Canada's Digital Governance Council has launched a cyber ready validation program to help build trust in cyber security practices. It's designed to help small and medium sized organizations strengthen their cyber security posture. This program provides organizations with a comprehensive, independent review of their cybersecurity approaches, ensuring that they've met baseline requirements while strengthening the stakeholder and public confidence in their digital operations.
Full disclosure, I'm a member of the Digital Governance Council and a big supporter. But I'm also a big supporter of tools for small and medium sized businesses, , who are often left out in cybersecurity discussions. There's a link to this program and the announcement in the show notes. And now, back to our regularly scheduled programming. A new attack bypasses endpoint detection. There's a new SSH backdoor, more attacks on WhatsApp and an update on DeepSeek. Welcome to Cybersecurity Today.
I'm your host, Jim Love. A recent cyber attack method enables attackers to bypass Endpoint Detection and Response, or EDR, systems while operating under low privilege standard user accounts. Traditionally, evading EDR defenses required elevated privileges such as administrative access. However, this new technique employs masquerading and path obfuscation to disguise malicious payloads as legitimate processes, deceiving both automated detection systems and human analysis.
EDR solutions monitor process creation events to identify potential threats, logging details like the image path, command line arguments, current directories, and parent processes. They flag processes based on suspicious execution paths or file names. For example, a process running from program files slash windows, uh, you know, defender slash M S M P E N G dot E X E. That might seem legitimate, but one that's coming from temp slash superjuicy. exe would raise concerns.
EDR systems rely on kernel level protection to safeguard directories like program files and preventing standard users from placing payloads in these protected areas. This new technique circumvents restrictions by manipulating the file path itself. Now, this involves disguising malicious files to appear benign, using methods like double file extensions, you know, pdf, exe, right to left override characters, or imitating legitimate application names.
Another frequent trick has been using Unicode characters that visually look the same as ASCII characters, but are totally different symbols. A classic example of this is you can write www. apple. com in Cyrillic characters used in the Russian language, and to the naked eye, it's going to look like apple. com, but it's not. So using a similar technique and focusing on folder names and paths, the attacker creates a folder mimicking a legitimate path using Unicode characters that resemble ASCII.
in this attack, the focus shifts from file names to directory paths. The attacker creates a folder mimicking a legitimate path using Unicode characters that resemble ASCII white space. For instance, by creating a folder named C colon slash program files, The attacker then copies the contents of C colon slash program files slash Windows Defender into this new directory and adds a malicious payload.
When the payload is executed from the spoofed directory, system logs show a process with an image path resembling C colon slash program file slash Windows Defender slash now superjuicy. exe. And without careful inspection or specialized tools to detect these characters, analysts may make mistakes thinking this is a legitimate process. Even when it's flagged. This is becoming a frequent attack vector And maybe it's worth checking to make sure your EDR software can handle alternate character sets.
But even if it flags the error and analysts aren't aware of this, they could assume that this is a false positive. This new EDR evasion technique is just another example of how cyber attackers are continually adapting to attack our cyber security defenses. A Chinese cyber espionage group identified as Evasive Panda, also known as Daggerfly, has been employing a novel SSH backdoor to compromise network appliances since mid November 2024.
This sophisticated attack involves injecting malware into the SSH daemon, SSHD, enabling persistent access and covert operations on targeted devices. Upon breaching a network appliance, the attackers deploy a dropper component that verifies the device is already infected and confirms its operating with root privileges. Now, if these conditions are met, the dropper installs several binaries, including a malicious SSH library named Lib SS dh, which serves as the primary backdoor.
This library is injected into the SSHD process, allowing the attackers to intercept and manipulate SSH sessions. This enables 'em to execute arbitrary commands, exfiltrate data, and maintain persistent access without detection. The backdoor also employs various obfuscation techniques to evade security measures and hinder analysis. As can be expected the deployment of this SSH backdoor poses significant security risks as it grants attackers extensive control over compromised devices.
