Risky Business #774 -- Cleo file transfer appliances under widespread attack
Dec 11, 2024
Jacob Torrey, an expert from Thinkst Canary, dives into the critical flaws in Cleo file transfer appliances and the ongoing exploitation by ransomware groups. He also discusses Snowflake's upcoming shift to mandatory multi-factor authentication to combat credential theft. With a focus on innovative cybersecurity techniques, Torrey reveals fascinating operating system tricks, including canary tokens that can trigger alarms in your environment. Plus, he delves into the complexities of enhancing security in Windows, keeping attackers at bay!
Defending 'off the land' emphasizes leveraging existing Windows tools for improved visibility and security against intrusions.
Cleo file transfer appliances face significant risks due to a critical vulnerability, highlighting the urgency for proactive vulnerability management.
The decision by Snowflake to phase out single-factor authentication by 2025 reflects a broader trend towards strengthening security protocols in the industry.
Deep dives
Defending Off the Land Concept
The podcast discusses the concept of 'defending off the land,' which revolves around utilizing existing tools and configurations in Windows environments to enhance security and visibility. This approach contrasts with the common strategy of attackers living off the land by exploiting resources already present in the system. By leveraging built-in features and customizing them, defenders can create alerts for suspicious behavior that typically go unnoticed, such as the execution of specific commands indicative of an intrusion. The discussion introduces various practical techniques to implement these defensive measures in a way that is effective without requiring heavy third-party software.
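As an added illustration of that idea (this is not code from the podcast, from Thinkst, or from the upcoming talk): a small Python detector run over constructed Windows process-creation records of the kind the Security log already produces (event 4688). It flags three things a defender can alert on without third-party tooling: a watchlist of discovery commands, any process that names a planted decoy file (the canary-token angle), and a script host launched by an Office application. The field names, the watchlist, and the decoy paths are assumptions; in a real deployment the records would be exported from the Security log via wevtutil or forwarded to a SIEM.

```python
"""Detection over constructed Windows process-creation (4688) records.

Everything below is an added example: the field names, watchlist and decoy
paths are assumptions, not something the podcast or Thinkst published.
"""
import re
from dataclasses import dataclass

# Hypothetical watchlist of discovery commands a defender chooses to alert on.
DISCOVERY_PATTERNS = [
    re.compile(r"^whoami(\s|$)", re.I),
    re.compile(r"^net\s+(user|group|localgroup)\b", re.I),
    re.compile(r"^nltest\b", re.I),
]

# Hypothetical decoy paths planted on the host; nobody legitimate should open them.
CANARY_PATHS = [
    r"c:\finance\q4_payroll_backup.xlsx",
    r"c:\users\public\vpn_creds.txt",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Alert:
    rule: str
    user: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> tuple[str, str]:
    """Return (verb, arguments): verb is the image name without '.exe'."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:  # unterminated quote: treat the whole string as the image
            head, rest = cmdline[1:], ""
        else:
            head, rest = cmdline[1:end], cmdline[end + 1:]
    else:
        parts = cmdline.split(None, 1)
        head, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    verb = basename(head)
    if verb.endswith(".exe"):
        verb = verb[:-4]
    return verb, rest.strip()


def evaluate(event: dict) -> list[Alert]:
    """Apply the three rules to one record; only 4688 (process creation) counts."""
    alerts: list[Alert] = []
    if event.get("EventID") != 4688:
        return alerts
    user = event.get("SubjectUserName", "?")
    cmdline = event.get("CommandLine", "")
    verb, rest = split_cmdline(cmdline)
    normalized = f"{verb} {rest}".strip()

    if any(p.search(normalized) for p in DISCOVERY_PATTERNS):
        alerts.append(Alert("discovery-command", user, normalized))

    lowered = cmdline.lower()
    if any(p in lowered for p in CANARY_PATHS):
        alerts.append(Alert("canary-path-touched", user, cmdline))

    parent = basename(event.get("ParentProcessName", ""))
    child = basename(event.get("NewProcessName", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        alerts.append(Alert("office-spawned-script-host", user, f"{parent} -> {child}"))
    return alerts


def scan(events: list[dict]) -> list[Alert]:
    """Run evaluate() over every record and collect the alerts in order."""
    out: list[Alert] = []
    for ev in events:
        out.extend(evaluate(ev))
    return out


# Constructed sample records (not real telemetry); one benign, four hits, one 4689 noise.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "svc", "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\svchost.exe", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 4688, "SubjectUserName": "alice", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all"},
    {"EventID": 4688, "SubjectUserName": "alice", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Finance\Q4_payroll_backup.xlsx"'},
    {"EventID": 4688, "SubjectUserName": "bob", "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"EventID": 4689, "SubjectUserName": "alice", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all"},
    {"EventID": 4688, "SubjectUserName": "alice", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\net.exe", "CommandLine": "net user"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] user={a.user} {a.detail}")
```

Running the block prints four alerts and nothing for the svchost record or the 4689 exit event. The decoy-path rule is the part that most resembles a canary: it only fires on a file that exists to be touched, so it has no benign baseline to tune against, which is exactly why such alerts are cheap to maintain.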
File Transfer Appliance Vulnerabilities
The podcast highlights ongoing issues with file transfer appliances, specifically referencing security vulnerabilities found in products from a company called Cleo. An incomplete patch resulted in an exploit that allows unauthorized file uploads, which can be leveraged for command execution, bringing significant risk to those utilizing such products. The discussion indicates rising concerns about the security of these appliances within organizations, particularly in the wake of recent ransomware cases. This situation exemplifies the need for diligent oversight and proactive vulnerability management in file transfer solutions.
Snowflake Authentication Changes
Due to previous data theft incidents, Snowflake has announced plans to phase out non-MFA (Multi-Factor Authentication) access in its environment by late 2025. This decision stems from security breaches where attackers exploited compromised usernames and passwords to gain direct access to sensitive data. The transition towards stronger authentication methods aims to bolster user account security and reduce the risk of unauthorized access. The conversation reflects a broader trend in cybersecurity to eliminate single-factor authentication in favor of more robust systems.
Emerging Ransomware Threats
The podcast also discusses the emergence of new ransomware groups, highlighting a crew named Termite, which is reportedly utilizing both data theft and malware deployment as part of their double-extortion tactics. This indicates a shift in the ransomware landscape, where criminal organizations are diversifying their methods of attack to maximize potential gains. The discussion underscores the challenges faced by organizations in defending against such threats, particularly as attackers continually adapt and find new vulnerabilities to exploit. Proactive measures, including timely recognition and response strategies, are critical in combating these evolving threats.
Legal and Ethical Implications of Technology
Finally, the podcast delves into the implications of technology policies, particularly surrounding TikTok and its potential influence on elections in Europe. The discussion centers around concerns regarding data privacy, manipulation, and the regulatory environment, as evidenced by actions taken against TikTok in the U.S. and the investigation into Romanian elections. The situation raises important questions about governance, social media responsibility, and transparency in the tech sphere, indicating that this is an area requiring ongoing attention and regulation. The multifaceted involvement of governments and tech companies in these matters reflects the complexities of securing digital landscapes.
On this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:
Cleo file transfer products have a remote code exec, here we go again!
Snowflake phases out password-based auth
Chinese Sophos-exploit-dev company gets sanctioned
Romania’s election gets rolled back after TikTok changed the outcome
AMD’s encrypted VM tech bamboozled by RAM with one extra address bit
Some cool OpenWRT research
And much, much more.
This week’s episode is sponsored by Thinkst, who love sneaky canary token traps. Jacob Torrey previews an upcoming Blackhat talk filled with interesting operating system tricks you can use to trigger canaries in your environment. You won't believe the third trick! Attackers hate him!