Handler on Duty: Xavier Mertens
Threat Level: green
Podcast Detail
SANS Stormcast Tuesday, June 3rd, 2025: Windows SSH C2; Google Removes CAs from trusted list; MSFT issues Emergency Patch to fix Crash issue; Qualcom Adreno GPU 0-day
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9476.mp3

Windows SSH C2; Google Removes CAs from trusted list; MSFT issues Emergency Patch to fix Crash issue; Qualcom Adreno GPU 0-day
00:00
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Simple SSH Backdoor
Xavier came across a simple SSH backdoor taking advantage of the ssh client preinstalled on recent Windows systems. The backdoor is implemented via an SSH configuration file that instructs the SSH client to connect to a remote system and forward a shell on a random port. This will make the shell accessible to anybody able to connect to the C2 host.
https://isc.sans.edu/diary/Simple%20SSH%20Backdoor/32000
Google Chrome to Distrust CAs
Google Chrome will remove the Chunghwa Telecom and Netlock certificate authorities from its list of trusted CAs. Any certificates issued after July 31st will not be trusted. Certificates issued before the deadline will be trusted until they expire.
https://security.googleblog.com/2025/05/sustaining-digital-certificate-security-chrome-root-store-changes.html
Microsoft Emergency Update to Fix Crashes Caused by May Patch
Microsoft released an emergency update for a bug caused by one of the patches released in May. Due to the bug, systems may not restart after the patch is applied. This affects, first of all, virtual systems running in Azure and HyperV but apparently has also affected some physical systems.
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23h2#kb5058405-might-fail-to-install-with-recovery-error-0xc0000098-in-acpi-sys
Qualcomm Adreno Graphics Processing Unit Patch (Exploited!)
Qualcomm released an update for the driver for its Adreno GPU. The patched vulnerability is already being exploited against Android devices.
https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
Podcast Transcript
Hello and welcome to the Tuesday, June 3rd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode brought to you by the SANS.edu Graduate Certificate Program in Industrial Control Systems Security is recorded in Jacksonville, Florida. Well, in diaries today, Xavier came across an interesting malware sample that takes advantage of SSH on Windows. That's something we have seen for years and years in Linux. Linux, of course, always had SSH as one of its standard components, typically pre -installed. Now, Windows started doing this a couple of years ago and now pretty much any new Windows system that you are using has an SSH client at least pre-installed. Now, the SSH client, of course, does not listen on any port by default. That's exactly sort of what that malware takes care of. It does deploy a simple SSH client configuration file that will basically instruct the system, the SSH client, to connect to a particular command control server and then forward connections from that command control server to an internal listening port. As Xavier points out, this configuration file is actually not 100% syntactically correct. So, it probably doesn't work quite the way it was deployed here. The particular command control server, yes, it's no longer listening. I would just want to point out that they're using SSH over port 443. Of course, that's supposed to better blend in with common network traffic. However, if you do have any kind of network monitoring system, that should really raise a flag. If you all of a sudden have SSH over port 443, that's a pretty simple and straightforward detection. Pretty much all the network monitoring systems will tell you about this. So, definitely something to take care of and make sure that you're able to detect a backdoor like this, not just for Linux, but also for Windows. Well, and then we have more problems with certificate authorities. Google announced that they will stop trusting two certificate authorities, Chunghwa Telecom and Netlock. Chunghwa Telecom, so it's with a Chinese telecom company. Netlock, associated with a Hungarian company. Now, similar action is also pending in the larger server authority browser forum. So, this may in the near future also affect other browsers. As far as Google Chrome is concerned, Google Chrome will stop trusting certificates being issued by these two server authorities as of July 31st. So, any certificate issued after that date will not be trusted. If your certificate issued now, it will still be trusted until it expires. So, you don't have to do anything immediately now. But, yes, definitely, you know, find a different set of authority if you want to still use your records to be trusted. I looked a little bit into, you know, what the reason is behind that. For Chunghwa, apparently, they didn't observe the CAA DNS record. That's a DNS record where you are indicating which set of authorities are able to actually issue certificates on behalf of your domain. And during some cutover, they didn't check that properly. And then they also didn't revoke affected certificates in a timely manner. If you remember, there was, like, Let's Encrypt had a similar issue, but they ended up revoking, like, millions and millions of certificates as a result. Here, the revocation really was the problem. They didn't properly respond to that incident. For NetLock, it's actually a little bit more problematic. They did issue signing certificates. So, in immediate certificates that could be used to sign other certificates on NetLock's behalf. And they didn't disclose that they actually issued those signing certificates. So, then related certificates didn't show up in sort of transparency logs and the like. And that, of course, could then allow, like, you know, a larger sort of machine -in-the-middle attack, which is certainly an important concern here. And, again, that's why they get kicked out. And, also, they didn't really respond in any timely manner to these issues. Neither of these certificates authorities, I think, has a large user base. So, the impact should be minimal. But, again, double-check what certificates you're using, if any of them are being signed by these set of authorities, or if any of your vendors are using the set of authority. That can be a problem if, for example, automatic update processes and such are failing because you no longer trust these certificates. If you, for example, connect to some vendor's web server to pull in updates. Well, then we got a critical update from Qualcomm for their Adreno graphics processing units or their GPU. This particular driver is mostly used on Android. So, that's where you have to watch out for this patch. And, well, it is already being exploited. It's a privilege escalation vulnerability. But, given it's already being exploited, you definitely should try to apply related updates as soon as possible. Of course, it's part of that Android ecosystem. So, you pretty much have to wait for an Android update for your particular device that will include this patch. Well, and this is it for today. So, thanks again for listening and talk to you again tomorrow. Bye.