SANS Stormcast Friday Feb 28th: Njrat devtunnels.ms; Apple FindMe Abuse; XSS Exploited; @sans_edu Ben Powell EDR vs. Ransomware
If you are not able to play the podcast using the embedded player, use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9344.mp3

Njrat Campaign Using Microsoft Dev Tunnels:
A recent version of the Njrat remote admin tool is taking advantage of Microsoft's developer tunnels (devtunnels.ms) as a command and control channel.
https://isc.sans.edu/diary/Njrat%20Campaign%20Using%20Microsoft%20Dev%20Tunnels/31724
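Hunting for the devtunnels.ms indicator from this diary comes down to matching the right part of a hostname. The following Python script is an added example for this page, not code from the ISC diary or from Xavier's analysis. It runs over a few constructed proxy log lines (the log format, the host names and the allowlist of developer workstations are all assumptions made for the example; only devtunnels.ms comes from the diary) and reports every non-developer host that talked to devtunnels.ms or one of its subdomains, while ignoring look-alike domains that merely end in the same letters.

```python
"""Hunt proxy logs for connections to Microsoft Dev Tunnels (devtunnels.ms).

Added example: the log format, host names and allowlist below are constructed
for illustration. The only indicator taken from the diary is devtunnels.ms.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicator from the diary. Dev Tunnels are served from subdomains of this apex,
# so we match the registered domain and its subdomains, not an arbitrary suffix.
INDICATOR_DOMAIN = "devtunnels.ms"

# Hosts where developers legitimately use Dev Tunnels (assumed for this example).
# Any other host reaching devtunnels.ms deserves a look.
DEV_WORKSTATIONS = {"dev-laptop-07"}

# Constructed proxy log lines: "<timestamp> <src_host> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2025-02-27T09:12:01Z dev-laptop-07 GET https://abc123-8080.usw2.devtunnels.ms/api/health 200
2025-02-27T09:15:44Z fin-pc-12 POST https://k9x7q2-443.euw.devtunnels.ms/upload 200
2025-02-27T09:16:02Z fin-pc-12 GET https://www.microsoft.com/ 200
2025-02-27T09:20:17Z hr-pc-03 CONNECT https://notdevtunnels.ms:443/ 200
2025-02-27T09:21:05Z hr-pc-03 POST https://DEVTUNNELS.MS/ 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def host_matches(hostname, domain=INDICATOR_DOMAIN):
    """True if hostname is the indicator domain or a subdomain of it.

    A plain endswith("devtunnels.ms") would also flag a constructed decoy such
    as notdevtunnels.ms, so the check requires either an exact match or a
    label boundary ('.') before the domain. Case and a trailing dot are ignored.
    """
    h = hostname.lower().rstrip(".")
    return h == domain or h.endswith("." + domain)


def parse_line(line):
    """Split one constructed log line into fields and extract the URL's host."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than crash the hunt
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname or ""  # lowercased, port stripped
    return rec


def hunt(log_text, allowlist=DEV_WORKSTATIONS):
    """Map each non-allowlisted source host to the records that hit the indicator."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not host_matches(rec["host"]):
            continue
        if rec["src"] in allowlist:
            continue  # expected Dev Tunnels use by a developer workstation
        findings[rec["src"]].append(rec)
    return dict(findings)


if __name__ == "__main__":
    for src, recs in hunt(SAMPLE_PROXY_LOG).items():
        for r in recs:
            print(f"{r['ts']} {src} -> {r['host']} ({r['method']} {r['status']})")
```

Run against the constructed sample, the script reports fin-pc-12 (a finance workstation posting to a Dev Tunnels subdomain) and hr-pc-03 (a request to the apex domain itself), skips the allowlisted developer laptop, and does not flag the look-alike notdevtunnels.ms. The allowlist is the part to tune: as the diary notes, the domain should only appear on machines where software is actively being developed, so an empty allowlist is the right starting point in most environments.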
NrootTag Apple FindMy Abuse
Malware could exploit a weakness in the keys used by Apple FindMy to turn the network against its users and track victims. Apple released fixes with iOS 18.2, but the issue is only resolved once the vast majority of Apple users have updated.
https://nroottag.github.io/
360XSS: Mass Website Exploitation via Virtual Tour Framework
The Krpano VR library, which is often used to implement 3D virtual tours on real estate websites, is currently being abused to inject spam messages. The XSS vulnerability could allow attackers to inject even more malicious JavaScript.
https://olegzay.com/360xss/
SANS.edu Research: Proof is in the Pudding: EDR Configuration Versus Ransomware. Benjamin Powell
https://www.sans.edu/cyber-research/proof-pudding-edr-configuration-versus-ransomware/
Podcast Transcript
Hello and welcome to the Friday, February 28th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Xavier today published a quick diary with a new version of the NJRAT malware that he found, and well, NJRAT in this example is taking advantage of Microsoft Dev Tunnels. This is activity that may go unnoticed because it is a legitimate service, sometimes, as I've described, living off the cloud attacks. But essentially Dev Tunnels are meant for developers to help test web services, but of course they can also be used to relay other traffic, like in this case the exfiltration of credentials. The domain to look for here is devtunnels.ms, MS for sort of Microsoft. This particular domain is exclusively used for these Dev Tunnels, and well, they're called Dev Tunnels because they're used for development, not necessarily for production software. So unless you are actually actively developing software using Dev Tunnels, you probably shouldn't see that domain on your network, which makes it a pretty good indicator of compromise here, something to go hunting for.

And researchers at George Mason University came up with an interesting method to subvert the Apple FindMy network. This is the network that's being used to track AirTags and other Apple devices. In order for a device to be tracked it needs a valid public-private key pair. The public key is then being used to essentially send the lost message that's then being received and relayed by various Apple devices that are capable of participating in this FindMy network. The problem that these researchers have discovered is that it's actually not that difficult to come up with a valid key pair. So a Trojan could infect a random computer that's capable of participating in Bluetooth Low Energy, which of course pretty much any mobile device is these days. Definitely desktops and such usually have some kind of Bluetooth capability. And then they have to create a valid key pair for the device, which they figured out can be done with a reasonable effort. They used one of these higher-end NVIDIA cards, I believe the H100 card, but they reckon it's about $5 worth of computing time if you do it in the cloud, for example, to come up with a valid key pair. And that advertisement of a lost device is now being relayed by Apple devices for the FindMy network and allows the geographic location tracking of the compromised device. Apple has released a patch in the latest version of iOS, in 18.2, to prevent relaying these messages. Basically added some additional validation of the keys to make them more difficult to spoof. Of course, as long as there are still old devices out there, they will relay these messages and the exploit would still work.

Well, yesterday I talked about the injection of malicious JavaScript that led to this large cryptocurrency theft. Today a little bit something similar: cross-site scripting being used in order to inject malicious JavaScript into websites that are using these 360 degree virtual tours. A cross-site scripting vulnerability is basically used here to persistently inject that JavaScript. Oleg Zaitsev did come up with details behind this attack. Currently it's, I guess luckily, just being used to advertise porn websites. So nothing too malicious yet. But given that this is often used sort of on realtor websites or such, it could also be used for more malicious purposes. Like, I see a lot of sort of business email compromise attacks and such against realtors, realtor websites. So there's certainly room to grow here for this particular attack. And the particular library that's vulnerable here is called Krpano. And again, it's been used for these 360 virtual tours.

Well, and it's Friday again, so we do have another sans.edu student here to talk about their research paper. Ben, could you introduce yourself please?

Hi there, my name is Ben Powell. I'm a senior, excuse me, a principal security engineer. And I've been in cyber about 15 years at this point. I started and worked my way up through the military and then separated to do some contracting, and now working in the private sector.

Yeah, and your paper, I think, was about, well, one of the hot topics that probably many are worried about. And that's kind of ransomware and how to defend against that. Can you explain a little bit what aspect of ransomware, that big topic, you covered?

Yes. So I'm working as an incident responder, have seen quite a bit of ransomware, and I am often surprised at how payloads are executed and how ransomware lands on the systems. And so I was curious, with some penetration testing experience also, how can we as network defenders do a better job of preparing ourselves for sort of the inevitable? You and I both know it's not going to go anywhere as long as companies are paying the ransom. It's just going to continue to be present.

Yeah, always figure ransomware, they figured out it's actually more valuable to steal the data than to delete it or sell it to someone else. You're the only one who really wants those baby pictures. But yeah, so you, of course, you're looking at corporate environments, not necessarily at people's personal pictures. And you looked at different EDR options. So what were these EDR, endpoint detection and response, options?

So really, I kind of targeted my research around small businesses, maybe teams that don't necessarily have a large security staff. And I was interested in kind of a name brand product. So I shot for Microsoft Defender. And within the Microsoft Defender world, there's a boatload that's specifically focused on Microsoft Defender for Endpoint. And, excuse me, Microsoft Defender for Business, because that one was focused with companies that had 300 people or less. So my thought there was this would kind of definitely hit that small business environment. Not everyone needs a full-blown Microsoft 365 license. And the second option I looked at was Wazuh, open source. I'll call it an integrated product. It provides XDR as well as a SIEM. So there's almost an auto-ingestion portion where you don't necessarily manage the, you don't look at the data like you would in Defender. You look at it much more from like a Splunk or Elastic perspective, with the ability to create custom searches and look at basically all of the event logs off of the machine, rather than the Microsoft Defender side where you're only kind of looking at those threat logs.

Yeah, and I've used both of these products. I think they are both valid. Like you said, they really hit that small, medium business market, both of them. What are some of the big differences you found when looking at these products?

Well, I'll start with Wazuh first. The big difference right there is having the ingestion. So you have, you deploy the agent. The agent then calls back to the indexer. The indexer is going to correlate, not, excuse me, not correlate, index all of the logs for you to create a common language of all of the file types and log data values. And then from there, you actually search against that, rather than the Microsoft side where you deploy the agent and it's looking at those logs locally and calling out to the cloud-based console. So with Wazuh, you needed an additional internal device. So having that server locally, which, I will say, I have seen fairly recently some issues where companies or clients don't necessarily have that integrated logging, the centralized logging or cloud-based logging. And keeping all of the logs local is not recommended in today's day and age.

Yeah. I know it's a common issue. The advantage, of course, of having all those logs is that you have additional context in case something happens. In Microsoft Defender, do you get some of that context from Microsoft, or is it really more of that red, green, light bulb thing?

You get a good bit of data from Microsoft. They will go ahead, Microsoft will categorize threats. One of the big differences was the rule technology or the rule creation. With Microsoft Defender for Business, you were unable to create any customized detections. So you were really kind of left with what Microsoft deemed to be threats. With Wazuh, on the other hand, you had the ability to write your own YARA rules. And taking those YARA rules and deploying them creates a lot more detections that you can get out of that system, while also being somewhat a bit more manual, needing to find a rule set, needing to make sure it's updated, and doing kind of the maintenance on that. Whereas Microsoft made it a lot more just plug and play, if you will.

Yeah, I think that customization part is really something. Just from my own experience running Microsoft Defender, the transcript for the podcast often triggers the suspicious file rule. Not sure why, but maybe talking about malware or such will cause that. But Wazuh, similar, it has, I forgot which it was, there was one common Linux binary that last year I ran into that Wazuh, for whatever reason, considered malicious. And it was a well-known false positive. Now, in Wazuh, I can go in and change the rule and make it stop alerting on this. And then, of course, I can go in and change the rule of mind, because I can't change the rule of mind.

Yes, it's definitely a big problem with that side. And I think, back to what you pointed out, it was interesting, because even just on my base installation of Windows, importing the tool I used for these detections, Atomic Red Team, to create some of that activity, Microsoft Defender immediately started throwing flags just upon the installation. Whereas Wazuh, on the other hand, you needed to go in and specifically tell it to detect on this activity and detect on this file type.

Yeah, I think Wazuh, in general, is not that great in sort of that real-time detection as stuff is being uploaded on the system. That doesn't ever seem to be a good component of it. But, yeah, now, as far as blocking, did Wazuh do any blocking or did it just do alerting?

I did not get any blocking out of it. I did just alerting, focusing on really kind of a default installation, if you will, back to the scenario of this being a very small shop, maybe not without a security team. So having kind of the built-in detections from the Microsoft Defender side was really a big pro if I was looking at the two solutions. And with Wazuh, you do need a good bit more technical expertise to get the rules created, to get the rules written and deployed correctly. One slight mishap in the logic, if you had a quote or a comma in the wrong place, then you definitely would not detect on what you're wanting to. So with lots of flexibility comes lots of responsibility in getting it right.

It's the usual issue. Yeah, great. So the paper, is it already in the reading room? It's already uploaded?

Yes, it is in the reading room and uploaded.

Okay, good. So I'll add a link to the show notes. Any final words? Are you using Wazuh or Microsoft Defender? Can you say what you're using right now in your day job, or are you using both?

In the day job, we're using SentinelOne. So it's something, yeah, totally different.

Definitely. But I would like to leave everybody with: the Atomic Red Team was the tool I used to test the detections. So having an internal team or having someone who is familiar with that, it's very simple to deploy and create some of these activities. So as security defenders, we can definitely make significant strides towards blocking out very common ransomware, even with very common threat actor tactics, through using tools like this.

Excellent. Yeah. Thanks for joining me here. And thanks, everybody, for listening.

Thank you.