SANS Stormcast Wednesday, July 16th, 2025: ADS Keystroke Logger; Fake Homebrew; Broadcom Altiris RCE; Malicious Cursor AI Extensions
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9528.mp3

Keylogger Data Stored in an ADS
Xavier came across a keystroke logger that stores its data in alternate data streams. The data includes keystroke logs as well as clipboard contents.
https://isc.sans.edu/diary/Keylogger%20Data%20Stored%20in%20an%20ADS/32108
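The diary describes a PowerShell script that enumerates alternate data streams to surface suspicious ones. The following is an added example written for this page, not the script from Xavier's diary: it walks a directory tree on an NTFS volume, skips the default `:$DATA` stream and the routine `Zone.Identifier` (mark-of-the-web) stream, and reports each remaining stream with its size, a short text preview and whether the carrying file has the hidden attribute, since the diary notes that the logger's file is hidden and that such attributes are uncommon enough to serve as an indicator. The function name and parameters are this example's own choices.

```powershell
# Added example, not the script from Xavier's diary. Lists alternate data streams on
# NTFS files under a path, skips the default ':$DATA' stream and the common
# Zone.Identifier (mark-of-the-web) stream, and reports stream size, a short text
# preview and whether the carrying file is marked hidden. Function name and
# parameter names are this example's own choices.
function Find-SuspiciousAds {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $PreviewLength = 80
    )

    # -Force includes hidden files, which are exactly the ones worth looking at here.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $isHidden = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)

        # Get-Item -Stream * enumerates every named stream attached to the file.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        ForEach-Object {
            $stream  = $_
            $preview = ''
            try {
                # Read the stream as text; keystroke and clipboard logs are usually plain text.
                $text = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Raw -ErrorAction Stop
                if ($text) {
                    $flat    = ($text -replace '\s+', ' ')
                    $preview = $flat.Substring(0, [Math]::Min($PreviewLength, $flat.Length))
                }
            } catch {
                $preview = "<unreadable: $($_.Exception.Message)>"
            }

            [PSCustomObject]@{
                File     = $file.FullName
                Stream   = $stream.Stream
                Length   = $stream.Length
                Hidden   = $isHidden
                Modified = $file.LastWriteTime
                Preview  = $preview
            }
        }
    }
}

# Usage: scan the current user's profile and list hidden carrier files first.
Find-SuspiciousAds -Path $env:USERPROFILE |
    Sort-Object Hidden -Descending |
    Format-Table -AutoSize
```

Streams named `Zone.Identifier` are excluded only because they are expected on downloaded files; on a host where other legitimate streams are common (some backup and document-management tools add their own), extend the `Where-Object` filter with those names rather than widening it to everything. Rising stream `Length` over repeated runs on the same file is the behaviour a running keystroke logger would produce.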
Malvertising Homebrew
An attacker has been attempting to trick users into installing a malicious version of Homebrew. The fake software is advertised via paid Google ads and directs users to the attacker’s GitHub repo.
https://medium.com/deriv-tech/brewing-trouble-dissecting-a-macos-malware-campaign-90c2c24de5dc
CVE-2025-5333: Remote Code Execution in Broadcom Altiris IRM
LRQA have discovered a critical unauthenticated remote code execution (RCE) vulnerability in the Broadcom Symantec Altiris Inventory Rule Management (IRM) component of Symantec Endpoint Management.
https://www.lrqa.com/en/cyber-labs/remote-code-execution-in-broadcom-altiris-irm/
Code highlighting with Cursor AI for $500,000
A syntax highlighting extension for Cursor AI was used to compromise a developer’s workstation and steal $500,000 in cryptocurrency.
https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/
Podcast Transcript
Hello and welcome to the Wednesday, July 16th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Washington, D.C. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations.

Xavier has recently been zooming in a little bit on alternate data streams, and today in his diary he presents yet another find: a Python script that implements a keystroke logger and stores that data in an alternate data stream. In addition to keystroke log data, it also adds clipboard content to the file, which could then later be exfiltrated. That exfiltration is not implemented in the script that Xavier found; it's just the collection of the data. The file is also marked as hidden, which I guess is supposed to make it a little more difficult to find. Of course, attributes like this aren't always that common, so they could also be used as an indicator to find a suspect file. Same for alternate data streams. All the data streams I've talked about in the past, they're being used for the zone identifier or the mark of the web. Otherwise, however, they are not that terribly common. Well, Xavier shows a PowerShell script that you can use to easily find and extract some basic information about alternate data streams to find potentially malicious ones, or at least suspicious ones that you probably should look at a bit closer.

And Mac users, be aware: there is yet another malvertising campaign out there trying to get you to install a malicious version of Homebrew. Homebrew is a very popular package manager for macOS that allows you to install a lot of great open source tools. In this particular case, described by Deriv Tech, a user attempted to Google "Pro install" or "install Pro" and was then presented with a malicious advertisement that directed them to a GitHub page. GitHub is used by Homebrew, but in this case, the user was presented with a malicious install script that did install the actual, authentic Homebrew, but also installed additional malware. As usual, be careful what you install and where you get your software from, but these cases are sometimes fairly difficult to detect, in particular for someone who is not familiar with the particular software.

And the blog post by Eleftherios Panos with security company LRQA did reveal details regarding a recently patched vulnerability in Broadcom's Symantec Altiris Inventory Rule Management system. This system listens on port 4011. It uses .NET remoting in order to implement the listening port, but it uses it in a well-known vulnerable configuration, which can easily be exploited using existing standard .NET remoting exploitation tools, as the vulnerability is just a simple deserialization vulnerability in this tool that is often used and, again, has been used in the past in the same insecure configuration. Broadcom released a patch back in June, and now we do have all the details on how to exploit this vulnerability, so better make sure that you are patched and do not expose port 4011 to the Internet.

And one thing that doesn't go away is attacks against developers. We have yet another example. I have been talking about malicious extensions for a couple of years now. This latest example was a malicious extension against Cursor AI. It was used against a Russian crypto coin developer who, in the process, lost $500,000 worth of cryptocurrency. Kaspersky documented it as part of their Securelist blog. And apparently what happened is the developer installed a new machine, so installed a new operating system, and with that, of course, reinstalled some of the tools that they were using. One of those tools was Cursor AI, including an extension that helps with syntax highlighting. This extension was downloaded from Open VSX. I mentioned that, I think, last week because of a vulnerability there. But this particular issue is unrelated to that vulnerability. It's just simply a malicious extension that was uploaded by the malicious actor and then used to steal secrets, and with that, steal secrets that were used to secure the developer's crypto coin wallet.

Well, and that's it for today. So thanks again for listening. If you are here at SANSFIRE, my classroom is actually down on the concourse level. If you want to pick up any stickers, we also have our little command center here on Thursday. Guy and Jesse will be there again. And we have stickers, we have demos and such. If you want to learn more about the Internet Storm Center and our honeypots and how it all works, also on Thursday evening, don't forget we have our Honeypot Workshop, which also includes a honeypot giveaway. So thanks for listening and talk to you again tomorrow. Bye.