Hello and welcome to the Thursday, March 6, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Baltimore, Maryland.

Guy has done an amazing job with our DShield Honeypot, allowing you to run a Kibana interface, with all the data being stored in Elasticsearch, and with that making the data that your honeypot collects much more approachable. Now, there is sadly always a lot of data. Well, sadly or not so sad, depending on how you look at it. But Guy today wrote a diary, walking you a little bit through how to better get a handle on the data and find events of interest, to better understand what attackers are up to with your honeypot and, well, learn from it. Interesting blog post and, yes, if you do want to run the DShield Honeypot, please do so. We always like your data, and with the ELK interface, well, it also becomes much more interesting for you to actually look at the data. You may need a little bit more powerful system than just sort of your basic Raspberry Pi in order to run all of this.

The Google Bug Hunter team today released a lot of details, including working exploit code, for a vulnerability that AMD patched a month ago. This vulnerability allows you to essentially update the microcode in your CPU. The microcode is routinely updated, and it's often delivered with operating system updates; Microsoft, Linux updates and such include new microcode for your CPU. But this update is supposed to be cryptographically signed. The problem with AMD's implementation of this update procedure was that the hash function that they used, well, wasn't really as secure as it should be for this application. The patch a month ago did update it with a new proprietary hash function that appears to at least solve this problem. And with that now, Google did release the details about this vulnerability, which would essentially allow you to jailbreak your CPU. Remember, sort of the little demo that was released a month ago did essentially tell the CPU to always produce the same random number if you're using the CPU's random number generator. This is just sort of a little proof-of-concept demo. But with the additional code released today and such, well, it's really up to the attacker's creativity what they would like your CPU to do. So definitely make sure that you are patching this issue. It's not necessarily something that's easy to patch. But the new details released today may make it easier also to check if your CPU has been updated.

And then we have a critical security update for the popular Linux editor Vim. Or maybe not so popular if you never figured out how to exit Vim. This update fixes a recently added feature in Vim. Sort of one of those things. You always think of Vim as a relatively straightforward, simple editor. But it does have a ton of features. One of the features is to actually easily open and then edit files that are inside a tar file. The problem here is that Vim, as it's opening these files from the tar archive, is not properly verifying and validating the file names in the tar archive. And that can then lead to code execution. So you still would need to trick a Linux user into opening a file that you're providing them. But then again, they may consider Vim safe, which of course it is not. That's why we have this update to Vim. And the sort of appearance of Vim being simple and safe may make it actually easier to trick an administrator into opening a file in Vim than it is to open a file in Word or Acrobat Reader.

And then GuidePoint Security ran into a real, a little bit weird and interesting twist on ransomware. Turns out there is a group that claims to be the BianLian ransomware group, or associated with it, that actually sends regular postal mail to company executives, threatening them with leaking data that they stole if they're not paying up a ransom. Apparently, these letters are completely fake. So the attacker did not steal any data from you. They just hope, well, to actually still get money. And I think one of the ideas here is that by directly addressing these letters to executives, who may not necessarily see a lot of the sort of news about this ransomware group, they may bypass some of the more technical people in the company that would spot something like this as fake. At least that's my take on it; no idea how successful this campaign is. And again, the letters are probably not related to the actual BianLian ransomware group. They're just some copycats that tend to have a new twist on this scare. In the past, sadly, these fake ransomware notes have been somewhat successful. I remember from a few years ago where 30% of the recipients of emails and such claiming to come from ransomware groups have actually paid up.

Well, that's it for today. Thanks for listening. And as usual, please subscribe. We are also available via Alexa and on various other podcast platforms. YouTube also, if you're enjoying a video version of this podcast. Thanks and talk to you again tomorrow. Bye.