Transcript
Hi, I'm Matt Radolec, one of your hosts. Hi, I'm David Gibson, the other one of your hosts. So for those of you who are here for the first time, we always start the show by sharing good news. Oftentimes there's some doom and gloom in cybersecurity, and there is quite a bit to worry about right now, but the good guys are usually cracking away at it too. So let's start out by talking about Leakbase. The world's biggest leak forum, Leakbase, has been taken down in a joint campaign by the FBI and Interpol that they called Operation Leak. Law enforcement worked across 14 different countries to make arrests, targeting the forum's nearly 40 most active users. For those of you unfamiliar with Leakbase, that's a type of forum that was used to facilitate the trading and marketing of hacked databases, credentials, log files, and financial information. It's been in operation since about 2021, and it had over 100,000 active users. Here's one about Operation Red Card. By the way, we had Operation Leak. Who gets to name these? I think that's the most important question. And how often AI is used to name them would be what I want to find out. Oh, yeah. Well, what happened with Operation Red Card is they took down a cybercrime ring that was responsible for high-yield investment scams, mobile money fraud, and fraudulent loan applications. They were responsible for 45 million in financial losses. They identified over 1,200 victims of this cybercrime ring. So Operation Red Card resulted in 651 arrests across 16 countries. In Africa, they seized over 2,300 devices and took down over 1,400 malicious IPs. So another good win for the good guys. Yeah, another one for the good guys. And at least one more for the good guys. In another win, Interpol, in an operation that they deemed Synergia III, sinkholed nearly 50,000 IPs across 72 different countries.
They made 94 arrests, and they seized a lot of infrastructure used by cybercriminals. These criminals were behind phishing campaigns, malware, ransomware, and all other types of online fraud, supporting tens of thousands of scam websites worldwide. And in one more piece of good news that has no name that I know of, U.S. law enforcement shuttered the RAMP cybercrime forum. This has been a major hub of ransomware activity. I think it was founded in 2012. It was one of the few, if not the only, places, at least that broadly known, where ransomware recruiting was happening, as in "we're looking for people to help with ransomware." The site boasted over 14,000 users. It's been used by names that our audience will probably be familiar with, like ALPHV, BlackCat, and many more, including ShinyHunters, which will come up later. One of the interesting things about this one is that the FBI left a banner on the site which said, "RAMP, the only place ransomware allowed." And in an effort, it looks like, to troll some of the Russian founders and users of the site, they had an image of Masha from the Russian kids' cartoon Masha and the Bear, who is winking. So one of the operators, named Stallman, wrote about this, that he wouldn't rebuild the site but would continue to buy accesses, as his core business model remains unchanged. That's a rough quote, and a little scary. I think, in summary, we see with all these stories that the bad guys are under pressure, but they're still going pretty strong, as we'll see a little bit later with ShinyHunters. Yeah. And I guess Operation Ramp Down was successful. There you go. Good name. So our newest segment, AI Bay, is surely going to leave you saying "AI Bay." Now, David, what's going on with OpenClaw? Well, what isn't going on with OpenClaw? So I'm going to get to this OpenClaw ClawJacked flaw here. But I think I see at least five problems with OpenClaw in general, and I'm just going to run through them in no particular order.
But first of all, the way OpenClaw works is that you've got an AI on your workstation, basically a broker, a hub that can call different AI and different tools that are command-line tools that can connect to stuff you care about. So one problem I see is: how are we really managing the credentials there? Are we putting them in environment variables, or worse, clear text? This is one problem, I think, with this in general. Problem two, you've got OpenClaw skills, which you can download to have OpenClaw do other stuff, kind of like apps in an app store, but I'm not really sure how well vetted these are. So this is another risk factor. Next is that untrusted input is being processed, so the same node, job, and process that's looking at untrusted input can also do all sorts of other things. And now I have to tell everybody there is an at least new-to-me acronym that I learned about with this one, IDPI, or indirect prompt injection, or XPIA, cross-domain prompt injection. So this was new to me. And this is another risk here that is now no longer hypothetical. Last month, some researchers found that even the link preview features in messaging apps like Discord can be turned into a data exfiltration pathway with OpenClaw by means of this indirect prompt injection. The idea is you've got instructions that make it to the AI agent, the agent generates an attacker-controlled URL, and then when the URL is hit, it exfiltrates a whole bunch of stuff about the user in the parameters of the URL. You can embed anything in that URL. So this is just one example; I think there are many. And then number four is vulnerabilities in OpenClaw itself. So that's really where ClawJacked comes in. This is now patched, by the way, but the way this works, I thought, was pretty interesting.
