
SANS Stormcast Thursday Mar 6th: DShield ELK Analysis; Jailbreaking AMD CPUs; VIM Vulnerability; Snail Mail Ransomware

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9352.mp3


DShield Traffic Analysis using ELK
The "DShield SIEM" includes an ELK dashboard as part of the honeypot. Learn how to find traffic of interest with this tool.
https://isc.sans.edu/diary/DShield%20Traffic%20Analysis%20using%20ELK/31742

Zen and the Art of Microcode Hacking
Google released details, including a proof of concept exploit, showing how to take advantage of the recently patched AMD microcode vulnerability (CVE-2024-56161).
https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking

VIM Vulnerability
An attacker may execute arbitrary code by tricking a user into opening a crafted tar file in VIM.
https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3
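The advisory's root cause is unvalidated file names taken from a tar archive. As an added illustration (not Vim's code and not from the advisory), the following Python audit opens an archive and flags member names that a plugin or script should never hand to a shell or an editor command line: traversal, absolute paths, option-like leading dashes and shell metacharacters. The sample archive is constructed inline.

```python
import io
import re
import tarfile
from typing import List, Tuple

# Characters a naive caller might pass unquoted to a shell or to an
# editor command; their presence in an archive member name is a red flag.
_SHELL_META = re.compile(r"[;&|`$<>\n\r\t\x00'\"\\!*?{}\[\]()]")

def check_member_name(name: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a single tar member name."""
    if name == "":
        return False, "empty name"
    if "\x00" in name:
        return False, "embedded NUL"
    if name.startswith("/") or name.startswith("\\"):
        return False, "absolute path"
    parts = name.replace("\\", "/").split("/")
    if ".." in parts:
        return False, "path traversal"
    if name.lstrip(" ").startswith("-"):  # would be parsed as an option
        return False, "leading dash"
    if _SHELL_META.search(name):
        return False, "shell metacharacter"
    if not name.isprintable():
        return False, "non-printable character"
    return True, "ok"

def audit_tar(data: bytes) -> List[Tuple[str, bool, str]]:
    """List every member as (name, ok, reason) without extracting anything."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            ok, reason = check_member_name(m.name)
            results.append((m.name, ok, reason))
    return results

def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign and three suspicious names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ["notes/readme.txt", "../../etc/cron.d/job",
                     "$(id).txt", "-rf.txt"]:
            body = b"constructed sample\n"
            ti = tarfile.TarInfo(name)
            ti.size = len(body)
            tf.addfile(ti, io.BytesIO(body))
    return buf.getvalue()
```

Running `audit_tar(build_sample_tar())` marks only `notes/readme.txt` as ok; the other three members are rejected with the reason that applies.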

Snail Mail Fake Ransom Note
A copycat group is impersonating ransomware actors. The group sends snail mail to company executives claiming to have stolen company data and threatening to leak it unless a payment is made.
https://www.guidepointsecurity.com/blog/snail-mail-fail-fake-ransom-note-campaign-preys-on-fear/

Podcast Transcript

Hello and welcome to the Thursday, March 6, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Baltimore, Maryland.

Guy has done an amazing job with our DShield honeypot, allowing you to run a Kibana interface, all the data being stored in Elasticsearch, and with that, making the data that your honeypot collects much more approachable. Now, there is sadly always a lot of data. Well, sadly or not so sad, depending on how you look at it. But Guy today wrote a diary, walking you a little bit through how to better get a handle on the data and finding events of interest to better understand what attackers are up to with your honeypot and, well, learn from it. Interesting blog post and, yes, if you do want to run the DShield honeypot, please do so. We always like your data and with the ELK interface, well, it also becomes much more interesting for you to actually look at the data. You may need a little bit more powerful system than just sort of your basic Raspberry Pi in order to run all of this.

The Google Bug Hunter team today released a lot of details, including working exploit code for a vulnerability that AMD patched a month ago. This vulnerability allows you to essentially update the microcode in your CPU. The microcode is routinely updated and it's often delivered with operating system updates; Microsoft, Linux updates and such include new microcode for your CPU. But this update is supposed to be cryptographically signed. The problem with AMD's implementation of this update procedure was that the hash function that they used, well, wasn't really as secure as it should be for this application. The patch a month ago did update it with a new proprietary hash function that appears to at least solve this problem. And with that now, Google did release the details about this vulnerability, which would essentially allow you to jailbreak your CPU. Remember, sort of the little demo that was released a month ago did essentially tell the CPU to always produce the same random number if you're using the CPU's random number generator. This is just sort of a little proof of concept demo. But with the additional code released today and such, well, it's really up to the attacker's creativity what they would like your CPU to do. So definitely make sure that you are patching this issue. It's not necessarily something that's easy to patch. But the new details released today may make it easier also to check if your CPU has been updated.

And then we have a critical security update for the popular Linux editor Vim. Or maybe not so popular if you never figured out how to exit Vim. This update fixes a recently added feature to Vim. Sort of one of those things, well. You always think of Vim as a relatively straightforward, simple editor. But it does have a ton of features. One of the features is to actually easily open and then edit files that are inside a tar file. The problem here is that Vim, as it's opening these files from the tar archive, is not properly verifying and validating the file names in the tar archive. And that can then lead to code execution. So you still would need to trick a Linux user to open a file that you're providing them. But then again, they may consider Vim safe, which of course it is not. That's why we have this update to Vim. And the sort of appearance of Vim being like simple and safe may make it actually easier to trick an administrator to open like a file in Vim than it is to open a file like in Word or Acrobat Reader.

And then GuidePoint Security ran into a real, a little bit weird and interesting twist on ransomware. Turns out there is a group that claims to be the BianLian ransomware group or be associated with it that actually sends regular postal mail to company executives, threatening them with leaking data that they stole if they're not paying up a ransom. Apparently, these are completely fake, these letters. So the attacker did not steal any data from you. They just hope, well, to actually still get money. And I think one of the ideas here is by directly addressing these letters to executives who may not necessarily see a lot of the sort of news about this ransomware group, they may bypass some of the more technical people in the company that would spot something like this as fake. At least that's my take on it, no idea how successful this campaign is. And again, the letters are probably not related to the actual BianLian ransomware group. They're just some copycats that tend to have a new twist on this scare. In the past, sadly, these fake ransomware notes have been somewhat successful. I remember from a few years ago where 30% of the recipients of emails and such claiming to come from ransomware groups have actually paid up.

Well, that's it for today. Thanks for listening. And as usual, please subscribe. We are also available via Alexa and on various other podcast platforms. YouTube also, if you're enjoying a video version of this podcast. Thanks and talk to you again tomorrow. Bye.