SANS Stormcast Monday, May 5th: Steganography Challenge; Microsoft Makes Passkeys Default and Moves Away from Authenticator as Password Manager; Magento Components Backdoored.

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9436.mp3

Steganography Challenge
Didier published a fun steganography challenge. A solution will be offered on Saturday.
https://isc.sans.edu/diary/Steganography+Challenge/31910

Microsoft Makes Passkeys Default Authentication Method
Microsoft is now encouraging new users to use passkeys as the “default” and only login method, moving further away from passwords.
https://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/


Microsoft Authenticator Autofill Changes
Microsoft will no longer support the use of Microsoft Authenticator as a password safe. Instead, it will move users to the password autofill feature built into Microsoft Edge. This change will start in June and should be completed in August, at which point you must have moved your credentials out of Microsoft Authenticator.
https://support.microsoft.com/en-gb/account-billing/changes-to-microsoft-authenticator-autofill-09fd75df-dc04-4477-9619-811510805ab6

Backdoor found in popular e-commerce components
SANSEC identified several backdoored Magento e-commerce components. These backdoors were installed as far back as 2019 but only recently activated, at which point they became known. Affected vendors dispute any compromise at this point.
https://sansec.io/research/license-backdoor

Podcast Transcript

Hello and welcome to the Monday, May 5th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I am recording from San Diego, California.

As promised, this weekend Didier released his Steganography Challenge. This is a further evolution of a couple of diaries that Didier recently published regarding steganography and how to use his Python scripts in order to help you extract hidden messages from images. This is a sample image using a slightly different methodology here, but the tools should still work. I think I may give away a couple of stickers or so for some of the solutions; I am left to figure out how to exactly do that, but if you're interested, submit your answer to either our handlers' email or to Didier directly, and well, we'll see what we can do with regards to prizes for this challenge. There's also a little hint there that is ROT13 encoded, to give you a little bit more of a hint if you are just stuck with this particular challenge.

And then we have a couple of news items related to Microsoft and passwords. First of all, Microsoft is now starting to offer passkeys by default. If you're setting up a new Microsoft account, you'll be offered to use passkeys and, as a result, well, you will no longer have a password for your Microsoft account. So this is further sort of pushing the agenda here of getting rid of passwords, replacing them with passkeys. Certainly a solid security decision that many organizations have sort of embraced, but this is probably pushing it further than others have done in the past by just making that the default. The only issue here apparently is that this really only works if you're using the Microsoft Authenticator. For other authenticators and such, it will not work. You will then still need a password, which sort of softens the entire system somewhat, but we'll see how it goes, and it's always, of course, difficult for large public systems like this to make changes.

The other news item here is also related to Authenticator. Microsoft will move away from using Microsoft Authenticator as a password manager. That's sort of what Microsoft is offering right now, starting June. So relatively soon you will no longer be able to add new passwords to Microsoft Authenticator, and then the entire feature will kind of go away in July. So relatively soon. The replacement for it will be Microsoft Edge. So Microsoft's version of the Chromium browser will be your password manager. I guess it makes sense to have it integrated in the browser. That's where you usually need your passwords. Of course, it will make sort of the interoperability with different browsers more difficult. You probably really still want some standalone password management application. It just can't be Authenticator anymore.

And then we have a little bit of an odd supply chain attack. I call it odd because, well, first of all, apparently the backdoor components were included in these particular packages as early as 2019 but only recently activated. The other odd thing about it is there are three or four different vendors involved, according to the blog post by SANSEC. But those vendors actually, at this point, do not acknowledge the compromise, even though the backdoored packages still appear to be available. The backdoor is relatively straightforward but also, on the other hand, kind of nicely disguised. It claims to be an admin license that is required to run the plugin. There is an admin load license function that can be used to upload a file to the server, and then a second function that executes the content of the file as PHP. The very early versions of this backdoor did not require any kind of authentication to upload these license files, but later ones do. They essentially have simple hard-coded keys that, of course, now have been made public. If you are running Magento, and these packages do affect Magento, double-check that you're not running any of these malicious packages. They're definitely malicious, but like I said, the vendor response is a little bit odd, so I'm not sure if they really don't know, if they're compliant or complicit with the particular attack. That's really hard to tell and open at this point. I'm not familiar with any of the vendors, but then again, I'm not really running any Magento website, so not really that familiar with that ecosystem. If anybody has any kind of insight here, please let me know.

Well, that is it for today. Thanks for listening, and of course I am here in San Diego at SANS Security West. I'll be teaching this week if you happen to run into me. I tend to have some stickers on me or such, so always happy to meet any listeners. That's it for today and talk to you again tomorrow. Bye.
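The backdoor pattern described in the transcript (a "license" routine that writes request-supplied data to a file, a second routine that executes that file as PHP, gated only by a hard-coded key) lends itself to a quick heuristic triage over a Magento code tree. The script below is an added example, not code from the episode or from SANSEC, and it does not use SANSEC's indicators; the PHP samples it scans are constructed here, and their function names, file names and key are invented to resemble the described pattern rather than the real components.

```python
import re
from pathlib import Path

# Heuristic for the described pattern: request data written to disk plus a primitive that
# executes a file as PHP. "license" wording and a hard-coded key comparison raise confidence.
WRITE_SINK = re.compile(r"\b(file_put_contents|fwrite|fputs|move_uploaded_file)\s*\(", re.I)
REQUEST_SRC = re.compile(r"\$_(POST|GET|REQUEST|FILES)\b|php://input", re.I)
# eval/assert, or include/require whose argument is NOT a quoted literal (dynamic path).
EXEC_SINK = re.compile(r"\b(eval|assert)\s*\(|\b(include|require)(_once)?\s*\(?\s*(?!['\"])\S", re.I)
LICENSE_HINT = re.compile(r"license", re.I)
HARDCODED_KEY = re.compile(r"""(==|===|strcmp\s*\()\s*['"][A-Za-z0-9]{8,}['"]""")

def score_php(src: str) -> dict:
    """Return which suspicious traits a PHP source string exhibits."""
    traits = {
        "writes_request_data": bool(WRITE_SINK.search(src) and REQUEST_SRC.search(src)),
        "executes_file": bool(EXEC_SINK.search(src)),
        "license_wording": bool(LICENSE_HINT.search(src)),
        "hardcoded_key": bool(HARDCODED_KEY.search(src)),
    }
    # Only the combination write-from-request AND execute is flagged; include/require alone
    # is ubiquitous in PHP and would drown the result in false positives.
    traits["suspicious"] = traits["writes_request_data"] and traits["executes_file"]
    return traits

def scan_tree(root: Path) -> list:
    """Walk a Magento/vendor tree and return (path, traits) for files matching the pattern."""
    hits = []
    for p in root.rglob("*.php"):
        try:
            t = score_php(p.read_text(errors="ignore"))
        except OSError:
            continue
        if t["suspicious"]:
            hits.append((p, t))
    return hits

# Constructed samples (not real vendor code): a fake license loader and a benign file.
SUSPICIOUS_SAMPLE = r'''<?php
function adminLoadLicense() {
    if ($_POST["key"] !== "c0nstructedKey1234") { return; }   // invented hard-coded key
    file_put_contents(__DIR__ . "/license.dat", $_POST["license"]);
}
function checkLicense() { include __DIR__ . "/license.dat"; }  // executes the upload as PHP
'''
BENIGN_SAMPLE = r'''<?php
function getLicenseText() { return file_get_contents(__DIR__ . "/LICENSE.txt"); }
'''

if __name__ == "__main__":
    import sys
    for path, t in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(path, [k for k, v in t.items() if v])
```

Any hit is a lead for manual review, not a verdict: confirm against the vendor's published file list and SANSEC's write-up before removing a package.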