So you've got just a generic OpenClaw installation, and an attacker can take control of your system. Here's how that works. Let's say you've got this basic OpenClaw on your workstation, and the attacker tricks you into going to a malicious website in your browser. On that website there is some JavaScript that executes and connects to the WebSocket of OpenClaw on localhost. So the way OpenClaw works is there's a WebSocket listening on your loopback. And because, before the patch, there was no rate limiting for what happened on localhost, it could brute-force the admin password. Then once they brute-forced the admin password, they registered this open session, this JavaScript, as a trusted tool or node in OpenClaw, which is kind of like saying to the bouncer at the door, "Hey, we're with the band." Now you're trusted, now you're in. And then, as long as that browser session is open, that JavaScript is a command-and-control feed, so they can take control. They can do anything they want with your OpenClaw, which, again, has access to all these other tools. Now, if all four of these weren't bad enough, now you have to worry about people downloading hacked versions of OpenClaw. So it's kind of like worrying about rat poison in your heroin, I guess. I don't know. But Bing was inadvertently promoting one of these hacked versions of OpenClaw that was hosted in a malicious GitHub repo. So all this together, it's just a calamity of stuff that I worry about. And I think, you know, David, when you think of the vulnerability in ClawJacked itself, where the user would have to fall for the malicious link, and then that allowed the WebSocket to brute-force the admin creds of the instance of OpenClaw, there are some basic controls here where you want to eliminate the weakest link.
But really, it sounds like, at least from my perspective, the pace of innovation is much faster than the pace of AI security, at least for now. Yeah, well, I mean, somebody chatted in "stay away from OpenClaw." I really want to use these kinds of productivity tools, but I haven't been able to really get over it; I'd have to run that in such an untrusted, you know, container. You just have to assume there are some issues right now. There's so much power there. Speaking of useful AI platforms, security researchers identified a handful of vulnerabilities in Claude Code, which is one of the widely used AI code assistants, one that even I personally use, so keep in mind CVE-2025-59536 and CVE-2026-21852. They allow for remote code execution with two different methods, one via poisoned configuration files. What those poisoned config files do is allow an attacker to run shell commands without the consent prompt being shown to the user, and then exfiltrate API keys. Now, I found these to be rather interesting. The second one would actually confirm an untrusted JSON project in the configuration settings. So that would allow for full developer machine takeover, even modifications of other files, or, you know, think of this like a supply chain attack. And 59536 actually allows for automated execution of all of those shell commands. Now, fortunately for everyone here, Anthropic actually patched both of these issues. The disclosure was done by researchers from Check Point. But there really is, like we mentioned before, this growing concern around all of these AI platforms and the vulnerabilities they introduce just because of how early they are, and security researchers are just starting to tinker with them.
