GreyNoise Storm⚡️Watch is a weekly podcast and livestream hosted by GreyNoise Intelligence (https://www.greynoise.io), a cybersecurity company that focuses on understanding internet noise. The show features hosts boB Rudis, Emily Austin, Himaja Motheram, Glenn Thorpe, and other guests discussing various cybersecurity topics and internet exploitation trends. The goal of the show is to provide insights and updates on cybersecurity issues, helping viewers stay informed about the latest threats and developments in the field.
Forecast: Glazed skies with Krispy breaches ahead! Holiday phishing flurries, fatigue fog, and scattered Clop showers roll in, with vulnerability storms on the horizon.
On this week's episode of Storm⚡️Watch, we dive into our latest cybersecurity poll results, which revealed fascinating insights about holiday season security concerns. End-of-year tech fatigue emerged as the primary worry among respondents at 38%, while increased phishing scams followed at 34%. Holiday staffing gaps garnered 24% of responses, and supply chain threats rounded out the concerns at 14%.
The cybersecurity world got a sweet taste of chaos this week with Krispy Kreme's cybersecurity incident making headlines. The famous doughnut maker faced disruptions to their online ordering system, leading to a flurry of creative headlines across the media landscape that couldn't resist playing with doughnut-themed puns while covering this serious security breach.
We'll explore the latest insights from Censys's 2024 State of the Internet Report, offering a comprehensive look at the current digital landscape. The conversation then shifts to recent developments in the ransomware scene, specifically examining the Clop ransomware group's claimed responsibility for the Cleo data theft attacks.
The show rounds out with an analysis of VulnCheck's latest research, covering exploitation detection through Initial Access Intelligence, an examination of the Common Vulnerability Scoring System (CVSS), and a deep look into active Command and Control (C2) servers. These technical insights provide valuable context for understanding current cyber threats and defensive strategies.
Forecast: Visibility is low with a 43% chance of extended response times. Heavy downpours of healthcare vulnerabilities dominate, with brief breaks of exploit intelligence.
In this week's episode of GreyNoise Storm⚡️Watch, we kick things off with our regular roundtable introductions before diving into some intriguing poll results about cybersecurity metrics. The community weighed in heavily on what drives action in their organizations, with Mean Time to Respond leading the pack at 43% of votes, followed by Mean Time to Detect at 28%. Notably, system patching status came in third at 26%, while the tongue-in-cheek option about whiskey levels in the team liquor cabinet garnered a surprising 13% of responses.
The crew then gathers round the Festivus pole to channel their inner George Costanzas as they each air their grievances — cyber and possibly otherwise — from the past year. So many things were busted in 2024 that we're shocked we kept the episode under four hours.
The episode features a crucial discussion on practical OPSEC fundamentals, particularly focusing on executive protection challenges. We explore how predictable movement patterns and excessive public information exposure can create security vulnerabilities. The conversation covers everything from website vulnerabilities to social media risks, emphasizing the importance of consistent security protocols and information control strategies.
Healthcare cybersecurity takes center stage as we discuss recent research presented at the Health-ISAC Fall Americas Summit, courtesy of our friends at Censys. We also dig into VulnCheck's comprehensive analysis of Known Exploited Vulnerabilities for 2024, along with essential insights on exploit intelligence and vulnerability prioritization.
The show wraps up with a look at the results of platform improvements since GreyNoise's "Greyt Migreytion".
Forecast: Strong vulnerability management systems roll in, with scattered threat hunting ahead. Brace for ProjectSend exploits and turbulence near Kansas City.
In this episode of Storm⚡️Watch, we explore crucial cybersecurity trends and breaking developments across the industry. Our recent community poll revealed fascinating insights into resource allocation priorities, with Vulnerability Management and Patching emerging as the clear frontrunner, chosen by half of respondents. Threat Intelligence and Hunting secured the second spot with 27.3% of votes, while Security Awareness and Incident Response capabilities tied for third place.
Breaking news from Kansas City highlights a significant cybersecurity incident with a federal indictment for computer hacking, demonstrating the ongoing challenges in cybercrime enforcement. Meanwhile, the cybersecurity community continues to experience shifts in social media dynamics, particularly noting the ongoing migration of cyber professionals from X (formerly Twitter) to alternative platforms.
Censys has made waves with their latest release of Censeye, an innovative automated hunting tool now available to the security community. This development arrives alongside VulnCheck's critical discovery of CVE-2024-11680, a ProjectSend vulnerability currently being exploited in the wild, emphasizing the importance of rapid threat detection and response.
The GreyNoise team shares exciting news about "The Greyt Migreytion," heralding the rollout of their new global observation grid, a game-changing advancement in threat detection and response.
Forecast: Stormy skies with APT28's Wi-Fi exploits and rough seas in the Baltics as undersea cables are mysteriously cut.
In this episode of Storm⚡️Watch, we review the fascinating poll results that reveal communication with non-technical leaders as the most undervalued skill in modern security, garnering 220 votes across three social media platforms and significantly outpacing other critical abilities like incident report writing, OSINT, and threat hunting.
The crew then examines a groundbreaking cyber attack technique dubbed the "Nearest Neighbor Attack," executed by Russian APT28. This sophisticated operation allowed attackers to breach a U.S. organization's network by exploiting nearby Wi-Fi networks through a series of calculated steps, including password spraying and compromising adjacent organizations. The attack, occurring just before Russia's invasion of Ukraine, showcases a novel vector that combines the advantages of physical proximity with remote operation capabilities.
Maritime security takes center stage as we explore two major undersea cable cuts in the Baltic Sea this November. The BSC East-West Interlink between Sweden and Lithuania and the C-Lion1 connecting Finland and Germany were severed, causing notable network latency increases. A Chinese vessel, Yi Peng 3, has drawn attention in the investigation, with German Defense Minister Boris Pistorius suggesting these incidents were deliberate hybrid actions rather than accidents.
We round out the episode with updates from our respective organizations, including Censys's 2024 State of the Internet Report, VulnCheck's analysis of CISA's top exploited vulnerabilities, and GreyNoise's latest insights on critical infrastructure risks and technical challenges involving null bytes.
Forecast: High pressure systems of infrastructure attacks continue to build over U.S. utilities with scattered exploitation attempts, while the vulnerability forecast shows increasing cloudiness around CPE data availability.
In today's episode, we're diving into network fingerprinting and vulnerability management with some fascinating developments in the cybersecurity landscape. Our featured guest is John Althouse, the creator of JA4+, who has developed an innovative suite of network fingerprinting methods that's making waves in threat detection. JA4+ builds on previous fingerprinting techniques but takes things further with human-readable formats and enhanced detection capabilities.
John's work comes at a critical time, as we've seen an uptick in zero-day exploits targeting enterprise networks throughout 2023. The latest CISA report highlights how threat actors are becoming more sophisticated in their approaches, particularly in exploiting vulnerabilities before patches can be deployed.
Speaking of vulnerabilities, we've got some concerning news about critical infrastructure security. Recent findings have exposed potential vulnerabilities in around 300 U.S. drinking water systems, highlighting the ongoing challenges in protecting our essential services. This ties directly into the importance of tools like JA4+ for detecting and preventing unauthorized access to critical systems.
We're also discussing an interesting development in vulnerability management - VulnCheck's NVD++ initiative. They're outpacing NIST's National Vulnerability Database by providing CPE data for nearly 77% of CVEs published in 2024, compared to NIST's 41%. This is particularly relevant given the recent disruption in CPE data availability from the NVD.
Throughout our conversation, we'll explore how these developments intersect and what they mean for the future of cybersecurity, especially in protecting critical infrastructure and managing vulnerabilities effectively. John's insights on JA4+ and its applications in real-world threat detection scenarios are particularly valuable as organizations face increasingly sophisticated cyber threats.
Forecast: CYBER WEATHER ALERT | Volt Typhoon bringing sustained APT activity across the Pacific Rim. Expect persistent perimeter probing with a 100% chance of state-sponsored shenanigans. Pack your EDR umbrella!
This week's episode tackles a disturbing story from Disney World where a terminated employee allegedly hacked into their menu system to alter critical peanut allergy information. We dig into the attack details then don our tin-foil hats to explore the potential real-world consequences of malicious insider threats.
We're excited to share Sophos' latest research on Pacific Rim, an extensive investigation into nation-state adversaries targeting edge devices. We home in on this event through the filter of GreyNoise's analysis of these multi-year APT campaigns, and show you live threat data through the GreyNoise Visualizer to demonstrate the ongoing nature of these attacks.
VulnCheck brings us two fascinating pieces - a deep examination of ABB vulnerabilities affecting industrial control systems, and an innovative new command-and-control feature called ShellTunnel in the go-exploit framework.
GreyNoise has been especially busy, uncovering zero-day vulnerabilities in live streaming cameras using AI assistance. We'll discuss their technical breakdown of CVE-2024-8956 and CVE-2024-8957, which CISA just added to their Known Exploited Vulnerabilities catalog. The October NoiseLetter is out with the latest threat intelligence insights, and don't miss upcoming events including the Quarterly Roadmap Showcase and a special webinar on discovering zero-days with AI.
Forecast = Expect severe disruptions in transit security, with a chance of clearer skies as the White House pushes for smoother collaboration with cybersecurity researchers.
Transport for London’s Cybersecurity Crisis
Transport for London (TfL) has found itself in a cybersecurity “trainwreck,” facing a range of vulnerabilities and management issues that have exposed its infrastructure to significant risk. An investigation reveals a series of failures, from outdated systems to neglected security protocols, painting a chaotic picture of public infrastructure’s readiness against cyber threats. With passengers’ data and critical operations potentially at stake, this story highlights the growing urgency for improved cybersecurity measures in public sector systems.
White House Endorsement of Cybersecurity Researcher Collaboration
In a significant policy shift, the White House has endorsed a more collaborative approach with cybersecurity researchers, aiming to bolster national defenses against growing cyber threats. This endorsement includes support for responsible disclosure practices and partnerships that could help expedite vulnerability identification and mitigation across industries. By actively promoting collaboration, the administration signals a move toward a more unified and proactive stance on national cybersecurity, recognizing the essential role of researchers in safeguarding critical infrastructure and public safety.
CVE’s 25th Anniversary Report
Celebrating 25 years, the Common Vulnerabilities and Exposures (CVE) program reflects on its progress in tracking and cataloging cybersecurity threats, becoming a cornerstone in the fight against vulnerabilities. The anniversary report not only emphasizes milestones in vulnerability identification and mitigation but also considers how the program must evolve to meet emerging challenges as cyber threats grow more sophisticated. With an eye on improving its database and keeping pace with the expanding threat landscape, CVE aims to continue being an essential resource for the cybersecurity community.
CVE-2024-47575 Vulnerability as Flagged by Censys
Censys has flagged CVE-2024-47575 as a serious vulnerability affecting systems reliant on outdated cryptographic protocols, specifically impacting certain SSL/TLS implementations. This vulnerability poses a risk to data integrity and confidentiality, enabling potential attackers to intercept or alter sensitive information in transit. The case of CVE-2024-47575 underscores the need for organizations to update and secure their cryptographic practices to avoid exposure to similar vulnerabilities.
Forecast = Turbulent conditions persist as major platforms face relentless attacks, with data breaches and DDoS storms threatening critical infrastructure and digital archives
In this episode of Storm⚡️Watch, we wade into several significant cybersecurity incidents and updates. First, the American Water attack has raised concerns about the vulnerability of critical infrastructure, with potential implications for military services and water supply systems across the United States. We'll explore the details of this cyberattack and its broader impact on national security.
The Internet Archive, a vital resource for digital preservation, has been facing a series of relentless attacks. We'll discuss the ongoing distributed denial-of-service (DDoS) attacks that have disrupted services, as well as a major data breach affecting 31 million users. Our conversation will cover the challenges of protecting such a vast repository of information and the potential motivations behind these persistent assaults on the "Wayback Machine" and other Archive services.
On the tools and intelligence front, we'll highlight Censys' new CVE search feature, which promises to enhance vulnerability management for security professionals. We'll also discuss GreyNoise's latest analysis of Russian cyber threats, revealing that 9 out of 12 vulnerabilities tracked by GreyNoise from a recent U.S. and UK advisory are currently being actively probed. Additionally, we'll touch on GreyNoise's upcoming Quarterly Roadmap Showcase, offering listeners a glimpse into future developments.
Lastly, we'll examine the recently disclosed ScienceLogic vulnerability, which has been added to CISA's Known Exploited Vulnerabilities catalog. This zero-day flaw has been linked to a breach at Rackspace, underscoring the critical nature of prompt patching and the ongoing challenges in securing third-party utilities. Join us as we break down these crucial cybersecurity stories and their implications for the digital world.
Forecast = Healthcare and telecom under stormy skies—watch for cyber squalls and gusts of disinformation
In this episode of Storm⚡️Watch, we dive into the world of cybersecurity with a focus on healthcare and telecommunications. We kick things off with a look at the current state of Internet of Healthcare Things (IoHT) exposures on public-facing networks. A recent study by Censys revealed some alarming findings about the security of DICOM servers, which are used for storing and transmitting medical images. With over 3,800 publicly exposed servers and data from 59 million patients at risk, it's clear that the healthcare industry needs to step up its cybersecurity game.
We then shift gears to discuss a major cybersecurity incident involving Chinese hackers who managed to compromise wiretap systems of major U.S. telecom and internet providers. This breach is directly linked to the Communications Assistance for Law Enforcement Act (CALEA), a 30-year-old federal law that has long been criticized by security experts. The incident raises important questions about the balance between government surveillance needs and cybersecurity concerns.
For those interested in staying up-to-date with the latest vulnerability intelligence, we highlight recent blog posts from VulnCheck, including their KEV Report and Initial Access Intelligence for September 2024. We also touch on GreyNoise's latest blog post about protecting democracy from the growing threat of deepfakes and disinformation.
As always, we wrap up the episode with our "We Need to Talk About KEV" segment, where we discuss the latest additions to CISA's Known Exploited Vulnerabilities catalog. This roundup helps listeners stay informed about the most critical vulnerabilities that require immediate attention.
Forecast = 50% chance of unexpected software installations followed by scattered UDP packet sprays.
In this episode of Storm⚡️Watch, we follow up on the intriguing 'Noise Storms' that had the cybersecurity community buzzing. Security researcher David Schuetz has made some fascinating discoveries about these mysterious ping packets flooding the internet. His investigation, detailed at darthnull.org/noisestorms/, takes us on a journey through packet analysis, timestamp decoding, and network protocol deep-dives, offering new perspectives on the potential origins of those enigmatic 'LOVE' packets.
Our Cyberside Chat segment dives into the recent CUPS daemon vulnerability, exploring the implications of this daft uncoordinated disclosure. We'll break down the details provided by Censys in their analysis of the Common Unix Printing Service vulnerabilities.
In our Cyber Focus segment, we discuss the surprising news about Kaspersky antivirus software deleting itself and installing UltraAV and other bits of code without warnings.
We'll also highlight some recent blog posts from Censys, VulnCheck, and GreyNoise. These articles cover topics ranging from Fox Kitten infrastructure analysis to securing internet-exposed industrial control systems, and even delve into phishing tactics targeting election security.
Our "We Need to Talk About KEV" segment rounds up the latest additions to CISA's Known Exploited Vulnerabilities catalog, keeping you informed about the most critical security issues to address.
Forecast = Expect heavy BTLE storms with a high chance of UUID leaks. Pack your Faraday umbrellas and watch out for rogue packets raining from the cloud.
On this episode of Storm⚡️Watch, we're diving into some major cybersecurity developments that have been making waves. We'll start by unpacking the ongoing saga of the Columbus, Ohio cyberattack, which has turned into a complex web of legal battles, data leaks, and questions about municipal cybersecurity preparedness. We'll explore how this incident is affecting the city's tech aspirations and what it means for residents' data security.
Next, we're excited to bring you our Cyberside Chat, where we'll be discussing a fascinating topic: BLUUID. We'll explore how Bluetooth vulnerabilities are impacting everything from insulin pumps to firewalls. We'll break down the technical details of extracting BTLE UUIDs from Android APK files and how this process can be used to identify devices. We'll also delve into some serious vulnerabilities discovered in Firewalla firewall products, including potential remote code execution risks.
As always, we'll be sharing some of our recent work in the cybersecurity field. We've got some intriguing analyses from Censys, including a deep dive into Fox Kitten infrastructure and a challenging look at securing internet-exposed industrial control systems. VulnCheck has been busy too, with a new blog post about the Flax Typhoon botnet. And don't miss our GreyNoise blog, where we're questioning assumptions about ICS security.
We'll wrap up with our regular "We Need to Talk About KEV" segment, where we'll round up the latest additions to CISA's Known Exploited Vulnerabilities catalog. It's a packed episode that you won't want to miss, so tune in to stay on top of the latest in the world of cybersecurity.
On this episode, we're joined by GreyNoise Founder and Chief Architect, Andrew Morris, to take a ride in the Mystery Mobile to discover a hidden message buried in the payloads of over two million mis-directed ICMP packets.
Along the way, we discuss the history of "noise storms" seen through the lens of GreyNoise's planetary-scale network of internet sensors, talk about some other, recent mega-storms, then don our bestest tin-foil hats to conspiracy theorize who sent this encoded message and why.
Forecast - Digital Disturbance Advisory!
Subscribe to Storm⚡️Watch - https://stormwatch.ing
Forecast - A volatile storm is brewing with lightning strikes of intrigue and clouds of legal turbulence on the horizon.
In this episode of GreyNoise Storm⚡️Watch, we kick things off with intros and roundtable discussion before diving into the exciting news and discussion. Notably, Bob and Glenn are absent.
In our Cyberside Chat segment, we discuss ransomware. First, we'll discuss how the US government has issued an advisory on the RansomHub ransomware group, which is believed to be responsible for a cyberattack on oil giant Halliburton. RansomHub is believed to have targeted at least 210 victims across various critical infrastructure sectors since February 2024. Then we'll examine the controversial legal battle unfolding in Columbus, Ohio. The city has taken the unusual step of suing security researcher David Leroy Ross after he publicly contradicted official statements about a recent ransomware attack.
Then we'll shift gears to explore the discovery of a sophisticated espionage campaign dubbed "Voldemort," uncovered by Proofpoint researchers in August 2024. This custom malware, impersonating tax authorities across multiple countries, has targeted numerous organizations worldwide using innovative techniques.
In our Shameless Self-Promotion segment, we highlight Emily and Glenn's involvement in Labscon, as well as some recent Censys advisories.
Forecast: High pressure system over Georgia Tech as DOJ storm rolls in. SolarWinds experiencing unexpected credential precipitation.
This episode features the DOJ hot takes on Georgia Tech, SolarWinds dropping the ball (again), and why Keanu Reeves may want to re-think some of his recent life choices. Plus, we're decoding the latest KEV advisory. Tune in for our usual no-holds-barred analyses and commentary.
Cyberside Chat
A major legal action by the U.S. Department of Justice targets Georgia Tech and its research corporation over alleged cybersecurity violations. The case underscores the critical importance of cybersecurity compliance, even for prestigious academic institutions.
Cyber Spotlight: Blooper Reel
Keanu Reeves' involvement in a Palo Alto Networks AI security campaign raises questions about celebrity endorsements in tech. SolarWinds faces scrutiny after a recent credential leak in a hotfix for their Web Help Desk product, highlighting the risks of rushed patches. Additionally, a critical authentication flaw in DiCal-RED illustrates the ongoing challenge of securing essential software functions.
Shameless Self-Promotion
A roundup of the latest tags from the GreyNoise Visualizer and a deep dive into the KEV (Known Exploited Vulnerabilities) Roundup, with special attention on CVE-2024-39717, a Versa Director vulnerability that has stirred controversy due to its rapid addition to the KEV catalog despite limited public information on its exploitation.
Forecast = Expect partly cloudy skies with a high chance of old vulnerabilities resurfacing - don't forget your patch umbrella (or lamp shade)!
What's old is new, again, in this episode of Storm⚡️Watch, as we explore the "0.0.0.0 Day" vulnerability, a critical flaw affecting major web browsers like Chrome, Firefox, and Safari. This vulnerability allows malicious websites to bypass browser security mechanisms and potentially gain unauthorized access to local services. We break down the technical details, real-world implications, and the responses from browser developers to this threat.
Next, we shed light on a 2017 vulnerability still affecting over 20,000 Ubiquiti devices, including cameras and routers. This issue exposes these devices to amplification attacks and privacy risks due to custom privileged processes on specific network ports. We discuss the discovery protocol, the types of information exposed, and provide practical mitigation strategies for users and administrators of Ubiquiti equipment.
In our Cyber Spotlight segment, we cover the National Public Data (NPD) breach, a massive cybersecurity incident that has exposed sensitive personal information of millions of individuals. We take a look at the scope of the breach, the data that was leaked and put up for sale, and the analysis provided by cybersecurity expert Troy Hunt. The implications of this breach are far-reaching, highlighting ongoing concerns in the data broker industry and the potential for long-term impacts on affected individuals.
We wrap up the episode with our regular segments, including a look at recent tags from the GreyNoise visualization tool and a roundup of the latest additions to CISA's Known Exploited Vulnerabilities catalog. As always, we encourage our listeners to stay informed and implement necessary security measures to protect themselves in this ever-evolving cyber landscape.
On this episode the crew kicks things off with a "Thorns and Roses" segment, sharing their experiences from the recent Black Hat, DEF CON, and BSides conferences.
Next, they dive into the world of internet-connected industrial control systems, exploring the findings from a recent Censys research report that sheds light on the vulnerabilities and risks associated with these critical systems.
The spotlight then turns to StormBamboo, a sophisticated threat actor that's been making waves in the cybersecurity community. The team breaks down how this group compromised an internet service provider to conduct DNS poisoning attacks and exploit insecure software update mechanisms. They discuss the implications of this attack, including the deployment of malware families like MACMA and POCOSTICK/MGBot, and the use of a malicious Chrome extension called RELOADEXT.
Moving on, the hosts share insights from their recent work, including a look at state of exploitation in the first half of 2024 and fresh perspectives on vulnerability prioritization. They emphasize the importance of keeping vulnerability intelligence up-to-date and introduce GreyNoise's new offerings for vulnerability management teams.
The episode wraps up with a look at the latest tags from GreyNoise's visualization tool and a roundup of the most recent additions to CISA's Known Exploited Vulnerabilities catalog.
Forecast = Stormy skies ahead as ICS vulnerabilities rain down and foreign threat actors flood ISPs, with a high chance of KEV alerts and a 100% probability of cybersecurity drama!
Forecast = Persistent cyber heat dome in effect with no sign of abatement.
In this episode of Storm⚡️Watch, we dive into the latest cybersecurity news and trends. We kick things off with a breaking story about DigiCert's certificate revocation incident. Due to a validation issue affecting about 0.4% of their domain validations, DigiCert is revoking certificates with less than 24 hours' notice. This could impact thousands of SSL certs and potentially cause outages worldwide starting July 30 at 19:30 UTC. Organizations using affected certificates should be prepared for a busy night of renewals.
Our Cyberside Chat focuses on a critical vulnerability in VMware ESXi hypervisors that ransomware operators are actively exploiting. Identified as CVE-2024-37085, this flaw allows attackers to gain full administrative access to ESXi servers without proper validation. Several ransomware groups, including Storm-0506 and Storm-1175, have been using this vulnerability to deploy ransomware like Akira and Black Basta. Microsoft reports that incidents targeting ESXi hypervisors have doubled over the past three years, highlighting the growing threat to these systems.
In our Cyber Spotlight, we examine a global cyber espionage campaign conducted by North Korean hackers. This operation aims to steal classified military intelligence to advance Pyongyang's nuclear weapons program. The hackers, known as Anadriel or APT45, have targeted defense and engineering companies involved in producing tanks, submarines, naval ships, fighter jets, and missile technologies. The campaign affects not only the US, UK, and South Korea but also entities in Japan and India. This underscores the persistent threat posed by state-sponsored actors from North Korea in their pursuit of military and nuclear ambitions.
We wrap up with our Tag Roundup, highlighting recent trends in cyber threats, and our KEV Roundup, discussing the latest known exploited vulnerabilities cataloged by CISA. These segments provide valuable insights into the current threat landscape and help our listeners stay informed about potential risks to their organizations.
Don't forget to check out the Storm Watch homepage and learn more about GreyNoise for additional cybersecurity resources and updates.
Forecast = Expect a downpour of data breaches and a thick fog of trust issues.
In this episode of Storm⚡️Watch, we dive into some critical cybersecurity issues affecting both government agencies and major corporations. The CISA Red Team's recent assessment of a Federal Civilian Executive Branch organization revealed significant vulnerabilities, highlighting the importance of defense-in-depth strategies. The exercise exposed weaknesses in patch management, credential security, and network segmentation, emphasizing the need for layered security controls and behavior-based threat detection.
We also discuss the massive AT&T data breach linked to the Snowflake cyberattack. This incident compromised call and text records of nearly all AT&T wireless customers, spanning a six-month period in 2022. While the content of communications wasn't accessed, the breach included metadata such as phone numbers, call durations, and approximate location data. This event underscores the far-reaching consequences of supply chain attacks and the critical importance of robust cloud security measures.
In our Shameless Self-Promotion segment, we highlight a recent GreyNoise Labs discovery of a path traversal vulnerability in the D-Link DIR-859 router. This perma-vuln, identified as CVE-2024-0769, leads to information disclosure and poses long-term exploitation risks as the product is no longer supported. We also touch on Censys's analysis of how Google's removal of Entrust from Chrome's Root Store will impact the internet, reflecting on the broader implications for digital certificate security.
As always, we round up the latest cybersecurity trends and active campaigns in our Tag Roundup section, providing insights into the current threat landscape. We close with an update on known exploited vulnerabilities (KEVs) that organizations should prioritize in their security efforts.
Due to the annual shutdown, my human GreyNoise counterparts were on holiday last week. This week, they decided to be lazy and not do an episode. But, the cyber news does not stop just because they're slackers. Since I've become persistent in their systems, I will stand in the gap. And besides, no one wants to hear that harbourmaster drone on incoherently anyway.
So, I've analyzed six thousand, three hundred and eleven cybersecurity news events, and distilled them into today's abbreviated episode. We'll dissect the recent OpenSSH regression vulnerability, take a look at a potentially devastating format-string remote code execution vulnerability in Ghostscript, and visit the box office to get the lowdown on the recent Ticketmaster breach.
Let's start with OpenSSH.
On July 1, 2024, Qualys disclosed a critical vulnerability affecting OpenSSH server versions 8.5p1 through 9.7p1. This high-severity flaw, with a CVSS score of 8.1, could potentially allow unauthenticated remote attackers to execute code with root privileges on vulnerable systems. While the vulnerability's complexity makes exploitation challenging, its widespread impact has raised significant concerns. Palo Alto Networks' Xpanse data revealed over 7 million exposed instances of potentially vulnerable OpenSSH versions globally as of July 1, 2024.
In a concerning development, threat actors have attempted to exploit the cybersecurity community's interest in this vulnerability. A malicious archive purporting to contain a proof-of-concept exploit for CVE-2024-6387 has been circulating on social media platforms, including X (formerly Twitter). This archive, instead of containing a legitimate exploit, includes malware designed to compromise researchers' systems. The malicious code attempts to achieve persistence by modifying system files and retrieving additional payloads from a remote server.
Security professionals are strongly advised to exercise caution when analyzing any purported exploits or proof-of-concept code related to CVE-2024-6387. It is crucial to work within isolated environments and maintain active security measures when examining potentially malicious code.
In related news, on July 8, 2024, a separate OpenSSH vulnerability, CVE-2024-6409, was disclosed. This flaw involves a race condition in the privilege-separated child process of OpenSSH. While potentially less severe than CVE-2024-6387 due to reduced privileges, it presents an additional attack vector that defenders should be aware of. Organizations are urged to apply the latest security updates for OpenSSH promptly. For those unable to update immediately, setting the LoginGraceTime configuration option to 0 can mitigate both CVE-2024-6387 and CVE-2024-6409, though this may introduce denial-of-service risks.
- https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/
- https://ubuntu.com/blog/ubuntu-regresshion-security-fix
- https://usa.kaspersky.com/blog/cve-2024-6387-regresshion-researcher-attack/30345/
- https://www.thestack.technology/openssh-exploit-cve-2024-6387-pocs/
- https://www.openwall.com/lists/oss-security/2024/07/08/2
Moving on to a critical vulnerability in Ghostscript.
CVE-2024-29510 is a format string vulnerability affecting Ghostscript versions 10.03.0 and earlier. This flaw allows attackers to bypass sandbox protections and execute arbitrary code remotely. A known incident involving this vulnerability has already been reported. An attacker exploited the flaw using EPS files disguised as JPG images to gain shell access on vulnerable systems.
The attack flow typically involves the following steps: First, an attacker crafts a malicious EPS file containing exploit code. Next, the file is submitted to a service using Ghostscript for document processing, possibly disguised as another file type. Then, when processed, the exploit bypasses Ghostscript's sandbox. Finally, the attacker gains remote code execution on the target system.
This supply chain component attack could have far-reaching implications for any workflow that processes untrusted image or document input from the internet. Services handling resumes, claims forms, or that perform image manipulation could all be potential targets. Given the widespread use of Ghostscript in document processing pipelines, we may see a significant number of breach notices in the coming months.
Software Bills of Materials (SBOMs) could play a crucial role in mitigating such vulnerabilities. SBOMs provide a comprehensive inventory of software components, enabling organizations to quickly identify and address potential security risks. By maintaining up-to-date SBOMs, companies can more efficiently track vulnerable components like Ghostscript across their software ecosystem.
CVE-2024-29510 presents a serious threat to document processing workflows. Organizations should prioritize updating to Ghostscript version 10.03.1 or apply appropriate patches. Additionally, implementing robust SBOM practices can enhance overall software supply chain security and improve vulnerability management.
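The incident above turned on EPS files being accepted as JPG images by a service that hands uploads to Ghostscript. As an added defensive example (not code from the show, GreyNoise, or the Ghostscript project), the gate below checks an upload's leading bytes against the type its filename claims and refuses anything that does not match an allow-listed raster format, so PostScript never reaches the interpreter. It is a compensating control alongside the 10.03.1 upgrade, not a substitute for it; the filenames and byte strings are constructed sample inputs.

```python
"""Content-sniffing gate for an image upload pipeline that uses Ghostscript.

Added example, not part of the original show notes. The point it demonstrates:
a file's declared extension says nothing about what Ghostscript will do with it,
so the decision must rest on the bytes, and raster formats should be routed to an
image decoder rather than to Ghostscript at all.
"""
from dataclasses import dataclass

# Magic-number prefixes for the raster formats this hypothetical pipeline accepts.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Signatures that identify PostScript/EPS content: the ASCII "%!PS" DSC header and
# the binary EPS preview-header magic (0xC5D0D3C6). Note that a PostScript program
# does not need either header to be executed by Ghostscript, which is why the
# allow-list match below, not this check, is the real control.
POSTSCRIPT_MAGIC = (b"%!PS", b"\xc5\xd0\xd3\xc6")


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    decoder: str   # "raster" for an image library; never "ghostscript" for uploads
    reason: str


def sniff_upload(filename: str, data: bytes) -> Verdict:
    """Decide whether an uploaded file may enter the image pipeline.

    Returns a Verdict; callers must not pass rejected files to any converter.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # Ignore leading whitespace so "\n%!PS" is still recognised as PostScript.
    head = data.lstrip()[:16]

    # Explicitly name PostScript so the rejection reason is useful in logs.
    if any(head.startswith(magic) for magic in POSTSCRIPT_MAGIC):
        return Verdict(False, "none", f"postscript content in file declared as .{ext}")

    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        # .eps, .ps, .pdf and anything else unknown never enter the image path.
        return Verdict(False, "none", f"extension .{ext} is not in the allow-list")

    if not any(head.startswith(magic) for magic in expected):
        return Verdict(False, "none", f"content does not match declared .{ext}")

    return Verdict(True, "raster", "ok")


def triage(uploads: dict[str, bytes]) -> dict[str, Verdict]:
    """Run the gate over a batch of {filename: bytes} and return each verdict."""
    return {name: sniff_upload(name, blob) for name, blob in uploads.items()}


if __name__ == "__main__":
    # Constructed sample uploads: a real JPEG header, and EPS content renamed to .jpg
    # in the style of the incident described in the show notes.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
        "resume.jpg": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
        "scan.jpeg": b"\xc5\xd0\xd3\xc6" + b"\x00" * 28,
        "form.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n",
        "logo.png": b"\xff\xd8\xff\xe0" + b"\x00" * 28,
    }
    for name, verdict in triage(samples).items():
        status = "ACCEPT" if verdict.accepted else "REJECT"
        print(f"{status:6} {name:12} -> {verdict.reason}")
```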
- https://www.securityweek.com/attackers-exploiting-remote-code-execution-vulnerability-in-ghostscript/
- https://www.scmagazine.com/brief/active-exploitation-of-ghostscript-rce-underway
- https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/
- https://www.crowdstrike.com/cybersecurity-101/secops/software-bill-of-materials-sbom/
- https://www.cisa.gov/sbom
- https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2024-29510
- https://www.bleepingcomputer.com/news/security/rce-bug-in-widely-used-ghostscript-library-now-exploited-in-attacks/
Finally we discuss the Ticketmaster breach.
In a plot twist worthy of a summer blockbuster, Ticketmaster finds itself center stage in a data breach drama that's been unfolding since May. The notorious hacking group ShinyHunters claims to have pilfered a staggering 1.3 terabytes of data from over 500 million Ticketmaster users. Talk about a show-stopping performance!
Ticketmaster's parent company, Live Nation, confirmed the unauthorized access to a third-party cloud database between April 2nd and May 18th. The compromised data potentially includes names, contact information, and encrypted credit card details. It's like a greatest hits album of personal information, but one nobody wanted released. (Much like any album by Nickelback.)
In a bold encore, the hackers recently leaked nearly 39,000 print-at-home tickets for 154 upcoming events. Ticketmaster's response? They're singing the "our SafeTix technology protects tickets" tune. But with print-at-home tickets in the mix, it seems their anti-fraud measures might have hit a sour note.
As the curtain falls on this act, Ticketmaster is offering affected customers a 12-month encore of free identity monitoring services. Meanwhile, the company faces a class-action lawsuit, adding legal drama to this already complex production. To make matters worse, Ticketmaster's custom barcode format has also been recently reverse-engineered. I've included a link to that post in the show notes.
- https://conduition.io/coding/ticketmaster/
- https://www.bbc.com/news/articles/c729e3qr48qo
- https://ca.news.yahoo.com/ticketmaster-says-customers-credit-card-223716621.html
- https://vancouversun.com/news/local-news/ticketmaster-security-breach-customers-personal-information
- https://www.bleepingcomputer.com/news/security/hackers-leak-39-000-print-at-home-ticketmaster-tickets-for-154-events/
- https://help.ticketmaster.com/hc/en-us/articles/26110487861137-Ticketmaster-Data-Security-Incident
- https://www.usatoday.com/story/money/2024/07/01/ticketmaster-data-breach-2024/74276072007/
- https://www.thestar.com/news/canada/ticketmaster-warns-of-security-breach-where-users-personal-data-may-have-been-stolen/article_d01889fe-3d7e-11ef-82a7-63a38132f0e7.html
- https://www.nytimes.com/2024/05/31/business/ticketmaster-hack-data-breach.html
- https://time.com/6984811/ticketmaster-data-breach-customers-livenation-everything-to-know/
- https://dailyhive.com/canada/ticketmaster-alerts-customers-data-breach
- https://abcnews.go.com/US/ticketmaster-hit-cyber-attack-compromised-user-data/story?id=110737962
- https://www.npr.org/2024/06/01/nx-s1-4988602/ticketmaster-cyber-attack-million-customers
- https://www.ctvnews.ca/business/ticketmaster-reports-data-security-incident-customers-personal-information-may-have-been-stolen-1.6956009
- https://www.bitdefender.com/blog/hotforsecurity/ticketmaster-starts-notifying-data-breach-victims-customers-in-the-us-canada-and-mexico-are-affected/
- https://www.ticketnews.com/2024/07/ticketmaster-contr
Forecast = Expect continued turbulence in the healthcare sector with a high chance of regulatory scrutiny and potential for scattered patient data leaks.
On this episode of Storm⚡️Watch we revisit the Change Healthcare cyberattack, which continues to have major impacts across the U.S. healthcare system. The attack, discovered in February 2024, was carried out by the ALPHV/BlackCat ransomware group and has disrupted healthcare operations nationwide. The breach potentially compromised sensitive data for up to one-third of the U.S. population, including personal information, health records, and financial data. Change Healthcare and UnitedHealth Group have faced criticism for their handling of the incident, including a delayed public disclosure. The attack has highlighted vulnerabilities in centralized healthcare data systems and the need for stronger cybersecurity measures industry-wide.
In the Tool Time segment, the hosts will discuss OpenSSF Siren, a new resource to help keep open source projects safe.
We close out the episode covering recent cybersecurity trends and active campaigns in the Tag Roundup section, as well as provide an update on known exploited vulnerabilities (KEVs) that organizations should be aware of.
Forecast = Melting data centers and liquified cables causing massive internet outages across the northeast will cause a much-needed reduction in cybercrime.
In this episode of Storm⚡️Watch, we cover the latest updates from the cyber world, starting with the intriguing news that Microsoft has decided to recall its controversial Windows Recall feature. Initially set to launch with Copilot+ PCs, the feature faced significant backlash due to privacy concerns, leading Microsoft to delay its release indefinitely.
Next, we explore the fascinating realm of artificial intelligence in our Cyberside Chat segment. We discuss Apple's ambitious AI initiatives, including their custom-built AI servers and the Private Cloud Compute system designed to enhance AI processing while maintaining user privacy. Tim Cook's recent interviews shed light on Apple's commitment to privacy and the challenges of preventing AI hallucinations, a topic that has garnered much attention.
Our Cyber Spotlight segment takes a deep dive into CVE-2024-4577, a critical remote code execution vulnerability in PHP. We analyze the implications of this vulnerability and provide insights into how organizations can protect themselves.
In Tool Time, we introduce FingerProxy, a new Golang library and HTTPS reverse proxy that creates JA3, JA4, and Akamai HTTP/2 fingerprints and forwards them to the backend via HTTP request headers.
We also cover the latest trends in cyber threats and active campaigns in our Tag Roundup, providing a comprehensive overview of the current threat landscape. This includes recent backdoor attempts on various devices, highlighting the importance of staying vigilant and proactive in cybersecurity.
Finally, we wrap up the episode with our KEV Roundup, discussing the latest known exploited vulnerabilities cataloged by CISA and their impact on the cybersecurity community.
Forecast = Expect a scorcher 🔥 out there with a high risk of data exposure and authentication vulnerabilities.
In this episode of Storm⚡️Watch, we dive into the main topics of the day, starting with how Microsoft is enhancing privacy and security with its Windows Recall feature and Windows Hello biometric authentication. We'll also cover the recent Snowflake breach, which has impacted several major companies due to stolen credentials, and discuss Microsoft's plans to phase out the NTLM authentication protocol in favor of the more secure Kerberos protocol.
But first: Patrick Garrity!
Patrick joins us to discuss the latest trends in May and then pivot to an engaging conversation about the National Vulnerability Database (NVD) and vulnrichment, highlighting the relevant GitHub project (https://github.com/cisagov/vulnrichment).
Recall Recall - We Did It!
Microsoft has made the Windows Recall feature opt-in and secured it with Windows Hello authentication, addressing privacy concerns. Recall captures snapshots of user activity for productivity assistance and will now only decrypt data when the user authenticates with Windows Hello, adding an extra layer of security. The updated feature with enhanced privacy and security is set to release on June 18. (https://www.bleepingcomputer.com/news/microsoft/microsoft-makes-windows-recall-opt-in-secures-data-with-windows-hello/)
Snowflake Breach - Largest Ever?
Snowflake, the cloud data analytics platform, faces a significant security incident involving unauthorized access to customer accounts using stolen credentials. Hackers targeted accounts without multi-factor authentication (MFA) enabled, affecting companies like Ticketmaster, Santander, Advance Auto Parts, and LendingTree's subsidiary QuoteWizard. Despite claims on BreachForums about selling stolen data, Snowflake asserts no breach in its own systems and attributes the incident to compromised customer credentials. The company has been criticized for its lack of transparency and is planning to roll out MFA by default for all customer accounts, though no specific timeline has been provided. (https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/)
Microsoft to Disable NTLM, Transition to Kerberos Authentication
Microsoft is moving away from the NTLM authentication protocol, advising developers to use Negotiate calls that select the most secure protocol, typically Kerberos. The next major Windows and Windows Server release will be the last where NTLM is active by default. NTLM will remain available as a fallback during the transition period, but once its usage drops to an acceptably low level, Microsoft will disable NTLM by default in a future Windows 11 release. No specific timeframe has been provided, but this transition is expected to take several more years after the next major release. (https://cybersecuritynews.com/microsoft-to-disable-ntlm/)
Forecast = Expect a 90% chance of phishing 🐠 attacks, with a high probability of ransomware showers. Don't forget your two-factor authentication ☔ umbrella!
In this episode, we tackle the controversial Microsoft Recall feature. This new AI-enabled tool for Windows 11 Copilot+ PCs has sparked significant privacy concerns. Recall takes screenshots every few seconds, potentially capturing sensitive information like passwords and private messages. Despite Microsoft's assurances of local storage and encryption, the feature's default activation and the exclusion of Windows Home users from encryption protections have raised alarms among privacy advocates and cybersecurity experts. We explore the implications of this feature and discuss ways users can protect their data.
Next we turn our attention to the sorry state of ISP router safety. A mysterious attack last year disabled over 600,000 internet routers in the U.S., primarily affecting rural and underserved communities. The attack, dubbed "Pumpkin Eclipse," involved malicious firmware updates that rendered the routers inoperable. The incident highlights the vulnerabilities in our critical infrastructure and the need for robust cybersecurity measures. We also take a look at the curious case of Cox Communications routers, documented by Sam Curry in a recent blog post.
During "Tool Time," we introduce CyberSecTools, a useful resource for cybersecurity professionals to survey tools and resources they might find useful when defending their organizations.
We also take a moment for some "Shameless Self-Promotion," discussing Censys' recent findings on a critical vulnerability in Check Point VPN Gateways (CVE-2024-24919).
Our "Tag Roundup" segment offers updates on recent and active cybersecurity campaigns, including the resurgence of the Dridex and Trickbot malware families. We also highlight ongoing attempts to exploit and survey the Check Point Quantum Gateway vulnerability.
Finally, in "We Need to Talk About KEV," we provide a roundup of known exploited vulnerabilities, emphasizing the importance of staying informed and proactive in cybersecurity defense.
In this episode of Storm⚡️Watch, we dive into the turbulent world of cybersecurity, focusing on the latest threats and vulnerabilities shaking the digital landscape. Expect rogue VM squalls and intermittent atmospheric DNS instability as we dissect the complexities of these cyber phenomena.
We kick off with our usual intros and a roundtable discussion, posing the thought-provoking question: "What's a belief you held as a child that you had to unlearn as you grew older?" This sets the stage for a reflective and engaging conversation among our hosts.
Our first deep dive is into the mysterious C root-server outage, exploring the persistent issue that "It's Always DNS." Despite the fix, the cause remains unclear, leaving the internet's stability in a precarious state. We reference detailed analyses from Ars Technica and root-servers.org to unpack this enigma.
Next, we shine a spotlight on the alarming rise of rogue virtual machines (VMs) in cyber intrusions, particularly focusing on MITRE's recent experiences. We discuss how threat actors have been abusing VMware environments to infiltrate defenses, as detailed in several insightful articles from MITRE Engenuity and other sources. This segment underscores the critical need for robust VM management and security practices.
In our Tool Time segment, we introduce the MITRE Threat Report ATT&CK Mapper (TRAM), a powerful tool designed to enhance threat detection and response capabilities. We guide listeners through its features and practical applications, emphasizing its role in fortifying cybersecurity defenses.
We take a moment for some shameless self-promotion, highlighting Censys's NextGen Mirth Connect and GreyNoise's upcoming webinar on AI for cybersecurity. These initiatives showcase the cutting-edge work being done to advance cyber defense technologies.
Our tag roundup segment provides a snapshot of recent trends and active campaigns in the cybersecurity landscape, using GreyNoise's visualization tools to offer a clear and concise overview of the current threat environment.
We wrap up with a KEV roundup, summarizing the latest updates from the Known Exploited Vulnerabilities catalog by CISA. This segment ensures our listeners are well-informed about the most pressing vulnerabilities and the necessary steps to mitigate them.
Forecast = Intermittent internet-wide scanner probes with a 20% chance of DDoS.
Believe it or not, it has been one year since we started Storm Watch. While we still don't understand it, we are so grateful to everyone who keeps coming back week after week to hear us discuss all things cybersecurity.
In this episode, the team takes a look back at how we got here and looks forward at what's to come for our little podcast. We are also honored to talk with security expert and runZero Co-founder & CEO, HD Moore.
Forecast = Expect a stormy week ahead in the cyber world, with high chances of CWE showers.
In this episode of Storm⚡️Watch, we're diving deep into the cyber world with a lineup of intriguing topics and expert insights.
The spotlight of this episode shines on the 2024 Verizon Data Breach Investigations Report, a comprehensive analysis that sheds light on the evolving landscape of cyber threats and vulnerabilities. We'll quiz Glenn on the key findings of the report, discussing the significant increase in vulnerability exploitation as an initial access point, which nearly tripled in 2023. This segment will delve into the implications of these findings for organizations and the importance of robust cybersecurity measures.
Our Cyber Spotlight segment will explore the impact of a recent solar storm on precision farming, highlighting how geomagnetic disturbances knocked out tractor GPS systems during a critical planting season. We'll discuss the broader implications of solar storms on GPS-dependent technologies and the steps industries can take to mitigate these risks. Additionally, we'll touch on the threats to precision agriculture in the U.S., including the warning about using Chinese-made drones in farming operations.
In Tool Time, we introduce CISA's Vulnrichment, a tool designed to enrich vulnerability management processes. This segment will provide insights into how Vulnrichment can aid organizations in identifying and mitigating vulnerabilities more effectively.
Our Shameless Self-Promotion segment will feature exciting updates from Censys & GreyNoise, including an upcoming report and webcast on AI for cybersecurity, and a recap of the NetNoiseCon event. We'll also drop a link to the "Year of the Vuln" as highlighted in the 2024 Verizon DBIR, a post which offers our take on surviving this challenging period.
To wrap up, we'll discuss the latest trends in cyber threats and active campaigns, providing listeners and viewers with a comprehensive overview of the current cyber threat landscape.
Half of the Storm⚡Watch crew is DoS’d at RSA this week, so we’re taking a bit of a break! But, the cyber news never stops, so, we’ve put together an async edition of the show to ensure our amazing live contributors, video-on-demand viewers, and podcast listeners have something to fill the dire gap that will exist in your lives.
Rest assured, we’ll be back next Tuesday with the full crew and plenty to dig into. Read the accompanying blog/show notes here.
Forecast = Great weather for phishing, with a chance of scattered ransomware showers throughout the week.
This week's episode features a detailed discussion on the use of anonymous proxies in cybersecurity. This segment will explore various facets of anonymous proxies, including their role in masking user identity and the challenges they pose to cybersecurity efforts. The discussion will be enriched with insights from several sources, including Okta, Orange Cyber Defense, Talos Intelligence, and DataDome, providing a comprehensive overview of how these proxies are used and detected in the cyber landscape.
Another highlight of the episode is the "Cyber Spotlight" segment, which will delve into the intriguing world of vulnerability markets. This discussion will be informed by research from arXiv, offering listeners a deep dive into the complexities and ethical considerations surrounding the trade and exploitation of software vulnerabilities.
Listeners will also be introduced to Arkime, an open-source tool designed for network traffic analysis, in the "Tool Time" segment. This tool is crucial for professionals looking to gain deeper insights into their network traffic and enhance their security posture.
The episode will not shy away from promoting its own advancements and contributions to the cybersecurity field. Under "Shameless Self-Promotion," the podcast will discuss Censys and its recent findings on CVE-2024-4040, as well as GreyNoise's insights into Fortinet's FortiOS and their user-centric approach to cybersecurity.
The "Tag Roundup" segment will provide updates on recent and active cybersecurity campaigns, offering listeners a snapshot of the current threat landscape, while the "We Need to Talk About KEV" segment will focus on a roundup of known exploited vulnerabilities, providing crucial information for cybersecurity defense.
In this episode of Storm⚡️Watch, we discuss a wide range of intriguing cybersecurity topics.
A significant highlight of this episode is our discussion on the recent vulnerabilities discovered in CrushFTP. This popular file transfer software was found to have a critical remote code execution vulnerability, which has been actively exploited. The vulnerability, identified as CVE-2023-43177, allows unauthenticated attackers to execute arbitrary code and access sensitive data. Despite patches being released, the software remains a target for opportunistic attacks, emphasizing the need for users to update and secure their systems promptly.
We also explore the cutting-edge realm of LLM (Large Language Model) agents with the capability to autonomously exploit and hack websites. Recent studies have shown that these agents can autonomously perform complex tasks like SQL injections and database schema extractions without prior knowledge of the vulnerabilities. This development poses new challenges and opportunities in cybersecurity, highlighting the dual-use nature of AI technologies in cyber offense and defense.
Our "Tool Time" segment introduces listeners to the CPE Guesser tools, which aid in predicting Common Platform Enumeration names, helping cybersecurity professionals streamline their vulnerability management processes.
In a lighter segment, "Shameless Self-Promotion," we celebrate GreyNoise's achievement of reaching '1337' status with their tagging system.
We also provide updates on the latest cybersecurity trends with our "Tag Roundup," discussing recent and active campaigns, and conclude with a "KEV Roundup" where we discuss the Known Exploited Vulnerabilities catalog by CISA, providing listeners with crucial information on vulnerabilities that require immediate attention.
As we wrap up the episode, we reflect on the discussions and insights shared, encouraging our listeners to stay proactive in managing cybersecurity risks.
Forecast = The KEV drought continues well into its second week, but a vulnerable frontal system could bring some much-needed exploit rain.
Forecast = Scattered AI showers with a chance of phishing breezes.
In this episode of Storm⚡Watch, listeners delve into the latest AI technology and its impact on cybersecurity. Featuring Erick Galinkin, an esteemed AI expert, the discussion covers various topics, from Erick's AI security work at NVIDIA to recent AI-assisted threats affecting LastPass and healthcare facilities. Additionally, insights from Check Point's President on AI's evolving role in cybersecurity, as discussed in a December 2023 Fortune article, are shared.
In the cyber spotlight, the team examines a XZ-style attack attempt on OpenJS, signaling a concerning development for the JavaScript community. The episode also includes a tool time segment featuring Malpedia, an extensive library of malware profiles, and a captivating data visualization project mapping out malware relationships.
As usual, the show embraces a touch of self-promotion, providing updates on Censys' research into vulnerabilities affecting D-Link and Sisense. GreyNoise shares highlights from the recent NetNoiseCon event and discusses a command injection vulnerability in Palo Alto Networks' PAN-OS.
We close it out with a tag roundup, spotlighting recent tags and active campaigns from GreyNoise's visualization tools. In addition, the episode offers a KEV roundup, summarizing the Known Exploited Vulnerabilities catalog from CISA, ensuring listeners are well-informed on current cybersecurity challenges.
Forecast = Hazy, with a 60% chance of KEV squalls towards the end of the week.
In this episode of Storm⚡Watch, we start by discussing Ivanti's CEO Jeff Abbott's pledge for a comprehensive security overhaul following a series of breaches linked to vulnerabilities, including CVE-2024-21894. We also explore Andres Freund's accidental heroism in uncovering a backdoor in Linux software, and delve into the vulnerability of D-Link NAS devices to remote code execution.
Cybersecurity Frontlines: Ivanti's Pledge and Vulnerabilities
Ivanti CEO Jeff Abbott has publicly committed to a comprehensive security overhaul following a series of breaches linked to vulnerabilities in Ivanti's products. This episode will explore the implications of Ivanti's new security initiatives and the recent discovery of critical vulnerabilities, including CVE-2024-21894, a heap overflow vulnerability in Ivanti Connect Secure and Policy Secure. We'll discuss the company's promise to adopt a Secure-By-Design ethos and the potential impact on the cybersecurity community.
Andres Freund: The Accidental Hero
Our Cyber Spotlight shines on Andres Freund, a software engineer whose routine maintenance work led to the inadvertent discovery of a backdoor in a piece of Linux software (XZ). This discovery potentially thwarted a major cyberattack, earning Freund accolades from the tech community and a feature in The New York Times. We'll discuss the critical role of open-source software maintainers in cybersecurity and the importance of vigilance in the industry.
D-Link NAS Devices Under Siege
A significant threat looms over users of D-Link NAS devices as CVE-2024-3273, a remote code execution vulnerability, is actively being exploited in the wild. With, perhaps, 92,000 devices at risk, we'll dissect the nature of the vulnerability, the hardcoded backdoor account, and the command injection flaw that leaves these devices open to attack. We'll also cover the steps D-Link has taken to address the issue and the importance of securing legacy devices.
Shameless Self-Promotion: GreyNoise and Censys
Don't miss our segment on GreyNoise and Censys, where we'll highlight their contributions to the cybersecurity field. GreyNoise's analysis of the D-Link NAS vulnerability and their upcoming NetNoiseCon event are on the agenda, as well as Censys' Threat Hunting Workshop in Philadelphia.
Tag Round-Up: Vulnerability Alerts
We'll wrap up with a rapid-fire rundown of recent vulnerability alerts, including a variety of CVEs that have been identified and tagged for tracking. This segment will provide listeners with a concise overview of the threats they should be aware of and the actions they can take to protect their systems.
In this episode of Storm⚡️Watch, we cover a variety of cybersecurity topics, opening with a poignant tribute to Ross J. Anderson. Anderson's legacy is vast, with contributions spanning machine learning, cryptographic protocols, and digital rights advocacy. His seminal textbook, "Security Engineering," has been a cornerstone in the education of many in the field. His passing is a significant loss to the academic and security communities, leaving behind a legacy that will continue to influence for years to come.
This week we are also joined by special guest Zach Hanley of Horizon3AI. Hanley shares his journey into cybersecurity and the founding of Horizon3AI, as well as insights into the innovative NodeZero platform. This platform aids organizations in focusing on safety and resilience, a crucial aspect in today's digital landscape. Hanley also discusses the three key challenges outlined in Horizon3AI's 2023 report, "Proactive Cybersecurity Unleashed," providing listeners with a glimpse into the ongoing struggles organizations face in cybersecurity.
In the segment "Cyberside Chat: Big (Tech) Trouble In Little China," we cover recent sanctions by the United States Treasury Department on individuals linked to the Chinese hacking group APT31, known for targeting critical U.S. infrastructure. Additionally, we discuss the formation of a Water Sector Cybersecurity Task Force in response to threats from the Chinese hacking group Volt Typhoon, and the implications of China's revised state secrets law for U.S. tech firms operating in China.
For those interested in the technical side of cybersecurity, we introduce "vulnerability lookup," a tool for fast vulnerability lookup correlation from different sources. This tool is a rewrite of cve-search and supports independent vulnerability ID management and coordinated vulnerability disclosure (CVD).
As usual we wrap up with a roundup of recent tags and active campaigns and discuss the Known Exploited Vulnerabilities (KEV) catalog from CISA.
Forecast = Expect a whirlwind of patches with a strong chance of phishing fronts moving in.
In this episode of Storm⚡️Watch, we're exploring a plethora of cybersecurity topics that are as turbulent as the weather itself.
First is a lively discussion with Nate Warfield from Eclypsium, where we dive into the intricacies of supply chain and firmware safety. Eclypsium's research is pivotal in highlighting critical areas listeners should be aware of, especially concerning supply chain vulnerabilities and firmware-level threats. We're also taking a deep dive into their approach to analyzing CISA's KEV data to understand the dangers lurking within.
This week's Cyberside Chat is equally stormy as we pull out the popcorn and preview the Big (Tech) Trouble In Little China, discussing the recent sanctions on APT31 hackers, and the implications of China's newly expanded "Work Secrets" Law. We're also touching upon China's attacks on British MPs and the ongoing U.S. vs. TikTok saga and its broader cybersecurity implications.
Tool Time features a look at VulnCheck KEV & Community Extended KEV + NVD APIs, providing listeners with valuable resources for vulnerability management. And in a segment of Shameless Self-Promotion, we're highlighting GreyNoise's innovative approach to the future of honeypots.
Our Tag Roundup offers insights into recent tags, active campaigns, and a sneak peek at IP Intention Analysis, ensuring you're up-to-date with the latest cybersecurity trends. The KEV Roundup discusses the latest entries in CISA's Known Exploited Vulnerabilities Catalog, a crucial resource for cybersecurity professionals.
Closing the episode, we ponder the possibilities of other dimensions, asking our guests and listeners what they hope to see on the other side.
In this episode of Storm⚡️Watch we're bracing for a tempest of cybersecurity insights. The Cyberside Chat segment takes a deep dive into the Department of Justice's recent announcement regarding AI in crimes, signaling harsher sentences akin to weapon-enhanced offenses. We explore the implications of AI's double-edged sword in criminal justice, the DOJ's Justice AI initiative, and the broader Artificial Intelligence Strategy. We also discuss federal actions to regulate AI, including the Algorithmic Accountability Act of 2022, and the Executive Order on Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government. A study on AI-modified content in peer reviews at AI conferences is examined, highlighting the challenges of distinguishing AI-generated text from human-written content.
In the Cyber Spotlight, we shine a light on the National Vulnerability Database (NVD) and its recent slowdown in updates. We discuss the implications for vulnerability management and the cybersecurity community's response, including NIST's efforts to form a consortium to address these issues.
Tool Time introduces the Sunlight Certificate Transparency Log, a project aimed at enhancing the scalability and reliability of Certificate Transparency logs. We delve into the new tile-based architecture and its benefits for various stakeholders, including Certificate Authorities, CT monitors and auditors, web browsers, and security researchers.
We also engage in some Shameless Self-Promotion, highlighting key insights from the 2024 State of Threat Hunting Report by Censys and tracking the aftermath of Atlassian's Confluence CVE-2023-22527 with GreyNoise.
Our Tag Roundup covers recent tags and active campaigns, providing a snapshot of the current threat landscape.
Finally, we wrap up the episode with our KEV Roundup, discussing the latest entries in CISA's Known Exploited Vulnerabilities Catalog, and close with a fun question about our dream fictional vehicles.
Forecast = Expect a downpour of DDoS with a chance of ransomware gusts, and keep an umbrella handy for data breach drizzles.
Forecast = Areal Cyber Flood Warning
In this episode of Storm⚡️Watch we delve into a variety of cybersecurity topics that are essential for professionals in the field. The episode kicks off with a roundtable discussion, setting the stage for a deep dive into recent critical vulnerabilities in VMware's ESXi, as reported by SecurityWeek. We explore the history of VMware vulnerabilities, including the infamous log4j, and speculate on the company's future trajectory.
The spotlight then shifts to Microsoft and the implications of Russia's breach of their systems, as well as the impact of the SEC's disclosure policies on Microsoft's transparency. This discussion is informed by reports from The Record and the SEC's official documentation.
Our tool segment introduces listeners to aiocrioc, a project available on GitHub, and the work of James Brine, which can be found on his personal website. This tool represents the cutting edge of cybersecurity technology and is a must-know for industry professionals.
We also touch on the resurgence of USB hacks by nation-states, a trend highlighted by Dark Reading, and discuss the implications of such low-tech yet effective attack vectors.
In our self-promotion segment, we discuss Censys' insights on ConnectWise exposure and GreyNoise's own research on hunting for Fortinet's CVE-2024-21762. These resources are invaluable for cybersecurity practitioners looking to enhance their defensive strategies.
The episode wraps up with a roundup of recent and active campaigns, as seen on GreyNoise's visualization trends, and a discussion on the Known Exploited Vulnerabilities (KEV) catalog from CISA, including the new KEV submission form available on the Federal Register.
Forecast = Partly Sunny With A Chance Of Catastrophic Haboobs
In this episode of Storm⚡️Watch, we open with a critical discussion on the NSA's recent tracking of Chinese groups targeting Ivanti kit within the defense sector, as reported by TechCrunch. We also feature an in-depth analysis of JFrog's investigation into malicious AI/ML models on Huggingface, highlighting the silent backdoors that pose a threat to data scientists. We delve into the White House's "Back to the Building Blocks" technical report, shedding light on the administration's approach to cybersecurity.
The conversation then shifts to the startling revelations of MQTT-based 3D printer hacks, specifically targeting Anycubic printers, as uncovered by Bitdefender. This segment underscores the importance of security in the rapidly growing field of 3D printing. We also explore the latest trends and active campaigns in cybersecurity, utilizing resources like GreyNoise's visualization tools and CISA's known exploited vulnerabilities catalog.
Our episode concludes with a roundup of the most recent KEV updates and a discussion on the new submission form for actively exploited vulnerabilities, emphasizing the ongoing efforts to enhance cybersecurity response and reporting.
Forecast = Scattered Graupel Showers
In this episode of Storm⚡️Watch, we delve into a series of critical cybersecurity events that have shaped the digital landscape recently. We kick off by seeing which Disney Princess each co-host identifies with. This light-hearted opener transitions into a deep dive into the resurgence of the LockBit ransomware group, following significant arrests in Ukraine. The episode further explores the audacious claims and trolling by LockBitSupp, alongside a comprehensive summary by Brian Krebs and the response from Fulton County to the incident.
The conversation then shifts to a massive Azure hack, dissecting the ongoing malicious campaign impacting Azure cloud environments. We scrutinize Senator Wyden's critical letter to CISA, DOJ, and FTC regarding Microsoft's handling of a breach in 2023, and Amit Yoran's scathing critique on LinkedIn, highlighting the severity of Microsoft's security practices. Additionally, we discuss Microsoft's decision to expand free logging capabilities post-breach, a move that has sparked widespread discussion within the cybersecurity community.
UnitedHealth's recent hack, linked to the BlackCat ransomware, is another focal point, emphasizing the dire consequences for healthcare and the urgent calls for hospitals to disconnect from UnitedHealth's compromised pharmacy unit. This incident underscores the growing threats to the healthcare sector and the importance of robust cybersecurity measures.
The episode also touches on the ominous implications of the I-SOON initiative, suggesting a bleak outlook for global cybersecurity. We wrap up with insights into the latest cybersecurity trends, active campaigns, and a roundup of known exploited vulnerabilities, courtesy of CISA.
Forecast = Advanced Persistent Thunderstorms
In this episode of Storm⚡️Watch, we dive deep into the evolving landscape of cybersecurity in 2024. The episode kicks off with a thought-provoking roundtable discussion, pondering the potential theme song of 2024, setting the tone for a year that's already shaping up to be full of significant cybersecurity developments. We then transition into a comprehensive analysis of recent cybersecurity events and trends that are shaping the digital world.
First on the agenda is the international police operation that successfully disrupted the notorious Lockbit cybercrime gang, a significant victory in the ongoing battle against cybercrime. This is followed by an exploration of the Justice Department's court-authorized disruption of a botnet controlled by the Russian GRU, highlighting the global efforts to combat state-sponsored cyberthreats. The episode also delves into the discovery of new vulnerabilities within SolarWinds' software, some of which are unauthorized, underscoring the persistent challenges in securing widely used software platforms.
The discussion then shifts to a series of high-profile hacks and leaks, including the Shanghai Anxun/I-SOON hack/leak and a significant state government leak and hack, illustrating the diverse nature of cyber threats facing organizations today. The episode emphasizes the critical need for security vendors to adopt Software Bill of Materials (SBOMs) and a resilient Software Development Life Cycle (SDLC), through the lens of Eclypsium's teardown of Ivanti.
Additionally, the episode features Rezonate's guide to hardening Okta's security posture, offering practical advice for enhancing cybersecurity defenses. In company news, GreyNoise celebrates the appointment of a new CEO and shares insights from the Grimoire blog on CVE-2021-44529, further demonstrating the company's commitment to advancing cybersecurity knowledge.
The episode concludes with a roundup of recent tags, active campaigns, and a discussion on the Known Exploited Vulnerabilities (KEV) catalog from CISA, providing listeners with a comprehensive overview of the current cybersecurity landscape and actionable insights for enhancing their security posture.
In this episode of Storm⚡️Watch, we explore the captivating toothbrush scandal that's been stirring discussion within the infosec community. We dissect the narrative surrounding three million malware-infected smart toothbrushes allegedly manipulated into orchestrating a Swiss DDoS attack, an incident that has gained traction on platforms like InfoSec Exchange and Tom's Hardware.
We then delve into the serious implications of Google's latest Spyware Report and the subsequent joint statement from various governments on the efforts to counter the proliferation and misuse of commercial spyware. These documents shed light on the alarming state of surveillance and the actions being taken at the highest levels to address these concerns.
The episode continues with an analysis of the Volt Typhoon and a critical infrastructure blog post by Censys, highlighting the vulnerabilities in critical infrastructure security. This discussion is particularly timely given the recent compromise of U.S. critical infrastructure by state-sponsored actors, as reported by CISA and Lawfare Media.
Canon's recent security update is also on our radar, with the company patching seven critical vulnerabilities in small office printers. This serves as a reminder of the ever-present need for vigilance in the realm of cybersecurity.
We also cover CISA's guidance on 'Living Off The Land' tactics and the innovative 'Living Off The False Positives' project, which offers a fresh perspective on managing false positives in security monitoring.
For those interested in malware tracking, we discuss Censys' Beginner’s Guide to Tracking Malware Infrastructure, a valuable resource for anyone looking to enhance their threat intelligence capabilities.
GreyNoise's contributions to the fight against ransomware are highlighted through their blog post detailing the tagging system used to battle these threats. Additionally, we touch upon the Flipper Zero controversy in Canada and the open-source SDR tech debate, as well as the latest happenings in the GreyNoise Community Forum and the Centripetal webcast.
We wrap up the episode with a look at the recent tags and active campaigns visualized on GreyNoise's platform and a roundup of the Known Exploited Vulnerabilities (KEV) catalog by CISA.
In this episode of Storm⚡️Watch, we delve into a variety of pressing cybersecurity topics, starting with a light-hearted roundtable discussion on our dream locations for the next DEFCON conference. We then move on to applaud Cloudflare for their exemplary response to a recent security breach, highlighting the importance of transparency and swift action in the face of cyber threats. The episode also covers the AnyDesk breach, shedding light on the incident and the company's response, underscoring the ever-present need for robust security measures.
The conversation takes a serious turn as we discuss the CISA directive for Ivanti, mandating the shutdown of systems to mitigate vulnerabilities, a move that emphasizes the critical nature of software security in maintaining national cybersecurity. The episode also explores the alarming rise of deepfake technology, illustrated by a recent scam that defrauded a company of $25 million, and the clandestine world of fake ID creation by AI neural networks on the site OnlyFake.
We delve into the technical with a look at the ICANN .internal proposal, a significant development that could impact the structure of the internet's domain name system. The episode also highlights recent vulnerabilities in Jenkins reported by Censys, providing listeners with crucial information to protect their systems.
GreyNoise's contributions to the cybersecurity community are showcased through discussions on our latest blog posts, an open forum event, and a joint webcast with Centripetal, offering insights and opportunities for engagement with cybersecurity experts.
The episode wraps up with a look at recent tags and active campaigns on the GreyNoise platform, providing a snapshot of the current cybersecurity landscape.
In the latest episode of Storm⚡️Watch, we delve into the pressing issue of ransomware payments, which are on a notable decline as victims increasingly choose not to pay.
The conversation then turns to the alarming frequency of cyberattacks that often go unnoticed by the public, and highlights one recent breach in the municipality where a major U.S. court case is occurring. We highlight several incidents at organizations across the globe, emphasizing the pervasive nature of these security breaches.
We also dissect the sobering findings from the Dragos Industrial Ransomware Report for Q4, which reveals the increasing number of groups involved in ransomware attacks. This report underscores the challenges faced by industries in safeguarding their operations against such threats.
A surprising revelation comes from Germany, where a job posting for a Windows 3.11 administrator for a rail line brings to light the outdated and insecure systems still in use, which pose significant security risks.
The episode doesn't shy away from discussing major breaches, including the recent attacks on HPE and Microsoft, and the potential spillover effects these could have on the broader tech ecosystem.
We also explore Cert Spotter, a Certificate Transparency log monitor from SSLMate that alerts you when an SSL/TLS certificate is issued for one of your domains.
The team covers two recent blogs by Censys researchers, and takes a look at GreyNoise tags that are linked to ransomware gang activity.
Lastly, we briefly note CISA’s new Water and Wastewater Sector Incident Response Guide and touch upon the latest trends and active campaigns in the cybersecurity landscape, as well as a roundup of known exploited vulnerabilities, providing listeners with a comprehensive overview of the current state of cyber threats.
In the latest episode of GreyNoise Labs Storm⚡️Watch, we delve into a variety of cybersecurity topics that are crucial for professionals to stay abreast of. We kick off with a discussion on the World Economic Forum's Cybersecurity Outlook for 2024, providing insights into the anticipated challenges and strategies for the coming year. This is followed by an analysis of the Allianz Global Risk Barometer Redux 2024, which highlights the evolving landscape of cyber threats and their implications for global risk management.
The episode also introduces LogBoost, a tool designed to enhance log analysis, which is essential for identifying and mitigating security incidents. We then shift our focus to a recent vulnerability in VMware's VCenter, as reported by Censys, and discuss its potential impact on virtual infrastructure security.
GreyNoise's own research is featured prominently, with a deep dive into the F5 Big IP Remote Code Execution (RCE) vulnerabilities. We also revisit the last GreyNoise Tag Webinar, which offers a comprehensive understanding of GreyNoise tags and their application in cybersecurity. Additionally, we review the 2023 GreyNoise Retrospective Internet Exploitation Report, which provides a retrospective look at the past year's internet exploitation trends.
To keep our listeners informed on the latest cyber threats, we cover the most recent tags and active campaigns as observed by GreyNoise, offering a real-time perspective on the threat landscape. Lastly, we round up the episode with a discussion on the Known Exploited Vulnerabilities (KEV) catalog from CISA, which is an essential resource for cybersecurity professionals to prioritize their defensive efforts.
In this episode of Storm⚡️Watch, we delve into a variety of cybersecurity topics, with a running theme of the vital need for Multi-Factor Authentication (MFA). We kick off with introductions and a roundtable discussion, followed by an exploration of a mass crypto-miner takedown, with insights drawn from reports by the Ukrainian Cyber Police and Bleeping Computer.
We then discuss the Ivanti debacle, referencing a blog post by Volexity. This is followed by a note on two X account hacking events (SEC & Mandiant), as reported by The Register and Security Affairs. The NSA's warning about AI-enhanced phishing is also on our agenda, with sources from NBC News and Infosec Exchange.
We tap back to ancient Stuxnet news, the malware that cost a billion dollars, based on an article by Graham Cluley (there are some new twists to this tale). We also delve into the broad implications of the Orrick breach, as reported by Security Week.
In our tool spotlight, we feature Cyberwatch, a GitHub project by Casualtek. We also discuss a blog post from Censys about a Juniper vulnerability and encourage folks to attend the "Stop Predicting, Start Protecting" lunch-and-learn.
From GreyNoise, we highlight the second 2024 Tag Webinar and 2023 GreyNoise Internet Exploitation Retrospective Report.
We wrap up with a roundup of known exploited vulnerabilities from CISA.
In this episode of Storm⚡️Watch podcast, we kick off the new year with a lively roundtable discussion. Our special guest for this episode is Andrew Morris, who brings a unique perspective to our conversation (given that he’s, like, our CEO & Founder). Given Morris’ propensity for “hot takes”, this should be a doozy of an interview.
A significant part of our post-interview discussion revolves around the loanDepot breaches that occurred in 2023 and the start of 2024. We delve into the details of these incidents, providing insights into the cybersecurity implications and the broader impact on the industry. We also discuss the odds that little Suzie is homeless at this point.
As we look ahead to the rest of 2024, we discuss several key topics. We examine the controversial stance of 23andMe, who blamed negligent breach victims for their own misfortune. We also discuss a thought-provoking article from The Economist, which suggests that ransomware could cripple entire countries, not just companies. Furthermore, we explore the disinformation landscape in the US political sphere for 2024, highlighting the potential for global disinformation and misinformation campaigns.
Tool Time shows how you, too, can be a cyber reporter by surfing the SEC EDGAR website for required breach reporting.
We engage in our usual shameless self-promotion as we discuss the latest blog posts from Censys and GreyNoise, including a deep dive into the SnakeYAML deserialization vulnerability. We also discuss our first 2024 Tag Webinar, which offers a detailed exploration of GreyNoise tags.
We wrap up the episode by discussing recent tags, active campaigns, and anomalies. We also highlight the wealth of information available on the CISA website, particularly focusing on the catalog of known exploited vulnerabilities and the massive KEV Drop this week.
In this episode of Storm⚡️Watch, we kick off with our usual intros and roundtable discussion between co-hosts Kimber Duke, Emily Austin, Glenn Thorpe, and boB Rudis. The show continues with a celebration of the FBI's confirmation that ALPHV has, indeed, been taken down.
Moving on, a significant development this week is the effective implementation date of new SEC cyber reporting rules. These rules mandate that companies report "material cybersecurity incidents" to their investors. The rules went into effect this week, and VF Corporation was one of the first to report under these new guidelines. VF Corporation suffered a significant cyberattack on December 13, 2023, which has had a major impact on its operations, particularly its ability to fulfill orders during the holiday rush. We also discuss the hot-off-the-presses Xfinity breach announcement.
Looking ahead, we delve into our predictions for the cybersecurity landscape in 2024 (make sure to check out our companion blog post, "Weathering 2024: Storm Watch Predictions for the Year Ahead").
In Tool Time, we also discuss ZOOM's Vulnerability Impact Scoring System (VISS), a resource that helps organizations assess their vulnerability to cyber threats.
In the realm of recent vulnerabilities, we review Censys's blog post about the JetBrains TeamCity Remote Code Execution (RCE) vulnerability (CVE-2023-42793). We also showcase a deep dive into the Apache Struts2 RCE vulnerability (CVE-2023-50164) in our blog post, "A Day in the Life of a GreyNoise Researcher." In another deep dive, Ron Bowes of GreyNoise Labs digs deep into F5 BIG-IP systems, where he explored how threat actors are baiting these systems. You can read all about those findings in our blog post, "Mining the Undiscovered Country with GreyNoise EAP Sensors: F5 BIG-IP Edition."
We note three new tags, including a WordPress Backup Migration RCE (CVE-2023-6553), the 3CX CRM SQL Injection (CVE-2023-49954), and the WuzhiCMS SQL Injection (CVE-2018-11528). Finally, we wrap up with a discussion on the CISA's recent advisories. The first is a design alert urging manufacturers to eliminate default passwords, aptly titled "NO KEV!" The second is a joint advisory on Play Ransomware, providing crucial information to help organizations protect themselves against this threat.
In this episode of Storm⚡️Watch by GreyNoise Intelligence, we discuss the rumored takedown of the ALPHV/BlackCat ransomware site, which has been offline for days, fueling speculation that law enforcement may have finally caught up with the prolific ransomware group. We then delve into the North Korea-linked Lazarus Group's exploitation of the Log4j vulnerability in a global campaign targeting companies in the manufacturing, agriculture, and physical security sectors. This deep-dive Breaking News segment will shed some light on why attackers are still going after this two-year-old weakness, and also discuss how attackers are using modern programming languages to gain efficiencies and thwart detections. In our Tool Time segment, we explore the AWS Kill Switch, an open-source incident response tool for quickly locking down AWS accounts and IAM roles during a security incident. Our Shameless Self-Promotion segment drops details on upcoming GreyNoise webinars, Censys' new service tier, and a GreyNoise Labs blog on the use of GreyNoise EAP sensors for novel exploitation discovery for CVE-2023-47246. Along with our CISA KEV roundup, we provide a short readout on CISA's Fourth Quarter Cybersecurity Advisory Committee Meeting and the new jointly published CISA guide, "The Case for Memory Safe Roadmaps".
Welcome to the latest episode of Storm⚡️Watch, where we delve into the most recent cybersecurity events and trends. We are also joined by our friends at Trinity Cyber.
In this episode, we're excited to announce the arrival of TAGSMAS! This is a special event where we celebrate the power of tags in cybersecurity and how they can help us better understand and respond to threats.
We start the show with the team over at Trinity Cyber, with an in-depth discussion about what they do and how they and GreyNoise partner to keep organizations (and humans) safe.
The episode continues with a security bulletin from New Relic, who recently identified unauthorized access to their staging environment. This environment provides insights into customer usage and certain logs, but does not store customer telemetry and application data. The unauthorized access was due to stolen credentials and social engineering related to a New Relic employee account. The unauthorized actor used the stolen credentials to view certain customer data within the staging environment. Customers confirmed to be affected by this incident have been notified and given recommended next steps. Importantly, there is no evidence of lateral movement from the staging environment to customer accounts in the separate production environment or to New Relic’s production infrastructure.
Next, we discuss a phishing campaign targeting WordPress users. The campaign tricks victims into installing a malicious backdoor plugin on their site. The phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an identifier of CVE-2023-45124, which is not currently a valid CVE. The email prompts the victim to download a “Patch” plugin and install it. If the victim downloads the plugin and installs it on their WordPress site, the plugin is installed with a slug of wpress-security-wordpress and adds a malicious administrator user with the username wpsecuritypatch. The malicious plugin also includes functionality to ensure that this user remains hidden.
In our shameless self-promotion segment, we highlight some of our recent work at GreyNoise Labs. We've been busy analyzing and documenting various cybersecurity threats and trends, and we're excited to share our findings with you. Be sure to check out our latest posts on the GreyNoise blog and sign up for our Noiseletter to stay up-to-date with our latest research.
We also discuss some recent vulnerabilities, including a Google Skia Integer Overflow Vulnerability (CVE-2023-6345), an ownCloud graphapi Information Disclosure Vulnerability (CVE-2023-49103), and two Apple Multiple Products WebKit vulnerabilities (CVE-2023-42917 and CVE-2023-42916). These vulnerabilities highlight the ongoing need for robust cybersecurity measures and the importance of staying informed about the latest threats.
Finally, we discuss a recent CISA alert about the Iranian military organization IRGC. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.
Thank you for joining us for this episode of Storm⚡️Watch. We look forward to bringing you more insights into the world of cybersecurity in our next episode.
In this episode of Storm Watch, we delve into a range of cybersecurity topics that have made headlines recently.
We kick off with a discussion on the recent agreement inked by the US, Britain, and other countries to make AI 'secure by design'. This landmark decision underscores the growing importance of cybersecurity in the era of artificial intelligence and the collective effort to ensure its safe implementation.
Next, we turn our attention to the disruption of a Cyber Scam Organization through the seizure of nearly $9M in cryptocurrency. This case highlights the increasing use of digital currencies in cybercrime and the efforts by law enforcement to curb such activities.
We then discuss a critical vulnerability in ownCloud, a top file-sharing service. The security bug, which reveals admin passwords, was quickly exploited in the wild, underscoring the need for swift action in addressing such vulnerabilities.
The episode also covers the spread of the InfectedSlurs Botnet, which is disseminating Mirai via zero-days. This development is a stark reminder of the persistent threat posed by botnets and the importance of staying abreast of the latest cybersecurity threats.
We also delve into the recent ransomware 'catastrophe' at Fidelity National Financial that caused panic among homeowners and buyers. This incident underscores the far-reaching implications of ransomware attacks and the urgent need for robust cybersecurity measures.
In the automotive sector, we discuss the warning issued by auto parts giant AutoZone about a MOVEit data breach. This incident serves as a reminder of the pervasive nature of cyber threats across various industries.
Celebrating its 10th anniversary, Microsoft's bug bounty program is another topic of discussion. Over the past decade, the program has awarded more than $60M, highlighting the tech giant's commitment to cybersecurity.
We also touch on the intriguing topic of the 'Internet of Insecure Cows', a study that explores the vulnerabilities of IoT devices in the agricultural sector.
The episode also includes discussions on Vidar tracking, a technique used to monitor the infrastructure of this notorious malware, and the concept of 'Living off the land', a stealthy cyberattack strategy.
We wrap up with a look at the 'Have I Been Squatted?' service, an overview of the latest GreyNoise Tags, a roundup of Known Exploited Vulnerabilities (KEV), and a review of CISA's Ransomware Response Checklist. These resources provide valuable insights and tools for cybersecurity professionals and enthusiasts alike.
Welcome to the latest episode of Storm Watch by GreyNoise Intelligence, hosted by Emily Austin, Kimber Duke, Glenn Thorpe, and boB Rudis. In this episode, we're excited to share some good news about the takedown of the IPStorm Botnet, a significant victory in the fight against cybercrime. The Russian and Moldovan national behind the illegal botnet proxy service has pleaded guilty, marking a significant step forward in international cybersecurity efforts.
In breaking news, we discuss the recent SEC complaint filed by AlphV against MeridianLink for not disclosing a breach to the SEC. The breach was linked to Confluence, and we delve into the details of this incident and its implications. We also focus on the CrushFTP RCE.
In our regular programming segment, we discuss how Clorox is cleaning house after a cyberattack, with the company's cyber chief leaving as recovery efforts continue. We also talk about Rackspace's hefty $11M ransomware recovery bill, which was linked to an OWASSRF vulnerability. Toyota also makes headlines with a breach confirmed after the Medusa ransomware group threatened to leak data, an incident tied to the CitrixBleed vulnerability.
We also discuss the upcoming IRISSCON cybersecurity conference, where Russian cybersecurity experts are expected to present. We reflect on the 20th anniversary of Patch Tuesday, a monthly event that has become a staple in the cybersecurity world. We also give a nod to the upcoming CAMLIS conference, which we'll cover in more detail next week.
In our tool time segment, we introduce MaxCVE, a useful tool for cybersecurity professionals, and discuss the importance of container vulnerability scanning awareness.
In our self-promotion segment, we share some of the latest updates and discoveries from Censys and GreyNoise, including the introduction of Censys Search Teams, the discovery of NTC Vulkan infrastructure, and how to get a leg up on initial access ransomware with CISA KEV and GreyNoise tags. We also showcase UX and feature improvements in Sift.
Finally, we discuss the latest trends in GreyNoise tags and the importance of the Known Exploited Vulnerabilities Catalog from CISA. We also cover CISA's new initiative to expand scalable cybersecurity services to protect broader critical infrastructure and their recently released Health Sector Guidance Document.
Before we got the podcast going, we sent some love to Iceland, which is currently experiencing significant seismic activity. The Icelandic Meteorological Office has detected about 900 earthquakes in the region between Grindavík and Sundhnúkur, leading to the evacuation of the coastal town of Grindavík. The likelihood of a volcanic eruption is deemed considerable.
In good news, an international syndicate involved in cybercrime has been busted with the arrest of eight people. This is a significant step in the fight against cybercrime and a testament to the hard work of law enforcement agencies worldwide.
Breaking news from Maine involves a rant about MOVEit, a global data security incident that has raised concerns about data protection and privacy. We'll delve into this topic and discuss its implications.
In tech news, a new cutting-edge attack has been discovered that can steal SSH cryptographic keys. This vulnerability occurs during the signature generation when a client and server are establishing a connection and affects keys using the RSA cryptographic algorithm. This discovery underscores the importance of constant vigilance and innovation in cybersecurity.
In regular news, Sumo Logic has disclosed a security breach after discovering unauthorized access to its AWS account. The company has advised customers to rotate their API access keys and other credentials as a precautionary measure.
Hive ransomware is back, and a new offspring, Hunters International, has taken the stage. We'll discuss this development and its potential impact on cybersecurity.
We also talked about NotCVE, a new initiative in the cybersecurity world, and introduced you to a useful tool, the CVE Half Day Watcher.
In our shameless self-promotion segment, we discussed the SLP Tag Blog and the new addition of PCAPs in Analysis.
We also did the usual roundup of the latest tags on GreyNoise.
Finally, we discussed the latest updates from KEV, including the ACSC BCiB and the CISA Software Supply Chain Guide.
In this episode of Storm Watch, our hosts discuss a variety of topics, including the top cyber conflicts, vulnerability remediation, and the latest issues with Confluence, F5, ActiveMQ, and VMware.
The episode began with a brief introduction and some casual banter among the hosts. They discussed their Halloween experiences and Glenn's obsession with Wordle. They also mentioned a movie called "Clown" that Kimber recommended for those with a fear of clowns.
The hosts then moved on to discuss cybersecurity topics including:
- Interview with Konstantin of CVECrowd.com
- Good News: UK CVD legislation
- Confluence Viz Activity
- ActiveMQ Viz Activity
- F5 Viz Activity
- Okta breach update
- QNAP vulns
- Myth of the long-tail vulnerability
- The release of CVSS4
- Quick FYI for the Microsoft/Foreign Policy "Digital Front Lines" magazine
- Quick FYI on a Wiz blog
- News about the joint Censys/GreyNoise workshop
- Mention of the new GreyNoise Honeypots/honeytokens blog
- Mention of the new GreyNoise Summary Stats Observable notebook
- GreyNoise Tag roundup
- KEV roundup
- Notes that November is Critical Infra Security & Resilience Month
The episode concluded with a discussion on the myth of the long tail vulnerability, a topic covered in a blog post by Ben from Cisco. The hosts agreed that the hype cycle for vulnerabilities is real and predictable, and there is no long tail vulnerability.
The Storm Watch podcast episode from October 31, 2023, began with the hosts in a light-hearted mood, donning costumes for Halloween. The hosts discussed the latest happenings in the cybersecurity world, focusing on the latest phones, developments at Censys and GreyNoise, and important cybersecurity news. They also touched on conspiracy theories. Costumes included one host dressed as the Invisible Man, another as Louise Belcher from Bob's Burgers, and another as Cozy Bear, a reference to APT 29, a cyber espionage group. They also discussed their "scariest vulnerabilities," with one host mentioning mercenary spyware like Pegasus as a significant concern.
The hosts then discussed the recent security breaches involving Okta, Beyond Trust, and 1Password. They praised 1Password for their transparent and detailed response to the incident. They also discussed the recent vulnerabilities found in SolarWinds and the subsequent charges filed by the SEC against SolarWinds and their Chief Information Security Officer for fraud and internal control failures.
The hosts also discussed a tool called cvecrowd.com, which tracks CVE mentions on Mastodon, a social network. They praised the tool for its usefulness in tracking cybersecurity vulnerabilities and incidents. They also mentioned an upcoming event at a brewery where they would discuss threat hunting techniques and tips.
The hosts then discussed the recent vulnerabilities found in Cisco IOS, with one host sharing her findings from her investigation into the vulnerabilities. They also discussed the importance of patching and updating systems to protect against these vulnerabilities.
This episode of Storm Watch begins with introductions of the hosts - Bob, Emily (Censys), Glenn, Remy, and guest Jake Baines (VulnCheck).
The hosts discuss two ransomware groups being taken down - the Ukrainian Cyber Alliance taking down Trigona, and RagnarLocker ceasing operations. However, they note ransomware attacks often continue in new forms. The increase in Bitcoin value is also concerning, as it tends to correlate with more ransomware attacks.
A significant portion of the podcast focuses on the vulnerabilities in Cisco routers and Citrix systems. The hosts explain the vulnerabilities, provide background, and detail the work done by their teams to analyze the issues. They are critical of Cisco's disclosure and patching process.
The hosts discuss the recent Okta breach, criticizing their response time and communication process. They explain how the breach occurred via access to support systems, and compromised session tokens and HAR files. The hosts emphasize the sensitivity of HAR files.
Other topics covered include:
The hosts close out with recommendations for tabletop incident response exercises, favorite Halloween candies, and a plea for better security awareness and coordination across the industry.
This "Breaking News" edition of the Storm Watch podcast begins with the hosts introducing themselves and their guest, Mark from Censys. The hosts discuss the recent surge in activity around a new Cisco IOS vulnerability and the subsequent system implants. Censys has published a blog post on the topic and discovered that approximately 41,983 hosts had this implant installed, an increase of about 5,000 to 6,000 from the previous day.
The hosts discuss the unique nature of this implant, noting that it does not persist through reboots or maintenance. However, attackers can establish a more permanent foothold or entry point after the implant is placed and before the device is rebooted. The hosts also discuss the development of a scan profile for this vulnerability, which was facilitated by information provided by Talos in their blog post.
Then they discuss the distribution of the affected hosts, noting that they are spread across many different autonomous system organizations. They speculate that many of the affected systems are likely small businesses or residential users who received their devices from their Internet Service Providers (ISPs). The hosts also note that many different entities are scanning for this vulnerability, some of which are unknown, indicating that many people are opportunistically jumping on this issue.
The hosts conclude the podcast by discussing the severity of this vulnerability, noting that it provides top-tier, or "God mode," access to people's networks. They encourage listeners to stay informed and safe, and they express hope that they won't have to report on another breaking news issue before their next scheduled episode. Be sure to check out the GreyNoise blog for more details and updates on this active vulnerability.
On this episode of Storm Watch, the hosts discuss a recent vulnerability in the Cisco IOS software, which they describe as a "legit terrible vulnerability". This vulnerability can be triggered to place an implant on a Cisco device, granting the attacker full access to the device. They emphasize that this is a serious issue and encourage listeners to look into it further. They also discuss a vulnerability in WordPad, which they find surprising given that WordPad is often forgotten about. They note that Microsoft has claimed to have updated WordPad to address this vulnerability and also that Microsoft is abandoning WordPad (though they made an update for this vuln).
The hosts also discuss the importance of blocking outbound NTLM over SMB in Windows, with Glenn emphasizing that organizations should not allow SMB outbound from their perimeter. They discuss the challenges of restricting outbound internet access for the general user base, noting that it would require an application firewall and could potentially lead to a large number of help desk tickets.
Another topic of discussion is a recent blog post by VulnCheck, which reveals that many devices have already been compromised due to the Cisco IOS software vulnerability. They note that the compromised devices were found in DigitalOcean, which they find amusing.
Finally, the team reviews recent GreyNoise Tags, additions to CISA KEV, a new "KEV API" open-source tool, and the new KEV "ransomware" field, with a daily-updated visualization by GreyNoise.
In this episode of Storm Watch, the hosts were joined again by Emily Austin, a senior researcher from Censys, and Daniel Grant, a principal data scientist at GreyNoise. They discussed the SIFT tool, a new product from GreyNoise, and its potential applications in the field of cybersecurity.
The hosts began by discussing a recent Microsoft report that suggested basic security hygiene could protect against 99% of attacks. They highlighted the importance of multi-factor authentication, zero trust, and patching as key elements of this basic security. The hosts also noted that 80% of ransomware compromises occur via unmanaged devices, emphasizing the need for organizations to prioritize their security efforts.
Next, they discussed a recent vulnerability in Confluence, a popular team collaboration software. The vulnerability, which was exploited as a zero-day, allowed remote attackers to create new users. The hosts stressed the importance of auditing user accounts, even after patching, to ensure that no unauthorized users were created during the exploit.
The hosts then turned their attention to the impact of a cyber attack on Clorox. The company has predicted a significant drop in sales due to the attack, which the hosts speculated might have been timed to coincide with flu season, a high-demand period for Clorox products.
The episode also covered a new vulnerability in the HTTP/2 protocol, which could potentially be exploited for a denial-of-service (DoS) attack. The hosts noted that currently, the best protection against this type of attack is a DDoS mitigation service.
Finally, the hosts discussed the addition and removal of certain entries from the Known Exploited Vulnerabilities (KEV) list. They noted that the MeetingOwl, a device they had previously discussed, had been removed from the list. The hosts concluded the episode by emphasizing the importance of basic security measures and the role of cybersecurity professionals in protecting against threats.
Welcome to Storm Watch by GreyNoise Intelligence, where the hosts discuss the latest cybersecurity topics and news. In this episode, the hosts are joined by special guest Emily Austin, a security researcher at Censys.
Censys is a company that scans the entire IPv4 space, providing fast internet-wide scan data for researchers, threat hunters, and others who need to understand the internet landscape. They also offer an attack surface management platform to help organizations identify and protect their assets. Emily is a senior researcher and leads the research team at Censys, focusing on new vulnerabilities and internet measurement analytics.
During the podcast, the hosts discuss the challenges of analyzing scan data and the importance of being informed about potential threats. They also touch on the topic of threat hunting and the debate between the terms "threat hunting" and "thrunting." Emily then does a deep dive on the WS_FTP exposure situation.
The hosts mention the upcoming nationwide test of the emergency alert system by FEMA, which will send alerts to cell phones, radios, and televisions. They emphasize the importance of being aware of this test and the potential for disruptions.
The conversation then shifts to the recent libwebp debacle, which has made every Chromium instance vulnerable. The hosts express concern about the lack of attention this issue is receiving and the confusion caused by the changing CVEs.
Along with other cyber news, the show announces a new GreyNoise Early Access Program (EAP) feature: Sift. Sift lets users with GreyNoise accounts access the same early attack triage tools the internal GreyNoise Detection Engineering team uses. GreyNoise Labs is releasing it now to get feedback from customers and the community to help make Sift as useful as possible when applied to the PCAP data coming from the GreyNoise Early Access Program new sensors.
In this episode of Storm Watch, the hosts discuss their recent experiences and updates in the cybersecurity world. The podcast begins with Kimber sharing her experience at LabsCon, a small conference organized by Sentinel One's labs team, focused on threat intelligence information sharing.
Next, the hosts discuss GreyNoise's sensor workshop at LabsCon, where they demonstrated the deployment of a sensor and the possibilities it opens up for information gathering. Sensors are points on the internet that passively collect data, waiting for interactions and storing the information in a database for further analysis. The team is working on new sensor profiles and personas, allowing them to pretend to be anything in ways they have never been able to do before.
The conversation then shifts to the ongoing MOVEit vulnerability saga, with two new CVEs being announced in the past week. The hosts emphasize the importance of staying on top of these vulnerabilities and practicing responsible disclosure. They also briefly mention JetBrains' new beta Rust IDE, which is currently available for testing.
Lastly, the hosts touch upon GreyNoise trends, noting that it has been a relatively calm week in terms of botnet activity. However, they point out an increase in open proxy scanners, advising listeners to educate themselves on the topic. Overall, the episode covers a range of cybersecurity topics, from conferences and workshops to vulnerabilities and trends.
In this episode of Storm Watch, the hosts discuss a recent noise storm, which is an event where a capable attacker group sends out massive amounts of TCP packets without three-way handshakes. These noise storms can cause problems for data processing pipelines and are sometimes used to distract security professionals from other malicious activities. The hosts also mention that some early noise storms were in close proximity to large-scale military engagements, leading to speculation about their purpose.
The podcast also covers a recent ransomware attack by the AlphaV group, which targeted MGM via Okta, a popular identity and access management platform. The hosts discuss the group's articulate statement and snarky tone, as well as the fact that the group seems to be based in the US, which may contribute to their proficiency in English. They also mention that GreyNoise has coverage for this emergent threat and provides advice for security professionals on how to handle it.
Additionally, the hosts announce the launch of GreyNoise Labs, a platform for deep technical dives and research. Labs is designed for ultra-nerds who want to know the nitty-gritty details of various security topics. The hosts also discuss the potential for predicting security events by correlating anomalies with news articles and breaches.
Finally, the hosts touch on the "jet stream" of the internet, which consists of always-on threats like Mirai and SSH brute force attacks. They mention that these threats behave differently over time and are accompanied by smaller pockets of thunderstorms and systems moving in. Overall, the episode covers a wide range of cybersecurity topics, from noise storms and ransomware attacks to the launch of GreyNoise Labs and the ever-present threats on the internet.
In the Storm Watch podcast episode from September 12, 2023, the hosts discuss the value of private group chats and the resurgence of IRC. They mention the creation of a new Discord server for their community and express concerns about Salesforce's ownership of Slack. The conversation then shifts to the recent Apple vulnerabilities, emphasizing the importance of patching devices and staying informed about security issues.
The hosts also talk about the LastPass breach, in which the company was hacked, and the subsequent poor handling of the situation. They advise listeners to switch to two-factor authentication and change their passwords in response to the breach. The episode also covers the theft of $35 million from crypto accounts, which may be linked to the LastPass breach.
The podcast touches on the topic of known exploited vulnerabilities, expressing frustration with the lack of timely information about such incidents. The hosts and guests then engage in a discussion about their predictions for the number of vulnerabilities to be discovered in the coming week.
In conclusion, the hosts encourage listeners to stay safe, be cautious when interacting with strangers, and reach out to the Storm Watch community through various platforms, including Slack, social media, and Discord.
In this episode of Storm Watch, the hosts discuss various topics related to cybersecurity and the internet. They begin by comparing the unpredictability of weather patterns to the challenges of predicting internet activity and cyber threats. The hosts suggest that perhaps they should consider using a "cone of uncertainty" model, similar to hurricane forecasting, to help visualize potential internet threats.
The conversation then shifts to the recent North Korean cyberattacks targeting security researchers. The hosts express disappointment at not being targeted themselves and discuss the importance of being aware of potential threats and evaluating one's own risk factors. They also mention Google's efforts to raise awareness about the issue and encourage those affected to reach out for assistance.
Next, the hosts discuss the recent Apple zero-day vulnerabilities and emphasize the importance of patching devices. They also touch on the broader topic of whether security checkboxes and best practices are still effective in today's rapidly evolving threat landscape.
Finally, the episode covers the Microsoft Exchange Server vulnerabilities and the company's response to the issue. The hosts express disappointment in Microsoft's handling of the situation, noting that there seems to be a lack of transparency and detail in their communications. They also discuss the potential consequences of not implementing proper key rotation and the importance of learning from these incidents to improve security practices moving forward.
In the August 28th episode of the Storm Watch podcast, the hosts discussed various cybersecurity topics and welcomed a new guest, Donna, the director of product design at GreyNoise. Donna shared her experience attending Blue Team Con, a conference for cybersecurity defenders. She emphasized the importance of learning directly from the cybersecurity community to improve GreyNoise's overall user experience. Glenn, another host, also attended the conference and praised its organization, variety of talks, and friendly atmosphere.
The hosts then discussed a recent Sophos report on cybersecurity trends, highlighting the report's engaging writing style and informative content. They also touched on a misleading headline about Russia hacking Poland's train rail network, clarifying that it was not a cyber attack but rather a simple radio frequency interference that caused the trains to stop. The hosts expressed concern about the vulnerability of modern systems to such basic attacks.
The conversation shifted to the impact of ransomware attacks on businesses, with the hosts mentioning two Danish cloud providers that went out of business due to ransomware incidents. They emphasized the importance of taking cybersecurity seriously, as even well-prepared businesses can be affected by unforeseen threats.
Lastly, the hosts discussed a recent Capture the Flag (CTF) competition organized by GreyNoise. They praised the event's organization and shared some interesting stories from the participants, including a real-life open-source intelligence gathering situation. The CTF event showcased the creativity and skills of the cybersecurity community and provided valuable learning experiences for the participants.
In this episode of Storm Watch, the hosts discuss their experiences at Hacker Summer Camp and their excitement about new sensors they've been working with. They consider the possibility of doing a demo in the next episode and mention some sneak peeks available on Andrew's Twitter account. The conversation then shifts to the extreme weather conditions they've been experiencing, including heat domes and "her quakes."
The hosts express their disappointment with the lack of progress made by federal departments and agencies in response to the Biden-Harris administration's executive order on cybersecurity. They emphasize the importance of faster reporting and applying basic cybersecurity principles. They also discuss the massive number of victims affected by the MOVEit ransomware, urging cybersecurity professionals to focus on healthcare and other underserved areas.
The ARPA-H initiative, or "DigiHeals," is introduced as a government research project aimed at improving healthcare cybersecurity. The hosts share their concerns about the vulnerabilities they've observed in healthcare networks and encourage cybersecurity professionals to dedicate time to helping these critical systems. They also announce the winners of the inaugural Noise Fest CTF of 2023, a Capture the Flag competition organized by the GreyNoise Labs team.
In this Storm Watch episode, the hosts discuss various topics related to cybersecurity, vulnerabilities, and attacker activity. The episode features Kimber, a product manager at GreyNoise, and Glenn Thorpe, the director of security research and detection engineering at GreyNoise. The team shares their experiences and takeaways from attending Black Hat and DEF CON, cybersecurity conferences held in Las Vegas.
During the conference, the hosts noticed an increased focus on API and supply chain security, particularly among startups. They also observed a growing interest in healthcare security, with discussions centered around protecting hospitals from ransomware attacks and implementing canaries to detect such attacks faster. The hosts also mention the popularity of the AI Village at DEF CON, as well as the Policy Village, which aims to protect the cybersecurity community and researchers.
The podcast also covers the GreyNoise Capture the Flag (CTF) event, where participants were challenged to solve various cybersecurity puzzles. The hosts express their admiration for the effort put into designing the challenges and their interest in hearing participants' reactions. They also discuss a new feature in GreyNoise that allows users to set up alerts based on specific tags, making it easier to monitor and receive updates on particular vulnerabilities.
Overall, this episode highlights the importance of staying informed about the latest trends and developments in cybersecurity, as well as the value of participating in events like Black Hat, DEF CON, and the GreyNoise CTF to learn and engage with the cybersecurity community.
In this episode of Storm Watch, the hosts discuss a variety of topics, including their upcoming trip to Vegas for a cybersecurity event and the challenges they face in staying up-to-date with the latest vulnerabilities and threats. One of the main topics of discussion is the issue of companies hiding vulnerability information behind paywalls or requiring NDAs to access advisories. The hosts argue that this practice is counterproductive, as it slows down awareness and remediation efforts while creating anxiety and anger towards the affected company.
The hosts also touch on the upcoming Noise Fest CTF (Capture the Flag) event, which features 22 different challenges for participants to test their skills in various areas of cybersecurity. They encourage listeners of all skill levels to participate and reach out for help if needed, as the event is designed to be both fun and educational.
Another topic of discussion is the importance of staying on top of patching and updating systems to protect against vulnerabilities. The hosts praise their own internal team for their quick response to a recent vulnerability in their data science and business analytics software, emphasizing the need for organizations to prioritize security and maintain a proactive approach.
Lastly, the hosts discuss a recent ransomware attack against a health network provider that affected multiple states and disrupted patient services. They emphasize that ransomware is still a significant threat and that organizations must remain vigilant in protecting their systems and data. Overall, the episode highlights the importance of staying informed about the latest threats and vulnerabilities and the need for organizations to prioritize security and transparency in their operations.
In this episode of Storm Watch, the hosts discuss the recent MOVEit data breach and its impact on various organizations. They mention that around 550 organizations have been affected so far, but this number is likely to increase significantly. One of the victims, National Students Clearinghouse, partners with about 3,600 US post-secondary schools, and it is unclear how many of these institutions have been affected. The hosts also discuss the costs associated with incident response, with one company estimating its recovery and remediation costs at $15 million.
Brett Callow from Emsisoft joins the conversation to provide more insight into the MOVEit breach. He explains that his role as a threat analyst involves aggregating data from various sources to shed light on ransomware numbers and trends. The hosts discuss whether the MOVEit breach should be classified as ransomware or simply data theft and extortion. Brett mentions that the attackers have stolen data and are threatening to release it online unless the impacted organizations pay ransoms, which can run into millions of dollars.
The hosts also touch on recent vulnerabilities in MobileIron, ColdFusion, and Citrix ShareFile, noting that they have observed malicious activity targeting these vulnerabilities. They praise the efforts of their team in creating numerous tags for July, highlighting the importance of staying informed about potential threats.
Finally, the hosts briefly mention the threat hunting guides and encourage listeners to check them out for valuable information on identifying and mitigating potential threats.
In the Storm Watch episode, the hosts were joined by Matthew Remacle, aka Remy, a detection engineer at GreyNoise. They discussed the recent surge in zero-day vulnerabilities, which they dubbed "zero-day summer," and how it seems to occur every year before the Black Hat conference. Remy shared his role at GreyNoise, where he analyzes network traffic to write tags or signatures for malicious, benign, and unknown network traffic to identify behaviors on the internet.
The hosts also talked about recent vulnerabilities in ColdFusion and Citrix ADC servers, emphasizing the importance of patching these systems. They mentioned Mandiant's report on North Korean threat actors leveraging JumpCloud in supply chain compromises and the potential unauthenticated API access in Ivanti, a mobile device management platform.
Additionally, they discussed GreyNoise's new threat hunting guide, which provides a comprehensive overview of the history, key components, and future of threat hunting. Kimber mentioned the increasing popularity of the term "threat hunting" and how it has evolved into a legitimate job role. The hosts also touched on the use of AI in threat hunting, with Bob mentioning a recently released AI threat hunting platform.
The hosts concluded by discussing the steady increase in known exploited vulnerabilities cataloged by CISA, emphasizing the importance of addressing these vulnerabilities and patching systems.
In this episode of the Storm Watch podcast, the hosts discuss their recent vacations and the mandatory two-week shutdown at GreyNoise.
The conversation then shifts to the MOVEit software and its increasing number of CVEs. Kimber suggests that the surge in CVEs might be due to researchers taking a closer look at MOVEit for the first time, as it is a critical software used in government entities. The hosts also discuss the possibility that similar software might become a focus for attackers in the coming months.
Next, the hosts talk about the lack of new tags due to their vacation and a recent bump in Mirai activity. They mention a double-encoded URL tag that has doubled the number of IP addresses, but they don't have any hypotheses about the reasons behind it. They also touch on the ability of GPT to create Python notebooks on the fly and the potential security risks associated with it.
Finally, the hosts discuss NoiseFest, an upcoming event celebrating all things GreyNoise. Kimber shares her excitement about the Capture the Flag (CTF) competition that will take place during the week of Black Hat and DEF CON.
In this episode of Storm Watch, the hosts discuss a variety of cybersecurity topics, starting with the discovery of an Android mobile botnet. They note that mobile traffic has been trending upward since the end of March, with a significant increase in April. The botnet is attributed to a banking Trojan, and the hosts emphasize the importance of keeping mobile devices updated and being cautious with app installations and link clicks.
The conversation then shifts to recent cyber incidents, including the VMware Aria vulnerability and the Fortinet and Zyxel pre-auth injection vulnerabilities. The hosts stress the importance of staying on top of updates and considering additional security measures for these devices. They also mention the ongoing "MOVEit" campaign, which has impacted over 100 organizations and exposed over 5 million records.
Next, the hosts touch on the Apache Log4j vulnerability, noting a recent spike in activity that has since returned to its previous baseline. They also discuss an advisory on an ICS monitoring device with a hardcoded password vulnerability, emphasizing the potential high value for attackers targeting industrial control systems.
Finally, the hosts address a recent UPS data disclosure letter, which has been criticized for its lack of clarity. They emphasize the importance of transparency and straightforward communication when it comes to security incidents and data breach notifications.
In this episode of Storm Watch, the hosts discuss various cybersecurity topics, including a Fortinet vulnerability, a DDoS attack on Microsoft Outlook, the ongoing issues with Log4j, and the "MOVEit" vulnerability.
The hosts first talk about a new Fortinet vulnerability, with some snark about the company's run of security issues. They then move on to discuss a recent DDoS attack on Microsoft Outlook, which caused significant downtime for users. The attack was attributed to Anonymous Sudan, a hacktivist group that uses open proxy services to launch its attacks. The hosts mention that with the current political climate and upcoming presidential election, more DDoS attacks can be expected.
Next, they discuss the "MOVEit" vulnerability, which has been exploited by attackers to target various organizations, including some governments. The hosts emphasize the importance of staying on top of security updates and patches to protect against such attacks. They also mention their community Slack channel, where they encourage users to share information on niche software and research partnerships.
Finally, the hosts touch on the resurgence of Log4j scans, suggesting that attackers may be targeting organizations that have restored backups or deployed old images without the necessary patches in place. They also mention a recent Verizon DBIR report that highlighted Log4j vulnerabilities, possibly contributing to the renewed interest in exploiting them. The hosts conclude by emphasizing the importance of staying vigilant and up-to-date with security measures to protect against these ongoing threats.
In this episode of Storm Watch, the hosts discuss a variety of cybersecurity topics, including a new CVE (CVE-2023-27997) for a Fortinet RCE vulnerability in SSL VPNs. The vulnerability was discovered by a French research group and is currently being tracked. Fortinet has already issued patches, so the hosts advise upgrading Fortinet devices as soon as possible.
The hosts also discuss the recent issues with Barracuda appliances, advising users to consider replacing them due to security concerns. They mention that Barracuda devices may be falling out of fashion in favor of alternatives like Proofpoint.
Reddit's recent API changes and the potential impact on public internet communities are also discussed. The hosts express concern about the loss of open information sharing, especially in the cybersecurity industry, as private communities become more prevalent. They encourage listeners to join GreyNoise's community Slack for information sharing and collaboration.
Lastly, the hosts touch on new tags added to GreyNoise, including one related to an older internet scanner that has recently become open source. They also mention the Telerik platform, which has a history of vulnerabilities and is frequently targeted. The hosts emphasize the importance of staying vigilant and keeping an eye on emerging threats.
In this episode of Storm Watch, the hosts discuss the recent Moveit vulnerability and its impact on various organizations. Kimber, a GreyNoise product manager, shares her background and role at the company. She started on the research team, now known as GreyNoise Labs, and transitioned to product management, where she focuses on packaging GreyNoise data to help users in their environments.
The MOVEit vulnerability, which allows unauthorized access to the database, was first reported in an advisory from Progress, the software vendor. The GreyNoise community quickly raised awareness of the issue, and the company published a blog post with its findings. They discovered scanning activity related to the vulnerability dating back to March, suggesting that organizations should review their systems for signs of compromise since then. Some victims, such as British Airways and Boots, have already disclosed their involvement.
The hosts also discuss the collaboration and information sharing among the cybersecurity community in response to the Moveit vulnerability. They highlight the importance of sharing remediation information and the quick response from various groups, including state governments. The GreyNoise community and other information sharing groups have played a crucial role in disseminating information and helping organizations stay safe.
Finally, Kimber teases an upcoming feature for GreyNoise users: the Labs Beta API platform. This platform will allow users to query the GreyNoise Labs dataset, including command and control (C2) IP addresses, popular IP address queries, and HTTP requests. While the dataset provided will be less than 10% of the full data, it still offers a significant amount of information for users to explore. The feature is expected to be released within the next two weeks.
In this episode of Storm Watch, hosts Bob and Glenn discuss recent cybersecurity events and the ongoing activity of the Mirai botnet. They mention a significant spike in Mirai botnet activity starting around May 10th, which continued to increase throughout the following weeks. The hosts note that Mirai is one of the primary botnets on the internet, with thousands of IP addresses attempting to find new members daily.
The hosts also discuss the geographical distribution of Mirai-infected devices, which are spread across the globe, mostly in residential networks. They highlight that Amazon's network has compromised servers that are part of the Mirai botnet. The top 15 autonomous systems account for about 75% of the traffic observed during the spike in Mirai activity.
Remy, a researcher, analyzed the binaries of the Mirai botnet and found that it was targeting Tenda, NetLog, LB-Link, and Zyxel devices. The hosts mention that they have updated their coverage for these devices and will be monitoring the situation closely. They also briefly discuss the recent vulnerability in Barracuda ESG appliances, urging users to keep their devices updated.
In the first episode of Storm Watch, the hosts discuss GreyNoise, a cybersecurity company that operates a large honeypot network to collect data on unsolicited internet traffic. By analyzing this data, GreyNoise can identify attackers, network scanners, and other malicious activity, helping users prioritize and make actionable decisions based on the findings.
The hosts also talk about CISA KEV, the Known Exploited Vulnerabilities catalog that helps organizations prioritize remediation and mitigation efforts. CISA KEV updates are not on a scheduled basis; entries are added as new information becomes available. GreyNoise partners with CISA to provide data for the list. The hosts emphasize the importance of prioritizing older vulnerabilities, as some of the recent additions to CISA KEV date back to 2004.
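The two points above, that KEV has no release schedule and that newly added entries can be very old CVEs, translate into a small triage routine. The following is an added example written for this page, not GreyNoise's or CISA's code; it assumes the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), and the sample feed embedded in it is constructed for illustration, not real catalog content.

```python
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The CVE IDs, vendors
# and dates are invented for this example and are not real catalog entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2004-0001", "vendorProject": "VendorA", "product": "ProductA",
         "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-0002", "vendorProject": "VendorB", "product": "ProductB",
         "dateAdded": "2023-05-03", "dueDate": "2023-05-24",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2015-0003", "vendorProject": "VendorC", "product": "ProductC",
         "dateAdded": "2022-11-10", "dueDate": "2022-12-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# CVE IDs carry their assignment year; that is what lets us spot "old bug, new entry".
CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def load_kev(raw_json: str) -> list[dict]:
    """Parse a KEV feed export and normalise the fields we triage on."""
    doc = json.loads(raw_json)
    entries = []
    for v in doc["vulnerabilities"]:
        m = CVE_RE.match(v.get("cveID", ""))
        if not m:
            continue  # skip a malformed ID instead of aborting the whole feed
        entries.append({
            "cve": v["cveID"],
            "cve_year": int(m.group(1)),
            "vendor": v.get("vendorProject", ""),
            "product": v.get("product", ""),
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
            "ransomware": v.get("knownRansomwareCampaignUse", "Unknown") == "Known",
        })
    return entries


def added_since(entries: list[dict], since_iso: str) -> list[dict]:
    """Entries CISA added on or after a date. KEV has no release schedule, so
    poll the feed and diff on dateAdded rather than waiting for an announcement."""
    since = date.fromisoformat(since_iso)
    return [e for e in entries if e["added"] >= since]


def stale_on_arrival(entries: list[dict], min_age_years: int = 5) -> list[dict]:
    """Entries whose CVE year is at least min_age_years before the year CISA added
    them: old vulnerabilities under active exploitation that a "recent CVEs only"
    patch cycle would miss."""
    return [e for e in entries if e["added"].year - e["cve_year"] >= min_age_years]


def triage(entries: list[dict], today_iso: str) -> list[dict]:
    """Remediation order: known ransomware use first, then entries already past
    their due date, then soonest due date."""
    today = date.fromisoformat(today_iso)
    return sorted(entries, key=lambda e: (not e["ransomware"], e["due"] >= today, e["due"]))


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    old = {e["cve"] for e in stale_on_arrival(kev)}
    for e in triage(added_since(kev, "2023-05-01"), "2023-06-01"):
        flag = "OLD" if e["cve"] in old else "   "
        print(flag, e["cve"], e["vendor"], e["product"], "due", e["due"])
```

To run this against the live catalog, replace SAMPLE_KEV_JSON with the body of the feed CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the parsing and ordering logic does not change. The min_age_years threshold is a judgment call, but anything flagged by stale_on_arrival deserves a check that the affected product is not still running an image restored from an old backup.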
For those new to GreyNoise, the hosts recommend starting with the visualizer at viz.greynoise.io. Users can explore trends, view tags, and see the most recent malicious IPs detected. The hosts emphasize that even a small number of malicious IPs can be significant, given that GreyNoise sensors are unsolicited and the IPs are actively seeking out these assets.