
SANS Stormcast Monday, June 16th, 2025: Extracting Data from JPEG; Windows Recall Export; Anubis Wiper; Mitel Vuln and PoC

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9496.mp3


Extracting Data From JPEGs
Didier shows how to efficiently extract data from JPEGs using his tool jpegdump.py
https://isc.sans.edu/diary/A%20JPEG%20With%20A%20Payload/32048
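The segment walk that makes this kind of analysis work, as an added example (not jpegdump.py or any other code from the diary): it lists every JPEG marker segment, skips entropy-coded scan data correctly, returns whatever sits after the End-Of-Image marker, and scores it with a byte-entropy check in the spirit of byte-stats. The input is a constructed minimal JPEG with a trailer appended after EOI.

```python
import math
import struct

# Constructed sample (not the diary's file): SOI, APP0/JFIF, a one-component SOS with
# three bytes of fake scan data, EOI, then 22 bytes appended after EOI as a hidden trailer.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\x56"
    + b"\xff\xd9"
    + b"MZ" + b"\x90" * 20
)

def walk_jpeg(data: bytes):
    """Return ([(marker, offset, size), ...], bytes_after_EOI); scan data gets marker None."""
    segments, pos, n = [], 0, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:  # SOI, EOI, RSTn carry no length
            segments.append((marker, pos, 2))
            pos += 2
            if marker == 0xD9:   # EOI: anything left over is not part of the image
                break
            continue
        size = struct.unpack(">H", data[pos + 2:pos + 4])[0] + 2  # length field counts itself
        segments.append((marker, pos, size))
        pos += size
        if marker == 0xDA:   # SOS: skip entropy-coded data, honouring 0xFF00 stuffing and RSTn
            start = pos
            while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] != 0 and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
            segments.append((None, start, pos - start))
    return segments, data[pos:]

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: compressed or encrypted payloads sit near 8, padding near 0."""
    if not buf:
        return 0.0
    counts = [buf.count(bytes([v])) for v in range(256)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

if __name__ == "__main__":
    segs, tail = walk_jpeg(SAMPLE_JPEG)
    for marker, off, size in segs:
        print(f"{'scan' if marker is None else f'FF{marker:02X}'} @ {off:6d} len {size}")
    if tail:
        print(f"after EOI: {len(tail)} bytes, entropy {shannon_entropy(tail):.2f}, starts {tail[:4]!r}")
```

On a real carrier file the same walk also exposes oversized or unexpected APPn/COM segments, which is where the diary's payload lived; the entropy figure separates a compressed or encrypted blob from harmless padding.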

Windows Recall Export in Europe
In its latest insider build for Windows 11, Microsoft is testing an export feature for data stored by Recall. The feature is limited to European users and requires that you note an encryption key that will be displayed only once as Recall is enabled.
https://blogs.windows.com/windows-insider/2025/06/13/announcing-windows-11-insider-preview-build-26120-4441-beta-channel/

Anubis Ransomware Now Wipes Data
The Anubis ransomware, usually known for standard double extortion, now also wipes data, preventing any recovery even if you pay the ransom.
https://www.trendmicro.com/en_us/research/25/f/anubis-a-closer-look-at-an-emerging-ransomware.html

Mitel Vulnerabilities CVE-2025-47188
Mitel this week patched a critical path traversal vulnerability (sadly, no CVE), and Infoguard Labs published a PoC exploit for an older file upload vulnerability.
https://labs.infoguard.ch/posts/cve-2025-47188_mitel_phone_unauthenticated_rce/
https://www.mitel.com/support/mitel-product-security-advisory-misa-2025-0007

Podcast Transcript

Hello and welcome to the Tuesday, June 17th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu graduate certificate program in incident response, is recorded in Jacksonville, Florida.

Well, today we have a diary by Didier following up on yesterday's diary by Xavier. Of course, Xavier talked about extracting data from JPEGs. Well, Didier, of course, has a better tool for it, jpegdump, that makes it pretty straightforward to extract data blocks like the one that Xavier found with the encoded DLL yesterday. And it even then allows you to push the data to various other tools like headtail, for example, or to the byte-stats tool, which gives you more detail about the composition of particular parts of the file and also how to better then extract the related malware.

A while ago, after Microsoft announced its new Recall feature in Windows 11, there was a lot of feedback from privacy advocates. Windows Recall, again, takes snapshots, screenshots and such of your system periodically. And then, using Microsoft's AI tools, allows you to then retroactively search these screenshots for any items of interest. This, of course, is meant to be sort of a usability feature for Windows. But, of course, all that data must be stored. It's stored on your local device. And based on some of the feedback that Microsoft initially received, the data is encrypted. However, given that the data is encrypted, the user themselves doesn't really have a good option to review what data was actually stored. That, again, caused some issues with privacy regulations, in particular in Europe. And Microsoft now implemented a new feature in the latest preview edition of Windows 11 to allow specifically users in Europe to export this data. In order to facilitate the decryption of the export, Microsoft will display, as you enable this feature, an encryption key. Well, this is the only time you'll ever see that encryption key. So, if you're interested in preserving it, you better write it down at that point. And later, you can then export any data that Recall created and decrypt it using this key. Interesting that this is just limited to the European Economic Area at this point. Maybe that will become available later in other regions. I'm not really sure what would prevent them from doing that. But at this point, again, it's only in the preview release. There are also some admin features around this to enterprise-wide regulate the use of Recall and this Recall restore feature.

And Trend Micro warns of a recent evolution in the Anubis ransomware. Anubis is ransomware as a service. So, you have various groups using this ransomware in order to launch their attacks. It usually starts with a phishing email. The part that changed is that Anubis now implemented a wiper mode. So, what this means is that your data isn't actually just encrypted. It's deleted. And payment of a ransom is unlikely going to help you in recovering the data. So, be aware if you're getting hit with this ransomware. It may not be worthwhile actually paying for it. At the very least, ask for a real good sort of sign of life for your data.

Well, then we have a couple of Mitel vulnerabilities that deserve some attention. First of all, the MiCollab suite suffers from a path traversal vulnerability that has been patched a couple of days ago. Definitely pay attention to this. I haven't seen an exploit yet, but it looks like something that's relatively straightforward to exploit once someone does some patch diffing or basically just releases the exploit they used to notify Mitel. So, definitely keep that up to date. The second Mitel issue is actually a proof of concept that was published for an older vulnerability. That's an unauthenticated remote code execution vulnerability. It's related to the ringtone upload feature in Mitel phones. Essentially, it sort of leads to an unrestricted file upload, which then relates to remote code execution. So, if you're using Mitel phones, Mitel software, double check, make sure everything is up to date.

Well, and that's it for today. Remember, there will be no podcast for the next two days. I'll be traveling Tuesday, so I can't record for Wednesday. And then we also have the June 19th holiday coming up. But there should be another podcast on Friday. Thanks for listening and talk to you again on Friday. Bye.