SANS Stormcast Monday, May 11th: Steganography Challenge; End-of-Life Routers; ASUS Driverhub; RV-Tools SEO Poisoning
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9446.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Steganography Challenge
Didier revealed the solution to last weekend's steganography challenge. The image used the same encoding scheme Didier had described before, but with the columns and rows transposed.
https://isc.sans.edu/forums/diary/Steganography%20Challenge%3A%20My%20Solution/31912/
FBI Warns of End-of-life routers
The FBI is tracking larger botnets taking advantage of unpatched routers. Many of these routers are end-of-life, and no patches are available for the exploited vulnerabilities. The attackers are turning the devices into proxies, which are resold for various criminal activities.
https://www.ic3.gov/PSA/2025/PSA250507
ASUS Driverhub Vulnerability
ASUS Driverhub software does not properly check the origin of HTTP requests, allowing a cross-site request forgery (CSRF) attack from any website that leads to arbitrary code execution.
https://mrbruh.com/asusdriverhub/
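The weak check described here (and in more detail in the transcript below) boils down to looking for a vendor string anywhere in the Origin header or in the download URL. The Python below is an added example, not code from ASUS or from the page; it places that substring pattern beside an exact-match allowlist check so the difference is visible on the kind of hostname the page mentions (ASUS.com.evilexample.com). The allowlisted hosts and every sample URL are constructed for illustration.

```python
"""Origin and download-URL validation: substring check vs. exact allowlist.

Added example, not vendor code. The allowlisted hosts below are assumed for
illustration and are not taken from the page or from ASUS.
"""
from urllib.parse import urlsplit

# Assumed legitimate origin of the vendor web front end (constructed value).
ALLOWED_ORIGINS = {"https://driverhub.asus.com"}
# Assumed hosts a driver package may legitimately be fetched from (constructed).
ALLOWED_DOWNLOAD_HOSTS = {"driverhub.asus.com", "download.asus.com"}


def weak_origin_check(origin: str) -> bool:
    """The flawed pattern the page describes: the vendor string merely has to
    appear somewhere in the Origin value, so any subdomain-looking prefix on a
    third-party domain passes."""
    return "asus.com" in origin.lower()


def weak_download_check(url: str) -> bool:
    """Flawed pattern for the download URL: the vendor string may appear
    anywhere, including in a query parameter the caller controls."""
    return "asus.com" in url.lower()


def _parse_host_port(value: str):
    """Return (scheme, hostname, port) or None if the URL is malformed or
    carries userinfo (user@host), which substring checks are easily fooled by."""
    parts = urlsplit(value)
    try:
        host, port = parts.hostname, parts.port
    except ValueError:  # e.g. non-numeric or out-of-range port
        return None
    if host is None or parts.username is not None or parts.password is not None:
        return None
    return parts.scheme, host.lower(), port


def strict_origin_check(origin: str) -> bool:
    """Hardened check: parse the Origin header, require https and a bare
    scheme://host[:port] form, and compare the canonical origin exactly
    against a fixed allowlist."""
    parsed = _parse_host_port(origin)
    if parsed is None:
        return False
    scheme, host, port = parsed
    parts = urlsplit(origin)
    if scheme != "https" or parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    canonical = f"https://{host}" + (f":{port}" if port not in (None, 443) else "")
    return canonical in ALLOWED_ORIGINS


def strict_download_check(url: str) -> bool:
    """Hardened check: the download must be over https and the parsed hostname
    (not any substring of the URL) must be in the allowlist."""
    parsed = _parse_host_port(url)
    if parsed is None:
        return False
    scheme, host, _ = parsed
    return scheme == "https" and host in ALLOWED_DOWNLOAD_HOSTS


def audit_origins(origins):
    """Return (origin, weak_result, strict_result) for each candidate so the
    two policies can be compared side by side."""
    return [(o, weak_origin_check(o), strict_origin_check(o)) for o in origins]


if __name__ == "__main__":
    # Constructed sample values; only the vendor-looking-prefix case comes from the page.
    samples = [
        "https://driverhub.asus.com",            # legitimate
        "https://asus.com.evilexample.com",      # the lookalike host the page describes
        "http://driverhub.asus.com",             # plaintext downgrade
        "https://driverhub.asus.com@evil.example",  # userinfo trick
    ]
    for origin, weak, strict in audit_origins(samples):
        print(f"{origin:45} weak={weak!s:5} strict={strict!s:5}")
```

The strict variant never looks at the raw string: it parses, normalises, and compares whole components, which is the only way a hostname allowlist can hold up against lookalike registrations, userinfo prefixes, and attacker-supplied query strings.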
RV-Tools SEO Poisoning
Varonis Threat Labs observed SEO poisoning being used to trick system administrators into installing a malicious version of RV Tools. The malicious version includes a remote access tool that leads to the theft of credentials.
https://www.varonis.com/blog/seo-poisoning#initial-access-and-persistence
Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
Podcast Transcript
Hello and welcome to the Monday, May 12, 2025 edition of the SANS Internet Storm Center Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. This weekend Didier posted the solution for last week's Steganography Challenge. This example used a similar encoding as Didier presented in his past steganography diary, but with an interesting twist. Instead of encoding the pixels in their normal order, meaning one line of the image at a time, one after another, well, this one actually went vertical. So it did encode the data in the rows first and, well, then went over to the next row. So in order to decode the data you had to transpose it and, well, imagine that, Didier has a tool to transpose the data for you and decode the image. For details, as usual, see Didier's diary.

And last week the FBI published a press release that it is observing criminals using compromised routers as proxies to build infrastructure for criminal networks. Now, this is nothing fundamentally new, but in particular they point out that the compromise of end-of-life devices is contributing to this, and of course those devices you can update. One botnet identified in this attack is the Moon botnet, a botnet we first wrote about in February of 2014. These router botnets have been very persistent and, as I've pointed out multiple times before, well, they keep mutating and they keep adding new vulnerabilities to their arsenal. Remember to track the end-of-life date of your network perimeter devices and add a monthly firmware update check to your calendar, for home devices in particular. But it may not even be a bad idea for some business, in particular small business, devices to have some setup where you're being reminded: hey, let me double check that particular router to see if I need to update it. Also, writing down the end-of-life date, if you know it, is quite helpful. Write that on the device; it also makes it easier to then figure out what must be replaced.

Now, not all manufacturers make it easy to figure out that a particular device is end-of-life, but you can usually find out on their website, at least after the fact. And then again, as part of your firmware update routine, you probably should do it. According to the FBI, the botnet they are tracking is turning these devices into proxy servers, and then these proxies are being resold, rented to other criminal groups, which of course like to hide their traces, and there have even been some cases, aside from this most recent report, where some of these proxy servers were then used by more advanced adversaries.

And ASUS patched two vulnerabilities in its DriverHub software that could be used to execute arbitrary code. So the vulnerability is something that has happened in the past with software like this. A lot of software like this is setting up a little HTTP API listening on loopback. Well, and the idea is that then the manufacturer's website is able to interact with that API to install updated drivers. Well, the problem with this is that in this particular case ASUS did a pretty lousy job in verifying the origin of these requests. They just looked for the string ASUS.com in the host name for the origin. So an attacker just has to register ASUS.com.evilexample.com and, well, with that they can have their JavaScript interact with your ASUS DriverHub. Next, they then also don't check where the software is being downloaded from. Again, the string ASUS.com has to show up anywhere in the URL. So it could even be just a random URL parameter that the attacker is adding to it. But of course if they already have that ASUS.com.evilexample.com host name set up, then, well, they may as well use that. Now, this vulnerability was identified by Paul from mrbruh.com and responsibly reported to ASUS. ASUS fixed it about a month after receiving the report, so that's all good.

But sadly no kind of recognition, bug bounty, for Paul, and apparently his ASUS motherboard that he purchased, that sort of led to the discovery, well, it still has no working driver for its Wi-Fi interface, which apparently is a common issue with this particular ASUS motherboard.

And Varonis Threat Labs is observing search engine optimization attacks being used to trick administrators into installing backdoored versions of RV Tools. Usually we see search engine optimization being used against sort of more commonly used software. But I guess search engines have gotten a little bit better in rejecting some of these tricks against things like Google Chrome, for example, which used to be very heavily hit by this. So now attackers are going after more of these niche products, which of course have potentially a much larger impact. RV Tools is being used to manage VMware, and once you're infected with the backdoored version it sets up an SSH channel to the attacker and allows them additional arbitrary remote code execution. But it also does its usual secret exfiltration.

Well, and this is it for today. Remember, tomorrow is Microsoft Patch Tuesday. Thanks for listening. Thanks for liking and subscribing to this podcast. Of course, as always, thanks for spreading the word about this podcast. That's it for today. Thanks and talk to you again tomorrow. Bye.