SANS Stormcast Wednesday Feb 20th: XWorm Cocktail; Quantum Computing Breakthrough; Signal Phishing

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9332.mp3


XWorm Cocktail: A Mix of PE data with PowerShell Code
Quick analysis of an interesting XWorm sample with PowerShell code embedded inside an executable.
https://isc.sans.edu/diary/XWorm+Cocktail+A+Mix+of+PE+data+with+PowerShell+Code/31700

Microsoft's Majorana 1 Chip Carves New Path for Quantum Computing
Microsoft announced a breakthrough in quantum computing. Its new prototype Majorana 1 chip takes advantage of exotic Majorana particles to implement a scalable, low-error-rate approach to building quantum computers.
https://news.microsoft.com/source/features/ai/microsofts-majorana-1-chip-carves-new-path-for-quantum-computing/

Russia Targeting Signal Messenger
Signal is well regarded as a secure end-to-end encrypted messaging platform. However, a user may be tricked into providing access to their account by scanning a QR code masquerading as a group channel invitation.
https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/

Podcast Transcript

Hello and welcome to the Thursday, February 20th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

If you're into gaming, then you probably are somewhat familiar with the cat and mouse game between cheaters in online games and software trying to prevent cheating in these online games. Now, the tricky part here is that quite often software that claims to allow you to bypass some of these cheat protections actually turns out to be malware. And Xavier ran into a case like that. He did find a particular piece of software that called itself XIGNCODE Unblocker 2025. XIGNCODE is one of these anti-cheat softwares. So this apparently tries to unblock the anti-cheat software. At least that's what it claims to do. However, what sort of attracted Xavier's attention was not the cheating part here or the anti-cheating part, but instead that these executables had PowerShell code embedded in the code. And that, of course, well, looked very much like malware, which it then turned out to be. XWorm is what Xavier identified it as. Interesting obfuscation technique. And I think Xavier is still looking for some help here to really identify everything that's happening here with this particular malware. There are links to the VirusTotal copies of the malware in the diary.

Well, and then we got some interesting news from Microsoft today regarding some real breakthrough advances when it comes to quantum computing. And, of course, that's always one thing to watch. Everybody's sort of afraid of, you know, when do we have to switch to quantum-safe ciphers from a security point of view? And this is sort of one of those breakthroughs that may significantly accelerate that deadline. So definitely something to worry about and to watch. Microsoft calls this new, essentially, processor that they developed the Majorana 1 chip. And the name comes from a specific particle they're using here. Actually, it's not sort of a normal particle, but really sort of an assembly of particles that's constrained on the chip by a very tiny wire that essentially limits how this particle can behave. So this is not sort of your regular conductor or anything like this. They call it a topological circuit. Lots of little bit salesmanship here in the article. But underneath it all, there is a real breakthrough here in having the ability to build quantum computers with possibly thousands of qubits with low error rates. These are really kind of the things that we're missing from quantum computing so far and probably make breaking of encryption algorithms that are not quantum safe much more realistic than what we had before. So definitely look into these algorithms. I think that's the first time for me that I'm really worried that within the next five to ten years, we do have something like this available in probably Azure's cloud for cheap for everybody to use that could break potential ciphers. We'll have to see what details work out to be in once there's some more independent testing of these circuits. But this certainly looks like they moved it sort of from the research phase where it worked once to the engineering phase where they get to work it repeatedly.

Well, and then we have some interesting threat intelligence coming from Google. Google is observing what they consider a Russian-linked threat actor phishing Signal accounts from Ukrainian victims. And this is, again, one of these examples where the user interface does not really communicate well to the user what's happening behind the scenes. Signal uses QR codes for a number of purposes. One purpose is to easily communicate to a user the address for a group channel. So if I would like to invite you to my group channel, I would send you a QR code. You scan it with your device and then you're a member of the group. However, there is another more critical thing that you can do with QR codes, and that is linking a new device to your account. So what the threat actor does here is they're setting up a new device for Signal. That new device will display a QR code to be scanned by a device that's already connected to Signal so the two devices can share the same account. And that's exactly what they're doing. They're taking that QR code. They're sending a message to the victim claiming that this is their new group channel. And then when they're scanning that QR code, they're not actually connecting the group channel. Instead, they're linking their account to the attacker's device. So the attacker will now see any future messages being sent to the victim's Signal account. This, of course, is not breaking any of the encryption or sort of integrity of the Signal communication channel. It's, again, one of these human interface issues. Signal apparently has released an update to address some of that, make it more obvious what's happening here. Haven't played with it yet to see how different it is from the old user interface.

Well, just a quick update here without a link in the show notes. But I just saw that CISA added a new Fortinet and Palo Alto vulnerability to their exploited vulnerabilities catalog. I think these are vulnerabilities I already talked about. So I'm not going to cover it here any further. But with all these vulnerabilities in these devices, it's always hard to keep them apart.

Well, that's it for today. Thanks to the users who noticed the green tint in yesterday's video. I think there's a defect in the camera I'm using. Still experimenting with that. Let me know how it goes. I'm not that great with color. So trying to do a little bit trial and error here. Thanks and talk to you again tomorrow. Bye.