Hello, welcome to the Friday, June 14th, 2019 edition of the Santernet Storm Service Stormcast.

My name is Johannes Ulrich, and the time recording from Neptune, New Jersey.

About a week ago, we had this critical remote code execution vulnerability in the XM mail server that was being

patched.

Well, it looks like the bad guys wasted no time and there are now a couple of different bot

nets that are exploiting this vulnerability.

One of these bots is described by cyber reason in a blog post and what they're seeing is XM servers that haven't been patched being exploited and backdoored.

The attacker in this case will modify the authorized keys file for ZH in order to be able to log in to that server. Later, it also

installs crypto miners on vulnerable servers. So before you're leaving for the weekend, it may be a good

idea to run a quick scan on your network, making sure you don't have any XM servers running and

if you do that these servers are patched. If they're not patched at this point, you definitely

should assume that the server has been compromised. And Ubiki is recalling several of its FIPS certified Ubikis.

The problem apparently here is that after you power up one of these affected UB keys,

the initial cryptographic keys being used for the first few operations are using up to 80

predictable bits, which may not be a big issue for, for example, an RZE key, which has a total

of 2048 bits, but for some of the elliptic curve keys, of course, that are shorter, this may be more of a problem.

So in order to check if your particular UB keys affected, you should see the four letters FIPS.

So FIPS printed on the UB key if your UB key is affected.

Also only UB keys shipped before April 30th are affected.

These Ubikis are running fervors prior to 445, which would be either 442 or 444.

So if you're using Ubikis, take a look at the Ubico advisory regarding this issue. They also

have pictures of affected UBKs in order to make it easier to identify if your particular key is

...