Podcast Detail

SANS Stormcast Thursday, April 24th: Honeypot iptables Maintenance; XRPL.js Compromise; Erlang/OTP SSH Vuln affecting Cisco

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9422.mp3

previous
Podcast Logo
Honeypot iptables Maintenance; XRPL.js Compromise; Erlang/OTP SSH Vuln affecting Cisco
00:00

Honeypot Iptables Maintenance and DShield-SIEM Logging
In this diary, Jesse is talking about some of the tasks to maintain a honeypot, like keeping filebeats up to date and adjusting configurations in case your dynamic IP address changes
https://isc.sans.edu/diary/Honeypot%20Iptables%20Maintenance%20and%20DShield-SIEM%20Logging/31876

XRPL.js Compromised
An unknown actor was able to push malicious updates of the XRPL.js library to NPM. The library is officially recommended for writing Riple (RPL) cryptocurrency code. The malicious library exfiltrated secret keys to the attacker
https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor
https://github.com/XRPLF/xrpl.js/security/advisories/GHSA-33qr-m49q-rxfx

Cisco Equipment Affected by Erlang/OTP SSH Vulnerability
Cisco published an advisory explaining which of its products are affected by the critical Erlang/OTP SSH library vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy

Podcast Transcript

 Hello and welcome to the Thursday, April 24th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich and today I'm recording from
 Jacksonville, Florida. Jesse and Guy have been maintaining
 part of our DeShield honeypot, in particular the seam
 component. The SIEM component is an optional add-on that you
 can install for your honeypot to give you a local dashboard
 of what's going on with your honeypot and what attacks
 you're seeing and some graphic representations of that. Now,
 keeping all that system up to date and maintained can be a
 little bit tricky at times. So, Jesse did publish a diary
 summarizing some of his learnings about how to
 maintain the honeypot. For example, how to update your
 firewall rules, your IP table rules, automatically to
 reflect a dynamic IP address. One thing we're doing as part
 of the honeypot is we only allow access to the admin
 port, the actual SSH port, from very specific IP
 addresses. Typically, from IP addresses inside your own
 network. And then also only log attacks coming from
 outside of your own network. That may need some tweaking if
 your IP address gets updated. And as a result, Jesse is sort
 of summarizing what he had to do in order to get that all
 working and set up properly. The other thing that Jesse did
 illustrate is how to update the file beats component. Now,
 the SIEM, and again, that's an add-on, doesn't come sort of
 by default with the honeypot. But it uses the usual elk
 stack, Elasticsearch, Logstash, Kibana. Of course, as part of
 that, you need to be able to feed your logs into
 Elasticsearch, which we use file beats for. And that needs
 to be in sync with the versions of the related
 components that were installed otherwise. So that's what this
 diary was about. Take a look. If you are already running a
 honeypot, well, that dashboard may be a nice addition. You
 need a little bit beefier, like a more recent Raspberry
 Pi or maybe Virtual Machine or something like this to run the
 full SIEM. On the older Raspberry Pis, you may not
 have enough horsepower. And we have yet another NPM issue
 here. And Aikido, a software security company, did find on
 Monday that the official recommended NPM library used
 to deal with the Ripple cryptocurrency. The XRPL
 library had been compromised. They identified for some
 suspicious behavior by multiple versions being
 released to NPM in short succession without actually
 finding the related versions then on the official GitHub
 repository. So it looks like only the NPM part was
 compromised, not the GitHub repository itself. And, well,
 of course, there was malicious code added here. This
 malicious code exfiltrates private keys for your wallets
 as they're exposed to this library. At this point, I
 haven't really seen sort of an obvious official kind of
 statement as to what exactly happened, how the NPM part
 here was compromised. I suspect it was either phishing
 or maybe some stupid weak credential. Nevertheless, this
 is a huge problem. The multiple versions, as I said,
 were compromised. All of them released on Monday or shortly
 before that. So definitely, if you are working on code using
 Ripple as a cryptocurrency, make sure that you didn't get
 exposed to this malicious library. And if you did get
 exposed, you must change your private keys. And Cisco now
 released an advisory regarding the Erlang OTP SSH library
 vulnerability. I mentioned it already a couple times before,
 starting Friday. This particular vulnerability,
 again, became officially known on April 16th. Since then,
 public and easy-to-use exploit has been released that gains
 you arbitrary command execution on any Erlang OTP SSH
 server that does use this vulnerable library. Several
 Cisco products are affected. And again, the OTP stands for
 the Open Telecom Platform. So that's sort of where you
 likely are going to find SSH servers written in Erlang that
 are vulnerable. And of course, Cisco is heavily invested in
 the telecom market, which is why they are also exposed to
 this particular issue. You must patch this quickly and at
 this point also assume compromise, even though I
 haven't really heard anything official about the
 vulnerability being exploited. But it's so easy to exploit at
 this point that it would just be negligent not to believe
 someone is already playing with it. Well, and that's it
 for today. Thanks for listening. Thanks for liking
 and recommending and subscribing to this podcast.
 And talk to you again tomorrow. Bye. Bye.