Hello and welcome to the Tuesday, May 6, 2025 edition
of the SANS and Night Storm Center's Stormcast. My name is
Johannes Ulrich and today I am recording from San Diego,
California. In diaries today, well, I saw some initial
attacks against Samsung's Magic Info CMS. This is a
somewhat defunct, not quite a really sort of maintained
piece of software anymore. But last August Samsung did
release a patch for it, fixing an arbitrary file upload
vulnerability that then can lead to remote code execution.
This particular vulnerability was not really noticed much,
part probably because of the very sort of short sort of one
-liner that Samsung published about it. Last week,
Cybersecurity Info did cite some research reports. Sadly,
I didn't see a link to the actual research report or any
more attribution to it. But this particular article about
the research report did quote it, noting a particular URL
that's being used to upload these files and then also some
additional details about the vulnerability. Well, a couple
days later, we started seeing some actual exploit attempts.
These exploit attempts appear to be coming from what's sort
of often described still as Mirai, basically a botnet that
does exploit various vulnerabilities, often of
course IoT style vulnerabilities. This I would
definitely not necessarily sort of call an IoT style
vulnerability. It is more a server component used to
basically manage content. That's what CMS content
management servers are doing. Not really sure how successful
these exploit are, but they sort of follow very much the
standard pattern where the initial upload uses a number
of different ways like TFTP, WGET, CURL, FTP and such to
download the second stage. The second stage is then the
typical shell script that lists the next download that
attempts to download the actual Mirai bot for various
architectures. Actually, very extensive list in this
particular version. And then, well, they basically just
trial and run and whatever version they get to run. Well,
then try to find additional victims. It's very well
recognized by VirusTotal, so definitely not a new threat.
I'm obviously a bit careful characterizing stuff like
this, Cilis Mirai. Yes, they probably still share some of
the original Mirai code, but that has been worked on,
changed, updated so many times now. So many vulnerabilities
have been added by various actors to be exploited by
these botnets. But ultimately, they still don't really do
anything different than the original Mirai bot. Anyway, if
you're running any of these Samsung match again for nine
CMSs. So make sure they're patched. Like I said, the
patch was released last August, but not really
advertised much. So it may be easy to miss this particular
patch. And if you're a user of Kali Linux, be aware that Kali
Linux lost access to their original signing key. What
this means is that they had to create a new signing key for
any packages used by Kali Linux. And as a result, well,
you may get some signature verification failures if
you're trying to update Kali Linux. They don't specify how
or why the key was lost. It could be as easy as them,
well, basically losing a hard drive. The key was stored on
not having a proper backup. They specifically state that
the key was not compromised. So any packages that you have
from before the key was lost that are signed by this
original key should still be considered trusted. But the
problem is since basically the key was lost before they were
able to push a new replacement key, you now have to do so
manually and manually mark that key as trusted, that new
key in order to validate any future packages. This is
mostly a problem if you're automatically updating your
system. One possible solution that they recommend is just to
rebuild the system from scratch. If you're downloading
Kali Linux now from the official website, well, you'll
get the new keys already preinstalled on the image. Not
a great thing to happen. But well, stuff happens. And good
reminder to always keep multiple backups and if
possible, also just a simple printed copy of any key keys
for critical issues like this. And researchers at Microsoft
published a blog warning of default configurations
commonly deployed in popular Kubernetes Helm charts. Helm
is a packet manager for Kubernetes. And Helm charts
are essentially scripts that you're using to deploy
applications. So all the necessary packages are being
installed and the application is completely installed and
configured in your Kubernetes cluster. But as so often, many
of the default settings in these Helm charts aren't
necessarily appropriate. In particular, they're exposing
ports. They're not necessarily configuring the system
securely, including often missing passwords. If you are
using Helm charts, definitely read the article, and then
read the article. And you'll be aware of some of these
issues. So you can then fix up the configurations and make
sure that they are secure. Well, that's it for today in
San Diego on Tuesday evening. I'll actually give a talk
about some of the developer supply chain risks. If you
happen to be here at the event, welcome to attend. If
you just happen to be in the area, send me a message if
you're interested. I may be able to get a couple of people
in here. So that's it for today and talk to you again
tomorrow. Bye.
