
SANS Stormcast Thursday Feb 27th: High Exfil Ports; Malicious VS Code Theme; Developer Workstation Safety; NAKIVO PoC; OpenH264 and rsync vuln;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9342.mp3


Attacker Use of Ephemeral Ports
Attackers often use ephemeral ports to reach out to download additional resources or exfiltrate data. This can be used, with care, to detect possible compromises.
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Malware%20Source%20Servers%3A%20The%20Threat%20of%20Attackers%20Using%20Ephemeral%20Ports%20as%20Service%20Ports%20to%20Upload%20Data/31710
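The detection idea above, as an added example that is not code from the diary: it looks for outbound HTTP or TLS sessions whose server side sits in the dynamic port range (49152 and up), ignores internal-to-internal traffic, and keeps an allowlist for the legitimate high-port services the podcast warns about. It assumes a Zeek-style tab-separated conn.log with the eleven fields named in the code; the log lines, the internal address ranges and the allowlisted host are constructed for the example.

```python
"""Flag outbound HTTP/TLS connections whose server side sits in the ephemeral
port range. Added example for this diary, not code from the ISC post; it
assumes a Zeek-style tab-separated conn.log with the eleven fields listed
below, and the log lines are constructed, not real traffic."""
import ipaddress
from collections import namedtuple

# Field order assumed for each log line (a subset of Zeek's conn.log).
Conn = namedtuple(
    "Conn",
    "ts uid orig_h orig_p resp_h resp_p proto service duration orig_bytes resp_bytes",
)

# Constructed sample: internal hosts talking to a few external servers.
SAMPLE_CONN_LOG = """\
1709000000.10\tC1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\t2.1\t900\t40000
1709000001.20\tC2\t10.0.0.5\t51240\t198.51.100.7\t61337\ttcp\thttp\t0.8\t300\t250000
1709000002.30\tC3\t10.0.0.9\t51300\t198.51.100.9\t59000\ttcp\tssl\t5.0\t120000\t800
1709000003.40\tC4\t10.0.0.9\t51301\t10.0.0.20\t60000\ttcp\tssl\t1.0\t500\t600
1709000004.50\tC5\t10.0.0.5\t51400\t192.0.2.4\t8080\ttcp\thttp\t0.5\t200\t1500
1709000005.60\tC6\t10.0.0.7\t51500\t198.51.100.7\t61337\ttcp\t-\t0.1\t60\t0
1709000006.70\tC7\t10.0.0.7\t51501\t192.0.2.4\t55000\ttcp\tssl\t3.0\t400\t9000
"""

EPHEMERAL_MIN = 49152           # start of the IANA dynamic/private port range
WEB_SERVICES = {"http", "ssl"}  # Zeek service labels for HTTP and TLS
# Internal address space of the monitored network (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical allowlist: destinations known to use odd or negotiated high
# ports legitimately (a VoIP gateway, a cloud service); tune per environment.
ALLOWLIST = {"192.0.2.4"}


def parse_conn_log(text):
    """Parse the tab-separated lines into Conn records, skipping comments."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) != 11:
            continue
        conns.append(Conn(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]),
                          f[6], f[7], float(f[8]), int(f[9]), int(f[10])))
    return conns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_high_port_web(conns, min_port=EPHEMERAL_MIN, allowlist=ALLOWLIST):
    """Return (uid, client, server:port, service, direction) for outbound
    HTTP/TLS sessions whose server port is in the ephemeral range."""
    findings = []
    for c in conns:
        if c.proto != "tcp" or c.resp_p < min_port:
            continue
        if c.service not in WEB_SERVICES:
            continue
        # Only internal clients reaching external servers count as outbound.
        if not is_internal(c.orig_h) or is_internal(c.resp_h):
            continue
        if c.resp_h in allowlist:
            continue
        # Bytes sent versus received hint at exfiltration versus download.
        direction = "upload" if c.orig_bytes > c.resp_bytes else "download"
        findings.append((c.uid, c.orig_h, f"{c.resp_h}:{c.resp_p}", c.service, direction))
    return findings


if __name__ == "__main__":
    for f in flag_high_port_web(parse_conn_log(SAMPLE_CONN_LOG)):
        print("high-port web session:", *f)
```

On the sample, C2 (a download over HTTP on port 61337) and C3 (a large upload over TLS on port 59000) are flagged, while the port 443 session, the internal destination, the sub-49152 port, the session Zeek could not classify and the allowlisted host are left alone. The allowlist is where the care the podcast asks for goes: populate it from observed legitimate high-port services before turning findings into blocks.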

Compromised Visual Studio Code Extension downloaded by Millions
Amit Assaraf identified a likely compromised Visual Studio Code theme that was installed by millions of potential victims. Amit did not disclose the exact malicious behaviour, but is asking for victims to contact them for details.
https://medium.com/@amitassaraf/a-wolf-in-dark-mode-the-malicious-vs-code-theme-that-fooled-millions-85ed92b4bd26
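The podcast's point is that a theme, which a user expects to change only colours, can still declare an entry point that runs JavaScript in the editor. The script below is an added example, not code from the Medium post or from any extension author: it reads each extension's package.json and reports themes whose manifest also declares a `main`/`browser` entry point or activation events. It assumes the standard per-extension directory layout under `~/.vscode/extensions`; the two manifests embedded are constructed and do not describe any real extension. A hit means "read the entry point", not "malicious": legitimate themes sometimes ship code for settings or previews.

```python
"""Triage installed VS Code extensions for themes that also ship executable
code. Added example, not code from the Medium post or from the extension's
author; it assumes the standard extension layout of one directory per
extension, each holding a package.json manifest. The two manifests below are
constructed for the example, not copies of any real extension."""
import json
import os
import pathlib

# Manifest "contributes" keys a colour/icon theme needs and nothing more.
THEME_KEYS = {"themes", "iconThemes", "productIconThemes"}


def classify_extension(pkg):
    """Summarise one manifest: does it look like a pure theme, and does it
    declare an entry point or activation events that run JavaScript?"""
    contributes = pkg.get("contributes") or {}
    contributed = set(contributes)
    theme_only = bool(contributed) and contributed <= THEME_KEYS
    entry_points = [pkg[k] for k in ("main", "browser") if k in pkg]
    has_code = bool(entry_points) or bool(pkg.get("activationEvents"))
    return {
        "id": f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}@{pkg.get('version', '?')}",
        "theme_only": theme_only,
        "has_code": has_code,
        "entry_points": entry_points,
        # A theme that also runs code is not necessarily malicious, but its
        # entry point deserves a read before you keep trusting it.
        "review": theme_only and has_code,
    }


def audit_extensions(root):
    """Classify every <root>/<ext>/package.json; unreadable manifests are skipped."""
    results = []
    for manifest in sorted(pathlib.Path(root).glob("*/package.json")):
        try:
            with open(manifest, encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue
        results.append(classify_extension(pkg))
    return results


# Constructed manifests: a colour-only theme and one that also loads code.
PURE_THEME = json.loads("""{
  "name": "example-colors", "publisher": "example-pub", "version": "1.0.0",
  "contributes": {"themes": [{"label": "Example Dark", "uiTheme": "vs-dark",
                              "path": "./themes/example-dark.json"}]}
}""")

THEME_WITH_CODE = json.loads("""{
  "name": "example-colors-plus", "publisher": "example-pub", "version": "2.3.1",
  "main": "./out/extension.js",
  "activationEvents": ["*"],
  "contributes": {"themes": [{"label": "Example Plus", "uiTheme": "vs-dark",
                              "path": "./themes/example-plus.json"}]}
}""")


if __name__ == "__main__":
    # Default location on Linux/macOS is assumed; Windows keeps it under %USERPROFILE%.
    root = os.path.expanduser("~/.vscode/extensions")
    for r in audit_extensions(root):
        if r["review"]:
            print(f"{r['id']}: theme-only contributions but runs {r['entry_points']}")
```

Run it on a developer workstation and the output lists every extension whose manifest promises only a theme yet loads a script at activation; `activationEvents` of `"*"` in particular means the code runs as soon as the editor starts, which is the property that makes a compromised theme worth the same scrutiny as any other dependency.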

ByBit Theft Due to Compromised Developer Workstation
ByBit and Safe{Wallet} disclosed that the record-breaking Ethereum theft was due to a compromised Safe{Wallet} developer workstation. A replaced JavaScript file targeted ByBit and altered a transaction signed by ByBit.
https://x.com/benbybit/status/1894768736084885929
https://x.com/safe/status/1894768522720350673

PoC for NAKIVO Backup Replication Vulnerability
This vulnerability allows the compromise of NAKIVO backup systems. The vulnerability was patched silently in November and never disclosed by NAKIVO. Instead, watchTowr now discloses details including a proof-of-concept exploit.
https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/

OpenH264 Vulnerability
https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x

rsync vulnerability exploited
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Podcast Transcript

Hello and welcome to the Thursday, February 27th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, today we have a guest diary by one of our undergraduate interns, Robin Zaheer. Robin is writing about the use of ephemeral ports in order to download malware. This is something that happens quite commonly, where the web server that the attacker is connecting to in order to download additional malware is not listening on port 80, 443, not even port 8000, but instead on a very high port like 60,000 something or such. This is certainly something to look for where you're looking for anomalies, looking for HTTP traffic or HTTPS or TLS traffic for that matter on these high ports. You have to be a little bit careful. I've particularly lately more and more seen it with web services and such where they sometimes listen on these high odd ports in cloud environments. Also, I think in part also because of the overloading of IP addresses, people sometimes use these sort of random high ports. They're even sometimes negotiated dynamically, so where you first have some kind of handshake that then defines what high port is being used. This used to be more common, like for voice over IP and for online gaming. But I've sadly seen this more and more with sort of more mainstream applications as well, which of course makes the detection of this kind of attack activity more tricky. Still something to look for. And if you can, definitely block outbound connections on these high ports. Again, just be careful that you're not disrupting any important traffic.

Well, and then we have actually two stories that are related to attacks against developers. One of my favorite topics. I definitely have to cover it here. The first one is a malicious theme for Visual Studio Code. What makes this theme particularly problematic is that it appears at least 4 million users have downloaded it. And the respective author of this theme and a couple of others is one of the most prolific authors on the Visual Code store. Now, this comes from Amit Assaraf. Amit did not disclose yet what exactly the indicators are that made them believe that this particular theme is malicious. The theme was called the Material theme. And one little problem here is that when you're applying a theme like this, you're thinking you're changing the look and feel of the software, in this case Visual Code, somewhat. But even a theme that pretty much just changes colors and such often has the ability to also execute code. And with that, of course, also execute malicious code. It will be interesting to see once Amit is coming up with more details here. At this point, Amit is asking anybody who has this theme installed to contact them for more indicators of compromise. Now, there are a couple listed here, essentially the names of the theme files that you would have downloaded. The supposedly malicious theme is no longer available in the Visual Studio Code store.

And the second developer story we have comes from the Bybit, I hope I pronounce this correctly, breach. You probably have heard of this, where Bybit lost something like $1.3, $1.4 billion in Ethereum to a likely North Korean threat actor. Well, the problem here apparently appears to be a compromised workstation of SafeWallet developers. SafeWallet is a company that provides web applications to basically facilitate the signing of these Ethereum contracts. And JavaScript was replaced in their application that specifically targeted Bybit. So the next time Bybit went to the site, signed a digital contract, this malware intercepted this and then altered the contract. I just went to the SafeWallet site just because I wasn't really familiar with the site. I'm not big into cryptocurrencies. And I noticed that they now have a pop-up before you go to the site that specifically asks you to verify the contract before you sign it. So I guess that's how they are trying to counter this a little bit. I think just yesterday I talked about how important it is to keep your development and production infrastructures separate, so a compromise of an individual developer's machine cannot compromise your entire architecture and infrastructure. We've had this happen a couple of times in the past where compromised developer machines sort of basically took down the entire organization. So please try to avoid this. Have some kind of privileged access workstation, or whatever you want to call it, that is specifically designed to just be used to, for example, manage things like updates, cryptographic keys and such on production environments.

And then two other vulnerabilities I think you should be aware of. First of all, two vulnerabilities in rsync that could allow someone to take over a server running rsync. Definitely something to be aware of. Usually it's not really exposed like this to the network. And then secondly, a vulnerability in the OpenH264 codec. If you're watching the video here, you're probably using the H264 codec. It's one of the big codecs being used to encode video. So definitely that is probably affecting a bunch of different software. And yes, it could lead to remote code execution.

Well, and this is it for today. So thanks again for listening. And thanks to everybody who's recommending this podcast. Just saw a nice post today on LinkedIn, I think. So thanks a lot for that. And of course, always good to click the like or five star or whatever your particular podcast app offers, or leave a nice little review. Thanks and talk to you again tomorrow. Bye.