
SANS Stormcast Monday, May 18th 2025: xorsearch python functions; pwn2own Berlin; senior govt official impersonation; dynamic domain risk

If the embedded player does not work, use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9456.mp3


xorsearch.py: Python Functions
Didier's xorsearch tool now supports Python functions to filter its output.
https://isc.sans.edu/diary/xorsearch.py%3A%20Python%20Functions/31858

Pwn2Own Berlin 2025
Last week's Pwn2Own contest in Berlin allowed researchers to demonstrate a number of new exploits, with a large focus on privilege escalation and virtual machine escape.
https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results

Senior US Officials Impersonated in Malicious Messaging Campaign
The FBI warns of senior US officials being impersonated in text and voice messages.
https://www.ic3.gov/PSA/2025/PSA250515

Scattered Spider: TTP Evolution in 2025
Push Security provided an update on how Scattered Spider has evolved. One thing they noted is that Scattered Spider takes advantage of legitimate dynamic domain name systems to make detection more difficult.
https://pushsecurity.com/blog/scattered-spider-ttp-evolution-in-2025/

Podcast Transcript

Hello and welcome to the Monday, May 19th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS EDU Graduate Certificate Program in Industrial Control System Security, is recorded today in Jacksonville, Florida.

Well, and as the last few weekends, Didier has a new version of xorsearch for us. I guess that's how Didier is spending his weekends, making xorsearch better. Fundamentally, xorsearch is meant to extract strings from files. That's sort of where the search part comes from. Of course, we have now regular expressions and all kinds of good things that were added these last few weeks. But what we got now is to manipulate the output further. You may now define a Python function as, for example, just simply isprintable. You're using a dash capital P for that. That will then filter out all printable characters, making output potentially more readable.

And last week, the Zero Day Initiative by Trend Micro did conduct another Pwn2Own contest. They're always attached to larger security conferences and are promising substantial money for new vulnerabilities that are actually being demonstrated as exploitable as part of the contest. The big theme here, in my opinion, was privilege escalation and virtual machine escape. There were a number of different vulnerabilities in, for example, Red Hat, Windows 11 being demonstrated. Also on the virtual machine escape front, VirtualBox and VMware were exploited. Interesting contest. They are reporting all these vulnerabilities to respective manufacturers. And I think I actually heard some browser vulnerabilities like in Firefox were already addressed over the weekend. But if they're not being actually patched within 90 days, then at least the existence of the vulnerability is made public with a little bit more detail.

Now, I'm a little bit surprised that the FBI came out with a warning stating that they're seeing an increase in attempts to impersonate senior government officials via SMS and voice messaging. Now, they're not really talking about some sophisticated AI deepfakes here. These appear to be very simple scams, at least technically how they're being conducted. A little bit surprised that they work at all. On the other hand, we are seeing more and more reports about actual deepfakes being used, for example, to get people hired for jobs. Apparently, North Korea is big in that. But also to then, for example, issue engineering drawings and such with faked credentials being used in order to qualify these drawings as authentic. This is something that, of course, could have real impact on the integrity and such of construction projects. Definitely something to consider with all of these different scams, whether it's the less sophisticated, simple SMS sort of smishing, phishing, whatever you call them type of calls, or the more sophisticated deepfake calls. The real defense is usually some kind of business logic. Basically, how do you qualify people? Whether or not they're good enough for a particular job or good enough to deliver some kind of architectural drawing or good enough to receive some money or give you an account number. Well, there have to be some business rules around this. I don't think that's solely a technical problem. If you do consider it just a technical problem, you'll probably fail because these scams tend to move pretty quickly around any kind of technical countermeasures.

And researchers from Push Security published an update on Scattered Spider. This is a group that's mostly, well, simply after money. They have sort of put themselves on the map with some big attacks, for example, against MGM. One of the techniques they apparently are using more and more is the use of dynamic domain name systems. They're describing it here sort of as rentable subdomains. And that's in some ways what it is. Kind of a little bit of personal interest: before I was working for SANS, I operated myself a little system that never really went anywhere. But what surprised me a little bit is how well this still works sort of from an attacker point of view. Actually, when I first started with SANS, we used some of the infrastructure I had for this dynamic domain name system for some of the SANS domains. And well, actually ran into issues where some government organizations back then blocked those particular domains because they were using infrastructure known for dynamic domain names. The big problem here is that you have these domain names. They're mentioning here IT.com as one that's popular with Scattered Spider. They are well established. A lot of legitimate businesses and such are using these subdomains. And as a result, of course, blocking them and also just looking for anomalies here is becoming a bit more complex. One of the things to look for here is where you're looking at what is really a subdomain versus a domain. And there is a list by Mozilla, this public prefix list, that basically lists all of these subdomains like IT.com that really in some ways don't behave like a domain. They really more behave like a top level domain because then subdomains are assigned to different users. And if you sort of look at domains by first subtracting these public prefixes, well, that can help you get to better results looking for anomalies in your DNS traffic.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye.
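As an added illustration of the "subtract the public suffix first" idea from the last segment (my own example, not code from the podcast, the ISC diary or Push Security): group DNS queries by registrable domain using rules in the format of Mozilla's Public Suffix List, so that a rented subdomain such as acme.it.com is counted as its own domain instead of vanishing into it.com. The rule excerpt and the hostnames are constructed; a real deployment loads the full, current list from publicsuffix.org.

```python
from collections import Counter

# Constructed excerpt in Public Suffix List format (https://publicsuffix.org).
# Assumption: real code loads the full, current list; this is only a sample.
PSL_RULES = """
// ICANN rules (sample) plus one private rule: a provider rents out it.com subdomains
com
co.uk
*.ck
!www.ck
it.com
"""

def parse_rules(text):
    """Rule set from PSL text, dropping '//' comment lines and blank lines."""
    return {s for ln in text.splitlines() if (s := ln.strip()) and not s.startswith("//")}

def _matches(rule, labels):
    """Rule labels equal the host's trailing labels; '*' matches any one label."""
    rl = rule.split(".")
    return len(rl) <= len(labels) and all(
        r in ("*", h) for r, h in zip(reversed(rl), reversed(labels)))

def public_suffix_len(labels, rules):
    """Number of trailing labels forming the public suffix (PSL algorithm)."""
    longest, exception = 0, None
    for rule in rules:
        if rule.startswith("!"):
            if _matches(rule[1:], labels):
                exception = rule[1:]
        elif _matches(rule, labels):
            longest = max(longest, len(rule.split(".")))
    if exception is not None:     # an exception rule wins; drop its leftmost label
        return len(exception.split(".")) - 1
    return longest or 1           # no rule matched: the implicit "*" rule applies

def registrable_domain(host, rules):
    """Public suffix plus one label (eTLD+1), or None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = public_suffix_len(labels, rules)
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

# Constructed sample of queried hostnames (not real traffic). Keying on the last
# two labels would lump every it.com tenant together; eTLD+1 keeps them apart.
SAMPLE_QUERIES = ["www.example.com", "cdn.example.com", "acme.it.com",
                  "portal.acme.it.com", "widgets.it.com", "mail.example.co.uk"]

def domain_counts(hosts, rules):
    """Queries per registrable domain; bare public suffixes are skipped."""
    return Counter(d for d in (registrable_domain(h, rules) for h in hosts) if d)
```

Feeding the per-domain counts into whatever baseline or rarity check you already run on DNS logs then surfaces a newly seen tenant under a rented suffix rather than hiding it behind the well-established parent.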