
SANS Stormcast Thursday May 29th 2025: LLM Assisted Analysis; MSP Ransomware; Evertz Vulnerability

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9470.mp3


Exploring a Use Case of Artificial Intelligence Assistance with Understanding an Attack
Jennifer Wilson took a “weird string” found in a recent honeypot sample and worked with ChatGPT to figure out what it is all about.
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Exploring%20a%20Use%20Case%20of%20Artificial%20Intelligence%20Assistance%20with%20Understanding%20an%20Attack/31980

Ransomware Deployed via SimpleHelp Vulnerabilities
Ransomware actors are using vulnerabilities in SimpleHelp to gain access to victims' networks via MSPs. The exploited vulnerabilities were patched in January.
https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/

OS Command Injection in Evertz Equipment
Broadcast equipment manufactured by Evertz is susceptible to an OS command injection vulnerability. Evertz has not responded to researchers reporting the vulnerability so far, and there is no patch available.
https://www.onekey.com/resource/security-advisory-remote-code-execution-on-evertz-svdn-cve-2025-4009
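The flaw class described above, a web parameter spliced into a string handed to a shell, shown beside a hardened form and a simple log-review check. This is an added, constructed example, not Evertz firmware or OneKey's advisory code; the `ping` endpoint and the `host` parameter are hypothetical.

```python
import re
import subprocess

# Constructed example (not Evertz code): a hypothetical diagnostic endpoint
# that takes a "host" parameter from an unauthenticated web request.

# Characters the shell treats as command separators, substitutions or
# redirections. Any of these in a parameter destined for a shell is a red flag.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")

# Allowlist: a plain hostname or dotted address, max 63 chars per label.
HOST_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def vulnerable_command(host: str) -> str:
    # "Before": the parameter is concatenated into one string that a shell
    # (e.g. via exec/system) will parse, so metacharacters in it become
    # additional commands run with the web server's privileges.
    return f"ping -c 1 {host}"


def suspicious_param(value: str) -> bool:
    # Detection helper for log review: flag request parameters carrying shell
    # metacharacters, which a legitimate hostname never contains.
    return SHELL_META.search(value) is not None


def hardened_argv(host: str) -> list[str]:
    # "After": reject anything outside the allowlist, then pass the value as
    # a single argv element with no shell in the path, so it can only ever be
    # one argument to ping, never a second command.
    if len(host) > 253 or not HOST_RE.fullmatch(host):
        raise ValueError("host parameter rejected by allowlist")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    # subprocess.run with a list and shell=False never invokes /bin/sh.
    result = subprocess.run(hardened_argv(host), capture_output=True, timeout=10)
    return result.returncode
```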

Podcast Transcript

Hello and welcome to the Thursday, May 29th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the SANS.edu graduate certificate program in cloud security, is recorded as usual in Jacksonville, Florida.

Well, in diaries today we got another one from one of our undergraduate students. Jennifer Wilson did a little experiment demonstrating how you can use large language models like ChatGPT in order to assist you in better understanding various artifacts that you may recover from a honeypot. Now in this particular case, well, it was a little bit oddly named file that sort of triggered the investigation here. It had this sort of hex name, but there was a lowercase s at the end as well, which made it kind of, well, appear that it's not just sort of a simple random hex encoded string. And after going forth and back here a little bit with ChatGPT, Jennifer was able to figure out that this particular file name is associated with Telegram Desktop. And well, where you basically sort of have various encryption keys and such stored. So certainly an interesting finding. Something that wasn't quite as easy and straightforward to find with a simple search. The help from the ChatGPT assistant here certainly helped, but also demonstrates how a lot of this is about asking the right questions, not accepting the first answer you're getting necessarily as true. And sort of that dialogue really, where you have a skilled analyst use ChatGPT in order to figure out what this particular string here was really all about.

And Sophos published a blog post about attacks that they have observed from ransomware that took advantage of unpatched instances of SimpleHelp. SimpleHelp is a tool that's often being used by managed service providers. So what the attacker does here, and that's sort of, I think, the real dangerous pattern that we have seen a couple times before, is that they're not attacking the victim company directly, but they're attacking the managed service provider, the company that actually manages the victim's network. And of course, the ransomware provider is now becoming the manager of the network and has full access and is then able to launch the ransomware. This is a very difficult thing for the victims here because they rely, of course, on a managed service provider. And the reason they usually hire a managed service provider is that they don't have the internal resources, like smaller companies, to adequately manage the network. So there isn't also a resource to really verify that the managed service provider is doing the right thing. Maybe we need sort of a managed service provider management provider, or something like this, to keep an eye on them. But it should really be up to the MSP in order to make sure the tools they're using, like SimpleHelp, are properly patched. The vulnerabilities being exploited here, Sophos lists a few of them, have been patched since January. So they're not super fresh, but still fresh enough for a complex system like SimpleHelp. Well, the patches may not have been applied yet.

Well, and then we have another vulnerability disclosure from OneKey. This time it's in Evertz equipment. I guess that's how you pronounce that company name. It's an unauthenticated remote code execution vulnerability, very easy to exploit. If you're not familiar with Evertz, their equipment is predominantly used in the broadcasting world. They basically make equipment that allows you to send video signals and the like from professional cameras over networks. And these kind of network switches, gateways, that's what's affected here by this vulnerability. OneKey put together a little sort of card summarizing what's exactly vulnerable here. And yes, they're assigning it a CVSS score of 9.3. The only sort of limitation here is that, yes, you are running code as the web server and the web server isn't running as root. But, well, that's really the only sort of thing that doesn't make that a complete 10. Sadly, Evertz has not responded to OneKey's disclosure. They said they reached out to them 90 days ago, but haven't heard back from them. So, this is as of now an unpatched vulnerability. Well, what's the vulnerability all about? It's yet again one of these: well, let's just take a user input and pass it to an execution command here, exec. So, very straightforward, simple OS command injection vulnerability. Very easy to exploit. They also do provide a little sample exploit string here. But once you see that line, it shouldn't really be too hard to figure out, well, how an exploit is working. So, given that there is no patch available, if you run into any equipment like this, well, please make sure that it's not exposed to the internet. And maybe reach out to Evertz if they have any help for you.

Well, and that's it for today. Thanks for listening. Thanks for leaving good reviews on your favorite podcast platform. And, of course, recommending this podcast to your friends. And talk to you again tomorrow. Bye.