
SANS Stormcast Thursday, July 17th, 2025: catbox.moe abuse; Sonicwall Attacks; Rendering Issues

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9530.mp3


More Free File Sharing Services Abuse
The free file-sharing service catbox.moe is being abused to host malware. While the service officially claims not to allow hosting of executables, it only checks the file extension, so the restriction is easily bypassed.
https://isc.sans.edu/diary/More%20Free%20File%20Sharing%20Services%20Abuse/32112
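To make the extension-only weakness concrete, here is an added example (not code from the ISC diary or from catbox.moe) that contrasts a filter which trusts only the file name with one that also inspects the file's leading bytes. The sample uploads, the block list and the function names are constructed for this illustration.

```python
"""
Added example, not code from the ISC diary or from catbox.moe: shows why
a filter that looks only at the file extension is easy to slip past and
how checking the file's leading bytes catches renamed executables.
The sample uploads below are constructed.
"""
import os

# Extensions a service might refuse by name. A naive filter stops here.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi"}

# Leading bytes of executable formats, checked regardless of the name.
# "MZ" covers every Windows PE file: .exe, .dll, .sys, .scr and others.
EXECUTABLE_MAGIC = {
    b"MZ": "windows pe executable",
    b"\x7fELF": "elf executable",
}


def extension_only_check(filename: str) -> bool:
    """Naive policy: accept unless the extension is on the block list."""
    ext = os.path.splitext(filename.lower())[1]
    return ext not in BLOCKED_EXTENSIONS


def content_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Stricter policy: also refuse anything whose bytes say 'executable'."""
    if not extension_only_check(filename):
        return False, "blocked extension"
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, f"content is a {kind}"
    return True, "accepted"


# Constructed uploads: a PE stub renamed to .dll and to .pdf, and plain text.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
SAMPLE_UPLOADS = {
    "payload.exe": PE_STUB,
    "update.dll": PE_STUB,       # slips past the extension-only filter
    "report.pdf": PE_STUB,       # renamed outright
    "notes.txt": b"just text\n",
}


def compare_policies(uploads=SAMPLE_UPLOADS) -> dict[str, tuple[bool, bool]]:
    """Map filename -> (accepted by extension check, accepted by content check)."""
    return {name: (extension_only_check(name), content_check(name, data)[0])
            for name, data in uploads.items()}


if __name__ == "__main__":
    for name, (by_ext, by_content) in compare_policies().items():
        print(f"{name:12} extension-only={by_ext!s:5} content-aware={by_content}")
```

The `MZ` signature is deliberately broad: it matches a DLL as readily as an EXE, which is exactly the gap an extension list leaves open. A production filter would use a full file-type identification library and inspect archives as well; the point here is only that the decision has to be made on content, not on the name the uploader chose.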


Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor
A group Google tracks as UNC6148 is exploiting SonicWall SMA 100 series appliances. The devices are end of life, but even fully patched devices are being compromised. Google assesses that access is gained with credentials leaked during earlier attacks on the same devices. After compromising a device, the attacker installs the OVERSTEP backdoor.
https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor

Weaponizing Trust in File Rendering Pipelines
RenderShock is a comprehensive zero-click attack strategy that targets passive file preview, indexing, and automation behaviours in modern operating systems and enterprise environments. It leverages built-in trust mechanisms and background processing in file systems, email clients, antivirus tools, and graphical user interfaces to deliver payloads without requiring any user interaction.
https://www.cyfirma.com/research/rendershock-weaponizing-trust-in-file-rendering-pipelines/

Podcast Transcript

Hello and welcome to the Thursday, July 17th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Washington, D.C., and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

Xavier today wrote up a series of attacks that took advantage of a file sharing box called Catbox. Catbox.moe is the domain being used by this file sharing service and Xavier was able to capture about 600 or so different URLs being abused at this particular file sharing service. Just like any free file sharing service, it can easily be used to distribute malware. Now on their web page, they're stating that they do not allow the hosting of .exe and similar files, but it looks like they're really only checking the extension and something like .dll or such is easily used to evade some of the filters being set up by Catbox. You may want to consider blocking access to this service. It doesn't look, based on the website, that it is all that terribly useful for business purposes. Also, of course, any use of some of these newer generic top-level domains like .moe in this case is often a good indicator that something suspicious may be happening.

And Google's Threat Intelligence Group has published details regarding a compromise of fully patched SonicWall SMA 100 devices. These devices are end-of-life, but the particular devices compromised here were fully patched. Now, this is not a zero day, apparently, that's being used here. Instead, what Google believes is happening is that these particular devices were vulnerable in the past to some of these vulnerabilities that allowed attackers to retrieve credentials, including the seeds for multi-factor authentication. So now they're just coming back after devices were patched and they're compromising them using the credentials that the attacker did collect in earlier attacks. Good reminder that whenever you find a vulnerable device that may have been attacked to certainly rotate credentials, including any seeds for multi-factor authentication.

And security company Cyfirma published a blog post outlining an attack that's not really fundamentally new. I have seen it over the years evolve in various forms. They're calling it RenderShock. And what it really is all about is that on modern systems, you do have multiple tools that will render various file formats in the background, and with that, potentially expose you to vulnerabilities. These are often indexing programs, preview programs, most famously things like file managers that will render sort of previews of files, but also software that will index files in the background, for example for searching. Now, what can happen here is that all of these different renderers that are being used and that these files are exposed to may have various vulnerabilities. And there are multiple examples where these vulnerabilities have been triggered in the past by malware being sent to the system. So a possible attack scenario is where a user does receive an email attachment, but is not actually opening the attachment, maybe saving it to a directory or even just keeping it in their email reader. And unbeknownst to the user, this file is now being parsed and analyzed by all these different renderers, which of course then may execute code or, in more simple cases, just may reach out to various URLs, like, for example, SMB URLs. We had a number of issues around that in the past, which then of course could lead to the leak of credentials. This threat overall, like I said, it's not theoretical, even though this particular blog post does not expose any fundamentally new vulnerability. It has been exposed in the past. It's a real good sort of overview of various things that you may be able to do to protect yourself here and really just to foster some awareness of the threat of having all of these renderers on your system.

Well, and this is it for today. Thanks for listening and thanks to everybody who came to my talk today. It may be available online in the near future. I haven't checked yet if the recording of it worked out on the net. Thanks for liking this podcast. Thanks for listening and talk to you again tomorrow. Bye.