
SANS Stormcast Thursday, February 5th, 2026: Malicious Scripts; Synectix Vuln; Google Chrome; Google Looker;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9796.mp3


Malicious Script Delivering More Maliciousness
https://isc.sans.edu/diary/Malicious+Script+Delivering+More+Maliciousness/32682

Synectix LAN 232 TRIO Unauthenticated Web Admin CVE-2026-1633
https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-04

Google Chrome Patches
https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html

LookOut: Discovering RCE and Internal Access on Looker (Google Cloud & On-Prem)
https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout

Podcast Transcript

Hello and welcome to the Thursday, February 5th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in penetration testing and ethical hacking. When you're dealing with an incident, like you find an infected system, the problem, probably the hardest thing in incident response, is always figuring out if you found everything that's wrong with the system. And let's have a little example here that Xavier posted about today. Initially, this looked, well, like an info stealer that is injected into Chrome in order to steal data. So nothing really all that fancy. And this is where someone may have stopped investigating, but not so Xavier. Xavier dove deeper into the script and found that at the end it actually then downloads another image. Now this image is at first sight a legitimate image. It looks like sort of one of those wallpapers for fans of MSI motherboards, I guess. But it does have additional code added at the end. And that then installs, well, more malware. So after the initial malware runs and keeps running, it then installs XWorm as an additional payload. The other reason why this sometimes happens is just in case antivirus would catch the first part. Well, maybe the second makes it through. So that's also one reason why an attacker may do that. In this case, I think it's probably more that they will try to get more out of the system, and adding a couple of lines to the existing script was sort of an easy way to expand the capabilities of their malware.

And CISA warns of an interesting critical vulnerability in Synectix LAN 232 Trio 3-port serial-to-Ethernet adapters. I'm actually not sure why this is something that is actually being discovered, because what it's all about is that the web admin interface just doesn't require any authentication. So without authentication, the hacker, of course, has full control over the device, may change settings, may reset the device to factory defaults. So pretty obvious vulnerability, and sadly, no patch available as far as I know. These kinds of Ethernet-to-serial adapters I first came across in some sort of remote console access equipment. And they have been a problem. One of the issues here is that literally the entire device, including the web server, literally fits into an Ethernet RJ45 plug. So these are very minimal devices, and as a result, with often minimum security and even things like encryption protocols. So don't expose them is probably the best bet you have here.

And Google also released updates for Google Chrome fixing two vulnerabilities. One of them is a heap buffer overflow in libvpx and the other one is, well, yet another type confusion in V8, Google's JavaScript engine. So keep Google Chrome updated. As I always say, keep restarting it at least once a day, and once a week, double check that you are running the latest version.

And then we do have two severe vulnerabilities that Tenable discovered in the Google Looker tool. Now, I wasn't familiar with the on-premise version. I've used Looker Studio, which is the cloud version of the tool. But essentially, the tool allows you to create reports, graphs, and other sort of representations of business data. And it connects to a database to do that. Well, these vulnerabilities, first of all, there are some Git path traversal issues. You can define various sort of graphs and reports and then import them via Git, but the path is not properly verified here. So additional Git repositories may be included. And then with Git hooks, you can, well, essentially execute arbitrary code. Update it if you're running it on-premise yourself. If you're using the cloud version, Google already took care of it for you. So nothing that you necessarily need to do here.

And we got security updates for Django. Django is a Python web application framework. There are a number of vulnerabilities they addressed. The most severe one by far here is a SQL injection vulnerability. However, it only affects PostGIS data. So if you're using Django to create some geographic information systems, then this may affect you, or anything else that sort of deals with geographic coordinates. One, for example, allows you to enumerate users. But again, those things are always a little bit hard to prevent in your application. And I wouldn't really consider it sort of a severe must-patch-now type of vulnerability.

Well, that's it for today. Just want to point out, if you want to learn more about web applications like Django and some of the vulnerabilities around them, I'll be teaching our web application security class the first week of April in Orlando, and then our network and distribution detection class in Amsterdam later in April. If you're interested in any classes I teach, I always have in the show notes on the SANS and Storm Center website, so not in the show notes itself, but below that on the podcast page, a list of classes that I'll be teaching in the near future. So both of them should be listed, or just check the SANS.org website. That's it for today. Thanks for listening and talk to you again tomorrow. Bye.