
SANS Stormcast Tuesday, June 24th, 2025: Telnet/SSH Scan Evolution; Fake Sonicwall Software; File-Fix vs Click-Fix

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9504.mp3


Quick Password Brute Forcing Evolution Statistics
After collecting usernames and passwords from our SSH and Telnet honeypots for about a decade, I took a look back at how scans changed. Attackers are attempting more passwords in each scan than they used to, but the average length of passwords did not change.
https://isc.sans.edu/diary/Quick%20Password%20Brute%20Forcing%20Evolution%20Statistics/32068

Introducing FileFix – A New Alternative to ClickFix Attacks
Attackers may trick the user into copy-pasting strings into File Explorer, which will execute commands, similar to the ClickFix attack that tricks users into copy-pasting the command into the Start menu's cmd feature.
https://www.mobile-hacker.com/2025/06/24/introducing-filefix-a-new-alternative-to-clickfix-attacks/

Threat Actors Modify and Re-Create Commercial Software to Steal User’s Information
A fake SonicWall NetExtender clone will steal users' credentials.
https://www.sonicwall.com/blog/threat-actors-modify-and-re-create-commercial-software-to-steal-users-information

Podcast Transcript

Hello and welcome to the Wednesday, June 25, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations, is recorded in Stockheim, Germany.

In diaries today, I took a quick look at the history of the password brute forcing that we have seen in our honeypots. We collected the data starting in about 2015. Now, my analysis starts with 2018 data because that's where things became a bit more stable and we sort of have a consistent volume of data to look at. And what I looked at is, first of all, do we have modern bots that are using more username/password combinations to attack a particular target than the older bots? That appears to be somewhat true. In the beginning, meaning 2018, we had about 10 different username and password combinations attempted by each individual source IP address. That is now up to about 70 or so different usernames and passwords. I also took a quick look at the complexity of the passwords, and that has been relatively steady around 8 characters on average. But remember, these are default passwords that these bots usually attempt. Now, there are a couple of default passwords that are a bit larger and more complex. But most of them are simple stuff like admin, admin, password and the like. So, relatively short passwords. The length doesn't necessarily mean that it's a more difficult-to-guess password if it is actually just a simple default password.

And the blog post on mobilehacker.com does describe an interesting, I would say, further development of the ClickFix malware. ClickFix refers to attackers that present users with fake captchas and then trick them into copy-pasting code into their system. Now, that usually requires opening some kind of command prompt. What mobilehacker proposes here (and I don't think the attack has been seen in the wild yet, so at this point it's really sort of more a proof-of-concept-style attack) is to instead use just the File Explorer. This may make it a little bit easier for victims to actually fall for it, because they're less likely to sort of recognize this as actually executing a command. And it may also make detection a little bit more difficult, in particular if your detection is very specifically targeting the ClickFix behavior. So they're calling this FileFix. And essentially the trick is the same. You're presenting the victim with a fake captcha. But instead of copy-pasting the command to a command prompt, you just copy-paste it into the URL bar of the File Explorer, which will then also execute the command, including command options.

Talking about tricking users into doing the wrong thing: SonicWall is warning that it has observed a fake NetExtender version. NetExtender is software published by SonicWall used to log in to its VPN solutions. The fake version of the software uses a valid digital certificate, but of course not one from SonicWall, just a random stolen certificate that has since been revoked. The fake version of the application will steal the user's credentials, and that appears to be the main purpose of that application.

Well, and this is it for today. Thanks for listening, and talk to you again tomorrow. Bye.