SANS Stormcast Thursday Feb 27th: High Exfil Ports; Malicious VS Code Theme; Developer Workstation Safety; NAKIVO PoC; OpenH264 and rsync vuln;
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9342.mp3

My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Apr 13th - Apr 18th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 5th - May 10th 2025 |
Attacker Use of Ephemeral Ports
Attackers often host the servers they reach out to, whether to download additional resources or to exfiltrate data, on ephemeral (high-numbered) ports rather than standard service ports. Outbound HTTP or TLS traffic to such ports can be used, with care, to detect possible compromises; some legitimate cloud services also listen on high or dynamically negotiated ports, so baseline your environment before alerting or blocking.
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Malware%20Source%20Servers%3A%20The%20Threat%20of%20Attackers%20Using%20Ephemeral%20Ports%20as%20Service%20Ports%20to%20Upload%20Data/31710
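As an added example (not code from the diary or from the ISC), the script below shows the detection the note describes: it parses a few constructed Zeek conn.log-style records (columns trimmed to what is needed), flags outbound HTTP/TLS connections whose destination port falls in the ephemeral range, tags each hit as a likely download or exfiltration by comparing byte counts, and then lists which high-port destinations are reached by only a single internal host. The ephemeral-range floor, the allowlist and all sample records are assumptions made for illustration.

```python
"""Detection sketch for the ephemeral-port pattern described above.

Added example, not code from the diary: it parses a few constructed
Zeek-conn.log-style records (columns trimmed to what is needed) and
flags outbound HTTP/TLS connections whose *destination* port falls in
the ephemeral range, then counts how many internal hosts reach each
high-port destination so a shared cloud service can be told apart
from a single infected host talking to a malware server.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: Linux's default ip_local_port_range starts at 32768; tune to
# your environment (Windows uses 49152+ by default).
EPHEMERAL_MIN = 32768

# Constructed allowlist of known services that legitimately listen on high ports.
ALLOWLIST = {("192.0.2.80", 49152)}


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    service: str     # Zeek's conn.log service label: "http", "ssl", or "-"
    orig_bytes: int  # bytes sent by the internal host
    resp_bytes: int  # bytes returned by the remote host


# Constructed sample records (tab-separated):
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service orig_bytes resp_bytes
SAMPLE_LOG = """\
1740000001.0\tC1\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t1200\t45000
1740000002.0\tC2\t10.0.0.5\t51235\t203.0.113.7\t60123\ttcp\thttp\t300\t812000
1740000003.0\tC3\t10.0.0.9\t40001\t198.51.100.20\t41025\ttcp\tssl\t9500000\t2000
1740000004.0\tC4\t10.0.0.9\t40002\t192.0.2.80\t49152\ttcp\tssl\t8000\t2000
1740000005.0\tC5\t10.0.0.7\t40003\t192.0.2.55\t33434\tudp\t-\t100\t0
1740000006.0\tC6\t10.0.0.5\t51240\t203.0.113.7\t80\ttcp\thttp\t400\t5000
1740000007.0\tC7\t10.0.0.11\t40010\t192.0.2.80\t49152\ttcp\tssl\t5000\t3000
"""


def parse_conn_log(text):
    """Parse the trimmed conn.log layout above into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[2], f[4], int(f[5]), f[7],
                          int(f[8]), int(f[9])))
    return conns


def find_high_port_web(conns, allowlist=ALLOWLIST, min_port=EPHEMERAL_MIN):
    """Return (src, dst, dport, service, direction) for HTTP/TLS connections
    to high destination ports that are not allowlisted.  The direction tag is
    a byte-count heuristic: mostly outbound looks like exfiltration, mostly
    inbound like a payload download."""
    hits = []
    for c in conns:
        if c.dport < min_port or c.service not in ("http", "ssl"):
            continue
        if (c.dst, c.dport) in allowlist:
            continue
        direction = "exfil?" if c.orig_bytes > c.resp_bytes else "download?"
        hits.append((c.src, c.dst, c.dport, c.service, direction))
    return hits


def rare_high_port_destinations(conns, min_port=EPHEMERAL_MIN):
    """Return (dst, dport) pairs in the ephemeral range contacted by exactly
    one internal host.  Legitimate high-port services tend to be reached by
    many hosts; a malware server usually by one."""
    sources = defaultdict(set)
    for c in conns:
        if c.dport >= min_port:
            sources[(c.dst, c.dport)].add(c.src)
    return {dest for dest, srcs in sources.items() if len(srcs) == 1}


if __name__ == "__main__":
    conns = parse_conn_log(SAMPLE_LOG)
    for hit in find_high_port_web(conns):
        print("HIGH-PORT WEB:", hit)
    print("single-source high-port destinations:",
          sorted(rare_high_port_destinations(conns)))
```

On the sample, the allowlisted service on 192.0.2.80:49152 is skipped, the 60123/http connection is tagged as a likely download and the 41025/ssl connection as likely exfiltration; the second function is the baseline step the note's "with care" asks for, since a destination reached by one host only is a much stronger signal than a high port on its own. A real deployment would read the full conn.log, learn the allowlist from historical data rather than hard-code it, and exclude dynamically negotiated ports (VoIP, gaming) by correlating with the preceding signalling session.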
Compromised Visual Studio Code Extension Downloaded by Millions
Amit Assaraf identified a likely compromised Visual Studio Code theme (the "Material Theme") that had been installed by millions of potential victims. Amit has not yet disclosed the exact malicious behaviour, but is asking victims to make contact for details. The theme has since been removed from the Visual Studio Code store. Note that even a theme that only appears to change colours can carry code that runs inside the editor.
https://medium.com/@amitassaraf/a-wolf-in-dark-mode-the-malicious-vs-code-theme-that-fooled-millions-85ed92b4bd26
ByBit Theft Due to Compromised Developer Workstation
ByBit and Safe{Wallet} disclosed that the record-breaking Ethereum theft was traced to a compromised Safe{Wallet} developer workstation. A replaced JavaScript file in the Safe{Wallet} web application specifically targeted ByBit and altered a transaction as ByBit signed it.
https://x.com/benbybit/status/1894768736084885929
https://x.com/safe/status/1894768522720350673
PoC for NAKIVO Backup & Replication Vulnerability
This vulnerability (CVE-2024-48248) allows the compromise of NAKIVO Backup & Replication systems. NAKIVO patched it silently in November and never disclosed it; watchTowr has now published details, including a proof-of-concept exploit.
https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/
OpenH264 Vulnerability
Cisco published an advisory for a vulnerability in the OpenH264 codec that could lead to remote code execution. Because the codec is embedded in a wide range of software, the issue likely affects many products.
https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x
rsync Vulnerability Exploited
Two vulnerabilities in rsync could allow an attacker to take over a server running rsync, and CISA has now added rsync to its Known Exploited Vulnerabilities catalog. rsync is usually not exposed directly to the network, but check any instance that is.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Podcast Transcript
Hello and welcome to the Thursday, February 27th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, today we have a guest diary by one of our undergraduate interns, Robin Zaheer. Robin is writing about the use of ephemeral ports in order to download malware. This is something that happens quite commonly, where the web server that the attacker is connecting to in order to download additional malware is not listening on port 80, 443, not even port 8000, but instead on a very high port like 60,000-something or such. This is certainly something to look for when you're looking for anomalies, looking for HTTP traffic or HTTPS or TLS traffic for that matter on these high ports. You have to be a little bit careful. I've particularly lately more and more seen it with web services and such, where they sometimes listen on these high odd ports in cloud environments. Also, I think in part because of the overloading of IP addresses, people sometimes use these sort of random high ports. They're even sometimes negotiated dynamically, where you first have some kind of handshake that then defines what high port is being used. This used to be more common for voice over IP and for online gaming, but I've sadly seen this more and more with sort of more mainstream applications as well, which of course makes the detection of this kind of attack activity more tricky. Still something to look for. And if you can, definitely block outbound connections on these high ports. Again, just be careful that you're not disrupting any important traffic.

Well, and then we have actually two stories that are related to attacks against developers, one of my favorite topics. I definitely have to cover it here. The first one is a malicious theme for Visual Studio Code. What makes this theme particularly problematic is that it appears at least 4 million users have downloaded it. And the respective author of this theme and a couple of others is one of the most prolific authors on the Visual Code store. Now, this comes from Amit Assaraf. Amit did not disclose yet what exactly the indicators are that made them believe that this particular theme is malicious. The theme was called the Material Theme. And one little problem here is that when you're applying a theme like this, you're thinking you're changing the look and feel of the software, in this case Visual Code, somewhat. But even a theme that pretty much just changes colors and such often has the ability to also execute code, and with that, of course, also execute malicious code. It will be interesting to see once Amit is coming up with more details here. At this point, Amit is asking anybody who has this theme installed to contact them for more indicators of compromise. Now, there are a couple listed here, essentially the names of the theme files that you would have downloaded. The supposedly malicious theme is no longer available in the Visual Studio Code store.

And the second developer story we have comes from the Bybit, I hope I pronounce this correctly, breach. You probably have heard of this, where Bybit lost something like $1.3, $1.4 billion in Ethereum to a likely North Korean threat actor. Well, the problem here apparently appears to be a compromised workstation of SafeWallet developers. SafeWallet is a company that provides web applications to basically facilitate the signing of these Ethereum contracts. And JavaScript was replaced in their application that specifically targeted Bybit. So the next time Bybit went to the site and signed a digital contract, this malware intercepted this and then altered the contract. I just went to the SafeWallet site, just because I wasn't really familiar with the site. I'm not big into cryptocurrencies. And note that they now have a pop-up before you go to the site that specifically asks you to verify the contract before you sign it. So I guess that's how they are trying to counter this a little bit.

I think just yesterday I talked about how important it is to keep your development and production infrastructures separate, so a compromise of an individual developer's machine cannot compromise your entire architecture and infrastructure. We've had this happen a couple of times in the past where compromised developer machines sort of basically took down the entire organization. So please try to avoid this. Have some kind of privileged access workstation, or whatever you want to call it, that is specifically designed to just be used to, for example, manage things like updates, cryptographic keys and such on production environments.

And then two other vulnerabilities I think you should be aware of. First of all, two vulnerabilities in rsync that could allow someone to take over a server running rsync. Definitely something to be aware of. Usually it's not really exposed like this to the network. And then secondly, a vulnerability in the OpenH264 codec. If you're watching the video here, you're probably using the H264 codec. It's one of the big codecs being used to encode video. So definitely that is probably affecting a bunch of different software. And yes, it could lead to remote code execution.

Well, and this is it for today. So thanks again for listening. And thanks to everybody who's recommending this podcast. Just saw a nice post today on LinkedIn, I think. So thanks a lot for that. And of course, it's always good to click the like or five star or whatever your particular podcast app offers, or leave a nice little review. Thanks and talk to you again tomorrow. Bye.