SANS Stormcast Thursday, July 24th, 2025: Reversing SharePoint Exploit; NPM “is” Compromise

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9540.mp3


Reversing SharePoint “Toolshell” Exploits CVE-2025-53770 and CVE-2025-53771
A quick walk-through showing how to decode the payload of recent SharePoint exploits
https://isc.sans.edu/diary/Analyzing%20Sharepoint%20Exploits%20%28CVE-2025-53770%2C%20CVE-2025-53771%29/32138
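As an added illustration of the layered decoding the diary describes (example code written for this page, not from the ISC diary or the podcast), the Python helper below peels nested Base64 and gzip/zlib/deflate layers from a captured payload so an analyst can reach the innermost content. The sample payload is constructed from a harmless ASPX-like string and is not a real exploit.

```python
import base64
import binascii
import gzip
import re
import zlib

B64_RE = re.compile(rb"[A-Za-z0-9+/=]{8,}")  # standard alphabet; 8+ chars avoids decoding short words

def _try_b64(data: bytes):
    """Decode data as Base64; None if the alphabet does not fit (plain text, binary, too short)."""
    s = b"".join(data.split())  # captured payloads are often line-wrapped
    if not B64_RE.fullmatch(s):
        return None
    try:  # re-pad, since some tooling strips the trailing '='
        return base64.b64decode(s + b"=" * (-len(s) % 4), validate=True) or None
    except binascii.Error:
        return None

def _try_decompress(data: bytes):
    """Return (plaintext, codec) for gzip, zlib or raw-deflate input, else None."""
    if all(32 <= b < 127 or b in b"\t\r\n" for b in data):
        return None  # printable text is never a compressed stream (avoids deflate false positives)
    for wbits, codec in ((31, "gzip"), (15, "zlib"), (-15, "raw-deflate")):
        try:
            return zlib.decompress(data, wbits), codec
        except zlib.error:
            continue
    return None

def peel_layers(blob: bytes, max_layers: int = 10):
    """Strip alternating Base64 and compression layers; returns [(kind, bytes), ...], innermost last."""
    layers, current = [], blob
    for _ in range(max_layers):
        decoded = _try_b64(current)
        if decoded is not None:
            current = decoded
            layers.append(("base64", current))
            continue
        dec = _try_decompress(current)
        if dec is None:
            break
        current, codec = dec
        layers.append((codec, current))
    return layers

def build_sample() -> bytes:
    """Constructed sample (not a real exploit): harmless ASPX-like text, gzip'ed, then Base64 twice."""
    inner = b'<%@ Page Language="C#" %><% Response.Write("sample"); %>'
    return base64.b64encode(base64.b64encode(gzip.compress(inner, mtime=0)))
```

Running `peel_layers(build_sample())` reports the layer sequence base64, base64, gzip and ends at the ASPX-like text; the text check in `_try_decompress` is what stops the loop from "decompressing" plain text by accident.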

Compromised JavaScript NPM “is” Package
The popular npm package “is” was compromised by malware. Luckily, the malicious code was found quickly, and the compromised release was reverted after about five hours.
https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack

Microsoft Quick Machine Recovery
Microsoft added a new quick machine recovery feature to Windows 11. If the system is stuck in a reboot loop, it will boot to a rescue partition and attempt to find fixes from Microsoft.
https://learn.microsoft.com/en-gb/windows/configuration/quick-machine-recovery/?tabs=intune

Podcast Transcript

Hello and welcome to the Thursday, July 24, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in Applied Cybersecurity.

Well, today I still spend some time with the SharePoint Toolshell exploits that we have been collecting, and that others have been collecting, to do a little bit of reverse analysis on them. So I figured that I'll summarize some of the things that I learned here in a quick blog post. I also did a video showing you a little bit how some of this works. And well, it's actually not terribly difficult for many of these exploits to figure out exactly what the attacker does. To get started, first of all, of course, there is the referrer. That's one of the key features here that's being exploited by this vulnerability, or by this exploit. And then it's really just a lot of decoding Base64. So there's Base64 and Base64. That's sort of what it all ends up being. Now, it starts out here with this compressed data table feature, which, well, is Base64 and compressed, and moves on from there. I don't want to go over everything here in the podcast because many of you may not really be that interested. But here is sort of the final page that was uploaded by some of the early exploits that stole the machine key from the system. Other than that, no real sort of big fundamental news here. Lots of research, you know, scanning for machines that may have this particular backdoor installed on the system. This releases the machine keys. And that's, again, the key lesson, I think, here that can't be emphasized enough: that just the patching is probably insufficient at this point. That you must count on this particular exploit being used against your machine as early as last weekend, and that as a result, your machine keys are lost. So you must rotate them, or it's relatively straightforward for an attacker to recompromise your system.

And then we have yet another compromised NPM package to talk about. I kind of keep thinking about not covering them as much anymore, but this one I think is interesting in a couple of aspects. First of all, it's a very popular package with a few million downloads. The maintainer here at least paid attention, and the compromise was mitigated within hours of actually being made live. The root cause here appears to be compromised maintainer credentials. The problem appears to be that currently there are spam and phishing emails going around for npmjs.com. That domain does not apparently have proper DKIM, DMARC, and SPF records, making email spoofing relatively easy for this particular domain. And several maintainers have fallen for this, leading to a little bit of a rush in compromised packages. The other kind of odd and interesting thing about this package is there is quite a bit of discussion about how much of this is actually necessary. Whether this package is necessary, I'm not enough of an npm JavaScript developer to really make that call. But as a developer, be a little bit conservative in how many packages you install. Having a little convenience package may be nice to have, but definitely be careful with this. There's also a ton of exploits, for example, for some of these VS Code plugins and such, that pretty much target some of the pretty printers and such, because it just makes things look a little bit nicer. So before you install something like this, first of all, make sure that you really need it. And then secondly, make sure that these are packages that appear to be well maintained. Of course, for the “is” package, well, it was well maintained in the sense that there were many downloads, there were regular updates, and the maintainer was able to spot the problem quickly, like within five hours. Just the maintainer, I guess, didn't pay close attention to their credentials.

And after announcing it earlier and testing it in some of the Insider editions, Microsoft now with Windows 11 24H2 has released the new quick machine recovery feature that promises to make life a little bit easier for individual users as well. And I think that's actually sort of a little bit the main audience here, for IT administrators in larger environments. The goal of quick machine recovery is to automatically detect if a machine keeps rebooting, sort of stuck in some kind of reboot loop. And then the machine will automatically reboot into a safe recovery environment. That recovery environment will then check what errors happened, contact a cloud service that will offer potential fixes for this issue, and then apply them and reboot. Sounds interesting, of course, sort of with CrowdStrike being just about a year behind us. This is a feature that was inspired by this particular incident because, of course, back then it required walking around and updating lots and lots of systems sort of, you know, with hands on keyboard. This is supposed to make these things a bit easier. I see where also for a lot of home users and less technical users, this sort of will make life easier in case, for example, some update or some third-party software fails and causes problems like this.

Well, and that's it for today. So thanks again for listening. Thanks for liking and subscribing to this podcast. The video I mentioned earlier about how to reverse the SharePoint exploit, I made it live in the same YouTube channel as the podcast. If you're listening to the podcast or watching the podcast via YouTube, I would like some feedback if you think that's appropriate, if I should set up different playlists or something like this. I may do this anyway, but just any kind of feedback here, how that worked out, please let me know. Because we overall plan to do a little bit more video content and that will be made live via YouTube. So still trying to work out some of the details here, how we best and most efficiently do this. So thanks for listening and talk to you again tomorrow. Bye.