SANS Stormcast Wednesday, May 7th: Infostealer with Webserver; Android Update; CISA Warning

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9440.mp3


Python InfoStealer with Embedded Phishing Webserver
Didier found an interesting infostealer that, in addition to implementing the typical infostealer functionality, includes a web server suitable for serving phishing pages locally.
https://isc.sans.edu/diary/Python%20InfoStealer%20with%20Embedded%20Phishing%20Webserver/31924

Android Update Fixes FreeType 0-Day
Google released its monthly Android update. As part of the update, it patched a vulnerability in FreeType that is already being exploited. Android is not alone in using FreeType: it is a very commonly used library for parsing font formats such as TrueType, so expect updates from other projects and Linux distributions as well.
https://source.android.com/docs/security/bulletin/2025-05-01
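The podcast notes that the bug is triggered by feeding FreeType a malicious TrueType font, and that parsing these font formats is error-prone. The following is an added example (not code from FreeType, Google, or the ISC diary) of the first thing a defensive consumer of sfnt-format (TrueType/OpenType) fonts should do: validate the table directory before trusting any offset or length in it. The two sample fonts are constructed in memory for the demo; the malformed one carries a table length that would wrap a 32-bit offset+length computation, a classic pattern behind out-of-bounds reads in native font parsers. Standard library only.

```python
"""Validate the table directory of an sfnt (TrueType/OpenType) font before
trusting any offset or length in it. Added example, standard library only.
The two sample fonts at the bottom are constructed in memory for this demo."""
import struct

SFNT_HEADER = struct.Struct(">IHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checkSum, offset, length
KNOWN_VERSIONS = {0x00010000, 0x74727565, 0x4F54544F}  # 1.0, 'true', 'OTTO'


def table_checksum(data: bytes) -> int:
    """Spec checksum: sum of big-endian uint32 words over the table padded to 4 bytes."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def validate_sfnt(data: bytes) -> list[str]:
    """Return a list of directory-level problems; an empty list means the directory is consistent."""
    issues = []
    if len(data) < SFNT_HEADER.size:
        return ["file shorter than the 12-byte offset table"]
    version, num_tables, search_range, entry_selector, range_shift = SFNT_HEADER.unpack_from(data, 0)
    if version not in KNOWN_VERSIONS:
        issues.append(f"unknown sfnt version 0x{version:08x}")
    if num_tables == 0:
        issues.append("numTables is 0")
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(data):
        issues.append(f"table directory ({num_tables} records) runs past end of file")
        return issues
    if num_tables:
        # The three binary-search helper fields are derived from numTables; a mismatch is a red flag.
        pow2 = 1 << (num_tables.bit_length() - 1)
        if (search_range, entry_selector, range_shift) != (pow2 * 16, pow2.bit_length() - 1, num_tables * 16 - pow2 * 16):
            issues.append("searchRange/entrySelector/rangeShift inconsistent with numTables")
    records, seen = [], set()
    for i in range(num_tables):
        tag, checksum, offset, length = TABLE_RECORD.unpack_from(data, SFNT_HEADER.size + i * TABLE_RECORD.size)
        name = tag.decode("latin-1")
        if tag in seen:
            issues.append(f"duplicate table tag {name!r}")
        seen.add(tag)
        # Python ints never wrap; a C parser computing offset + length in uint32 can, which is
        # why the bound is checked here before the table is ever sliced.
        if offset + length > len(data):
            issues.append(f"table {name!r}: offset {offset} + length {length} exceeds file size {len(data)}")
            continue
        if offset < dir_end:
            issues.append(f"table {name!r}: offset {offset} points inside the table directory")
        if offset % 4:
            issues.append(f"table {name!r}: offset {offset} not 4-byte aligned")
        # 'head' is exempt: its checkSumAdjustment field makes the stored checksum differ by design.
        if name != "head" and table_checksum(data[offset:offset + length]) != checksum:
            issues.append(f"table {name!r}: checksum mismatch")
        records.append((offset, length, name))
    records.sort()
    for (o1, l1, n1), (o2, _, n2) in zip(records, records[1:]):
        if o1 + l1 > o2:
            issues.append(f"tables {n1!r} and {n2!r} overlap")
    return issues


def build_font(tables: dict[bytes, bytes]) -> bytes:
    """Assemble a minimal, well-formed sfnt container from {tag: bytes} (test fixture builder)."""
    n = len(tables)
    if n == 0:
        raise ValueError("need at least one table")
    pow2 = 1 << (n.bit_length() - 1)
    header = SFNT_HEADER.pack(0x00010000, n, pow2 * 16, pow2.bit_length() - 1, n * 16 - pow2 * 16)
    offset = SFNT_HEADER.size + n * TABLE_RECORD.size
    directory, body = b"", b""
    for tag in sorted(tables):
        data = tables[tag]
        directory += TABLE_RECORD.pack(tag, table_checksum(data), offset, len(data))
        padded = data + b"\0" * (-len(data) % 4)
        body += padded
        offset += len(padded)
    return header + directory + body


def set_table_length(font: bytes, tag: bytes, new_length: int) -> bytes:
    """Copy of `font` with the directory length of `tag` overwritten (used to build the bad sample)."""
    n = SFNT_HEADER.unpack_from(font, 0)[1]
    for i in range(n):
        pos = SFNT_HEADER.size + i * TABLE_RECORD.size
        rec_tag, checksum, offset, _ = TABLE_RECORD.unpack_from(font, pos)
        if rec_tag == tag:
            return font[:pos] + TABLE_RECORD.pack(rec_tag, checksum, offset, new_length) + font[pos + TABLE_RECORD.size:]
    raise KeyError(tag)


# Constructed samples: not real fonts, and not the exploit file discussed in the podcast.
GOOD_FONT = build_font({b"cmap": b"\x00\x00\x00\x01" * 3, b"glyf": bytes(range(40)), b"loca": b"\x00\x00\x00\x00\x00\x10"})
# Length chosen so that offset + length wraps to a small value in 32-bit arithmetic.
BAD_FONT = set_table_length(GOOD_FONT, b"glyf", 0xFFFFFFF0)

if __name__ == "__main__":
    for label, font in (("good", GOOD_FONT), ("bad", BAD_FONT)):
        print(label, validate_sfnt(font) or "directory consistent")
```

This is a pre-filter for a font upload or ingestion path: it rejects files whose directory is inconsistent, but it says nothing about the contents of individual tables, which is where parsing bugs in real font engines typically live. Patching the library remains the fix; the check above only reduces what reaches it.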

CISA Warns of Unsophisticated Cyber Actors
CISA released a report with an interesting title, warning operators of operational technology networks about ubiquitous attacks by unsophisticated actors. It emphasizes how important it is not to forget basic security measures in defending against these attacks.
https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology

Podcast Transcript

Hello and welcome to the Wednesday, May 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from San Diego, California.

Xavier today wrote about a Python infostealer. Now, at first it looks like any other infostealer. It does infostealer things like it checks if it's running in a debugger. It has some anti-VM features. It, of course, steals your information and then exfiltrates it via Telegram as encrypted files. And it has some of the usual add-ons like, for example, the ability to take screen captures. What's a little bit different about this particular infostealer is that it also includes a web server. And the intent of this web server appears to be to emulate different login pages, like, for example, Google's. By doing so via the loopback interface, they may be trying to evade some block lists and such that are often being used to control access to phishing websites. Overall, this particular infostealer appears to be also a little bit incomplete. There are no certificates for the web server that Xavier was able to recover. And that's likely then part of the more complete package that's going to be delivered to the victim.

And Google today had its monthly Patch Tuesday for Android. There was one particular vulnerability, a remote code execution vulnerability in the FreeType library, that's already being exploited. Now, what's sort of interesting here is that this FreeType library is not unique to Android. It's used in multiple open source projects. It's a very commonly used library. So look out for other updates for Linux distributions and the like to fix this particular FreeType issue. And at least update to the latest version of FreeType. Some of the more recently released versions of FreeType apparently were not vulnerable to this issue, even though the patch itself for the vulnerability was just being added to FreeType. This vulnerability is being exploited by loading a malicious TrueType font into the library. This library has had multiple vulnerabilities in the past. It is always a little bit tricky to sort of parse these compressed font file formats. So no really sort of big surprise that this is being exploited, because there have been prior exploits for prior vulnerabilities that they could possibly have used to model their new exploit after.

And CISA, the Cybersecurity and Infrastructure Security Agency, published an interestingly titled bulletin called Unsophisticated Cyber Actors Targeting Operational Technology. I kind of actually like this very much because we often are focusing a little bit too much on the more advanced threats that are sort of often more exciting, more novel and sort of more intriguing overall. But yes, that totally matches the data that we are seeing in our honeypots. Well, 99.999% of attacks are basically script kiddies, bots, simple attacks for which we have had defenses for years. So the problem is these attacks are still often successful. So CISA uses this particular title to basically point to its basic guidance on how to secure, in this case, operational technology. But I think this goes beyond sort of ICS and operational technology systems: sticking to the basics, making sure that you have some basic, sane configurations, like not exposing any unnecessary services, using strong passwords and such, is still an important item. Even though, well, even on this podcast, we hardly ever talk about it.

And F5 released what they're calling a canary proof of concept exploit for a recent Apache Parquet vulnerability. Apache Parquet is a very efficient, compressed database for tabular data used sort of to analyze bulk data. On April 1st, they released an advisory that indicated a critical vulnerability, CVSS score of 10, that can be exploited by basically just feeding a malicious file to Parquet. And, well, that file then essentially executes arbitrary Java code in a deserialization-style vulnerability. The reason they're calling this particular exploit a canary proof of concept exploit is that what you essentially do is you create a Parquet file using this tool. You feed this file to Parquet and then, if successful, this particular exploit will trigger Parquet to reach out to a URL that you specify as you create the exploit file. So this is sort of that kind of canary token-like behavior where whenever the particular exploit is executed, it just reaches out to the URL. Well, you set up a web server to register these connection attempts. And in doing so, you may be able to identify vulnerable instances of Parquet in your environment. Interesting exploit. And, of course, whenever an exploit like this becomes available, you also have to think about that attackers now have an easy-to-follow blueprint for how to develop their own exploit. So definitely take a look at it if you are running Apache Parquet.

And, well, this is it for today. So thanks for listening. As I mentioned yesterday, I did an evening talk today here in San Diego. I'm not sure if it will be posted as an archive. I'll leave the links up to it on the SANS website until tomorrow and see if it shows up. Usually it takes them a day or so to process any audio or video files for then sort of archived distribution. Thanks for listening and talk to you again tomorrow. Bye.
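The receiving side of the canary approach described in the Parquet segment above, as an added example that is neither F5's tool (the file that triggers the callback is out of scope here) nor code from the podcast: each instance under test gets its own HMAC-derived callback URL, so a hit on the listener tells you which instance executed the file rather than just that something did, and a token that matches no known instance stands out as someone else probing the endpoint. The listener hostname, secret, target names and access-log lines are all constructed for the demo; standard library only.

```python
"""Receiving side of a canary-style exploit check: one unique callback URL per
instance under test, then map web-server hits back to the instance that fired them.
Added example; generating the file that triggers the callback is not covered here."""
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Apache/nginx combined log format: ip ident user [ts] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def canary_token(secret: bytes, target: str) -> str:
    """HMAC-derived token: unguessable without the secret, reproducible for lookup."""
    return hmac.new(secret, target.encode(), hashlib.sha256).hexdigest()[:24]


def canary_url(base: str, secret: bytes, target: str) -> str:
    """The URL to embed in the test file destined for `target`."""
    return f"{base.rstrip('/')}/c/{canary_token(secret, target)}"


def correlate_hits(log_lines, secret: bytes, targets):
    """Return {target: [(source_ip, timestamp), ...]} for every target whose canary URL was fetched.
    Hits on /c/<token> with a token that matches no known target are collected under the key None."""
    lookup = {canary_token(secret, t): t for t in targets}
    hits: dict = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlparse(m["path"]).path.split("/")  # strips any query string first
        if len(parts) < 3 or parts[1] != "c":
            continue  # not a canary path at all (robots.txt, scanner noise, ...)
        target = lookup.get(parts[2])  # None for unknown or forged tokens
        hits.setdefault(target, []).append((m["ip"], m["ts"]))
    return hits


SECRET = b"example-secret-rotate-per-campaign"        # constructed
TARGETS = ["etl-worker-01", "etl-worker-02", "notebook-03"]  # constructed instance names
LISTENER = "http://canary.internal.example"            # constructed listener base URL

# Constructed access-log lines from the listener; not real traffic.
SAMPLE_LOG = [
    f'10.0.5.21 - - [07/May/2025:14:02:11 +0000] "GET /c/{canary_token(SECRET, "etl-worker-01")} HTTP/1.1" 404 0 "-" "Java/17.0.2"',
    '10.0.5.22 - - [07/May/2025:14:02:12 +0000] "GET /c/deadbeefdeadbeefdeadbeef HTTP/1.1" 404 0 "-" "curl/8.1"',
    '203.0.113.9 - - [07/May/2025:14:03:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    f'10.0.5.30 - - [07/May/2025:14:05:47 +0000] "GET /c/{canary_token(SECRET, "notebook-03")}?src=parquet HTTP/1.1" 404 0 "-" "Java/17.0.2"',
]


def vulnerable_instances(log_lines=SAMPLE_LOG):
    """Targets whose callback arrived, i.e. the instances that executed the test file."""
    hits = correlate_hits(log_lines, SECRET, TARGETS)
    return sorted(t for t in hits if t is not None)


if __name__ == "__main__":
    for t in TARGETS:
        print(t, "->", canary_url(LISTENER, SECRET, t))
    print("callbacks received from:", vulnerable_instances())
    print("unknown tokens:", correlate_hits(SAMPLE_LOG, SECRET, TARGETS).get(None, []))
```

The listener can answer every request with a 404; the hit is the signal, not the response. Because the token is an HMAC over the instance name, the same secret reproduces the mapping later without storing a table of tokens, and a new secret per campaign invalidates any URL that leaks out of a test file.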