SANS Stormcast Thursday, April 24th: Honeypot iptables Maintenance; XRPL.js Compromise; Erlang/OTP SSH Vuln affecting Cisco

April 23, 2025

SANS Stormcast Thursday, April 24th: Honeypot iptables Maintenance; XRPL.js Compromise; Erlang/OTP SSH Vuln affecting Cisco

Episode Transcript

Honeypot Iptables Maintenance and DShield-SIEM Logging
In this diary, Jesse is talking about some of the tasks to maintain a honeypot, like keeping filebeats up to date and adjusting configurations in case your dynamic IP address changes
https://isc.sans.edu/diary/Honeypot%20Iptables%20Maintenance%20and%20DShield-SIEM%20Logging/31876
XRPL.js Compromised
An unknown actor was able to push malicious updates of the XRPL.js library to NPM. The library is officially recommended for writing Riple (RPL) cryptocurrency code. The malicious library exfiltrated secret keys to the attacker
https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor
https://github.com/XRPLF/xrpl.js/security/advisories/GHSA-33qr-m49q-rxfx
Cisco Equipment Affected by Erlang/OTP SSH Vulnerability
Cisco published an advisory explaining which of its products are affected by the critical Erlang/OTP SSH library vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy

News Tech News Technology

Show Transcript

See full episode transcriptTranscript is autogenerated by AI

Hello and welcome to the Thursday, April 24th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. Jesse and Guy have been maintaining part of our DeShield honeypot, in particular the seam component. The SIEM component is an optional add-on that you can install for your honeypot to give you a local dashboard of what's going on with your honeypot and what attacks you're seeing and some graphic representations of that. Now, keeping all that system up to date and maintained can be a little bit tricky at times. So, Jesse did publish a diary summarizing some of his learnings about how to maintain the honeypot. For example, how to update your firewall rules, your IP table rules, automatically to reflect a dynamic IP address. One thing we're doing as part of the honeypot is we only allow access to the admin port, the actual SSH port, from very specific IP addresses. Typically, from IP addresses inside your own network. And then also only log attacks coming from outside of your own network. That may need some tweaking if your IP address gets updated. And as a result, Jesse is sort of summarizing what he had to do in order to get that all working and set up properly. The other thing that Jesse did illustrate is how to update the file beats component. Now, the SIEM, and again, that's an add-on, doesn't come sort of by default with the honeypot. But it uses the usual elk stack, Elasticsearch, Logstash, Kibana. Of course, as part of that, you need to be able to feed your logs into Elasticsearch, which we use file beats for. And that needs to be in sync with the versions of the related components that were installed otherwise. So that's what this diary was about. Take a look. If you are already running a honeypot, well, that dashboard may be a nice addition. You need a little bit beefier, like a more recent Raspberry Pi or maybe Virtual Machine or something like this to run the full SIEM. On the older Raspberry Pis, you may not have enough horsepower. And we have yet another NPM issue here. And Aikido, a software security company, did find on Monday that the official recommended NPM library used to deal with the Ripple cryptocurrency. The XRPL library had been compromised. They identified for some suspicious behavior by multiple versions being released to NPM in short succession without actually finding the related versions then on the official GitHub repository. So it looks like only the NPM part was compromised, not the GitHub repository itself. And, well, of course, there was malicious code added here. This malicious code exfiltrates private keys for your wallets as they're exposed to this library. At this point, I haven't really seen sort of an obvious official kind of statement as to what exactly happened, how the NPM part here was compromised. I suspect it was either phishing or maybe some stupid weak credential. Nevertheless, this is a huge problem. The multiple versions, as I said, were compromised. All of them released on Monday or shortly before that. So definitely, if you are working on code using Ripple as a cryptocurrency, make sure that you didn't get exposed to this malicious library. And if you did get exposed, you must change your private keys. And Cisco now released an advisory regarding the Erlang OTP SSH library vulnerability. I mentioned it already a couple times before, starting Friday. This particular vulnerability, again, became officially known on April 16th. Since then, public and easy-to-use exploit has been released that gains you arbitrary command execution on any Erlang OTP SSH server that does use this vulnerable library. Several Cisco products are affected. And again, the OTP stands for the Open Telecom Platform. So that's sort of where you likely are going to find SSH servers written in Erlang that are vulnerable. And of course, Cisco is heavily invested in the telecom market, which is why they are also exposed to this particular issue. You must patch this quickly and at this point also assume compromise, even though I haven't really heard anything official about the vulnerability being exploited. But it's so easy to exploit at this point that it would just be negligent not to believe someone is already playing with it. Well, and that's it for today. Thanks for listening. Thanks for liking and recommending and subscribing to this podcast. And talk to you again tomorrow. Bye. Bye.

Digital Dispatch Podcast Podcast Artwork Image

SANS Daily Stormcast

Johannes Ullrich