So, you know, in another news story we didn't cover, there was a really big technology provider that had a junior developer push some code to production and experienced a big outage. And that was from Claude Code as well. So it seems like a lot of chaos, but also a lot of productivity, coming from Claude Code. You had something to say about Claude Code as well, if I remember. Well, just like with OpenClaw, you want to make sure... well, with OpenClaw you probably want to avoid installing it altogether, you know, just avoid OpenClaw altogether. I mean, to each their own, of course, but just from a security perspective, I think you can make that argument. For Claude Code, you want to make sure that you're installing the real Claude Code. So apparently what happened here is people were clicking on fake install pages for Claude Code that were Google sponsored links. By the way, do you ever click on sponsored links? I don't click on anything. I mean, I browse the same five websites and that's it, pretty much. Well, maybe in another episode you can tell us which five sites those are. We'll save that. But anyway, the interesting thing about these malicious sites that are posing as Claude Code installs is, first of all, they're picture perfect. The only real difference is in the commands that, of course, you copy and paste into your shell. And so this is yet another thing: yes, we really copy and paste commands from the Internet. It sort of can make your mind wobble that this is where we are. People have learned not to download malware from different sites. But now we just run commands to download malware. But really, unless you look very carefully at the URL, you can be fooled.
These fake websites can be hosted on legit hosting platforms like Cloudflare. But if you're not looking at it, you can be fooled. Some mitigation stuff: apparently the Windows version makes a web connection using mshta.exe and fetches HTA files, which then download the malicious version. So for anybody that's looking at the proxy traffic, you can examine the user agent strings. You'd probably see an Internet Explorer-style agent hitting an external domain and returning HTA content. That's probably something worth an alert. So I guess the moral of the story is: don't click on sponsored links. Don't blindly copy and paste commands from the Internet and run them in your shell. And be sure where you download your instances of OpenClaw from, if you're going to use OpenClaw at all. Yeah. And then you might as well monitor your edge for legacy browser agents that make external calls, if you're not doing that already. Well, since we've already been talking about some vulnerabilities, we've got a couple more to talk about. Now, for those of you unfamiliar with n8n, I don't know if there's an abbreviation for that, like "Naden" or something like that. I've never heard it abbreviated, but it's an AI automation and orchestration platform. They have several vulnerabilities, including one, CVE-2025-68613, which is being tracked as a known exploited vulnerability, or KEV. Now, the difference there is CISA often warns about vulnerabilities that have a high impact, urging government agencies and U.S. companies to patch them urgently. They also have now started to track which of those vulnerabilities are actively under exploitation. They call that a KEV, or known exploited vulnerability.
CVE-2025-68613 is an expression injection vulnerability that allows attackers to execute arbitrary code at the privileges the n8n processes are running with, which could potentially lead to full n8n compromise. Now, thousands of n8n instances remain exposed online. In addition to this vulnerability, though, security researchers from Pillar Security identified two additional flaws, CVE-2026-27493 and CVE-2026-27577, that when chained together could allow unauthenticated remote code execution, sandbox escape, and even complete server takeover. Now, fortunately for everyone following along, both of those vulnerabilities were patched in late February, and CISA actually issued a mandate to federal agencies to remediate all affected systems by March 25th, which is about six or seven days from now, I think, as exploitation could lead to an enterprise-wide breach. By the way, if anybody knows how to say n8n correctly, let me know. I think n8n is like a hot dog thing. Isn't that Nathan's, though? Yeah. Or is that like a Long Island abbreviation? I certainly don't want to, you know, coercively incorporate any of our New York residents on the bridge today. What's going on with ZombieZip? Well, this was interesting. Most antiviruses obviously know how to examine compressed files: open them up, uncompress them, and look for malware. Well, ZombieZip confused 50 out of 51 AVs by manipulating one byte in the zip file's header. They changed the compression method to "stored," which is basically uncompressed. It basically said, "Nope, no compressed stuff here." And 50 out of the 51 AVs just said, "OK, it looks like gobbledygook. We won't worry about it. We can't see anything." When in reality, it was compressed. So this is, you know, interesting. One of them actually said, "We're going to check this stuff even if it says it's not compressed." So I bet the other vendors are going to be doing that, too.
