SANS Stormcast Monday, September 15th, 2025: More Archives; Salesforce Attacks; White Cobra; BSides Augusta

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9612.mp3


Web Searches For Archives
Didier observed additional archive file types being requested by attackers, who continue to focus on archive files as they spider web sites.
https://isc.sans.edu/diary/Web%20Searches%20For%20Archives/32282

FBI Flash Alert: Salesforce Attacks
The FBI is alerting Salesforce users to two different threat actors targeting Salesforce. No new vulnerabilities are disclosed; initial access usually takes advantage of social engineering or of data leaked in the Salesdrift compromise.
https://www.ic3.gov/CSA/2025/250912.pdf

VSCode Cursor Extensions Malware
Koi Security published details of a recent malicious VSCode/Cursor extension campaign they call White Cobra.
https://www.koi.security/blog/whitecobra-vscode-cursor-extensions-malware

BSides Augusta
https://bsidesaugusta.org/

Podcast Transcript

Hello and welcome to the Monday, September 15th, 2025 edition of the SANS and Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

Anyway, Didier this weekend published a brief post just confirming some of the scans that I've observed for archives and also filling in a couple of other archive types that are being searched for. Just a quick recap. This is all about our web honeypots. What we are seeing is, over the last few months at least, an increase in scans for .zip and similar archive files, often indicating that the attackers are looking, for example, to retrieve backups or such of configuration files that the system administrators may have left in the document root. Well, in addition to zip files, Didier also saw .rar, .7z, .gz and .tar files being looked for. And the file names being, well, backup mostly. But we have also seen a couple of other file names. So backup.back, backup.sh, various files that basically point to the attacker hoping that careless administrators left these backup files behind. And of course, they often contain credentials and other goodies. So that's probably what they're ultimately after.

And on Friday, the FBI released another one of its flash alerts focusing on particular threat actors. There are actually two distinct threat actors that this latest flash alert does focus on, both Salesforce related. The first one is just sort of your classic Salesforce social engineering and phishing attack, where then the attacker also often attempts to get the victim to approve various applications via OAuth and then essentially steals the OAuth tokens. So that's the first threat actor. The second one is one that we already covered here. And that's in relationship to the Salesdrift compromise, where OAuth tokens were stolen. And then they were, again, being used against Salesforce and other applications. Either way, these are actively ongoing attacks. The first one, I think, is probably the broader and more real threat, in particular not just against Salesforce, but any kind of enterprise application like this.

One thing I want to note, and it has been pointed out by a couple of people on X and other social media as well, is that this advisory includes lists of IP addresses and such. Never, ever just blindly, for example, block access to these IP addresses. There are Cloudflare, Microsoft, Zscaler IP addresses and such in that advisory that are definitely used by the threat actor here. But of course, they also have lots of non-evil uses. So for detection, yes, that can be useful, but certainly not sort of from a blocking or enforcement point of view. As I always put it, also when it comes to data that we publish at the Internet Storm Center, use it to color your logs, to better understand what a particular log entry is about. But using something like this as a block list can be dangerous.

And security company Koi Security did reveal some interesting insight into how some of the fake browser extension and editor extension campaigns are working. They call this particular campaign they unraveled here White Cobra. And they're basically going over the playbook of that particular threat actor. Well, a couple of interesting things here. First of all, that they're manufacturing credibility by artificially increasing the number of downloads for malicious extensions they're uploading. For example, for Visual Studio Code extensions or such, they usually suggest about 50,000 fake downloads before they then start advertising a particular extension on social media to trick developers into installing that extension. That also leads to another caveat here. We often measure the impact of these sort of, you know, fake Visual Studio Code extensions and such based on the number of downloads and have to realize that this number is likely inflated because of the fake downloads that the attacker added before they started advertising their particular extension. In this particular case with White Cobra, we do know that they got at least one high-value victim. There was one particular crypto influencer who stated that they lost something like $500,000 because, well, they installed one of these malicious extensions into their IDE and as a result, well, were compromised.

Well, of course, attacks against developers are sort of one of my favorite topics. I've spoken about this multiple times on this podcast. I have also spoken about it before at conferences. I will be speaking again about attacks against developers at BSides Augusta. I know there are a couple of Augusta listeners on the podcast, so I hope to see some of them there. And that'll happen at the end of October. I'll add a link to the show notes. Well, that's it for today. So thanks again for listening and talk to you again tomorrow. Bye.
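The archive-probe scans from the "Web Searches For Archives" item and the advice to use advisory IP lists to color logs rather than block on them, as an added example that is not part of the podcast or the ISC diary: it tags combined-format web log lines that request archive or backup-named files and marks source IPs found in a watchlist. The log lines, the watchlist addresses and the name lists are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [15/Sep/2025:03:12:09 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Sep/2025:03:12:10 +0000] "GET /www.tar.gz HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Sep/2025:03:13:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Sep/2025:03:13:02 +0000] "GET /scripts/backup.sh HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.9 - - [15/Sep/2025:03:14:00 +0000] "GET /docs/manual.pdf?x=1 HTTP/1.1" 200 88000 "-" "Mozilla/5.0"
"""

# Constructed placeholder standing in for the IP list an advisory publishes.
WATCHLIST = {"203.0.113.5"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".gz", ".tgz", ".tar", ".bz2", ".xz")
BACKUP_STEMS = ("backup", "bak", "dump", "old")


def classify_request(target):
    """Return tags explaining why a request target looks like an archive/backup probe."""
    path = unquote(urlsplit(target).path).lower()   # drop query string, decode %xx
    name = path.rsplit("/", 1)[-1]                  # last path component
    tags = []
    if name.endswith(ARCHIVE_EXTS):
        tags.append("archive-ext")
    stem = name.split(".", 1)[0]
    if stem in BACKUP_STEMS or name.endswith((".bak", ".back")):
        tags.append("backup-name")
    return tags


def annotate_log(lines, watchlist):
    """Parse combined-format lines and attach tags; enrichment only, no blocking decision."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                 # skip lines that do not parse
        tags = classify_request(m["target"])
        if m["ip"] in watchlist:
            tags.append("watchlist-ip")              # color the entry, do not block it
        if tags:
            hits.append({"ip": m["ip"], "target": m["target"],
                         "status": int(m["status"]), "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in annotate_log(SAMPLE_LOG.splitlines(), WATCHLIST):
        print(hit)
```

A 404 on an archive path is the usual honeypot signature; a 200 on one is the case worth investigating, since it means the file actually exists in the document root.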