The CyberWire Daily Podcast 7.2.24
Ep 2100 | 7.2.24

Take a trip down regreSSHion lane.


A new OpenSSH vulnerability affects Linux systems. The Supreme Court sends social media censorship cases back to the lower courts. Chinese hackers exploit a new Cisco zero-day. HubSpot investigates unauthorized access to customer accounts. Japanese media giant Kadokawa confirmed data leaks from a ransomware attack. FakeBat is a popular malware loader. Volcano Demon is a hot new ransomware group. Google launches a KVM hypervisor bug bounty program. Johannes Ullrich from SANS Technology Institute discusses defending against API attacks. Goodnight, Sleep Tight, Don’t Let the Hackers Byte! 

Today is Tuesday July 2nd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A new OpenSSH vulnerability affects Linux systems. 

A new OpenSSH vulnerability, dubbed "regreSSHion" (CVE-2024-6387), allows unauthenticated remote code execution with root privileges on glibc-based Linux systems. Discovered by Qualys in May 2024, this flaw results from a race condition in the sshd signal handler. It can be exploited if a client fails to authenticate within the default 120-second LoginGraceTime, triggering unsafe async-signal calls. Exploitation could lead to a complete system takeover. Although Qualys notes it's challenging to exploit, AI tools might improve success rates. The flaw affects OpenSSH versions 8.5p1 to 9.8p1 on Linux, with older and OpenBSD systems unaffected. Mitigation includes updating to version 9.8p1 or adjusting sshd configurations.

The Supreme Court sends social media censorship cases back to the lower courts. 

The U.S. Supreme Court avoided ruling on Republican-backed laws in Florida and Texas that limit social media companies' power to moderate content. Instead, they unanimously threw out previous judicial decisions and sent the cases back to lower courts for further First Amendment analysis.

The laws, passed in 2021, were challenged by NetChoice and the Computer & Communications Industry Association, whose members include Meta, Google, TikTok, and Snap. The lower courts had mixed rulings, blocking parts of Florida’s law while upholding Texas’s law. Neither law is currently in effect.

Liberal Justice Elena Kagan, writing for the majority, questioned the legality of the Texas law, stating it forces platforms to change their content moderation in ways that conflict with the First Amendment. The core issue is whether the First Amendment protects the editorial discretion of social media platforms, allowing them to manage content to avoid spam, extremism, and hate speech.

Republicans claim these platforms censor conservative voices, while President Biden’s administration argues that the laws force platforms to promote objectionable content, violating the First Amendment. Florida and Texas officials argue the platforms' moderation actions are not protected speech.

The Texas law bans social media companies with over 50 million users from "censoring" based on viewpoint, allowing users or the state to sue. Florida’s law prohibits large platforms from banning political candidates or journalistic content. The Supreme Court’s decision highlights the ongoing debate over free speech and content moderation in the digital age.

Chinese hackers exploit a new Cisco zero-day. 

A new zero-day vulnerability, CVE-2024-20399, affecting Cisco NX-OS software on Nexus-series switches was exploited by Chinese state-backed hackers, dubbed Velvet Ant, in April. The hackers used administrator credentials to access the switches and deploy custom malware for remote control and data exfiltration. Cisco and cybersecurity firm Sygnia published advisories about the flaw, which has no workarounds but is addressed in recent software updates. Velvet Ant's primary goal is espionage, focusing on long-term network access. They previously maintained access to a victim's network for three years using outdated F5 BIG-IP equipment. Most affected devices are not internet-exposed, but often lack sufficient protection.

HubSpot investigates unauthorized access to customer accounts. 

HubSpot is investigating a cyberattack involving unauthorized access to a limited number of customer accounts. The company has activated incident response procedures, contacted impacted customers, and revoked unauthorized access since June 22. HubSpot's Chief Information Security Officer, Alyssa Robinson, confirmed the investigation but provided no further details about the incident's impact or affected clients. HubSpot serves over 216,000 corporate customers, including Discord, Talkspace, and Eventbrite.

Japanese media giant Kadokawa confirmed data leaks from a ransomware attack. 

Japanese media giant Kadokawa confirmed data leaks from a ransomware attack last month, affecting business partner information and personal data of subsidiary Dwango's employees. No credit card data was compromised. Kadokawa, which operates Niconico, BookWalker, and holds a stake in FromSoftware, apologized for the inconvenience caused. The BlackSuit ransomware gang, linked to the defunct Conti group, claimed responsibility, exfiltrating 1.5 TB of data. Kadokawa is verifying the authenticity of the claims and is working on system restoration. Niconico temporarily shut down some services due to the attack.

FakeBat is a popular malware loader. 

During the first half of 2024, FakeBat (also known as EugenLoader or PaykLoader) became one of the most widespread loaders using drive-by download techniques. Distributing malware like IcedID, Lumma, and Redline, FakeBat campaigns used malvertising, fake browser updates, and social engineering to trick users into downloading malicious software. Sekoia's Threat Detection & Research (TDR) team tracked multiple campaigns and identified infrastructure, such as compromised websites and command-and-control servers, used to distribute FakeBat. Despite efforts to evade detection, TDR continues to monitor and track these activities, providing Indicators of Compromise (IoCs) and technical details to help protect against these threats.

Volcano Demon is a hot new ransomware group. 

Halcyon identified a new ransomware group, Volcano Demon, responsible for several recent attacks. They use an encryptor called LukaLocker, affecting files with the .nba extension, and have a Linux version. Volcano Demon locked both Windows workstations and servers by exploiting common administrative credentials and exfiltrated data for double extortion. They cleared logs, making full forensic evaluation difficult. The group has no leak site and instead uses threatening phone calls to leadership and IT executives to demand ransom, with calls from unidentified numbers.

Google launches a KVM hypervisor bug bounty program. 

Google has launched a bug bounty program, kvmCTF, to enhance the security of the Kernel-based Virtual Machine (KVM) hypervisor, offering up to $250,000 for critical vulnerabilities. The program invites security researchers to find zero-day vulnerabilities in KVM, used in platforms like Android and Google Cloud. Participants can test exploits in specialized lab environments provided by Google. Rewards vary based on the severity of the findings, with $250,000 for full virtual machine escapes, $100,000 for arbitrary memory writes, and $50,000 for arbitrary memory reads. The program aims to improve KVM security through collaboration within the open-source community. Detailed rules and submission guidelines are available on the program’s GitHub page, with a Discord channel for community discussions.


Coming up, we’ve got  Johannes Ullrich from SANS Technology Institute talking about defending against attacks affecting APIs and dangerous new attack techniques you need to know about.  We’ll be right back

Welcome back. You can learn more about the topics Johannes discussed from his 2024 RSA presentations in our show notes. We’ve got links in there. 

Goodnight, Sleep Tight, Don’t Let the Hackers Byte! 

And finally, our Circadian rhythms desk tells of the tale of one Dillan Mills, an enterprising home hacker who managed to gain root access to their Sleep Number bed's hub. Tinkering enthusiasts, start your engines: this involves some serious hacking with a UART-TTY device and a bit of code wizardry. The goal? Total bed control without relying on Sleep Number's servers. This techy journey began with cracking open the hub, poking around with a logic analyzer, and discovering a secret backdoor. After some script sorcery and hardware hijinks, the bed now obeys commands over the local network. The ultimate hack lets users adjust sleep settings, lighting, and more. Just a heads-up: warranty voids apply, and Sleep Number won't bail you out if things go sideways. Proceed with caution. 

Because nothing says 'sweet dreams' like a command prompt and root access.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.