But, you know, there is a counter-debate, because by changing that header, no native user zip tool can actually decompress it. So it's kind of like, well, all right, is this really a risk? Because how would an attacker really use it? You know, if they could use it as a means to get code in. Right. Yes. I think the novelty of the technique is that if they were trying to bring something in and avoid EDR detection, they could maybe somehow bring it in and execute it from a remote server, so that it wasn't running on the machine the EDR was running on. I'm guessing that's the usefulness of it. I actually like this; this is great. I applaud the security researchers that figured this out. This is quite a level of tinkering and obfuscation to smuggle data into an organization. It is. I mean, you'd still have to smuggle something in to actually read the file. So it's a bit of a chicken and the egg. But you could theoretically flip the bit if you could access the metadata or had a metadata modification tool. Yeah, yeah. It is definitely a way to get malware in, probably in a distributed way, probably at scale. I was thinking earlier, like, well, all right, if you get a zip file you can't open, it's probably still in your inbox for a while, right? If somebody emails it to you and it got by your antivirus. Right. If somebody downloaded a bunch of files from, let's say, a third party... you know, I guess I'm just trying to work through, OK, how could you use this? But, yeah, yeah. Now, speaking of other dangerous things to throw on the radar, there's a new botnet that's been deemed CADNEP. CADNEP has taken over more than 14,000 Internet-connected devices, most of them being ASUS routers, and established a decentralized peer-to-peer botnet.
What's interesting about this botnet is it's shown resistance to takedown, as it uses stealth routing for its malicious traffic. And the botnet has been primarily used for distributed denial-of-service attacks, brute-force campaigns, and exploitation of targets located in the U.S., Europe, the UK, Australia, Brazil, and Russia. What I find interesting about this is we are still seeing Internet-connected devices be used and exploited when they're running legacy firmware or old OSes. And there are still tons and tons of people that have these things facing the Internet, whether for personal use or small corporate use, and attackers are taking advantage of it. The decentralized nature of this one makes it pretty hard to take down. It seems resistant to takedowns, at least according to researchers. I'm curious whether the audience thinks the malware names are more interesting than the operation takedown names. Now, in another not-so-cleverly-named operation, Palo Alto researchers identified a long-running campaign by a Chinese APT group that they track as CL-STA-1087, dating back as far as 2020. Attackers from CL-STA-1087 had custom malware like the AppleCrisis and Memfund backdoors. They used the GetPass credential harvester and oftentimes used PowerShell to manage their infrastructure. Now, when we think about a typical-style APT attack, sometimes the attackers' motivations are different. They want to cause chaos. They want to wipe machines or interrupt operations. But in this case, this infrastructure was used in a low-and-slow way to gather intelligence on military units and their movements and the structure of military organizations. And there wasn't any kind of large-scale data theft or ransomware event. It's something that happened against Southeast Asian military organizations over the course of many, many years. They used the Windows management interface or DLL hijacking to do lateral movement.
They got into domain controllers, workstations, and executive systems. And the real goal was to gather intelligence for military operations. Low and slow. What's going on with GlassWorm? So we've talked about GlassWorm before, but there are some new wrinkles with it. This is actually shaping up to be a pretty scary campaign. It's a coordinated supply chain campaign where invisible code is showing up in GitHub repos and in packages on registries like the Open VSX extension registry. About 151 malicious packages have been detected so far. And the code itself is invisible to the human eye. The attackers are hiding the malicious payloads inside Unicode private use area characters, and these don't really render anywhere a human looks. So in all your code editors, any terminal, a GitHub code review, you don't see it. So that's one aspect that's scary. The worm itself, the loader, is now being distributed across these extensions. So you can have an extension that is in itself benign, but these extensions can call other extensions as dependencies. So it's like a nesting doll. Let's say you've got one of these vulnerable extensions and you auto-update. Between the time you downloaded it and the auto-update, the attacker just inserts another dependency. It'll call that dependency, and there could be a loader for the worm. So that's another thing that's scary. And the last thing I think is scary is that the worm gets its instructions from memos hidden in Solana blockchain transactions. So what happens if you take down a single node in the blockchain? Doesn't matter, right? It's a distributed ledger. And we can't take down the entire blockchain, because we rely on it right now, and we couldn't do that with every blockchain, right? So this is scary, because you've got a C&C network that you effectively can't take down.
