Episode Transcript
0:00
Hello and welcome to the Monday, June 3rd, 2024
0:02
edition of the SANS Internet Storm Center's
0:07
Stormcast. My name is Johannes Ullrich
0:09
and I'm recording from Jacksonville, Florida.
0:14
Xavier came across an interesting
0:16
little info-stealer written in Python.
0:18
Now this info-stealer appears to
0:20
be targeting Windows
0:22
and well it also uses a somewhat
0:25
odd way to exfiltrate the data:
0:28
gofile.io. Actually, I'm a bit surprised we
0:30
haven't seen gofile.io earlier. It probably has
0:33
been used for a while; we just
0:36
didn't notice it. It's one of
0:38
those sites where you're able to
0:40
upload data to and with a
0:43
free account you are
0:45
limited in how much you can upload and
0:47
how long the data is being kept
0:49
at gofile, but it's sufficient for
0:52
the needs of your average
0:54
info-stealer. This info-stealer is looking
0:56
for passwords. It's not just
0:58
looking for specific
1:00
files. Instead, it has a
1:03
list of words, things like
1:06
password, login, secret, and whenever
1:08
it finds a
1:10
file that contains these particular
1:13
words, well, it considers it
1:15
a password file and attempts to
1:17
exfiltrate the data. In
1:19
addition, it also goes for
1:22
specific crypto coin wallets. Xavier
1:24
is calling this particular info-stealer
1:26
kiwi, and the i here
1:28
is replaced with the number
1:31
1, because that's a string
1:33
that is present in a
1:35
number of locations, kind of
1:37
identifying this particular info-stealer. Talking
1:41
about malware, Kaspersky has released a tool that
1:43
is available for free and should help you
1:45
look for malware, specifically
1:50
on Linux systems. They
1:52
call it the Kaspersky
1:54
Virus Removal Tool or
1:56
KVRT. It's a simple
1:58
signature-based tool.
2:00
So this is something that you run
2:02
once. If you are a little bit
2:04
suspicious about a system, maybe you find
2:06
a system that was in your inventory
2:09
and you want to take a quick
2:11
look at it, get sort of a
2:13
first quick triage out of it. There
2:15
are multiple other tools like this around,
2:17
but this is sort of one area where
2:20
you always kind of want to give
2:22
the latest greatest tool a try because,
2:24
well, with all these signature-based tools,
2:26
the more accurate and the more current
2:28
your signatures are, the better the
2:30
tool. And
2:33
on Friday, security company Hudson
2:35
Rock did publish a blog
2:37
post suggesting that Snowflake may
2:40
have been compromised. Snowflake
2:42
is an AI training company,
2:45
essentially uploading your data into
2:47
their cloud and they will
2:50
use their resources to do
2:53
training on that data.
2:55
Of course, it's a great service, for example, if you
2:57
don't want to buy a bunch of GPUs
3:00
and such yourself. But
3:02
with that, of course,
3:05
Snowflake also holds a
3:07
lot of highly proprietary
3:09
data, which made this
3:11
potential breach highly critical.
3:13
Well, since then
3:15
Snowflake has stated that they
3:17
themselves have not been breached.
3:19
But what apparently happened according
3:21
to Snowflake is that
3:23
a number of their customers
3:25
were breached because they did
3:28
not enable two-factor authentication and
3:30
their passwords had been leaked
3:32
in other breaches. So classic
3:35
credential stuffing. I think that's
3:37
a good reminder that whenever
3:39
you do upload confidential
3:41
data into someone else's cloud,
3:44
be highly aware of that
3:46
shared responsibility model, and just
3:49
the provider offering a non-multifactor
3:51
authentication option in order to protect
3:53
that critical data doesn't necessarily mean
3:56
that you should take them up
3:58
on it, but probably opt
4:01
for the multi-factor or
4:03
if possible the phishing
4:05
resistant version of authentication.
4:10
And talking about AI and
4:12
credentials, HuggingFace did
4:14
publish an advisory that it believes
4:17
the Spaces platform, in
4:19
particular Spaces secrets, may
4:22
have been leaked. I
4:24
mentioned HuggingFace before. They offer
4:27
essentially a place to exchange
4:29
machine learning models, but also
4:31
this Spaces feature, which allows
4:34
you to run models within
4:36
HuggingFace's resources, which is essentially
4:38
sort of a container serverless
4:41
solution. That
4:43
particular solution has had some issues
4:46
in the past where they
4:48
had some leaks across a
4:50
tenant in their Spaces platform,
4:52
and this looks like another
4:54
sort of instance of this. In
4:56
particular, critical here, Spaces secrets
4:59
are the authentication tokens that
5:01
you're using in order to
5:03
communicate and authenticate yourself with
5:06
Spaces. So HuggingFace does
5:08
suggest that you probably do
5:10
want to revoke these if
5:13
that hasn't already been done,
5:15
and they did notify users via
5:17
email if they believe
5:20
that their credentials were affected.
5:23
Well, that's it for today.
5:25
Thanks for listening. Thanks for
5:28
subscribing. Thanks for liking. Thanks
5:30
for telling others about this
5:32
podcast and talk to you
5:34
again on Monday. Bye.