
September 17, 2025 8 mins

Cybersecurity Worms, Steganography Attacks, Municipal Cyber Incidents and More...

In this episode of Cybersecurity Today, host Jim Love delves into multiple cybersecurity threats affecting the tech landscape. He discusses the 'Shai Hulud' worm, which has infiltrated over 187 JavaScript libraries on NPM, exploiting developer tokens for spread, including those maintained by CrowdStrike. Love explains practical but challenging measures to mitigate such threats. He also explores steganography's role in hiding malicious scripts within seemingly benign image files, urging vigilance against embedding hidden commands. Additionally, the episode covers a cyber incident in Yellowknife, causing severe disruptions to municipal services and emphasizing the importance of cyber hygiene and support from higher government levels. Lastly, Jim examines how a Windows 11 patch has created a new vulnerability, stressing the need for enhanced monitoring and quick updates.

00:00 Introduction and Overview
00:21 The Shai Hulud Worm: A New Threat
02:19 Steganography: Hiding in Plain Sight
05:30 Cybersecurity Incident in Yellowknife
07:24 Microsoft's Patch Problems
08:27 Conclusion and Contact Information


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
A self-replicating worm spreads through developer packages. FileFix phish hides with steganography. The city of Yellowknife is hit by a cybersecurity incident, and Microsoft patches one flaw and creates another. This is Cybersecurity Today. I'm your host, Jim Love.

(00:21):
A worm that researchers are calling Shai Hulud, named after the famous sandworms in Frank Herbert's Dune. But it's not the size of these worms that does the damage, it's how they spread. It's already been found in over 187 JavaScript libraries on NPM. It spreads when a developer installs an infected package; then the worm looks for an

(00:45):
NPM publish token on their machine. If it finds one, it uses that token to inject itself into up to 20 of the most popular packages the developer can publish to. Then it automatically publishes Trojan updates. Among the victims were packages maintained by CrowdStrike. About 25 of their NPM packages were Trojaned, although CrowdStrike said its

(01:11):
main Falcon sensor was not compromised, and that the affected packages were removed and keys were rotated. The worm spreads by abusing automation and developer tokens rather than exploiting a library bug, which makes it especially pernicious. Once it lands in a developer environment, it can quickly jump into many projects.

(01:34):
This is a supply chain multiplier. It weaponizes trusted developer workflows and package publishing, the very automation teams rely on to move fast. Practical responses are straightforward but painful. You rotate any exposed tokens, you narrow token permissions, you enforce human checks before publishing, and you isolate build and

(01:57):
publish credentials from development machines with two-factor authentication. The activity looks quieter now, but supply chain worms are designed to lie dormant and erupt. So treat this as a reminder. Developer tokens are not a convenience, they're your crown jewels.

(02:19):
It is called steganography. I had to look it up, I admit it. One of those words that you think you know what it means, but you don't use it very often. It's the practice of concealing the very existence of a hidden message by embedding it within another ordinary object or file, such as an image, video, or audio file, and it's at the heart of this story.

(02:40):
Picture this: your user encounters a convincing support page. It tells them their Meta account will be suspended unless they review an incident report. Victims are asked to copy what looks like a file path and paste it into Windows File Explorer. But the clipboard actually contains a PowerShell command that runs locally, and

(03:01):
it's well hidden, with a simple trick. The attackers append a long variable stuffed with spaces so that the only file path that appears in the address bar looks great. It hides the malicious command from a quick glance, and when the command runs, it downloads a JPEG from Bitbucket, and the image conceals a second stage script and

(03:23):
encrypted payloads using steganography. The chain decrypts and loads payloads in memory using RC4 plus gzip streams, XOR-encoded URLs and fragmented variables, specifically to frustrate signature scanners. The final dropper is StealC; it does VM sandbox checks and harvests browser cookies and

(03:49):
logins, Discord and Telegram credentials, cloud keys, crypto wallets, VPN tokens, and even screenshots. Because much of the unpacking happens in memory and the image looks benign, this campaign sidesteps many basic detections. What can you do? Well, never paste text from a webpage into an OS dialogue or File Explorer.

(04:14):
Block or alert on PowerShell commands spawned as children of a browser. What to do? Well, never paste from a webpage into an OS dialogue or File Explorer. You

(04:34):
can block or alert on PowerShell commands spawned as children of a browser. You can monitor or quarantine images downloaded by automated scripts. In this case, the JPEG is the delivery vehicle. But old ideas are being recombined into quieter, harder to detect chains. Actors are iterating, and the lull we see now may be them just testing this.

(05:00):
So far, from reports, this hasn't done much damage, but old ideas are being recombined into quieter, harder to detect chains, and the actors just might be iterating. The lull we see right now could be them just testing this. I've done my best research to give people some ideas of how to handle this.

(05:23):
If you have suggestions as well, send them to me. You can get my contact information at the end of the podcast. The city of Yellowknife in the Yukon is responding to a cybersecurity incident that has taken down municipal email and online services, including their virtual city hall and card payments at some city facilities.

(05:44):
The outage began over the weekend, and officials say they've activated their incident response plan and engaged outside experts. At the time of the reporting, the city said there was no evidence of stolen data, but services remain limited. Public library computer access is offline, lending is restricted, and residents are being asked to use cash or delay

(06:05):
payments until systems are restored. City officials say protecting sensitive information is the priority and that regular updates will follow. I don't know if you know Yellowknife or the Yukon, but it's a small municipality, and they often run lean IT operations with limited budgets for resilience, which makes them attractive targets.

(06:27):
When local services go offline, the impact is immediate and practical. There are tremendous spaces, and remote services are really important in the north. From blocked payments to halted permits, recovery can be slow. This is a reminder that cyber hygiene and incident readiness are civic necessities.

(06:48):
Municipal services and risks affect our everyday life. They're not just data breaches on paper or on a podcast. It's also a reminder to senior levels of government. You've got to take action to help these smaller municipalities, be they in Canada, the US, or anywhere. The municipalities may be the rock face, but the senior levels of government

(07:11):
have to step up and help them. You can't just sit back and say, sucks to be them. You've gotta step up. If not, it's on you. September's Windows 11 update has introduced CVE-2025-53136, a flaw that exposes kernel memory addresses in Windows 11 24H2

(07:35):
builds, and in Windows Server 2022. That disclosure weakens kernel address space layout randomization, KASLR, one of Windows' core mitigations, and with addresses leaked, attackers have an easier time turning other bugs into full compromises. Microsoft has acknowledged the issue and says a fix is forthcoming.

(07:58):
Until then, administrators are left to tighten monitoring and detection around kernel level activity and to prioritize defensive telemetry. This is another fix-one, break-one moment. The patch pushed to repair other problems has itself exposed new risk for defenders. The only immediate option is vigilance:

(08:18):
more logging, stricter telemetry, and readiness to roll out and reconfigure updates if necessary. That's our show today. You can reach me with tips, comments, and even some constructive criticism. Just go to technewsday.com or .ca. Use the Contact Us page.

(08:38):
Let me know what you're thinking. I'm your host, Jim Love. Thanks for listening.