
SANS ISC Stormcast, Jan 29th 2025: Python Crypto Stealer; SimpleHelp Exploited; Apple Silicon Vuln; Teamviewer Vuln; Odd QR Code

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9300.mp3


Learn about fileless crypto stealers written in Python, the ongoing exploitation of recent SimpleHelp vulnerabilities, new Apple Silicon side-channel attacks, a TeamViewer vulnerability, and an odd QR code.

Fileless Python InfoStealer Targeting Exodus
This Python script targets the Exodus crypto wallet and password managers to steal cryptocurrencies. It does not save exfiltrated data in files, but keeps it in memory for exfiltration.
https://isc.sans.edu/diary/Fileless%20Python%20InfoStealer%20Targeting%20Exodus/31630

Campaign Exploiting SimpleHelp Vulnerability
Arctic Wolf observed attacks exploiting SimpleHelp for initial access to networks. It has not been verified, but it is assumed that the vulnerabilities made public about a week ago are being exploited.
https://arcticwolf.com/resources/blog-uk/arctic-wolf-observes-campaign-exploiting-simplehelp-rmm-software-initial-access/

Two new Side Channel Vulnerabilities in Apple Silicon
SLAP (Data Speculation Attacks via Load Address Prediction): This attack exploits the Load Address Predictor in Apple CPUs starting with the M2/A15, allowing unauthorized access to sensitive data by mispredicting memory addresses.
FLOP (Breaking the Apple M3 CPU via False Load Output Predictions): This attack targets the Load Value Predictor in Apple's M3/A17 CPUs, enabling attackers to execute arbitrary computations on incorrect data, potentially leaking sensitive information.
https://predictors.fail/

Teamviewer Security Bulletin
TeamViewer patched a privilege escalation vulnerability, CVE-2025-0065.
https://www.teamviewer.com/en-us/resources/trust-center/security-bulletins/tv-2025-1001/

Odd QR Code
A QR code may resolve to a different URL when viewed at an angle.
https://mstdn.social/@isziaui/113874436953157913

Limited Discount for SANS Baltimore
https://sans.org/u/1zQd

Podcast Transcript

Hello and welcome to the Wednesday, January 29th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. In diaries today, Xavier is talking about a new Python malware that Xavier came across. This one is going after Exodus wallets. Exodus is a popular cryptocurrency wallet and in this case the malware is trying to exfiltrate secret keys. In case the wallet is password protected, it also is looking for passwords in common password managers. All is written in Python, not leaving much of a fingerprint on the file system. Like, all the data is kept in memory and then directly exfiltrated. The keystroke logger is also kind of interesting in that it doesn't just simply record keystrokes, but also has sort of special setups. For example, if something is copied to the clipboard, it will automatically then grab data from the clipboard and exfiltrate this as well. Cryptocurrencies keep coming up more and more, of course, lately with the increased value of cryptocurrencies. And that's probably just going to continue. Interesting to see Python sort of jumping in here with some malware. And yeah, Xavier has lots more details in his diary, including code snippets from the actual malware.

And Arctic Wolf is reporting that they are now seeing some compromised SimpleHelp servers. No surprise, Horizon3.ai released about a week ago details about a number of vulnerabilities. There was an unauthenticated path traversal vulnerability. There was an arbitrary file upload and remote code execution vulnerability, as well as a privilege escalation vulnerability. So no surprise that these systems are being exploited. There weren't a ton of exposed systems out there, according to Shodan. I think a couple thousand, which I consider sort of a little bit average to low. Arctic Wolf is sadly a little bit light on details. They can't confirm which exact vulnerabilities were used in these compromises. But double check that all of your SimpleHelp installs are patched. And if they're not patched yet, assume compromise.
Then we got two new side channel attacks to worry about. The first one is called SLAP, for Speculation Attack via Load Address Prediction. The second one, FLOP, False Load Output Predictions. Both of these attacks specifically affect Apple silicon processors: the M2 or A15 on iPhone, iPad, or the M3 and the A17 CPU. These vulnerabilities, like all the side channel vulnerabilities, violate the separation of different processes on the system, where one process is able to access data and affect another process. What makes this one particularly worrisome is a pretty impressive demo that they posted, where JavaScript running in a browser window can be used to essentially read data from another browser window. In this case, they demoed it very effectively with ProtonMail, where basically JavaScript running in the malicious window is able to read email from the ProtonMail window. These types of attacks, of course, are dangerous and real, in the sense that, well, you can't really predict what JavaScript is going to run on a particular website. All it takes is you visit one compromised slash malicious webpage in order for this particular vulnerability to be exploited. At this point, I haven't really seen anything specific about possible patches for these vulnerabilities, or if they are even possible.
We got two issues that I would consider not quite as critical. First of all, a privilege escalation vulnerability in TeamViewer clients. Patch it. Get it over with. Kind of. The second one is really more sort of what I would consider a curiosity: an interesting QR code Christian Walther came up with, that depending on what angle you use to look at the QR code, it resolves into different URLs. Interesting little trick here. Now, initially, this was created with like little lenses. You may have sort of, you may remember these simple hologram kind of images that just show different images depending on the angle you're looking at. But this does actually not use any lens like that. It's just printed on a flat piece of paper. But by looking at an angle, some of the distances between the dots in the QR code are shrunk. That then makes them look slightly different, and as a result, present a different, still valid URL. Interesting little party trick. I think I'm not a huge fan of sort of overemphasizing the dangers of QR codes. But this could certainly be abused in some circumstances. Well, and this is it for today. So thanks again for listening. Also, if you're interested in any class I'm teaching, I'll be teaching in Baltimore in March: SEC 503, Packet Analysis, so intrusion detection. If you're interested in that subject, if you really like to sort of go in-depth on protocols, well, join me in Baltimore. That's it for today. Thanks and talk to you again tomorrow. Bye.