ISC StormCast for Monday, June 3rd, 2024

Update: 2024-06-03
Digest

This episode of the SANS Internet Storm Center's StormCast covers several security topics. First, Johannes Ullrich discusses a new info-stealer written in Python that targets Windows systems and uses gofile.io for data exfiltration. The info-stealer searches for files containing keywords like "password" and "login" and attempts to steal them. It also targets specific cryptocurrency wallets. Next, Johannes mentions Kaspersky's release of a free malware removal tool for Linux systems called KVRT. This signature-based tool can be used for quick triage of potentially infected systems. The episode then moves on to a potential breach of Snowflake, an AI training company. While Snowflake claims they were not breached, they acknowledge that some customers were compromised due to credential stuffing attacks. This highlights the importance of multi-factor authentication when storing sensitive data in the cloud. Finally, Johannes discusses a potential leak of secrets on the Hugging Face Spaces platform. Hugging Face provides a platform for sharing machine learning models and offers a serverless solution called Spaces. Previous leaks across tenants in Spaces have occurred, and this latest incident may involve the leakage of authentication tokens used to access Spaces. Hugging Face has advised users to revoke their secrets and has notified affected users via email.

Outlines

00:00:00
Introduction and Info-Stealer

This chapter introduces the episode and discusses a new Python-based info-stealer targeting Windows systems. The info-stealer uses gofile.io for data exfiltration and searches for files containing keywords like "password" and "login" to steal them. It also targets specific cryptocurrency wallets.

00:01:40
Kaspersky Virus Removal Tool (KVRT)

This chapter discusses Kaspersky's release of a free malware removal tool for Linux systems called KVRT. This signature-based tool can be used for quick triage of potentially infected systems.

00:02:32
Potential Snowflake Breach

This chapter discusses a potential breach of Snowflake, an AI training company. While Snowflake claims they were not breached, they acknowledge that some customers were compromised due to credential stuffing attacks. This highlights the importance of multi-factor authentication when storing sensitive data in the cloud.

00:04:10
Possible Hugging Face Spaces Secrets Leak

This chapter discusses a potential leak of secrets on the Hugging Face Spaces platform. Hugging Face provides a platform for sharing machine learning models and offers a serverless solution called Spaces. Previous leaks across tenants in Spaces have occurred, and this latest incident may involve the leakage of authentication tokens used to access Spaces. Hugging Face has advised users to revoke their secrets and has notified affected users via email.

Keywords

Info-stealer
A type of malware that steals sensitive information from a victim's computer, such as passwords, credit card details, and personal data. This particular info-stealer is written in Python and targets Windows systems. It uses gofile.io for data exfiltration and searches for files containing keywords like "password" and "login" to steal them. It also targets specific cryptocurrency wallets.

gofile.io
A file-sharing service that allows users to upload and download files. This info-stealer uses gofile.io to exfiltrate stolen data from infected systems. It is a free service with limitations on file size and storage duration, but it is sufficient for the needs of an average info-stealer.

Kaspersky Virus Removal Tool (KVRT)
A free malware removal tool released by Kaspersky for Linux systems. It is a signature-based tool that can be used for quick triage of potentially infected systems. It is designed to detect and remove known malware threats based on its signature database.

Snowflake
An AI training company that provides cloud-based data warehousing and analytics services. Snowflake allows users to upload their data to their cloud and use their resources for AI training. This potential breach highlights the importance of multi-factor authentication when storing sensitive data in the cloud.

Credential Stuffing
A type of cyberattack where attackers use stolen credentials from previous data breaches to attempt to log into accounts on other websites or services. This attack was used against Snowflake customers who did not enable multi-factor authentication, leading to their accounts being compromised.

Hugging Face Spaces
A serverless platform offered by Hugging Face that allows users to run machine learning models within their resources. It provides a containerized environment for deploying and executing models. This platform has experienced leaks across tenants in the past, and this latest incident may involve the leakage of authentication tokens used to access Spaces.

Spaces Secrets
Authentication tokens used to communicate and authenticate with Hugging Face Spaces. These secrets are used to access and manage models and resources within the Spaces platform. The potential leak of these secrets could allow attackers to gain unauthorized access to user accounts and data.

Q&A

  • What is the new info-stealer discussed in this episode?

    The info-stealer is written in Python and targets Windows systems. It uses gofile.io for data exfiltration and searches for files containing keywords like "password" and "login" to steal them. It also targets specific cryptocurrency wallets.

  • What is Kaspersky's new free malware removal tool for Linux systems?

    The tool is called KVRT (Kaspersky Virus Removal Tool) and is a signature-based tool that can be used for quick triage of potentially infected systems.

  • What happened with Snowflake?

    While Snowflake claims they were not breached, they acknowledge that some customers were compromised due to credential stuffing attacks. This highlights the importance of multi-factor authentication when storing sensitive data in the cloud.

  • What is the potential leak on Hugging Face Spaces?

    The potential leak involves Spaces secrets, which are authentication tokens used to access and manage models and resources within the Spaces platform. Hugging Face has advised users to revoke their secrets and has notified affected users via email.


Dr. Johannes B. Ullrich