To mitigate the potential threats, obviously we need to make sure that all software and firmware are up to date with recent security patches. Limiting root level access and using least privilege is also also a great strategy, but it's also a heads up to monitor SSHD and related processes, looking for vulnerabilities or looking for tools that can detect and alert suspicious activities in your networK.
WhatsApp has alerted users to a sophisticated zero click hacking technique that compromises devices without any user interaction. Unlike traditional phishing attacks that require users to click on malicious links, this method allows attackers to infiltrate smartphones silently. The company disclosed that nearly 90 individuals, including journalists and human rights activists have been targeted by this exploit.
The attackers employed advanced spyware capable of accessing personal data, messages, and activating the device's camera and microphone without detection. This follows on another story that we also covered earlier where attackers utilized spyware developed by the Israeli company Paragon Solutions and delivered that through malicious PDF files.
When opened, these PDFs installed spyware capable of accessing personal data, messages, and even activating the device's camera and microphone again, without the user's knowledge. So it appears that WhatsApp is becoming an important target. For those who use it, we need to emphasize the importance of keeping the app updated to the latest version. And even then users need to be vigilant about the recent threats and any unusual activity on their devices.
In response to these incidents, WhatsApp is enhancing its security measures and collaborating with cybersecurity experts to identify and try to prevent such vulnerabilities in the future. And finally, I read a story about the Chinese open source AI DeepSeek, and I'm quoting, The web login page of DeepSeek's chatbot contains heavily obfuscated computer script that when deciphered shows connections to computer infrastructures owned by China Mobile, a state owned telecommunications company.
The code appears to be part of the account creation and user login process for DeepSeek. Now, China Mobile, for those who don't know, has been banned from the U. S. and is largely regarded as a tool of the Chinese government. But the article went on to say that nobody has found any evidence that any information was passed to China Mobile. Now, supposedly, this is to inform us that DeepSeek is bad and a trap.
We're going to face a tsunami of opinions like this, so called discoveries about DeepSeek, and we need to make sure that we are part of an intelligent debate. The story about China Mobile is a case in point. It's interesting, but it doesn't matter whether they found China Mobile's signature on this code. This could be a classic reuse of some code doesn't have to be malicious.
But the reality is, users shouldn't be putting company or personal information into this or any other new site that pops up, whether it's in China or Arkansas. Hackers can infect a system hosted in North America, and we know Chinese hackers can attack a system in North America just as well as they can that one that is in China. So the question is, is DeepSeek itself malicious? Well, I've seen tests of it with no examples of it trying to ping back to a Chinese government mothership.
Perplexity has been using a hosted version in the U. S. and today Microsoft announced they won't just be hosting DeepSeek on Azure, they'll be integrating it into Copilot. The point is that security discussions are nuanced. Now, does that mean that DeepSeek is totally safe? No, I think it's new software has some parentage that you might want to question and we want to look at it very, very carefully.
But the point is that security discussions are nuanced and it's incumbent on all of us to promote a real discussion, particularly about AI and open source in particular. There are lots of attack vectors and risks that are not getting the attention they deserve while we debate whether a system hosted in China is a good place to put your corporate or personal information. We're not going to stop people from playing on these new systems, and I'm not sure we want to.
Our workforce needs to be educated in AI, and we have to teach them how to do that safely. so over the next two weekends, we're going to be inviting experts onto cyber security today to try and have that type of no BS factual nuance discussion. As I've said to people before, I proudly have 40 years of it experience and I'll try to ask the right questions, but I'm not a God. So your input is welcome. And you can send me a note at editorial at technewsday.
ca. You can ping me on LinkedIn, or you could just simply leave comments on YouTube. I want to promote the type of discussion that prepares us all to deal with AI. And in particular, this new wave of open source AI systems. I'm looking forward to your help and guidance as we move forward on this. And frankly, on any other key topics. And that's our show. I'm your host, Jim Love. Thanks for listening.