
SANS Stormcast Friday Feb 28th: Njrat devtunnels.ms; Apple FindMe Abuse; XSS Exploited; @sans_edu Ben Powell EDR vs. Ransomware

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9344.mp3


Njrat Campaign Using Microsoft Dev Tunnels:
A recent version of the Njrat remote admin tool is taking advantage of Microsoft's developer tunnels (devtunnels.ms) as a command and control channel.
https://isc.sans.edu/diary/Njrat%20Campaign%20Using%20Microsoft%20Dev%20Tunnels/31724
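The segment treats lookups of devtunnels.ms as an indicator worth hunting for on networks that do not develop with Dev Tunnels. The following is an added example, not code from the diary or the podcast, that runs that idea over DNS query logs. The log line format, the hostnames and addresses, and the allowlist of developer workstations are all constructed for the example; only the devtunnels.ms domain itself comes from the page. Matching is done on DNS labels rather than by substring so that look-alike names do not produce hits.

```python
import re
from typing import Iterable, List, Tuple

# Domain named in the diary as the Dev Tunnels service domain. It is treated as a
# hunting indicator because unmanaged Dev Tunnels traffic is rare in production.
DEV_TUNNELS_DOMAIN = "devtunnels.ms"

# Constructed log format (an assumption of this example):
#   <timestamp> client=<ip> query=<name> type=<record type>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<rtype>\S+)$"
)


def normalize_qname(qname: str) -> str:
    """Lowercase the name and drop the trailing dot so suffix matching is reliable."""
    return qname.strip().rstrip(".").lower()


def is_dev_tunnels_host(qname: str, domain: str = DEV_TUNNELS_DOMAIN) -> bool:
    """True only for the domain itself or a subdomain of it.

    A plain substring test would also fire on look-alikes such as
    'fakedevtunnels.ms' or 'devtunnels.ms.example.net'; comparing whole
    labels avoids both kinds of false positive.
    """
    name = normalize_qname(qname)
    return name == domain or name.endswith("." + domain)


def find_dev_tunnel_queries(
    lines: Iterable[str], allowlist: frozenset = frozenset()
) -> List[Tuple[str, str]]:
    """Return (client, qname) pairs for Dev Tunnels lookups from non-allowlisted clients.

    The allowlist holds developer hosts that are expected to use Dev Tunnels;
    it is a construct of this example, not something described in the diary.
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # line does not follow the constructed format; skip it
        client = m.group("client")
        qname = normalize_qname(m.group("qname"))
        if client in allowlist:
            continue
        if is_dev_tunnels_host(qname):
            hits.append((client, qname))
    return hits


# Constructed sample DNS query log: every host name and address here is made up.
SAMPLE_LOG = """
2025-02-28T09:12:01Z client=10.10.4.21 query=www.example.com type=A
2025-02-28T09:12:03Z client=10.10.4.21 query=abc123-8080.usw2.devtunnels.ms. type=A
2025-02-28T09:12:05Z client=10.10.7.9 query=fakedevtunnels.ms type=A
2025-02-28T09:12:06Z client=10.10.7.9 query=devtunnels.ms.example.net type=A
2025-02-28T09:12:08Z client=10.10.9.2 query=DevTunnels.MS type=A
2025-02-28T09:12:09Z client=10.10.5.50 query=xyz789-3000.euw.devtunnels.ms type=AAAA
""".strip().splitlines()

# Constructed allowlist: a workstation known to belong to a developer using Dev Tunnels.
DEV_WORKSTATIONS = frozenset({"10.10.5.50"})


def demo() -> List[Tuple[str, str]]:
    """Run the hunt over the constructed sample log."""
    return find_dev_tunnel_queries(SAMPLE_LOG, DEV_WORKSTATIONS)


if __name__ == "__main__":
    for client, qname in demo():
        print(f"hunt lead: {client} resolved {qname}")
```

Running it reports two leads: the trailing-dot subdomain lookup from 10.10.4.21 and the mixed-case apex lookup from 10.10.9.2. The two look-alike names are ignored, and the lookup from the allowlisted developer workstation is suppressed.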

NrootTag Apple FindMy Abuse
Malware could exploit a weakness in the keys used by Apple's Find My network to track victims. Apple released fixes in iOS 18.2, but the issue is only resolved once the vast majority of Apple users have updated.
https://nroottag.github.io/

360XSS: Mass Website Exploitation via Virtual Tour Framework
The Krpano VR library, which is often used to implement 3D virtual tours on real estate websites, is currently being abused to inject spam messages. The XSS vulnerability could allow attackers to inject even more malicious JavaScript.
https://olegzay.com/360xss/

SANS.edu Research: Proof is in the Pudding: EDR Configuration Versus Ransomware, by Benjamin Powell
https://www.sans.edu/cyber-research/proof-pudding-edr-configuration-versus-ransomware/



Podcast Transcript

 Hello and welcome to the Friday, February 28th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich and today I'm recording from
 Jacksonville, Florida. Xavier today published a quick diary
 with a new version of the NJRAT malware that he found
 and well NJRAT in this example is taking advantage of
 Microsoft Dev Tunnels. This is activity that may go unnoticed
 because it is a legitimate service. Sometimes as I've
 described living off the cloud attacks but essentially Dev
 Tunnels are meant for developers to help test web
 services but of course they can also be used to relay
 other traffic like in this case the exfiltration of
 credentials. The domain to look for here is devtunnels.ms,
 MS for sort of Microsoft. This particular domain is
 exclusively used for these Dev Tunnels and well they're
 called Dev Tunnels because they're used for development
 not necessarily for production software. So unless you are
 actually actively developing software using Dev Tunnels you
 probably shouldn't see that domain network which makes a
 pretty good indicator of compromise here something to
 go hunting for. And researchers at George Mason
 University came up with an interesting method to subvert
 the Apple Find My network. This is the network that's being
 used to track AirTags and other Apple devices. In order
 for a device to be tracked it needs a valid public-private
 key pair. The public key is then being used to essentially
 send the lost message that's then being received and
 relayed by various Apple devices that are capable of
 participating in this Find My network. The problem that
 these researchers have discovered is that it's
 actually not that difficult to come up with a valid key pair.
 So a Trojan could infect a random computer that's capable
 of participating in Bluetooth Low Energy, which of course now
 pretty much any mobile device is these days. Definitely
 desktops and such usually have some kind of Bluetooth
 capability. And then they have to create a valid key pair for
 the device which they figured out can be done with a
 reasonable effort. They used one of these higher-end NVIDIA
 cards. I believe the H100 card. But they reckon it's
 about $5 worth of computing time effort if you do it in
 the cloud for example to come up with a valid key pair. And
 that advertisement of a lost device is now being relayed by
 Apple devices for the Find My network and allows the
 geographic location tracking of the compromised device.
 Apple has released a patch in the latest version of iOS in
 18.2 to prevent relaying these messages. Basically added some
 additional validation of the keys to make them more
 difficult to spoof. Of course as long as there are still old
 devices out there they will relay these messages and the
 exploit would still work.
 Well yesterday I talked about the injection of malicious
 JavaScript that led to this large cryptocurrency theft.
 Today a little bit something similar. Cross-site scripting
 being used in order to inject malicious JavaScript into
 websites that are using these 360 degree virtual tours.
 The cross-site scripting vulnerability is basically
 used here to persistently inject that JavaScript. Oleg
 Zaitsev did come up with details behind this attack.
 Currently it's I guess luckily just being used to advertise
 porn websites. So nothing too malicious yet. But given that
 this is often used sort of on realtor websites or such it
 could also be used for more malicious purposes. Like I see
 a lot of sort of business email compromise attacks and such
 against realtors, realtor websites. So there's certainly
 room to grow here for this particular attack. And the
 particular library that's vulnerable here is called
 Krpano. And again it's been used for these 360 virtual
 tours. Well and it's Friday again so we do have another
 sans.edu student here to talk about their research paper.
 Ben could you introduce yourself please? Hi there my
 name is Ben Powell. I'm a senior, excuse me, a principal
 security engineer. And I've been in cyber about 15 years
 at this point. I started and worked my way up through the
 military and then separated to do some contracting and then
 now working in the private sector. Yeah and your paper I
 think was about well one of the hot topics that probably
 many are worried about. And that's kind of ransomware and
 how to defend against that. Can you explain a little bit
 what aspect of ransomware, that big topic you covered?
 Yes. So I'm working as an incident responder, have seen
 quite a bit of ransomware and I am often surprised at how
 payloads are executed and how ransomware lands on the
 systems. And so I was curious with some penetration testing
 experience also. How can we as network defenders do a better
 job of preparing ourselves for sort of the inevitable? You
 and I both know it's not going to go anywhere as long as
 companies are paying the ransom. It's just going to
 continue to be present. Yeah, always figure ransomware, they
 figured out it's actually more valuable to steal the data
 than to delete it or sell it to someone else. You're the
 only one who really wants those baby pictures.
 But yeah, so you of course, you're looking at corporate
 environments, not necessarily at people's personal pictures.
 And you looked at different EDR options. So what were
 these EDR endpoint detection response options? So really, I
 kind of targeted my research around small businesses, maybe
 teams that don't necessarily have a large security staff.
 And I was interested in kind of a name brand product. So I
 shot for Microsoft Defender. And within the Microsoft
 Defender world, there's a boatload that's specifically
 focused on Microsoft Defender for Endpoint. And excuse me,
 Microsoft Defender for Business, because that one was
 focused with companies that had 300 people or less. So my
 thought there was this would kind of definitely hit that
 small business environment. Not everyone needs a full-blown
 Microsoft 365 license. And the second option I looked
 at was Wazuh, open source. I'll call it an integrated
 product. It provides XDR as well as a SIEM. So there's
 almost an auto-ingestion portion where you don't
 necessarily manage the – you don't look at the data like
 you would in Defender. You look at it much more from like
 a Splunk or Elastic perspective with the ability
 to create custom searches and look at basically all of the
 event logs off of the machine rather than the Microsoft
 Defender side where you're only kind of looking at those
 threat logs. Yeah, and I've used both of these products. I
 think they are both valid. Like you said, they really hit
 that small, medium business market, both of them. What are
 some of the big differences you found when looking at
 these products? Well, I'll start with Wazuh first. The
 big difference right there is having the ingestion. So you
 have – you deploy the agent. The agent then calls back to
 the indexer. The indexer is going to correlate – not –
 excuse me, not correlate – index all of the logs for you
 to create a common language of all of the file types and log
 data values. And then from there, you actually search
 against that rather than the Microsoft side where you
 deploy the agent and it's looking at those logs locally
 and calling out to the cloud-based console. So with Wazuh,
 you needed an additional internal device. So having
 that server locally, which I will say have seen fairly
 recently some issues where companies or clients don't
 necessarily have that integrated logging, the
 centralized logging or cloud-based logging. And keeping
 all of the logs local is not recommended in today's day and
 age. Yeah. I know it's a common issue. The advantage,
 of course, of having all those logs is that you have
 additional context in case something happens. In
 Microsoft Defender, do you get some of that context from
 Microsoft or is it really more of that red, green, light bulb
 thing? You get a good bit of data from Microsoft. They will
 go ahead. Microsoft will categorize threats. One of the
 big differences was the rule technology or the rule
 creation. With Microsoft Defender for Business, you
 were unable to create any customized detections. So you
 were really kind of left with what Microsoft deemed to be
 threats. With Wazuh, on the other hand, you had the
 ability to write your own YARA rules. And taking those YARA
 rules and deploying them creates a lot more detections
 that you can get out of that system, while also being
 somewhat a bit more manual, needing to find a rule set,
 needing to make sure it's updated, and doing kind of the
 maintenance on that. Whereas Microsoft made it a lot more
 just plug and play, if you will. Yeah, I think that
 customization part is really something, just from my own
 experience running Microsoft Defender, the transcript for
 the podcast often triggers the suspicious file rule. Not sure
 why, but maybe talking about malware or such will cause
 that. But Wazuh, similar, it has, I forgot which it was,
 there was one common Linux binary that last year I ran
 into that Wazuh, for whatever reason, considered malicious.
 And it was a well-known false positive. Now, in Wazuh, I can
 go in and change the rule and make it stop alerting on this.
 And then, of course, I can go in and change the rule of mind,
 because I can't change the rule of mind. Yes, it's
 definitely a big problem with that side. And I think, back
 to what you pointed out, it was interesting, because even
 just on my base installation of Windows, importing the tool
 I used for these detections, Atomic Red Team, to create
 some of that activity, Microsoft Defender immediately
 started throwing flags just upon the installation.
 Whereas, Wazuh, on the other hand, you needed to go in and
 specifically tell it to detect on this activity and detect on
 this file type. Yeah, I think Wazuh, in general, is not that
 great in sort of that real-time detection as stuff is
 being uploaded on the system. That doesn't ever seem to be a
 good component of it. But, yeah, now, as far as blocking,
 did Wazuh do any blocking or did it just do alerting? I did
 not get any blocking out of it. I did just alerting,
 focusing on really kind of a default installation, if you
 will, back to the scenario of this being a very small shop,
 maybe not without a security team. So having kind of the
 built-in detections from the Microsoft Defender side was
 really a big pro if I was looking at the two solutions.
 And with Wazuh, you do need a good bit more technical
 expertise to get the rules created, to get the rules
 written and deployed correctly. One slight mishap
 in the logic, if you had a quote or a comma in the wrong
 place, then you definitely would not detect on what
 you're wanting to. So with lots of flexibility comes lots
 of responsibility in getting it right. It's the usual
 issue. Yeah, great. So the paper, is it already in the
 reading room? It's already uploaded? Yes, it is in the
 reading room and uploaded. Okay, good. So I'll add a link
 to the show notes. Any final words? Are you using Wazuh or
 Microsoft Defender? Can you say what you're using right
 now in your day job or are you using both? In the day job,
 we're using SentinelOne. So it's something, yeah, totally
 different. Definitely. But I would like to leave everybody
 with the Atomic Red Team was the tool I used to test the
 detections. So having an internal team or having
 someone who is familiar with that, it's very simple to
 deploy and create some of these activities. So as
 security defenders, we can definitely make significant
 strides towards blocking out very common ransomware, even
 with very common threat actor tactics through using tools
 like this. Excellent. Yeah. Thanks for joining me here.
 And thanks, everybody, for listening. Thank you.