Podcast Summary: CyberWire Daily – “SSH-attered Trust”
Release Date: April 18, 2025
Host: Dave Bittner
Published by: N2K Networks
1. Critical Vulnerability in Erlang OTP SSH
At the outset of the episode, Dave Bittner highlights a severe security flaw in the Erlang OTP SSH implementation. This vulnerability, rated with a maximum CVSS score of 10, allows unauthenticated remote code execution on affected devices.
Key Details:
- Affected Systems: Widely used in high-availability systems such as telecommunications, IoT, and embedded devices.
- Exploit Mechanism: Improper handling of pre-authentication SSH messages permits attackers to execute commands as root via the SSH daemon.
- Recommendation: Immediate upgrading is urged. For systems where patching isn't feasible, restricting access to trusted IPs or disabling SSH entirely is advised.
Quote:
“The flaw stems from improper handling of pre-authentication SSH messages, enabling attackers to run commands, often as root, via the SSH daemon.” – Linda Gray Martin [02:00]
2. Bipartisan Effort to Renew Cybersecurity Information Sharing Act
Senators Gary Peters (D-Michigan) and Mike Rounds (R-South Dakota) are spearheading the renewal of the Cybersecurity Information Sharing Extension Act. This bipartisan initiative aims to extend a crucial 2015 law that facilitates the sharing of cyber threat data between businesses and the government.
Key Points:
- Purpose: Encourages companies to report threats like malware and vulnerabilities to the Department of Homeland Security (DHS) while providing legal protections.
- Impact: Enhances real-time collaboration between private firms and agencies such as CISA, aiding responses to major incidents like SolarWinds.
- Expert Opinion: The renewal presents an opportunity to update the law to address modern challenges related to privacy, supply chains, and evolving threats.
Quote:
“Senator Rounds warned that letting it lapse would harm national cyber defenses.” – Dave Bittner [04:30]
3. Newly Discovered Linux Kernel Vulnerability
A newly identified vulnerability in the Linux kernel poses a significant risk by allowing local attackers to escalate privileges and potentially gain root access.
Key Details:
- CVSS Score: 7.8
- Affected Component: Bitmap IP set type in the netfilter subsystem.
- Exploit Mechanism: Allows out-of-bounds writes, bypassing KASLR, and executing kernel-level code.
- Recommendation: System administrators are strongly urged to apply available patches immediately to mitigate the risk.
Quote:
“The exploit code enables attackers to perform out-of-bounds writes, bypass KASLR, and execute kernel-level code.” – Linda Gray Martin [05:15]
4. Risky Chrome Extensions Uncovered
Security researcher John Tuckner has identified 57 Chrome extensions deemed risky, collectively serving around 6 million users. These extensions often request excessive permissions and have the potential for surveillance or malicious activities.
Key Concerns:
- Functionality: Extensions claiming to offer privacy or ad-blocking can monitor browsing behavior, access cookies, modify search results, and execute remote scripts.
- Notable Example: The "Fire Shield" extension was found to be heavily obfuscated and communicates with suspicious domains.
- Action Taken: Google is investigating, and users are advised to remove flagged extensions and reset passwords as a precaution. Some extensions have already been removed from the Chrome Web Store.
Quote:
“These extensions, often unlisted from the Chrome Web Store and only installable via direct link, claim to offer privacy or ad blocking services but can monitor browsing behavior.” – Linda Gray Martin [06:45]
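The risk signals listed above (broad host access, cookie and tab permissions, traffic interception, remote script sources) can be checked mechanically against an extension's manifest. The following is an added example, not code from the episode or from the researcher's report; the manifest is a constructed sample for a hypothetical extension, and the scoring weights are the author's own assumptions.

```python
import json
from typing import Dict, List

# Constructed MV2 manifest for a hypothetical "privacy" extension (not a real one)
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Example Shield (constructed sample)",
  "version": "1.0",
  "permissions": ["cookies", "tabs", "webNavigation", "webRequest",
                  "webRequestBlocking", "storage", "<all_urls>"],
  "content_security_policy": "script-src 'self' https://cdn.example.invalid; object-src 'self'"
}
""")

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# What each permission lets an extension do; paired with broad host access it applies to every site
SENSITIVE = {
    "cookies": "read/modify cookies (session theft)",
    "tabs": "observe URLs and titles of every open tab (browsing surveillance)",
    "webNavigation": "track every navigation event (browsing surveillance)",
    "webRequest": "inspect all HTTP traffic",
    "webRequestBlocking": "intercept/modify HTTP traffic (e.g. alter search results)",
    "scripting": "inject scripts into pages (MV3)",
}

def assess_manifest(manifest: Dict) -> Dict:
    """Return a list of findings and a heuristic risk score (assumed weights)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    if manifest.get("manifest_version", 2) == 2:
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 mixes hosts into permissions
    broad = bool(hosts & BROAD_HOSTS)
    findings: List[str] = []
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    scope = "on all sites" if broad else "on declared hosts only"
    for p in sorted(perms & SENSITIVE.keys()):
        findings.append(f"{p}: {SENSITIVE[p]} ({scope})")
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):          # MV3 uses a dict of CSP strings
        csp = " ".join(csp.values())
    if "script-src" in csp and "http" in csp:
        findings.append("CSP permits remote script sources: " + csp)
    # Cookie access or script injection on every site weighs extra
    score = len(findings) + (2 if broad and perms & {"cookies", "scripting"} else 0)
    return {"risk_score": score, "findings": findings}

if __name__ == "__main__":
    print(json.dumps(assess_manifest(SAMPLE_MANIFEST), indent=2))
```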
5. Strela Stealer Malware Campaigns
Strela Stealer, a credential-stealing malware targeting email clients like Microsoft Outlook and Mozilla Thunderbird, has been active since 2022. Attributed to threat actor Hive0145, recent campaigns have intensified with improved obfuscation and new delivery methods.
Campaign Highlights:
- Distribution: Phishing emails containing zip files with malicious JavaScript that downloads a DLL payload.
- Recent Activity: Over 100 organizations across Europe and the US targeted with enhanced delivery methods involving PowerShell and WebDAV.
- Defense Measures: AttackIQ has released simulations to help organizations test and strengthen their defenses against Strela Stealer.
Quote:
“Attackers use stolen credentials in nearly nine out of 10 data breaches.” – Dave Bittner [08:00]
6. Legends International Data Breach
Legends International, a prominent live events service provider, has informed employees and customers about a data breach identified in November. The breach exposed sensitive information, including Social Security numbers, driver's licenses, payment card details, and medical records of over 8,000 Texans.
Key Points:
- Response: Systems were taken offline upon discovery, and affected individuals are offered two years of free identity protection.
- Legal Outcome: The airport retailer has agreed to a $6.9 million settlement to resolve a class action lawsuit related to the breach.
- Attribution: No group has claimed responsibility for the attack.
Quote:
“The company took systems offline and found that attackers exfiltrated files containing sensitive data.” – Linda Gray Martin [10:00]
7. CISA Warning on Actively Exploited SonicWall Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to US Federal agencies about a high-severity remote code execution vulnerability affecting SonicWall SMA100 series appliances.
Vulnerability Details:
- Impact: Allows low-privileged remote attackers to execute arbitrary code via the SMA100 management interface.
- Status: Initially classified as a denial of service issue, it has been upgraded in severity after confirming active exploitation.
- Recommendation: Agencies must apply patches by May 7th, and all organizations are urged to act swiftly to prevent potential breaches.
Quote:
“CISA warns of an actively exploited SonicWall vulnerability.” – Dave Bittner [11:25]
8. Ransomware Settlement with Paradies Shops
Paradies Shops, an airport retailer, has agreed to a $6.9 million settlement to resolve a class action lawsuit following a 2020 ransomware attack. The breach compromised personal data of 76,000 current and former employees, including names and Social Security numbers.
Legal Proceedings:
- Allegations: Plaintiffs accused Paradies Shops of negligence and delayed notification post-breach.
- Resolution: The company chose to settle to avoid prolonged litigation, reflecting a growing trend of post-breach class action lawsuits.
Quote:
“Paradies opted to settle to avoid prolonged litigation.” – Linda Gray Martin [12:10]
9. RSAC 2025 Conference Preview
In the latter portion of the episode, Linda Gray Martin and Britta Glade provide an extensive preview of the upcoming RSAC 2025 conference, emphasizing new features and offering tips for attendees.
Conference Highlights:
- New Branding: RSA Conference is now rebranded as RSAC Conference, with updated materials across the campus.
- Expanded Campus: Incorporation of the Yerba Buena Center for the Arts, accommodating the 20th anniversary of the Innovation Sandbox contest.
- Keynote Program: The newly named YBCA Keynote Program will feature speakers in a state-of-the-art theater setting.
- Interactive Experiences: Introduction of DARPA's AI Cyber Challenge, an immersive journey set in a fictional city to demonstrate AI-driven cybersecurity.
- Early Stage Expo: Expansion to include nearly 70 startups, fostering innovation and networking opportunities.
Tips for Attendees:
- Plan Ahead: Utilize the RSAC website to filter and schedule sessions, reserve seats, and map out vendor visits.
- Networking Opportunities: Attend the first-timers' reception on Sunday night to connect with peers and industry leaders.
- Stay Flexible: With over 400 sessions across 29 tracks, prioritize key events and maintain a backup plan.
- Comfort Matters: Wear comfortable shoes and stay hydrated to navigate the extensive conference layout efficiently.
Notable Quotes:
- “Come with a plan... reserve seats, and see which vendors are in the expo hall.” – Britta Glade [19:10]
- “The networking opportunity and the ability to impact this, your cohort for life, cannot be understated.” – Dave Bittner [20:24]
10. DNS Disruption Incident with Zoom
The episode briefly touches on a DNS disruption incident in which Zoom experienced significant connectivity issues, not due to a cyberattack but to a miscommunication between Zoom's domain registrar and GoDaddy. The incident left millions unable to access Zoom services for nearly two hours.
Incident Summary:
- Cause: GoDaddy accidentally disabled Zoom's domain, removing it from the internet.
- Effect: Users received error messages, leading to widespread confusion during ongoing meetings.
- Resolution: DNS cache delays extended the recovery time, and Zoom implemented a registry lock to prevent future occurrences.
Quote:
“A miscommunication between Zoom's domain registrar and GoDaddy... making it disappear from the Internet.” – Dave Bittner [23:00]
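The registry lock mentioned as Zoom's remediation is visible in a domain's RDAP (or WHOIS) status codes: registrar-side "client*Prohibited" statuses can be lifted by the registrar itself, whereas registry-lock "server*Prohibited" statuses can only be removed by the registry. The following is an added example, not code from the episode or from Zoom; the RDAP documents are constructed samples, and pulling live data from an endpoint such as https://rdap.org/domain/<name> is left to the reader.

```python
import re
from typing import Dict, List

# EPP status codes (RFC 8056 spelling as returned by RDAP)
REGISTRAR_LOCKS = {"client delete prohibited", "client transfer prohibited", "client update prohibited"}
REGISTRY_LOCKS = {"server delete prohibited", "server transfer prohibited", "server update prohibited"}

# Constructed RDAP-style documents (not real lookups)
REGISTRAR_LOCK_ONLY = {
    "objectClassName": "domain", "ldhName": "example-a.invalid",
    "status": ["client delete prohibited", "client transfer prohibited", "client update prohibited"],
}
FULL_REGISTRY_LOCK = {
    "objectClassName": "domain", "ldhName": "example-b.invalid",
    "status": ["clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited",
               "serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"],
}
ON_HOLD = {"objectClassName": "domain", "ldhName": "example-c.invalid", "status": ["server hold"]}

def normalize(status: str) -> str:
    """Accept both RDAP ('server delete prohibited') and EPP ('serverDeleteProhibited') spellings."""
    return re.sub(r"(?<!^)(?=[A-Z])", " ", status).lower().strip()

def lock_posture(rdap: Dict) -> Dict:
    """Report whether a domain carries registrar lock, registry lock, or is on hold (not resolving)."""
    statuses = {normalize(s) for s in rdap.get("status", [])}
    return {
        "domain": rdap.get("ldhName", "?"),
        "registrar_lock": REGISTRAR_LOCKS <= statuses,
        "registry_lock": REGISTRY_LOCKS <= statuses,
        # "client hold"/"server hold" remove the domain from the zone: the Zoom failure mode
        "on_hold": any("hold" in s for s in statuses),
        "missing_registry_statuses": sorted(REGISTRY_LOCKS - statuses),
    }

def needs_attention(rdap: Dict) -> List[str]:
    """Human-readable gaps a domain owner would want to close."""
    p = lock_posture(rdap)
    issues = []
    if p["on_hold"]:
        issues.append(f"{p['domain']} is on hold and will not resolve")
    if not p["registry_lock"]:
        issues.append(f"{p['domain']} lacks registry lock (missing: {', '.join(p['missing_registry_statuses'])})")
    return issues

if __name__ == "__main__":
    for doc in (REGISTRAR_LOCK_ONLY, FULL_REGISTRY_LOCK, ON_HOLD):
        print(lock_posture(doc), needs_attention(doc))
```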
This episode of CyberWire Daily delves into pressing cybersecurity vulnerabilities, legislative efforts, recent breaches, and offers a comprehensive preview of the upcoming RSAC 2025 conference. Through expert analysis and detailed reporting, listeners are kept informed on the latest threats and industry developments essential for maintaining robust cybersecurity defenses.