
Cybersecurity Today: EDR Evasion, SSH Backdoor, WhatsApp Zero-Click Hack, and DeepSeek AI
In today's episode of Cybersecurity Today, host Jim Love discusses several pressing cybersecurity issues. The show covers Canada's Digital Governance Council's...
Unknown Speaker
Canada's Digital Governance Council has launched a Cyber Ready Validation program to help build trust in cybersecurity practices. It's designed to help small and medium-sized organizations strengthen their cybersecurity posture. This program provides organizations with a comprehensive, independent review of their cybersecurity approaches, ensuring that they've met baseline requirements while strengthening stakeholder and public confidence in their digital operations. Full disclosure: I'm a member of the Digital Governance Council and a big supporter, but I'm also a big supporter of tools for small and medium-sized businesses, who are often left out in cybersecurity discussions. There's a link to this program and the announcement in the show notes, and now back to our regularly scheduled programming.

A new attack bypasses endpoint detection, there's a new SSH backdoor, more attacks on WhatsApp, and an update on DeepSeek. Welcome to Cybersecurity Today. I'm your host, Jim Love.

A recent cyber attack method enables attackers to bypass endpoint detection and response, or EDR, systems while operating under low-privilege standard user accounts. Traditionally, evading EDR defenses required elevated privileges such as administrative access. However, this new technique employs masquerading and path obfuscation to disguise malicious payloads as legitimate processes, deceiving both automated detection systems and human analysis. EDR solutions monitor process creation events to identify potential threats, logging details like the image path, command line arguments, current directories, and parent processes. They flag processes based on suspicious execution paths or file names. For example, a process running from Program Files\Windows Defender, you know, msmpeng.exe, might seem legitimate, but one that's coming from temp\superjuicy.exe would raise concerns.
EDR systems rely on kernel-level protection to safeguard directories like Program Files, preventing standard users from placing payloads in these protected areas. This new technique circumvents restrictions by manipulating the file path itself. Now, this involves disguising malicious files to appear benign using methods like double file extensions (.pdf.exe), right-to-left override characters, or imitating legitimate application names. Another frequent trick has been using Unicode characters that visually look the same as ASCII characters but are totally different symbols. A classic example of this is you can write www.apple.com in Cyrillic characters used in the Russian language, and to the naked eye it's going to look like apple.com, but it's not. So, using a similar technique and focusing on folder names and paths, the attacker creates a folder mimicking a legitimate path using Unicode characters that resemble ASCII. In this attack, the focus shifts from file names to directory paths: the attacker creates a folder mimicking a legitimate path using Unicode characters that resemble ASCII white space. For instance, by creating a folder named C:\Program Files, the attacker then copies the contents of C:\Program Files\Windows Defender into this new directory and adds a malicious payload. When the payload is executed from the spoofed directory, system logs show a process with an image path resembling C:\Program Files\Windows Defender\superjuicy.exe, and without careful inspection or specialized tools to detect these characters, analysts may make mistakes, thinking this is a legitimate process even when it's flagged. This is becoming a frequent attack vector, and maybe it's worth checking to make sure your EDR software can handle alternate character sets. But even if it flags the error and analysts aren't aware of this, they could assume that this is a false positive.
This new EDR evasion technique is just another example of how cyber attackers are continually adapting to attack our cybersecurity defenses.

A Chinese cyber espionage group identified as Evasive Panda, also known as Daggerfly, has been employing a novel SSH backdoor to compromise network appliances since mid-November 2024. This sophisticated attack involves injecting malware into the SSH daemon, SSHD, enabling persistent access and covert operations on targeted devices. Upon breaching a network appliance, the attackers deploy a dropper component that verifies the device is already infected and confirms it's operating with root privileges. Now, if these conditions are met, the dropper installs several binaries, including a malicious SSH library named libssth.s, which serves as the primary backdoor. This library is injected into the SSHD process, allowing the attackers to intercept and manipulate SSH sessions. This enables them to execute arbitrary commands, exfiltrate data, and maintain persistent access without detection. The backdoor also employs various obfuscation techniques to evade security measures and hinder analysis. As could be expected, the deployment of this SSH backdoor poses significant security risks, as it grants attackers extensive control over compromised devices. To mitigate the potential threats, obviously, we need to make sure that all software and firmware are up to date with recent security patches. Limiting root-level access and using least privilege is also a great strategy, but it's also a heads-up to monitor SSHD and related processes, looking for vulnerabilities or looking for tools that can detect and alert on suspicious activities in your network.

WhatsApp has alerted users to a sophisticated zero-click hacking technique that compromises devices without any user interaction. Unlike traditional phishing attacks that require users to click on malicious links, this method allows attackers to infiltrate smartphones silently.
The company disclosed that nearly 90 individuals, including journalists and human rights activists, have been targeted by this exploit. The attackers employed advanced spyware capable of accessing personal data and messages and activating the device's camera and microphone without detection. This follows on another story that we also covered earlier, where attackers utilized spyware developed by the Israeli company Paragon Solutions and delivered that through malicious PDF files. When opened, these PDFs installed spyware capable of accessing personal data and messages and even activating the device's camera and microphone, again without the user's knowledge. So it appears that WhatsApp is becoming an important target for those who use it. We need to emphasize the importance of keeping the app updated to the latest version, and even then, users need to be vigilant about the recent threats and any unusual activity on their devices. In response to these incidents, WhatsApp is enhancing its security measures and collaborating with cybersecurity experts to identify and try to prevent such vulnerabilities in the future.

And finally, I read a story about the Chinese open source AI DeepSeek, and I'm quoting: "the web login page of DeepSeek's chatbot contains heavily obfuscated computer script that, when deciphered, shows connections to computer infrastructures owned by China Mobile, a state-owned telecommunications company. The code appears to be part of the account creation and user login process for DeepSeek." Now, China Mobile, for those who don't know, has been banned from the US and is largely regarded as a tool of the Chinese government. But the article went on to say that nobody has found any evidence that any information was passed to China Mobile. Now, supposedly this is to inform us that DeepSeek is bad and a trap. We're going to face a tsunami of opinions like this, so-called discoveries about DeepSeek, and we need to make sure that we are part of an intelligent debate.
The story about China Mobile is a case in point. It's interesting, but it doesn't matter whether they found China Mobile's signature on this code. This could be a classic reuse of some code; it doesn't have to be malicious. But the reality is users shouldn't be putting company or personal information into this or any other new site that pops up, whether it's in China or Arkansas. Hackers could infect a system hosted in North America. And we know Chinese hackers can attack a system in North America just as well as they can one that is in China. So the question is, is DeepSeek itself malicious? Well, I've seen tests of it with no examples of it trying to ping back to a Chinese government mothership. Perplexity has been using a hosted version in the US, and today Microsoft announced they won't just be hosting DeepSeek on Azure, they'll be integrating it into Copilot. The point is that security discussions are nuanced. Now, does that mean that DeepSeek is totally safe? No, I think it's new software that has some parentage that you might want to question, and we want to look at it very, very carefully. But the point is that security discussions are nuanced, and it's incumbent on all of us to promote a real discussion, particularly about AI and open source in particular. There are lots of attack vectors and risks that are not getting the attention they deserve. While we debate whether a system hosted in China is a good place to put your corporate or personal information, we're not going to stop people from playing on these new systems, and I'm not sure we want to. Our workforce needs to be educated in AI, and we have to teach them how to do that safely. So over the next two weekends, we're going to be inviting experts onto Cybersecurity Today to try and have that type of no-BS, factual, nuanced discussion.
As I've said to people before, I proudly have 40 years of IT experience and I'll try to ask the right questions, but I'm not a God, so your input is welcome. You can send me a note at editorial@technewsday.ca, you can ping me on LinkedIn, or you can just simply leave comments on YouTube. I want to promote the type of discussion that prepares us all to deal with AI, and in particular this new wave of open source AI systems. I'm looking forward to your help and guidance as we move forward on this and, frankly, on any other key topics. And that's our show. I'm your host, Jim Love. Thanks for listening.
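A defender-side check for the lookalike-directory trick described in the EDR segment above, written here as an added example (it is not code from the episode or from any EDR product): it folds a logged image path the way an analyst's eye would and flags paths that only look like a trusted directory. The trusted prefixes, the small confusables map and the sample paths are constructed assumptions for illustration.

```python
import unicodedata

# Trusted install directories as the EDR would log them (ASCII, lower-cased).
# Constructed for this example; a real allow-list would come from the EDR config.
TRUSTED_PREFIXES = (r"c:\program files\windows defender", r"c:\program files")

# Deliberately partial map of Cyrillic letters that render like Latin ones.
# A production check would load Unicode's confusables.txt instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}

def non_ascii_chars(path):
    """List (offset, Unicode name) for every character outside ASCII."""
    return [(i, unicodedata.name(c, "UNNAMED")) for i, c in enumerate(path) if ord(c) > 0x7F]

def visual_fold(path):
    """Approximate what an analyst's eye sees: NFKC-normalise, map Unicode space
    separators to an ASCII space, drop format characters (RLO, zero-width), swap confusables."""
    out = []
    for c in unicodedata.normalize("NFKC", path).lower():
        cat = unicodedata.category(c)
        if cat == "Zs":
            out.append(" ")
        elif cat == "Cf":
            continue
        else:
            out.append(CONFUSABLES.get(c, c))
    return "".join(out)

def classify_image_path(path):
    """Return 'trusted', 'spoofed' or 'untrusted' for a logged image path.
    'spoofed' = looks like a trusted directory only after folding (the episode's case)."""
    exact = path.lower().startswith(TRUSTED_PREFIXES)
    if exact and not non_ascii_chars(path):
        return "trusted"
    if visual_fold(path).startswith(TRUSTED_PREFIXES):
        return "spoofed"
    return "untrusted"

# Constructed sample image paths modelled on the episode's example.
SAMPLE_PATHS = [
    r"C:\Program Files\Windows Defender\MsMpEng.exe",            # genuine
    "C:\\Program\u2003Files\\Windows Defender\\superjuicy.exe",  # EM SPACE, not ASCII space
    "C:\\Pr\u043egram Files\\Windows Defender\\superjuicy.exe",  # Cyrillic o in "Program"
    r"C:\Temp\superjuicy.exe",                                  # plainly untrusted
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify_image_path(p):9s} {non_ascii_chars(p)} {p!r}")
```

Feed it the image paths from your EDR's process-creation events; anything classified "spoofed" is worth a look even if the vendor console shows a familiar-looking directory.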
Podcast Summary: Cybersecurity Today
Episode: DeepSeek Security Concerns: Cyber Security Today for Friday, February 7, 2025
Host: Jim Love
Release Date: February 7, 2025
In this episode of Cybersecurity Today, host Jim Love delves into the latest developments in cybersecurity, focusing on emerging threats, sophisticated attack methodologies, and the ongoing efforts to bolster organizational defenses. The episode covers a range of topics, including Canada’s Cyber Ready Validation program, novel techniques for bypassing Endpoint Detection and Response (EDR) systems, advanced SSH backdoors used by cyber espionage groups, sophisticated zero-click attacks on WhatsApp, and concerns surrounding the Chinese open-source AI platform DeepSeek.
The episode begins with an update on Canada’s Digital Governance Council launching the Cyber Ready Validation program, aimed at enhancing cybersecurity practices among small and medium-sized enterprises (SMEs).
[00:01] Unknown Speaker: “Canada's Digital Governance Council has launched a Cyber Ready Validation program to help build trust in cybersecurity practices. It's designed to help small and medium sized organizations strengthen their cybersecurity posture...”
Jim highlights the significance of this initiative in providing SMEs with comprehensive, independent reviews of their cybersecurity strategies, thereby ensuring they meet baseline security requirements and instilling confidence among stakeholders and the public.
Jim transitions to discuss a new cyber attack method that allows attackers to bypass EDR systems without needing elevated privileges.
[02:30] Jim Love: “A recent cyber attack method enables attackers to bypass endpoint detection and response or EDR systems while operating under low privilege standard user accounts...”
Key Points:
The attacker creates a folder mimicking C:\Program Files using Unicode characters resembling ASCII, then places a malicious executable (superjuicy.exe) within this spoofed directory, making it appear as a legitimate process (C:\Program Files\Windows Defender\superjuicy.exe).
Jim emphasizes the importance for organizations to ensure their EDR solutions are equipped to handle alternate character sets and to maintain vigilance in monitoring for such sophisticated evasion tactics.
The discussion shifts to a Chinese cyber espionage group, known as Evasive Panda or Daggerfly, which has been deploying a novel SSH backdoor since November 2024.
[05:10] Jim Love: “A Chinese cyber espionage group identified as Evasive Panda, also known as Daggerfly, has been employing a novel SSH backdoor to compromise network appliances since mid November 2024...”
Key Points:
After breaching a network appliance, the attackers deploy a dropper that confirms root privileges and installs several binaries, including a malicious SSH library named libssth.s, the primary backdoor library, which is injected into the SSHD process.
Jim advises organizations to keep all software and firmware updated with the latest security patches, limit root-level access, implement the principle of least privilege, and closely monitor SSHD and related processes for suspicious activities.
Next, Jim addresses a significant security concern involving WhatsApp, where a zero-click hacking technique has been discovered.
[08:45] Jim Love: “WhatsApp has alerted users to a sophisticated zero click hacking technique that compromises devices without any user interaction...”
Jim underscores the necessity for users to keep WhatsApp updated to the latest version and remain vigilant for any unusual activity on their devices. In response, WhatsApp is enhancing its security measures and collaborating with cybersecurity experts to prevent future vulnerabilities.
The episode concludes with a discussion about DeepSeek, a Chinese open-source AI platform, and the security concerns surrounding it.
[15:25] Jim Love: “...the web login page of Deepseek's chatbot contains heavily obfuscated computer script that when deciphered, shows connections to computer infrastructures owned by China Mobile...”
[20:50] Jim Love: “Security discussions are nuanced... Our workforce needs to be educated in AI and we have to teach them how to do that safely...”
Jim expresses his commitment to facilitating informed discussions and encourages listener engagement to navigate the complex landscape of AI and cybersecurity.
Jim Love wraps up the episode by reiterating the importance of staying informed and proactive in the face of evolving cybersecurity threats. He invites listeners to contribute to future discussions, aiming to equip the workforce with the necessary knowledge and tools to address challenges posed by AI and other emerging technologies.
[22:15] Jim Love: “I proudly have 40 years of IT experience and I'll try to ask the right questions, but I'm not a God, so your input is welcome...”
Listeners are encouraged to reach out via email, LinkedIn, or YouTube comments to participate in shaping the conversation around critical cybersecurity topics.