ISC StormCast for Monday, June 3rd, 2024

Released Monday, 3rd June 2024

Episode Transcript

0:00

Hello and welcome to the Monday, June 3rd, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida.

0:14

Xavier came across an interesting little info-stealer written in Python. Now, this info-stealer appears to be targeting Windows, and, well, it also uses a somewhat odd way to exfiltrate the data: gofile.io. Actually, a bit surprised we haven't seen gofile.io earlier; it probably has been used for a while, we just didn't notice it. It's one of those sites where you're able to upload data to, and with a free account you are limited in how much you can upload and how long the data is being kept at gofile, but it's sufficient for the needs of your average info-stealer. This info-stealer is looking for passwords. It's not just looking for specific files; instead it has a list of words, things like password, login, secret, and whenever it finds a file that contains these particular words, well, it considers it a password file and attempts to exfiltrate the data. In addition, it also goes for specific crypto coin wallets. Xavier is calling this particular info-stealer Kiwi, and the i here is replaced with the number 1, because that's a string that is present in a number of locations, kind of identifying this particular info-stealer.

1:41

Talking about malware, Kaspersky has released a tool, for free, that should help you look for malware, specifically on Linux systems. They call it the Kaspersky Virus Removal Tool, or KVRT. It's a simple signature-based tool. So this is something that you run once. If you are a little bit suspicious about a system, maybe you find a system that was in your inventory and you want to take a quick look at it, get sort of a first quick triage out of it. There are multiple other tools like this around, but this is sort of one area where you always kind of want to give the latest, greatest tool a try because, well, with all these signature-based tools, the more accurate and the more current your signatures are, the better the tool.

2:33

And on Friday, security company Hudson Rock did publish a blog post suggesting that Snowflake may have been compromised. Snowflake is an AI training company, essentially uploading your data into their cloud and they will use their resources to do training on that data. Of course, a great service, for example, if you don't want to buy a bunch of GPUs and such yourself. But with that, of course, Snowflake also holds a lot of highly proprietary data, which made this potential breach highly critical. Well, since then Snowflake has stated that they themselves have not been breached. But what apparently happened, according to Snowflake, is that a number of their customers were breached because they did not enable two-factor authentication and their passwords had been leaked in other breaches. So classic credential stuffing. I think that's a good reminder that whenever you do upload confidential data into someone else's cloud, be highly aware of that shared responsibility model, and just the provider offering a non-multi-factor authentication option in order to protect that critical data doesn't necessarily mean that you should take them up on it, but probably opt for the multi-factor or, if possible, the phishing-resistant version of authentication.

4:10

And talking about AI and credentials, HuggingFace did publish an advisory that it believes the Spaces platform, in particular Spaces secrets, may have been leaked. I mentioned HuggingFace before; they offer essentially a place to exchange machine learning models, but also this Spaces feature, which allows you to run models within HuggingFace's resources, which is essentially sort of a container/serverless solution. That particular solution has had some issues in the past where they had some leaks across tenants in their Spaces platform, and this looks like another sort of instance of this. In particular, critical here: Spaces secrets are the authentication tokens that you're using in order to communicate and authenticate yourself with Spaces. So HuggingFace does suggest that you probably do want to revoke these if this hasn't already been done, and they did notify users via email if they believe that their credentials were affected.

5:23

Well, that's it for today. Thanks for listening. Thanks for subscribing. Thanks for liking. Thanks for telling others about this podcast, and talk to you again on Monday. Bye.