So, you know, what can we do? I think there are a lot of basics that we have to remind ourselves to do, that probably everybody on this podcast has been preaching for a long time: be careful with the extensions developers install, be careful with auto-update. You can't just rely on human visual reviews; you've got to scan for non-printable characters. Regex can flag some of these things in the source file. So it's just a scary thing that's exploiting a lot of different things. I don't even... these techniques just seem so sophisticated. I think, like, operating in white space too, things that you can hide even from a more sophisticated developer, that's when you're at a level of invisibility to deliver a payload that could be successful even in a well-equipped, security-aware organization. Now, I'm sure the story that a lot of people showed up today for and are tuned in for is ShinyHunters. Now, how many times, David... I feel like there was another thing. What was it? Was it Cisco vulnerabilities we used to cover in every episode for a while there? Now it's ShinyHunters; ShinyHunters have showed up what, five or six times? We'll have to have our hosts check and see just how many times we've covered it in different episodes. And this time something like 400 different companies were breached by ShinyHunters across, like, you know, go ahead. Yeah. So ShinyHunters is the new Cisco, I guess, is what you're trying to say. Well, or maybe Salesforce is the new Cisco. It's the same attacker group, though. And 400 different companies have been impacted so far. There's this Salesforce Experience Cloud where some guest privileges have excessive permissions, and those excessive permissions allow attackers to access backend data objects with API calls.
Essentially you're querying a company's Salesforce instance as a guest user, using an API that you can get to by authenticating as a guest user. So it is a misconfiguration on top of excessive permissions. Now, there is enumeration that the attackers can do to discover these endpoints. But ultimately, whatever you have exposed to the guest profile in your Salesforce could be accessible externally via API. It could be customer data. It could be employee data. It could be contact information, deal data, your support case system. It is important. I mean, Salesforce is a big-time partner of ours. So I don't want anyone to walk away today thinking, "Is Salesforce vulnerable?" Right? Yeah, no. Salesforce doesn't have a known vulnerability that ShinyHunters has taken advantage of. You might have misconfigured your Salesforce, and you might have allowed unauthenticated users to have API access. I think there are really two misconfigurations here. One would be that you have the guest profile with API access. And two would be that you have important or sensitive records or object types with the guest profile on them. So there are really two layers of exploitation that could happen here. Yeah. If I was going to simplify: if you are running a community site or Experience Cloud, you have a guest user, because you have to have unauthenticated users that can get to some of the content there. That's why people have a guest user in the first place. By the way, we've been writing about this for years; we first wrote about this vulnerability about five years ago. Last year, we updated a checklist that you can go through about what you can do to check yourself there. And of course we can always help you. But you have to check a bunch of things to make sure what Matt said doesn't happen, that the guest user has too much access.
You have to check the profile, you have to check the org-wide defaults, you have to check sharing settings. And ShinyHunters had been using this vulnerability, or this technique, for a while, but it really got going after the open source tool, or inspector, was released by, I think, Mandiant. It was a tool that was supposed to be used like Nessus, like any vulnerability scanner, to find your own vulnerabilities. And the tool had some limitations baked into it, like you couldn't extract more than 2,000 records. Well, ShinyHunters figured out how to fix that limitation. They were able to extend it and wrap it in an exploit tool. And they were basically able to find these vulnerable sites and export all sorts of records. You're right, it's not officially a vulnerability. It's part of that shared responsibility model, which is sometimes a lot bigger and harder than folks think. So this one's easy to get wrong. And these things can be publicly accessible, right? It's in the cloud. It's already on the internet. Yeah, exactly. And I think the moral of the story for me is, for any vulnerability you've got on any component, the time before it's exploited, and exploited quickly, just seems to be shrinking. And thank you everyone for being here today for another episode of State of Cybercrime. Thanks so much.