
SANS ISC Stormcast, Jan 30th 2025: Python vs. Powershell; Fortinet Exploits and Patch Policy; Voyager PHP Framework Vuln; Zyxel Targeted; VMWare AVI Patch

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9302.mp3


From PowerShell to a Python Obfuscation Race!
This information stealer not only emulates a PDF document convincingly, but also includes its own Python environment for Windows
https://isc.sans.edu/diary/From%20PowerShell%20to%20a%20Python%20Obfuscation%20Race!/31634

Alleged Active Exploit Sale of CVE-2024-55591 on Fortinet Devices
An exploit for this week's Fortinet vulnerability is for sale on Russian forums. Fortinet also requires devices without a cloud license to be patched within seven days of a patch release.
https://x.com/MonThreat/status/1884577840185643345
https://community.fortinet.com/t5/Support-Forum/Firmware-upgrade-policy/td-p/373376

The Tainted Voyage: Uncovering Voyager's Vulnerabilities
SonarSource identified vulnerabilities in the popular PHP package Voyager. One of them allows arbitrary file uploads.
https://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities/

Hackers exploit critical unpatched flaw in Zyxel CPE devices
A currently unpatched vulnerability in Zyxel devices is actively exploited.
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-unpatched-flaw-in-zyxel-cpe-devices/


VMSA-2025-0002: VMware Avi Load Balancer addresses an unauthenticated blind SQL Injection vulnerability (CVE-2025-22217)
VMware released a patch for the Avi Load Balancer addressing an unauthenticated blind SQL injection vulnerability.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25346

Podcast Transcript

 Hello and welcome to the Thursday, January 30th, 2025
 edition of the SANS Internet Storm Center's
 Stormcast. My name is Johannes Ullrich and today I'm recording
 from Jacksonville, Florida. One of the comments we often
 get when we're talking about Python malware is that on
 Windows, usually there is no sort of full Python
 environment like you have it commonly on Linux. Well, today
 Xavier has an interesting piece of Python malware that
 actually includes the entire Python environment in the form
 of a fake document. Document.zip is being downloaded here
 with the Python environment. Also interesting and not
 really that terribly unusual, when you start the malware, a
 PDF will open. In this case, some sort of generic
 Garmin-related PDF. This is usually done to make the user feel
 like they opened a document. Probably the pretense here for
 delivery of the malware was that this attachment is
 supposed to include this PDF document. So if the user now
 clicks on the file, which really starts the malware, the
 PDF is opened for them, making them feel safe and sound.
 While in the background, all of their crypto coins and
 other sensitive information is being exfiltrated. Let me have
 two updates for Fortinet users. First of all, there is
 an exploit apparently for sale now. According to Threatmon,
 they posted on X that they saw an exploit for sale on a
 Russian forum. This exploit apparently takes advantage of
 the vulnerability I talked about yesterday. That's the
 interesting remote access via WebSocket bypassing
 authentication vulnerability. So definitely make sure that
 your devices are patched. It affects FortiOS version 7.0.0
 through 7.0.16. The second item is a little bit related maybe,
 but Fortinet also notified its users that if you are running
 a device without a FortiCloud license, if you don't have an
 active subscription, you must update the device within seven
 days or you essentially will lose access to the FortiCloud
 interface via the device. Interesting strategy here to
 really push users to update quickly. Again, this only
 affects devices without a subscription. So of course,
 the other motivation here is to get users to sign up for a
 subscription. The advisory also points out that you can
 use the auto update feature in order to make sure that you
 are complying with this particular rule. Seven days
 sounds a little bit short, but that's the time limit they
 give you here to update your devices. And SonarCube
 reviewed the open source Voyager package. This is a PHP
 package that's designed to manage Laravel applications.
 Laravel being the PHP framework. Both the Laravel
 framework and Voyager are extremely popular with
 millions of downloads. So nice for someone to look for
 vulnerabilities here. And they found three good ones. The
 first one, probably the most important one here, an
 arbitrary file write vulnerability. Next, there is
 also a reflected cross-site scripting vulnerability. And
 finally, an arbitrary file leak and deletion
 vulnerability. In particular, of course, arbitrary file
 writes are always critical since they often then lead to
 arbitrary code execution. This actually involves polyglot
 files, which is always an interesting issue. We covered
 that a little bit in class this week. Where it can be
 quite difficult to actually figure out the correct MIME
 type for a file. Sometimes there are files that identify
 as multiple MIME types. It's easy to then mislabel them.
 And attackers are apparently exploiting an unpatched
 vulnerability in Zyxel devices. This vulnerability
 was actually discovered, reported back in July. So it
 has been known, has also been publicly known for a while.
 Finally, attackers get around to exploit it. So no big
 surprise here. What's probably more surprising is that there
 is still no patch apparently available for this
 vulnerability. And talking about patches, VMware released
 a patch for a vulnerability in the AVI load balancer. This is
 an unauthenticated blind SQL injection vulnerability. And
 VMware assigned it a CVSS score of 8.6. Certainly
 something that you do want to patch. It was reported
 privately to VMware. So there are no additional details at
 this point available. And no known exploit at this point.
 Well, and this is it for today. So thanks again for
 listening. Thanks to everybody who is sending in links. In
 particular, for example, the FortiGate news came in from a
 listener. Thanks and talk to you again tomorrow. Bye.
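The transcript's remark about polyglot files that identify as more than one MIME type points to a defensive check worth seeing in code. The following is an added example, not code from the podcast, the ISC, or the Voyager project: an upload validator that treats a file matching more than one content signature as a polyglot and rejects it, instead of trusting the first signature or the file extension. The magic-byte values are standard; the sample files are constructed for the example.

```python
import re

# Well-known magic bytes checked at offset 0.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "application/pdf": (b"%PDF-",),
    "application/zip": (b"PK\x03\x04",),
}
# Content that can appear anywhere in the body and gives the file a second identity.
EMBEDDED = {
    "application/x-php": re.compile(rb"<\?php\b|<\?=", re.I),
    "text/html": re.compile(rb"<script\b", re.I),
    "application/pdf": re.compile(rb"%PDF-"),
}
EXT_TO_MIME = {"gif": "image/gif", "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg"}

def identify(data: bytes) -> set:
    """Return every MIME type the bytes can plausibly be read as (more than one = polyglot)."""
    found = {m for m, sigs in MAGIC.items() if any(data.startswith(s) for s in sigs)}
    found |= {m for m, pat in EMBEDDED.items() if pat.search(data)}
    return found

def assess_upload(filename: str, data: bytes, allowed=("image/gif", "image/png", "image/jpeg")):
    """Accept only files with exactly one identity that is allowed and matches the extension."""
    types = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if len(types) > 1:
        return "reject:polyglot", types          # e.g. GIF header plus embedded PHP
    if not types or next(iter(types)) not in allowed:
        return "reject:type", types              # unknown or disallowed content type
    if EXT_TO_MIME.get(ext) != next(iter(types)):
        return "reject:extension", types         # extension and content disagree
    return "accept", types

# Constructed samples (not real files): a minimal GIF body and a GIF/PHP polyglot.
CLEAN_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
POLYGLOT = b"GIF89a" + b"\x01\x00\x01\x00" + b"<?php /* placeholder */ ?>"
CLEAN_PDF = b"%PDF-1.4\n%constructed sample\n"

if __name__ == "__main__":
    for name, blob in (("logo.gif", CLEAN_GIF), ("logo.gif", POLYGLOT), ("report.pdf", CLEAN_PDF)):
        print(name, assess_upload(name, blob))
```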