects security, in particular in security devices. And I think that's nothing fundamentally new, that's sort of really projecting forward again. We're at a little bit of an inflection point here, where a lot of the people who developed these devices back in the early 2000s are leaving the industry, where we have some of these companies that develop these devices being now bought by private equity funds and such, who don't necessarily have the experience in actually maintaining software like that. And I think that's, we have seen some of this last year happening, but I think that's something that's probably going to be a big issue going forward. And as an example here, I had some security devices that had literally code in them copyrighted in 1998 and 2001. So Perl code, that's sort of what was my favorite language back then. So this is one of the topics.
Probably Heather had sort of one of the little bit more disturbing topics, and that's sextortion of children, particularly teenagers, which in middle schools, high schools is a huge problem, leading to suicide, in particular in teenage boys that are affected by this. And one of the topics that sort of went a little bit through it all, of course, was AI. And this is all sort of one of those areas where AI, of course, has a major impact.

You know, I was going to ask you about that and kind of give you a little bit of a hard time that, you know, neither of these presentations had the word AI in the title. So how could you possibly expect anybody to show up?

It's not like people don't show up, and, you know, everything is about AI, of course, these days. Your APIs are integrated with the AIs, you're using APIs to connect to AIs. But yeah, and I think actually we had, in this one in particular, the next topic then, Terrence Williams was talking about deepfake AIs and election security, how that matters. Stephen Sims actually was talking about how AI is being used to accelerate exploit development. Now for all of these, we also tried to give a little bit of a positive side on how to defend against it. It's easy to just admire the problem, kind of, but we, for example, with AI, you can also accelerate the defensive part, developing solutions to vulnerabilities, or for the technical debt, AI is actually a great tool to help you move some of this ancient code to more modern platforms. It can really help you also understand code that someone else wrote back in 1998 and maybe hasn't documented back then, that's of course always a problem, and have AI help you read that code.
With the sextortion part, AI can in some ways help and assist in identifying these deepfakes and such, where I have to be honest, I think when it comes to election security, when it comes to sextortion, my hope is, kind of, that AI and deepfakes will be so common that when you are seeing an image, you assume it's a deepfake before you actually consider it being real. So there is maybe some desensitization happening here with AI. It's a little bit, maybe, a bleak future, but it almost sounds like a better thing than having these deepfakes and such rule public discourse and rule our lives.

Yeah, I mean, I guess it's fair to say that, you know, that genie is not going back in the bottle anytime soon.

Yeah, and techniques that have been proposed, like, for example, labeling these deepfakes, that'll work if you're going to one of the honest AI tools, but then you have specific AI tools. Another topic that I covered: how do you, for example, establish someone's identity online? This has been a big problem now, with some of these Know Your Customer rules, where you have websites like onlyfakes.com that specialize in creating not just fake IDs, but images of fake IDs that look real in the sense that, for example, they look like it's a snapshot taken on a piece of carpet or a wood floor and such, how someone would typically take a picture of an ID at home.

I wonder about things like chain of custody with AI, and dare I mention the word blockchain as being a potential tool for something like that. Do you have thoughts there?

Well, for chain of custody, I think something like blockchain, digital signatures and such, of course, is what you want to do. And it's one solution where you do have, for example, images that are automatically digitally signed by the camera, so you know who took the image. But not even talking about deepfakes, I don't think you'll ever really see an image in a major news publication that's displayed as it was taken.
They're always cropped, they're being color adjusted, usually minor modifications like this that are perfectly honest for the most part, but doing something like an identical match to a hash is very difficult. But you at least could have that original image and have some proof that this image was taken at a certain date by a certain photographer using a specific camera. So that way, I think you could establish sort of a chain of custody for images, if someone should question the authenticity of an image.

Yeah. So, big picture, as you left this year's RSA Conference, how are you feeling? What's your sense of sort of the tone that people are leaving this year's show with?

Well, of course, the AI hype train is in full swing. And at this point, if you are a company, if you are a startup, and as you say, if you don't have AI in your title on the first slide of your pitch deck, you don't have a case. The sad part, of course, with that is something called AI washing, where you have a lot of things that probably don't need to be done with AI that are better done without AI. Besides on his mouth, drivers, you shouldn't really replace a regular expression with AI, or a simple string match with a regular expression, so sometimes the simpler solution wins. And I think there is currently a lot of carbon being burnt and wasted for AI stuff that's probably not necessary. I think the market will hopefully tell us in the end what will survive, what will work.
As always with startups, most of them will sadly not survive, in part probably because they went on that AI bandwagon without really considering that you have now the major cybersecurity players coming out with their own tools that are properly integrated into the existing product, into tools that enterprises already use, without having to add another supplier to your ever-complicating supply chain. So that, I think, is what will be the next couple of years, that shaking out of what AI will survive and what will just be forgotten.

Yeah. All right, well, Johannes Ullrich is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, thanks so much for joining us.

Yeah, thank you.

And now a message from BlackCloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. That's because 87% of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking, credential theft, and reputational harm. Close the at-home security gap with BlackCloak Concierge Cybersecurity and Privacy, award-winning 24/7, 365 protection for executives and their families. Do more at blackcloak.io.

This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at shopify.com/tech, all lowercase. That's shopify.com/tech.

And finally, our circadian rhythms desk tells us the tale of one Dillan Mills, an enterprising home hacker who managed to gain root access to their Sleep Number bed's hub.
Tinkering enthusiasts, start your engines. This involves some serious hacking with a UART device and a bit of code wizardry. The goal? Total bed control, without relying on Sleep Number's servers. This tech journey began with cracking open the hub, poking around with a logic analyzer, and discovering a secret backdoor. There's some script sorcery and hardware hijinks. The bed now obeys commands over the local network. The ultimate hack lets users adjust sleep settings, lighting, and more. Just a heads-up, warranty voids apply, and Sleep Number won't bail you out if things go sideways. Proceed with caution. Because nothing says sweet dreams like a command prompt and root access.

And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K's CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.