
SANS Stormcast June, Tuesday, June 10th, 2025: Octosql; Mirai vs. Wazuh DNS4EU; Wordpress Fair Package Manager

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9486.mp3


OctoSQL & Vulnerability Data
OctoSQL is a neat tool to query files in different formats using SQL. This can, for example, be used to query the JSON vulnerability files from CISA or NVD and create interesting joins between different files.
https://isc.sans.edu/diary/OctoSQL+Vulnerability+Data/32026
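As an added illustration of the join described in this item (this is not Russ's diary code and not OctoSQL itself), the Python below loads two constructed NVD-shaped JSON documents, a CVE 2.0 feed and a CPE dictionary, into an in-memory SQLite database and answers the "which products have which vulnerabilities" question in plain SQL. The CVE ids, CPE names, titles and scores are placeholders, not real NVD data; the shape of the documents is an assumption modelled on the NVD feeds.

```python
"""Query NVD-style JSON with SQL: load CVE and CPE documents into SQLite and join them."""
import sqlite3

# Constructed sample shaped like the NVD CVE 2.0 feed (placeholder ids, not real CVEs).
CVE_FEED = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "published": "2025-01-05T00:00:00.000",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"vulnerable": True,
                      "criteria": "cpe:2.3:a:examplevendor:edr_server:4.0:*:*:*:*:*:*:*"}]}]}]}},
        {"cve": {"id": "CVE-0000-0002", "published": "2025-02-11T00:00:00.000",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]},
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"vulnerable": True,
                      "criteria": "cpe:2.3:a:examplevendor:edr_server:4.0:*:*:*:*:*:*:*"},
                     {"vulnerable": True,
                      "criteria": "cpe:2.3:a:othervendor:blog_plugin:2.1:*:*:*:*:*:*:*"}]}]}]}},
        {"cve": {"id": "CVE-0000-0003", "published": "2025-03-01T00:00:00.000",
                 "metrics": {},  # not yet scored: must load as NULL rather than fail
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"vulnerable": True,
                      "criteria": "cpe:2.3:a:unlisted:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
    ]
}

# Constructed sample shaped like the NVD CPE dictionary (placeholder products).
CPE_DICT = {
    "products": [
        {"cpe": {"cpeName": "cpe:2.3:a:examplevendor:edr_server:4.0:*:*:*:*:*:*:*",
                 "titles": [{"title": "Example EDR Server 4.0", "lang": "en"}]}},
        {"cpe": {"cpeName": "cpe:2.3:a:othervendor:blog_plugin:2.1:*:*:*:*:*:*:*",
                 "titles": [{"title": "Other Blog Plugin 2.1", "lang": "en"}]}},
    ]
}


def base_score(cve):
    """CVSS v3.1 base score of one CVE record, or None when it carries no metrics yet."""
    for metric in cve.get("metrics", {}).get("cvssMetricV31", []):
        return metric["cvssData"]["baseScore"]
    return None


def vulnerable_cpes(cve):
    """Yield every CPE string a CVE record marks as vulnerable."""
    for conf in cve.get("configurations", []):
        for node in conf.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    yield match["criteria"]


def build_db(cve_feed=CVE_FEED, cpe_dict=CPE_DICT):
    """Flatten both JSON documents into three relational tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cve     (id TEXT PRIMARY KEY, published TEXT, score REAL);
        CREATE TABLE cve_cpe (cve_id TEXT, cpe TEXT);
        CREATE TABLE product (cpe TEXT PRIMARY KEY, title TEXT);
    """)
    for item in cve_feed["vulnerabilities"]:
        cve = item["cve"]
        conn.execute("INSERT INTO cve VALUES (?, ?, ?)",
                     (cve["id"], cve["published"], base_score(cve)))
        conn.executemany("INSERT INTO cve_cpe VALUES (?, ?)",
                         [(cve["id"], cpe) for cpe in vulnerable_cpes(cve)])
    for item in cpe_dict["products"]:
        cpe = item["cpe"]
        title = next((t["title"] for t in cpe["titles"] if t["lang"] == "en"), cpe["cpeName"])
        conn.execute("INSERT INTO product VALUES (?, ?)", (cpe["cpeName"], title))
    conn.commit()
    return conn


def cves_by_product(conn, min_score=0.0):
    """One row per (product, CVE). LEFT JOIN keeps CVEs whose CPE is missing from the
    dictionary, and unscored CVEs are kept regardless of min_score so they are not
    silently dropped by a severity filter."""
    return conn.execute("""
        SELECT COALESCE(p.title, '(not in CPE dictionary)') AS product, c.id, c.score
        FROM cve c
        JOIN cve_cpe x ON x.cve_id = c.id
        LEFT JOIN product p ON p.cpe = x.cpe
        WHERE c.score IS NULL OR c.score >= ?
        ORDER BY product, c.id
    """, (min_score,)).fetchall()


def cve_count_per_product(conn):
    """Distinct CVE count per known product, most affected first."""
    return conn.execute("""
        SELECT p.title, COUNT(DISTINCT x.cve_id)
        FROM product p JOIN cve_cpe x ON x.cpe = p.cpe
        GROUP BY p.title ORDER BY 2 DESC, 1
    """).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in cves_by_product(db, min_score=7.0):
        print(row)
    for row in cve_count_per_product(db):
        print(row)
```

The point of the flattening step is the same one the diary makes: once the nested JSON is in tables, the product-identifier file and the vulnerability file join on the CPE string, and the one CVE whose CPE is absent from the dictionary shows up explicitly instead of vanishing from an inner join.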

Mirai vs. Wazuh
The Mirai botnet has now been observed exploiting a vulnerability in the open-source EDR tool Wazuh.
https://www.akamai.com/blog/security-research/botnets-flaw-mirai-spreads-through-wazuh-vulnerability

DNS4EU
The European Union created its own public recursive resolver to offer a public resolver compliant with European privacy laws. This resolver is currently operated by ENISA, but the intent is to hand operation and support over to a commercial entity.
https://www.joindns4.eu/

WordPress FAIR Package Manager
Recent legal issues around different WordPress-related entities have made it more difficult to maintain diverse sources of WordPress plugins. With WordPress plugins usually being responsible for many of the security issues, the Linux Foundation has come forward to support the “FAIR Package Manager,” a tool intended to simplify the management of WordPress packages.
https://github.com/fairpm


Podcast Transcript

Hello and welcome to the Tuesday, June 10th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Master's Degree Program in Information Security Engineering, is recorded in Jacksonville, Florida.

Well, in diaries today, we do have a little tool introduction by Russ. Russ introduces us to OctoSQL, a tool I haven't used yet myself, but it actually sounds like something that I'd like. It essentially allows you to read in files in various text file formats like JSON, CSV, tab-delimited and the like. And then it allows you to write SQL queries against the content of these files. So that makes it really handy to have sort of a simplified query language, no matter what the particular file format is that you're reading in. And the example that Russ presents here is using the NVD JSON database and then writing queries against this. For example, figuring out, for various products, what their vulnerabilities are. So it doesn't just read in the vulnerabilities, but also the product identifier database from NVD, in order to then be able to join the two. So, interesting tool. And like I said, certainly something that I'll probably give a try as well.

Well, yesterday I talked about a DVR vulnerability in Mirai, which I mentioned, well, is sort of nothing really that unique and new. But, well, today I have to talk again about Mirai. And this time it's a little bit more interesting in that Mirai now apparently is also exploiting a Wazuh-related vulnerability. If you're not familiar with Wazuh, it's actually a really great open source tool. It is an open source endpoint detection and response tool. So it monitors systems, does some log aggregation and the like. But, yes, back in April, I think it was, they had a severe vulnerability. Don't expose these kinds of dashboards and complex tools to the Internet. Of course, with something like Wazuh, the tricky part is that hosts in your network have to connect to its API. So there is some restriction around what kind of firewall rules and such you can put in place around these tools in order to really isolate them well from exploitation. And, yeah, the fact that Mirai is now taking advantage of this vulnerability just shows that this is a very straightforward, very simple to exploit vulnerability. So if Mirai knows about it, well, everybody else in the world who may have a little bit more access to your network already is exploiting it as well.

Well, and then we have another recursive resolver that the public can use. This one is a little bit different. It's run by a government entity right now, and that's the European Union. Now, the European Union runs it right now; it will configure it, set it up. They hope to hand it over to a yet-to-be-named private entity that then will also fund this service. Given that it was created by the European Union, that means that it's specifically sort of built around some of the privacy requirements that come with that. And otherwise they offer the standard services that these public resolvers usually are offering, where they offer various levels of filtering based on what particular resolver you select. Whenever you configure a recursive resolver like this, of course, the key issue is: do you trust the particular entity that is running this particular recursive resolver? We do have a number of existing ones, like the famous ones run by Google, Cloudflare, Cisco, and the like, that are already offering very similar services, also similar levels of filtering. One of the advantages, in addition to the filtering, if you want to do that, is, of course, also that these resolvers tend to be a little bit faster than setting up your own internal recursive resolver, because you're kind of, you know, gaining some speed from all the data that they may have already cached in their system.

Well, I stopped over the last couple of years talking about WordPress add-on vulnerabilities, just because there are so many, and I think it's really brave if you're still hosting WordPress yourself with a bunch of different packages installed. But lately, things apparently have been even more complicated for WordPress users with some legal issues between some of the big backers behind WordPress. And that made it particularly difficult to keep all of your WordPress packages and add-ons up to date. Well, the Linux Foundation has now stepped forward, together with some people that manage and create WordPress packages, to create this new Package Manager project, FAIR, that's intended to provide you with an independent way to keep your WordPress packages up to date. So, if you are running WordPress, take a look at this. It probably will make it a little bit easier to keep WordPress running safely for you.

Well, and that's it for today. So, thanks for listening. Thanks for recommending this podcast. Thanks for leaving reviews on Apple Podcasts or whatever platform you're using. Remember, there's a video format on YouTube as well as, for example, on Alexa. You should be able to include this podcast as part of your daily flash briefing. Thanks, everybody, and talk to you again tomorrow. Bye.