SANS Stormcast Tuesday Mar 4th: Mark of the Web Details; SharePoint and Click-Fix Phishing; Paragon Partition Manager BYOVD Exploit
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9348.mp3
Mark of the Web: Some Technical Details
Windows implements the "Mark of the Web" (MotW) as an alternate data stream that contains not just the ZoneId indicating where the file came from, but may also include other data such as the exact download URL and the referrer.
https://isc.sans.edu/diary/Mark%20of%20the%20Web%3A%20Some%20Technical%20Details/31732
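As an added example (not code from the diary or the podcast), the following Python parses the text that Windows stores in the Zone.Identifier stream described above; the sample stream text is constructed, and on NTFS the stream of a real file is opened as "<path>:Zone.Identifier".

```python
import configparser

# URLMON security zone numbers (urlmon.h URLZONE_*); ZoneId=3 marks an Internet download.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what a browser writes into <file>:Zone.Identifier.
# In incognito/private mode the URL lines are usually absent and only ZoneId remains.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/downloads\r\n"
    "HostUrl=https://example.com/downloads/tool.exe\r\n"
)


def parse_zone_identifier(text):
    """Parse the INI-style text of a Zone.Identifier stream into a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("missing [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    zone_id = int(sec["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "host_url": sec.get("HostUrl"),          # None when the browser withheld it
        "referrer_url": sec.get("ReferrerUrl"),  # likewise
    }


def is_internet_download(info):
    """True for the zones (Internet, Restricted sites) that Windows warns about on execution."""
    return info["zone_id"] >= 3


def read_motw(path):
    """Read the MotW of a file on NTFS by opening its Zone.Identifier stream.
    Returns None when the file carries no mark (e.g. it was lost during extraction)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```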
Havoc Sharepoint with Microsoft Graph API
A recent phishing attack observed by Fortinet uses a simple HTML email to trick the user into copy-pasting PowerShell into their system to execute additional code. Most of the malware's interaction uses a SharePoint site via Microsoft's Graph API, further hiding the malicious traffic.
https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2
Paragon Partition Manager Exploit
A vulnerable Paragon Partition Manager driver has recently been used to escalate privileges for ransomware deployment. Even if you do not have Paragon installed, an attacker may simply "bring the vulnerable driver" to your system.
https://kb.cert.org/vuls/id/726882
Podcast Transcript
Hello and welcome to the Tuesday, March 4th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Baltimore, Maryland. Well, and today we have a great diary by Didier showing some of the details of the mark of the web. That's a feature that we have covered a few times already in the podcast, usually because it didn't get properly propagated to different file formats depending on, for example, zip file extraction software, things like ISO images and the like, where the mark of the web is lost in transfer. So the purpose of the mark of the web is to indicate to the system that this file has been downloaded from the Internet so the user can be presented with a warning if this file is executable and the user is attempting to execute it. On Windows, the mark of the web is implemented as an alternate data stream, which is supported by the NTFS file system, but not all file systems, and with that, not all archive utilities do properly support alternate data streams, which explains some of the limitations around the mark of the web implementation on Windows. Didier also shows a little bit the details here. So first of all, the mark of the web is essentially a little text file, like an alternate data stream, and it includes, first of all, zone information that indicates where the file came from. So there are zones one through four that will then tell you: three, for example, would be this was downloaded from an external website. In addition, you may find things like the URL the file was downloaded from, the referrer, basically how was the user directed to that URL. However, those details then also depend on things like the incognito mode in the browser because that would potentially leak private information. So if you are in incognito mode, you don't get all of those details. Interesting overall, and also like the little hack, how you look at the content of the mark of the web at that alternative data stream, just in notepad, by specifying the alternate data stream as part of your file name as you open it.

And Fortinet published an interesting piece of research regarding some recent phishing attacks that they have observed. They start with a simple email that contains an HTML attachment. The HTML attachment is something that I've actually seen more and more recently. I think we have also written some diaries about this. It's what Fortinet calls click fix. And what it refers to is if the user opens the particular HTML document, they're presented with an error message. The error message then instructs them to copy-paste code to execute it. Yes, users will do this. The user here doesn't really realize what they're doing, of course. And that will execute then a PowerShell script that installs additional malware. Another sort of interesting tidbit here is that the downloads are coming from a SharePoint site that the attacker set up and then they just use the Graph API in order to interact with that SharePoint site. This way, it also becomes quite difficult for intrusion detection tools and other tools to detect the attack because, first of all, the initial email is just an HTML email. There is nothing sort of executable really in that HTML. It's not like JavaScript or anything like this that's often associated with malicious HTML. Well, the user here essentially exploits themselves by copy-pasting that PowerShell script. And secondly, all the interaction with SharePoint, of course, may not necessarily trigger alerts because that's usually considered a valid business resource and something that you may use for lots of other purposes.

Then an interesting noteworthy vulnerability is we do have a vulnerability in the Paragon Partition Manager. Actually, it's not the software itself or part of it. It's really the driver that's being delivered with that software. That's a kernel-level driver. And as such, it's digitally signed to be trusted to operate at the kernel level, which you will need if you are trying to manage partitions. The problem is that versions prior to version 2 are vulnerable to actually a number of different vulnerabilities, one of which is now being exploited by ransomware gangs for privilege escalation. It's a little bit of a tricky thing. So, first of all, yes, you should update Paragon Partition Manager if you run it, but this is even a problem if you never installed this software because an attacker may install that driver for you and then use it for privilege escalation. Microsoft did add this driver to its vulnerable driver block list, so make sure you have that implemented. But there have been issues with that vulnerable driver block list in the past, so not sure how well this works these days. Maybe add some signatures as such to detect these older versions of the driver just as outright malicious if you're not using this software. And yes, of course, definitely upgrade if you are using this software.

Well, and that's it for today. Thanks to everybody who noted that I forgot to actually add this outro yesterday. Sorry for that. Just forgot to splice it in. At the end, if you are interested in taking the Intrusion Detection class with me that I'm teaching this week here in Baltimore, I'll actually be back in Baltimore with the same class first week of June. Links to future classes, you'll always find them below the show notes for the podcast. Thanks and talk to you again tomorrow. Bye.