SANS Stormcast Wednesday, May 7th: Infostealer with Webserver; Android Update; CISA Warning
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9440.mp3
Python InfoStealer with Embedded Phishing Webserver
Didier found an interesting infostealer that, in addition to implementing typical infostealer functionality, includes a web server suitable to create local phishing sites.
https://isc.sans.edu/diary/Python%20InfoStealer%20with%20Embedded%20Phishing%20Webserver/31924
Android Update Fixes Freetype 0-Day
Google released its monthly Android update. Among other fixes, it patches a vulnerability in FreeType that is already being exploited. Android is not alone in using FreeType: it is a very widely used library for parsing font formats such as TrueType.
https://source.android.com/docs/security/bulletin/2025-05-01
CISA Warns of Unsophisticated Cyber Actors
CISA released a report with an interesting title, warning operators of operational technology networks about ubiquitous attacks by unsophisticated actors. It emphasizes how important it is not to neglect basic security measures, which are what defend against these attacks.
https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology
Podcast Transcript
Hello and welcome to the Wednesday, May 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from San Diego, California.

Xavier today wrote about a Python infostealer. Now, at first it looks like any other infostealer. It does infostealer things: it checks if it's running in a debugger, it has some anti-VM features, it, of course, steals your information and then exfiltrates it via Telegram as encrypted files, and it has some of the usual add-ons like, for example, the ability to take screen captures. What's a little bit different about this particular infostealer is that it also includes a web server. And the intent of this web server appears to be to emulate different login pages, like, for example, Google's. By doing so via the loopback interface, they may be trying to evade some block lists and such that are often being used to control access to phishing websites. Overall, this particular infostealer appears to be also a little bit incomplete. There are no certificates for the web server that Xavier was able to recover. And that's likely then part of the more complete package that's going to be delivered to the victim.

And Google today had its monthly Patch Tuesday for Android. There was one particular vulnerability, a remote code execution vulnerability in the FreeType library, that's already being exploited. Now, what's interesting here is that this FreeType library is not unique to Android. It's used in multiple open source projects. It's a very commonly used library. So look out for other updates for Linux distributions and the like to fix this particular FreeType issue. And at least update to the latest version of FreeType. Some of the more recently released versions of FreeType apparently were not vulnerable to this issue, even though the patch itself for the vulnerability was just being added to FreeType. This vulnerability is being exploited by loading a malicious TrueType font into the library. This library has had multiple vulnerabilities in the past. It is always a little bit tricky to parse these compressed font file formats. So no really big surprise that this is being exploited, because there have been prior exploits for prior vulnerabilities that they could possibly have used to model their new exploit after.

And CISA, the Cybersecurity and Infrastructure Security Agency, published an interestingly titled bulletin called Unsophisticated Cyber Actors Targeting Operational Technology. I kind of actually like this very much, because we often are focusing a little bit too much on the more advanced threats that are often more exciting, more novel and more intriguing overall. But yes, that totally matches the data that we are seeing in our honeypots. Well, 99.999% of attacks are basically script kiddies, bots, simple attacks for which we have had defenses for years. So the problem is these attacks are still often successful. So CISA uses this particular title to basically point to its basic guidance on how to secure, in this case, operational technology. But I think this goes beyond ICS and operational technology systems: sticking to the basics, making sure that you have some basic, sane configurations, like not exposing any unnecessary services, using strong passwords and such, is still an important item. Even though, well, even on this podcast, we hardly ever talk about it.

And F5 released what they're calling a canary proof-of-concept exploit for a recent Apache Parquet vulnerability. Apache Parquet is a very efficient, compressed database for tabular data, used to analyze bulk data. On April 1st, they released an advisory that indicated a critical vulnerability, CVSS score of 10, that can be exploited by basically just feeding a malicious file to Parquet. And, well, that file then essentially executes arbitrary Java code in a deserialization-style vulnerability. The reason they're calling this particular exploit a canary proof-of-concept exploit is that what you essentially do is you create a Parquet file using this tool. You feed this file to Parquet and then, if successful, this particular exploit will trigger Parquet to reach out to a URL that you specify as you create the exploit file. So this is that kind of canary-token-like behavior where, whenever the particular exploit is executed, it just reaches out to the URL. Well, you set up a web server to register these connection attempts. And in doing so, you may be able to identify vulnerable instances of Parquet in your environment. Interesting exploit. And, of course, whenever an exploit like this becomes available, you also have to think about the fact that attackers now have an easy-to-follow blueprint for how to develop their own exploit. So definitely take a look at it if you are running Apache Parquet.

And, well, this is it for today. So thanks for listening. As I mentioned yesterday, I did an evening talk today here in San Diego. I'm not sure if it will be posted as an archive. I'll leave the links up to it on the SANS website until tomorrow and see if it shows up. Usually it takes them a day or so to process any audio or video files for archived distribution. Thanks for listening and talk to you again tomorrow. Bye.
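The defender-side half of the canary approach described for the Parquet test file is the listener that registers the callbacks. The following is an added example and is not part of the podcast, of the ISC diary, or of F5's proof-of-concept tool; it does not build any test file. It assumes that you embed a unique token in the callback URL given to each instance (the `/canary/<token>` path shape, the instance names `analytics-01`/`analytics-02`, and the listening address are constructed), so that a hit tells you exactly which instance processed the file, and so that instances that stay silent can be listed for follow-up.

```python
"""Canary-callback listener: which instances processed the test file?

Added example, not part of the podcast or of F5's tool. Each instance that
receives a test file gets its own token in the callback URL; the listener
resolves hits back to the instance. Token path shape, instance names and the
listening address are constructed for this example.
"""
import secrets
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


class CanaryRegistry:
    """Maps one-time tokens to the instance that received the test file."""

    def __init__(self):
        self._tokens = {}   # token -> instance label
        self._hits = []     # (timestamp, instance label, remote address)
        self._lock = threading.Lock()

    def issue(self, instance):
        """Return a fresh token; embed it in the callback URL built for `instance`."""
        token = secrets.token_urlsafe(16)
        with self._lock:
            self._tokens[token] = instance
        return token

    def record_hit(self, path, remote_addr, now=None):
        """Resolve the token in a request path; returns the instance label or None."""
        # Expected path shape (constructed): /canary/<token>. Anything else is
        # noise such as scanners hitting the listener, and is not recorded.
        parts = urlparse(path).path.strip("/").split("/")
        if len(parts) != 2 or parts[0] != "canary":
            return None
        with self._lock:
            instance = self._tokens.get(parts[1])
            if instance is None:
                return None
            self._hits.append((now or datetime.now(timezone.utc), instance, remote_addr))
        return instance

    def called_back(self):
        """Instances that reached out: they processed the file and need patching."""
        with self._lock:
            return sorted({inst for _, inst, _ in self._hits})

    def silent(self):
        """Instances with a token but no hit: patched, egress-filtered, or not yet tested."""
        with self._lock:
            seen = {inst for _, inst, _ in self._hits}
            return sorted(set(self._tokens.values()) - seen)


def make_handler(registry):
    """Build an HTTP handler bound to one registry."""

    class CanaryHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            instance = registry.record_hit(self.path, self.client_address[0])
            # Always answer 204, whether or not the token was valid, so the
            # listener does not reveal which paths are meaningful.
            self.send_response(204)
            self.end_headers()
            if instance:
                print(f"callback from {instance} via {self.client_address[0]}")

        def log_message(self, *args):
            pass  # keep stdout limited to the resolved callbacks above

    return CanaryHandler


def build_server(registry, host="127.0.0.1", port=8080):
    """Create (but do not start) the listener; the caller decides how to run it."""
    return HTTPServer((host, port), make_handler(registry))


if __name__ == "__main__":
    reg = CanaryRegistry()
    for name in ("analytics-01", "analytics-02"):   # constructed instance labels
        tok = reg.issue(name)
        print(f"{name}: use callback URL http://127.0.0.1:8080/canary/{tok}")
    srv = build_server(reg)
    print("listening on 127.0.0.1:8080; Ctrl-C to stop and print the summary")
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        print("called back:", reg.called_back())
        print("silent:", reg.silent())
```

Run it, hand each instance a test file whose callback URL carries that instance's token, and stop the listener once the test window closes: the `called back` list is your patch queue, while the `silent` list still needs a look, since an instance may be silent because it is patched, because egress is blocked, or because the file was never processed.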